The detection identifies potential adversary use of the EQGRP Toolset Firewall components, specifically the pandarock_v1.11.1.1.bin and pit files, which may indicate unauthorized network configuration or firewall manipulation. SOC teams should proactively hunt for this behavior to identify and mitigate potential lateral movement or network persistence tactics in their Azure Sentinel environment.
YARA Rule
rule EQGRP_pandarock
{
    meta:
        description = "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f"
        hash2 = "c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe"
    strings:
        $x1 = "* Not attempting to execute \"%s\" command" fullword ascii
        $x2 = "TERMINATING SCRIPT (command error or \"quit\" encountered)" fullword ascii
        $x3 = "execute code in <file> passing <argX> (HEX)" fullword ascii
        $x4 = "* Use arrow keys to scroll through command history" fullword ascii
        $s1 = "pitCmd_processCmdLine" fullword ascii
        $s2 = "execute all commands in <file>" fullword ascii
        $s3 = "__processShellCmd" fullword ascii
        $s4 = "pitTarget_getDstPort" fullword ascii
        $s5 = "__processSetTargetIp" fullword ascii
        $o1 = "Logging commands and output - ON" fullword ascii
        $o2 = "This command is too dangerous. If you'd like to run it, contact the development team" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 3000KB and 1 of ($x*) ) or ( 4 of them ) or 1 of ($o*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 11 string patterns in its detection logic: four high-confidence $x strings, five supporting $s strings, and two $o strings that each fire on their own.
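To see exactly which clause of the condition makes this rule fire on a given file, here is an added Python re-implementation of the condition (not from the original page or the rule's author) run over constructed byte buffers. The `fullword` boundary check is an approximation of YARA's, and the buffers are made up for illustration, not real samples.

```python
import re
import struct

# The rule's three string groups, exactly as in the YARA rule above (all `fullword ascii`).
X_STRINGS = [b'* Not attempting to execute "%s" command',
             b'TERMINATING SCRIPT (command error or "quit" encountered)',
             b"execute code in <file> passing <argX> (HEX)",
             b"* Use arrow keys to scroll through command history"]
S_STRINGS = [b"pitCmd_processCmdLine", b"execute all commands in <file>",
             b"__processShellCmd", b"pitTarget_getDstPort", b"__processSetTargetIp"]
O_STRINGS = [b"Logging commands and output - ON",
             b"This command is too dangerous. If you'd like to run it, contact the development team"]

def fullword_hit(data, pattern):
    """Approximates YARA `fullword`: an occurrence counts only when it is not immediately
    preceded or followed by an alphanumeric byte."""
    for m in re.finditer(re.escape(pattern), data):
        before, after = data[max(m.start() - 1, 0):m.start()], data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            return True
    return False

def eqgrp_pandarock(data):
    """Evaluates the rule's condition clause by clause and names the clause that fired
    (or returns None), which is what a triage analyst wants to know about a hit."""
    x = sum(fullword_hit(data, p) for p in X_STRINGS)
    s = sum(fullword_hit(data, p) for p in S_STRINGS)
    o = sum(fullword_hit(data, p) for p in O_STRINGS)
    # YARA's uint16(0) is little-endian, so 0x457f means the bytes 7f 45: an ELF header.
    is_elf = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F
    if is_elf and len(data) < 3000 * 1024 and x >= 1:
        return "elf + 1 of ($x*)"
    if x + s + o >= 4:
        return "4 of them"
    if o >= 1:
        return "1 of ($o*)"
    return None

# Constructed sample buffers (not real files) showing how the three clauses interact.
SAMPLES = {
    "elf_one_x": b"\x7fELF" + b"\x00" * 12 + S_STRINGS[0] + b"\x00" + X_STRINGS[3] + b"\x00",
    "plain_four": b"\x00".join([X_STRINGS[0]] + S_STRINGS[:3]) + b"\x00",
    "plain_o_only": b"banner: " + O_STRINGS[0] + b"\n",
    "plain_three_s": b"\x00".join(S_STRINGS[:3]) + b"\x00",
    # first $s string is glued to letters on both sides, so `fullword` rejects it
    "glued_words": b"xx" + S_STRINGS[0] + b"yy\x00" + b"\x00".join(S_STRINGS[1:4]) + b"\x00",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:14s} -> {eqgrp_pandarock(buf)}")
```

Note that a non-ELF file with only three supporting strings does not match, while a single $o string matches regardless of file type, which is where the false-positive scenarios below come from.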
Scenario: Legitimate Software Update Deployment
Description: A system administrator is deploying a legitimate software update that includes the file pandarock_v1.11.1.1.bin as part of a patch or upgrade process.
Filter/Exclusion: process.name == "msiexec.exe" OR process.name == "setup.exe" OR file.name == "update_package.exe"
Scenario: Scheduled Job for Configuration Backup
Description: A scheduled job is running to back up firewall configuration files, which includes the file pandarock_v1.11.1.1.bin as part of a backup process.
Filter/Exclusion: process.name == "backup.exe" OR process.name == "scheduled_task_runner.exe" OR file.name == "config_backup_script.bat"
Scenario: Internal Tool for Network Monitoring
Description: An internal network monitoring tool, such as pandarock_v1.11.1.1.bin, is being used by the security team to analyze firewall traffic.
Filter/Exclusion: process.user == "security_team_user" OR process.name == "network_analyzer.exe" OR file.name == "firewall_monitoring_tool.exe"
Scenario: File Integrity Check Using a Security Tool
Description: A security tool like pitr (or similar) is being used to perform a file integrity check and is accessing the file pandarock_v1.11.1.1.bin as part of its scan.
Filter/Exclusion: process.name == "file_integrity_checker.exe" OR process.name == "pitr.exe" OR file.name == "integrity_check_script.ps1"
Scenario: Log Analysis Tool Processing Firewall Logs
Description: A log analysis tool, such as pitr,