EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-31

Hunt Hypothesis

The detection identifies potential adversary use of EQGRP toolset components, including suspicious files associated with known malicious toolsets, indicating possible lateral movement or network reconnaissance. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by threat actors leveraging these tools for persistence or data exfiltration.

YARA Rule

rule EQGRP_Implants_Gen6 
{

    meta:
        description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119"
        hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4"
        hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939"
        hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2"
        hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3"
        hash6 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f"
        hash7 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c"

    strings:
        $s1 = "LP.c:pixSecurity - Improper number of bytes read in Security/Interface Information" fullword ascii
        $s2 = "LP.c:pixSecurity - Not in Session" fullword ascii
        $s3 = "getModInterface__preloadedModules" fullword ascii
        $s4 = "showCommands" fullword ascii
        $s5 = "readModuleInterface" fullword ascii
        $s6 = "Wrapping_Not_Necessary_Or_Wrapping_Ok" fullword ascii
        $s7 = "Get_CMD_List" fullword ascii
        $s8 = "LP_Listen2" fullword ascii
        $s9 = "killCmdList" fullword ascii

    condition:
        ( uint16(0) == 0x457f and filesize < 6000KB and all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 9 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Legitimate scheduled job running the BLIQUER-3120 tool for routine system maintenance
  Filter/Exclusion: process.name IN (BLIQUER-3120) AND event.type == "scheduled_task" AND user.name == "system"

• Scenario: Admin using BPICKER-3100 to configure firewall rules via the command line
  Filter/Exclusion: process.name == "BPICKER-3100" AND event.type == "command_line" AND user.name == "admin"

• Scenario: BLIAR-2110 is used by the IT department to perform network diagnostics
  Filter/Exclusion: process.name == "BLIAR-2110" AND event.type == "network_diag" AND user.name == "it_ops"

• Scenario: BananaUsurper-2120 is part of a legitimate security toolset used for threat hunting
  Filter/Exclusion: process.name == "BananaUsurper-2120" AND event.type == "threat_hunting" AND user.name == "security_team"

• Scenario: writeJetPlow-2130 is executed as part of a backup process to write logs to disk
  Filter/Exclusion: process.name == "writeJetPlow-2130" AND event.type == "backup" AND user.name == "backup_svc"