The detection identifies potential adversary use of the SecondDate-2211.exe file, which is associated with the EQGRP toolset and may be used for network firewall manipulation. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage adversarial activity that could lead to persistent network access or data exfiltration.
YARA Rule
rule EQGRP_SecondDate_2211
{
    meta:
        description = "EQGRP Toolset Firewall - file SecondDate-2211.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "2337d0c81474d03a02c404cada699cf1b86c3c248ea808d4045b86305daa2607"
    strings:
        $s1 = "SD_processControlPacket" fullword ascii
        $s2 = "Encryption_rc4SetKey" fullword ascii
        $s3 = ".got_loader" fullword ascii
        $s4 = "^GET.*(?:/ |\\.(?:htm|asp|php)).*\\r\\n" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and all of them )
}
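The following Python script is an added example, not part of the page or of the rule author's tooling. It re-implements the rule's condition so each term can be checked in isolation: uint16(0) == 0x457f is the little-endian reading of the first two bytes of the ELF magic (7f 45), so the rule targets an ELF binary despite the .exe file name; 200KB in YARA means 200 * 1024 bytes; and fullword requires that the matched text is not adjacent to an alphanumeric byte. All sample buffers are constructed in the script and are not real malware bytes.

```python
import re

# Constructed re-implementation of the EQGRP_SecondDate_2211 condition
# (added example; not part of the original rule or its author's tooling).
MAX_SIZE = 200 * 1024          # YARA "200KB" is 200 * 1024 bytes
ELF_MAGIC_LE = 0x457F          # uint16(0) little-endian: bytes 7f 45 ("\x7fE")

# The four strings exactly as the rule stores them. $s4 is a regex that the
# binary carries as literal text, so its backslashes are literal bytes.
STRINGS = {
    "s1": b"SD_processControlPacket",
    "s2": b"Encryption_rc4SetKey",
    "s3": b".got_loader",
    "s4": rb"^GET.*(?:/ |\.(?:htm|asp|php)).*\r\n",
}


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def uint16_le(data: bytes, offset: int) -> int:
    """YARA uint16(offset): unsigned little-endian; -1 when the file is too short."""
    if len(data) < offset + 2:
        return -1
    return int.from_bytes(data[offset:offset + 2], "little")


def evaluate_rule(data: bytes) -> dict:
    """Return every intermediate term of the condition plus the final verdict."""
    result = {
        "is_elf_magic": uint16_le(data, 0) == ELF_MAGIC_LE,
        "size_ok": len(data) < MAX_SIZE,
        "strings": {name: fullword_match(data, s) for name, s in STRINGS.items()},
    }
    result["matched"] = (
        result["is_elf_magic"] and result["size_ok"] and all(result["strings"].values())
    )
    return result


def build_sample(magic: bytes, strings: list, pad_to: int = 0) -> bytes:
    """Constructed sample: a magic header, NUL-separated strings, optional NUL padding."""
    body = magic + b"\x00" * 12 + b"\x00".join(strings) + b"\x00"
    return body + b"\x00" * max(0, pad_to - len(body))


# Constructed samples (not real malware bytes):
ELF_HIT = build_sample(b"\x7fELF", list(STRINGS.values()))
# Same strings behind a PE header: the magic term fails, so no match.
PE_SAME_STRINGS = build_sample(b"MZ\x90\x00", list(STRINGS.values()))
# Exactly 200KB: "filesize < 200KB" is false.
ELF_TOO_BIG = build_sample(b"\x7fELF", list(STRINGS.values()), pad_to=MAX_SIZE)
# $s1 glued to other alphanumerics: "fullword" rejects it.
ELF_NOT_FULLWORD = build_sample(
    b"\x7fELF", [b"xSD_processControlPacketx", STRINGS["s2"], STRINGS["s3"], STRINGS["s4"]]
)

if __name__ == "__main__":
    samples = [("ELF_HIT", ELF_HIT), ("PE_SAME_STRINGS", PE_SAME_STRINGS),
               ("ELF_TOO_BIG", ELF_TOO_BIG), ("ELF_NOT_FULLWORD", ELF_NOT_FULLWORD)]
    for label, sample in samples:
        r = evaluate_rule(sample)
        print(f"{label:17} matched={r['matched']} elf={r['is_elf_magic']} "
              f"size_ok={r['size_ok']} strings={r['strings']}")
```

The PE sample is the one to note when tuning: a Windows executable carrying every string still fails the magic check, so the parent-process exclusions below only ever see alerts on ELF files that were written to disk on the scanned host.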
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate scheduled job execution
Description: A system administrator schedules a task using Task Scheduler to run SecondDate-2211.exe as part of a routine maintenance or data synchronization process.
Filter/Exclusion: process.parent_process == "schtasks.exe" or process.parent_process_name == "Task Scheduler"
Scenario: Software update or patch deployment
Description: The file SecondDate-2211.exe is part of a legitimate software update or patch from EQGRP Toolset, executed by a patch management tool like Microsoft System Center Configuration Manager (SCCM).
Filter/Exclusion: process.parent_process == "msiexec.exe" or process.parent_process_name == "SCCM"
Scenario: Administrative tool usage during maintenance window
Description: An administrator uses SecondDate-2211.exe as part of a firewall configuration tool or network diagnostic utility during a scheduled maintenance window.
Filter/Exclusion: process.parent_process == "mmc.exe" or process.parent_process_name == "Administrative Tools"
Scenario: File integrity monitoring tool execution
Description: A file integrity monitoring tool like Tripwire or OSSEC runs SecondDate-2211.exe as part of its scan or remediation process.
Filter/Exclusion: process.parent_process == "tripwire.exe" or process.parent_process_name == "File Integrity Monitor"
Scenario: Third-party tool integration with EQGRP Toolset
Description: A third-party tool, such as a network monitoring or log analysis tool, integrates with EQGRP Toolset and executes SecondDate-2211.exe as part of its workflow.
Filter/Exclusion: process.parent_process == "nmap.exe" or process.parent_process_name == "Network Monitoring Tool"