The detection identifies potential use of the EQGRP Toolset Firewall module with RC5 or RC6 opcodes, which may indicate adversarial network communication or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise or lateral movement by advanced persistent threats.
YARA Rule
rule EQGRP_RC5_RC6_Opcode
{
meta:
description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
author = "Florian Roth"
reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
date = "2016-08-17"
strings:
/*
mov esi, [ecx+edx*4-4]
sub esi, 61C88647h
mov [ecx+edx*4], esi
inc edx
cmp edx, 2Bh
*/
$s1 = { 8B 74 91 FC 81 EE 47 86 C8 61 89 34 91 42 83 FA 2B }
condition:
1 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 1 string patterns in its detection logic.
Scenario: Legitimate use of RC5/RC6 opcodes by the EQGRP Toolset Firewall during routine configuration updates
Filter/Exclusion: process.name == "eqgrp-firewall-config" or process.parent.name == "eqgrp-firewall"
Scenario: Scheduled job running EQGRP Toolset Firewall maintenance tasks that use RC5/RC6 opcodes
Filter/Exclusion: process.name == "eqgrp-scheduled-maintenance" or file.name == "eqgrp-maintenance-script.sh"
Scenario: Admin task involving EQGRP Toolset Firewall diagnostics that trigger RC5/RC6 opcode usage
Filter/Exclusion: process.name == "eqgrp-diagnostic-tool" or user.name == "admin_firewall"
Scenario: Network traffic analysis tool like Wireshark or tcpdump capturing RC5/RC6 opcodes for analysis
Filter/Exclusion: process.name == "tcpdump" or process.name == "wireshark"
Scenario: Security tool like Snort or Suricata using RC5/RC6 opcodes for signature matching
Filter/Exclusion: process.name == "snort" or process.name == "suricata"