This detection identifies potential adversary use of the shellcode.py file from the EQGRP Toolset Firewall, which may indicate initial compromise or command and control activity. SOC teams should proactively hunt for this behavior to identify early-stage malicious activity and prevent further lateral movement within the environment monitored by Azure Sentinel.
YARA Rule
rule EQGRP_shellcode
{
    meta:
        description = "EQGRP Toolset Firewall - file shellcode.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "ac9decb971dd44127a6ca0d35ac153951f0735bb4df422733046098eca8f8b7f"
    strings:
        $s1 = "execute_post = '\\xe8\\x00\\x00\\x00\\x00\\x5d\\xbe\\xef\\xbe\\xad\\xde\\x89\\xf7\\x89\\xec\\x29\\xf4\\xb8\\x03\\x00\\x00\\x00" ascii
        $s2 = "tiny_exec = '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x03\\x00\\x01\\x00\\x00" ascii
        $s3 = "auth_id = '\\x31\\xc0\\xb0\\x03\\x31\\xdb\\x89\\xe1\\x31\\xd2\\xb6\\xf0\\xb2\\x0d\\xcd\\x80\\x3d\\xff\\xff\\xff\\xff\\x75\\x07" ascii
        $c1 = { e8 00 00 00 00 5d be ef be ad de 89 f7 89 ec 29 f4 b8 03 00 00 00 }
        /* $c2 = { 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 } too many fps */
        $c3 = { 31 c0 b0 03 31 db 89 e1 31 d2 b6 f0 b2 0d cd 80 3d ff ff ff ff 75 07 }
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
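The following is an added example, not part of the original rule page and not code from the rule's author: a small pure-Python re-implementation of the rule's matching logic (no yara-python dependency) so that the "1 of them" condition, the difference between the escaped-text strings ($s1-$s3) and the raw byte patterns ($c1, $c3), and the reason $c2 is commented out can be exercised on constructed inputs. The sample script, sample binary and benign ELF header below are all constructed for this example.

```python
"""Added example: minimal re-implementation of the EQGRP_shellcode rule logic.

The YARA source writes "\\x31" (escaped backslash) for the $s* strings, so
the pattern YARA actually searches for is the literal text  \x31  as it
appears inside a Python source file.  The $c* patterns are the same
shellcode as raw bytes, as it would appear once assembled into a binary.
"""

# Escaped-text patterns (rb"" keeps the backslashes literal, like YARA does).
TEXT_PATTERNS = {
    "$s1": rb"execute_post = '\xe8\x00\x00\x00\x00\x5d\xbe\xef\xbe\xad\xde\x89\xf7\x89\xec\x29\xf4\xb8\x03\x00\x00\x00",
    "$s2": rb"tiny_exec = '\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00",
    "$s3": rb"auth_id = '\x31\xc0\xb0\x03\x31\xdb\x89\xe1\x31\xd2\xb6\xf0\xb2\x0d\xcd\x80\x3d\xff\xff\xff\xff\x75\x07",
}

# Raw byte patterns.  $c1 starts with the well-known "call $+5 / pop ebp"
# position-independent-code idiom; $c2 is nothing but a generic 32-bit x86
# ELF header, which is why the rule author disabled it ("too many fps").
HEX_PATTERNS = {
    "$c1": bytes.fromhex("e8 00 00 00 00 5d be ef be ad de 89 f7 89 ec 29 f4 b8 03 00 00 00"),
    "$c2": bytes.fromhex("7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00"),
    "$c3": bytes.fromhex("31 c0 b0 03 31 db 89 e1 31 d2 b6 f0 b2 0d cd 80 3d ff ff ff ff 75 07"),
}

ALL_PATTERNS = {**TEXT_PATTERNS, **HEX_PATTERNS}
# What the rule actually ships with: $c2 is commented out.
ACTIVE_PATTERNS = {k: v for k, v in ALL_PATTERNS.items() if k != "$c2"}


def scan(data, patterns=ACTIVE_PATTERNS):
    """Return the identifiers of every pattern found anywhere in data."""
    return [name for name, pat in patterns.items() if pat in data]


def matches_rule(data):
    """The rule's condition is '1 of them': a single hit is a match."""
    return len(scan(data)) >= 1


# Constructed sample 1: a Python source file carrying the escaped shellcode
# text.  Only $s3 is present, which is already enough for "1 of them".
SAMPLE_SCRIPT = rb"""# constructed sample, not the real shellcode.py
auth_id = '\x31\xc0\xb0\x03\x31\xdb\x89\xe1\x31\xd2\xb6\xf0\xb2\x0d\xcd\x80\x3d\xff\xff\xff\xff\x75\x07\x00'
"""

# Constructed sample 2: a fake 32-bit x86 ELF (constructed header prefix)
# with the assembled $c1 bytes embedded in it.
BENIGN_ELF = HEX_PATTERNS["$c2"] + b"\x00" * 41   # header only, nothing else
SAMPLE_BINARY = BENIGN_ELF + HEX_PATTERNS["$c1"] + b"\x00" * 8


def demo():
    """Show the hits for each constructed sample, with and without $c2."""
    results = {
        "script": scan(SAMPLE_SCRIPT),
        "binary": scan(SAMPLE_BINARY),
        "benign_elf_active": scan(BENIGN_ELF),
        "benign_elf_with_c2": scan(BENIGN_ELF, ALL_PATTERNS),
    }
    for name, hits in results.items():
        print(f"{name:20s} hits={hits} match={len(hits) >= 1}")
    return results


if __name__ == "__main__":
    demo()
```

Two things worth noting from the output: the benign ELF header matches nothing with the shipped pattern set but would fire on $c2 if it were re-enabled, which is exactly the false-positive problem the rule's comment records; and the rule keys on file content, not on the file name, so a script that merely happens to be called shellcode.py does not match unless it carries these byte sequences.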
Scenario: Scheduled Job for Code Analysis
Description: A legitimate scheduled job runs a Python script named shellcode.py as part of a code analysis or security testing tool (e.g., Bandit, SonarQube, or OWASP ZAP).
Filter/Exclusion: Check for the presence of known security tools in the process tree, or use a filter like:
process.parent_process_name IN ("bandit", "sonar-scanner", "zap.sh")
Scenario: Admin Task for Script Debugging
Description: A system administrator is debugging a Python script named shellcode.py using a tool like PyCharm, VS Code, or Jupyter Notebook.
Filter/Exclusion: Filter by process names associated with development environments:
process.name IN ("pycharm64", "code", "jupyter-notebook")
Scenario: CI/CD Pipeline Execution
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions, or GitLab CI) runs a Python script named shellcode.py as part of a build or test phase.
Filter/Exclusion: Check for the presence of CI/CD tool names in the process tree, or use a filter like:
process.parent_process_name IN ("jenkins", "github-actions", "gitlab-runner")
Scenario: Log Analysis Tool Processing
Description: A log analysis tool (e.g., ELK Stack, Splunk, or Graylog) uses a Python script named shellcode.py to parse or process log files.
Filter/Exclusion: Filter by known log analysis tools or check for log file access patterns: