The hunt hypothesis detects potential adversary use of the sniffer_xml2pcap tool from the EQGRP toolset to covertly exfiltrate network traffic data by converting XML firewall logs into PCAP format. SOC teams should proactively hunt for this behavior to identify potential data exfiltration attempts leveraging legitimate tools in an Azure Sentinel environment.
YARA Rule
rule EQGRP_sniffer_xml2pcap
{
    meta:
        description = "EQGRP Toolset Firewall - file sniffer_xml2pcap"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42"
    strings:
        $x1 = "-s/--srcip <sourceIP> Use given source IP (if sniffer doesn't collect source IP)" fullword ascii
        $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled job running sniffer_xml2pcap for network traffic analysis
Filter/Exclusion: process.parent_process_name == "systemd" OR process.parent_process_name == "cron" OR process.parent_process_name == "atd"
Scenario: Admin using tcpdump or Wireshark to capture and convert XML logs to pcap for forensic analysis
Filter/Exclusion: process.name == "tcpdump" OR process.name == "wireshark" OR process.name == "tshark"
Scenario: Regular log parsing task using sniffer_xml2pcap as part of a log management pipeline
Filter/Exclusion: process.command_line_contains("log_parser") OR process.command_line_contains("logstash")
Scenario: System update or patching process that temporarily generates XML logs being converted to pcap
Filter/Exclusion: process.command_line_contains("yum") OR process.command_line_contains("apt") OR process.command_line_contains("dnf")
Scenario: Security tool like OSSEC or Splunk using sniffer_xml2pcap to process XML-based log files
Filter/Exclusion: process.command_line_contains("ossec") OR process.command_line_contains("splunk") OR process.command_line_contains("logstash")
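To show how the rule above and the exclusion scenarios fit together in a hunt, here is an added Python example (not code from the page or from the rule's author): it evaluates the rule's two strings with YARA's fullword semantics over file bytes, applies the page's filters to a process event, and returns one verdict. The event field names, the sample bytes and the sample event are constructed assumptions.

```python
import re
from typing import Optional

# The two strings from the page's EQGRP_sniffer_xml2pcap rule.
RULE_STRINGS = {
    "$x1": b"-s/--srcip <sourceIP> Use given source IP (if sniffer doesn't collect source IP)",
    "$x2": b"convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.",
}

def fullword_match(data: bytes, needle: bytes) -> bool:
    """Approximate YARA 'fullword ascii': no alphanumeric byte directly before or after the string."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None

def rule_matches(data: bytes) -> dict:
    """Evaluate 'condition: 1 of them' over the rule strings; report which identifiers hit."""
    hits = [name for name, s in RULE_STRINGS.items() if fullword_match(data, s)]
    return {"match": len(hits) >= 1, "strings": hits}

# The page's false-positive exclusions, translated from its filter notation.
EXCLUDED_PARENTS = {"systemd", "cron", "atd"}            # scheduled jobs
EXCLUDED_PROCS = {"tcpdump", "wireshark", "tshark"}      # admin capture tools
EXCLUDED_CMDLINE = ("log_parser", "logstash", "yum", "apt", "dnf", "ossec", "splunk")

def is_excluded(event: dict) -> Optional[str]:
    """Return the label of the exclusion that suppresses the alert, or None if it should fire.
    Note: substring checks such as 'apt' also hit unrelated words (e.g. 'adapter'), so these
    exclusions are broad and should be reviewed against real telemetry before deployment."""
    if event.get("parent_process_name") in EXCLUDED_PARENTS:
        return "scheduled-job"
    if event.get("name") in EXCLUDED_PROCS:
        return "admin-capture-tool"
    cmd = event.get("command_line", "")
    for token in EXCLUDED_CMDLINE:
        if token in cmd:
            return "pipeline:" + token
    return None

def hunt(file_bytes: bytes, event: dict) -> dict:
    """Combine the file-content rule with the process-level exclusions into one verdict."""
    yara = rule_matches(file_bytes)
    reason = is_excluded(event)
    return {"alert": yara["match"] and reason is None, "strings": yara["strings"], "suppressed_by": reason}

# Constructed sample input (not a real binary): the $x2 help text surrounded by non-alphanumeric bytes.
SAMPLE_BINARY = b"\x7fELF\x00\x00usage: " + RULE_STRINGS["$x2"] + b"\x00"
# Constructed process event from a hypothetical EDR/Sentinel feed: interactive shell parent, no tuning hit.
SAMPLE_EVENT = {"name": "sniffer_xml2pcap", "parent_process_name": "bash",
                "command_line": "./sniffer_xml2pcap fw_sniffer.xml out.pcap"}
```

Running `hunt(SAMPLE_BINARY, SAMPLE_EVENT)` yields an alert, while the same file seen under a `cron` parent is suppressed by the scheduled-job exclusion.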