The hypothesis is that the detection identifies potential exploitation of the EQGRP Toolset Firewall through the execution of suspicious Python scripts named sploit.py, which may indicate initial compromise or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to deeper network infiltration.
YARA Rule
rule EQGRP_sploit
{
    meta:
        description = "EQGRP Toolset Firewall - from files sploit.py, sploit.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        super_rule = 1
        hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
        hash2 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
    strings:
        $s1 = "print \"[+] Connecting to %s:%s\" % (self.params.dst['ip'], self.params.dst['port'])" fullword ascii
        $s2 = "@overridable(\"Must be overriden if the target will be touched. Base implementation should not be called.\")" fullword ascii
        $s3 = "@overridable(\"Must be overriden. Base implementation should not be called.\")" fullword ascii
        $s4 = "exp.load_vinfo()" fullword ascii
        $s5 = "if not okay and self.terminateFlingOnException:" fullword ascii
        $s6 = "print \"[-] keyboard interrupt before response received\"" fullword ascii
        $s7 = "if self.terminateFlingOnException:" fullword ascii
        $s8 = "print 'Debug info ','='*40" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 90KB and 1 of ($s*) ) or ( 4 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
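To see how the condition above actually fires, here is an added triage helper (not part of the rule or of any YARA tooling) that re-implements the condition clause in plain Python so it can be exercised without yara-python: it checks the little-endian uint16(0) == 0x2123 shebang test, the 90KB size bound, and the fullword semantics of the eight $s* strings, and runs them over constructed (non-malicious) samples that hit each branch. In production you would compile the rule with yara-python instead; this block only illustrates the logic.

```python
"""Triage helper: evaluate the EQGRP_sploit condition on in-memory samples."""

# The eight $s* strings from the rule, verbatim (ascii, fullword).
EQGRP_SPLOIT_STRINGS = [
    b"print \"[+] Connecting to %s:%s\" % (self.params.dst['ip'], self.params.dst['port'])",
    b"@overridable(\"Must be overriden if the target will be touched. Base implementation should not be called.\")",
    b"@overridable(\"Must be overriden. Base implementation should not be called.\")",
    b"exp.load_vinfo()",
    b"if not okay and self.terminateFlingOnException:",
    b"print \"[-] keyboard interrupt before response received\"",
    b"if self.terminateFlingOnException:",
    b"print 'Debug info ','='*40",
]

def fullword_hit(data: bytes, pattern: bytes) -> bool:
    """True if pattern occurs in data delimited by non-alphanumeric bytes,
    which is what YARA's 'fullword' modifier requires (YARA uses C isalnum;
    bytes.isalnum() agrees for ASCII input)."""
    start = 0
    while (i := data.find(pattern, start)) >= 0:
        before = data[i - 1:i] if i else b""
        after = data[i + len(pattern):i + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1
    return False

def eqgrp_sploit_matches(data: bytes) -> bool:
    """Pure-Python rendering of the rule's condition clause:
    ( uint16(0) == 0x2123 and filesize < 90KB and 1 of ($s*) ) or ( 4 of them )."""
    # uint16(0) is little-endian, so 0x2123 means bytes 0x23 0x21, i.e. "#!" (a shebang).
    shebang = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x2123
    small = len(data) < 90 * 1024          # YARA's KB suffix is 1024 bytes
    hits = sum(fullword_hit(data, s) for s in EQGRP_SPLOIT_STRINGS)
    return (shebang and small and hits >= 1) or hits >= 4

# Constructed samples (not real malware) that exercise each branch of the condition.
SAMPLES = {
    "shebang_one_string": b"#!/usr/bin/env python\nexp.load_vinfo()\n",
    "no_shebang_four_strings": b"\n".join(EQGRP_SPLOIT_STRINGS[3:7]),
    "no_shebang_two_strings": b"\n".join(EQGRP_SPLOIT_STRINGS[3:5]),
    "shebang_not_fullword": b"#!/usr/bin/env python\nmyexp.load_vinfo()\n",  # 'y' precedes the string
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:28s} -> {'MATCH' if eqgrp_sploit_matches(blob) else 'no match'}")
```

The last sample shows why fullword matters: the string is present as a substring but is glued to an alphanumeric character, so the rule does not count it.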
Scenario: Scheduled Job Execution of sploit.py for Network Configuration Backup
Description: A legitimate scheduled job runs sploit.py to automate the backup of firewall configurations.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "backup"

Scenario: Admin Task to Validate Firewall Rules Using sploit.py Script
Description: An administrator uses sploit.py to validate and test firewall rule compliance as part of a security audit.
Filter/Exclusion: process.user contains "Domain\Administrator" or process.command_line contains "audit"

Scenario: CI/CD Pipeline Deployment of sploit.py for Firewall Rule Updates
Description: A CI/CD pipeline deploys sploit.py to update firewall rules on a test environment.
Filter/Exclusion: process.parent_process_name == "jenkins.exe" or process.command_line contains "deploy"

Scenario: Third-Party Tool Integration Using sploit.py for Firewall Monitoring
Description: A third-party security tool integrates with the firewall using sploit.py to monitor traffic.
Filter/Exclusion: process.parent_process_name == "thirdparty_monitor.exe" or process.command_line contains "monitor"

Scenario: Development Environment Testing of sploit.py for Firewall Simulation
Description: A developer tests sploit.py in a sandboxed environment to simulate firewall behavior.
Filter/Exclusion: process.process_name contains "sandboxed_env" or process.command_line contains "test"