The detection identifies potential adversary use of the jetplow.sh script, which may be part of the EQGRP toolset, to establish covert network communication. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage persistent access or command-and-control activities in their Azure Sentinel environment.
YARA Rule
rule EQGRP_jetplow_SH
{
meta:
description = "EQGRP Toolset Firewall - file jetplow.sh"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
hash1 = "ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c"
strings:
$s1 = "cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow" fullword ascii
$s2 = "***** Please place your UA in /current/bin/FW/OPS *****" fullword ascii
$s3 = "ln -s ../jp/orig_code.bin orig_code_pixGen.bin" fullword ascii
$s4 = "***** Welcome to JetPlow *****" fullword ascii
condition:
1 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: System administrator runs jetplow.sh as part of a scheduled maintenance job to update firewall rules.
Filter/Exclusion: process.parent_process_name == "cron" OR process.parent_process_name == "systemd"
Scenario: Security team uses jetplow.sh to analyze network traffic for compliance purposes.
Filter/Exclusion: process.user == "security_team_user" OR process.command_line_contains("compliance")
Scenario: DevOps team executes jetplow.sh during a CI/CD pipeline to test firewall configurations.
Filter/Exclusion: process.command_line_contains("ci_cd_pipeline") OR process.user == "devops_user"
Scenario: IT staff manually runs jetplow.sh to troubleshoot a firewall-related issue.
Filter/Exclusion: process.user == "it_support_user" OR process.command_line_contains("troubleshoot")
Scenario: A legitimate security tool (e.g., iptables or nftables) is being configured using jetplow.sh as part of an automation script.
Filter/Exclusion: process.command_line_contains("iptables") OR process.command_line_contains("nftables")