This detection identifies potential use of sploit.py, a file from the EQGRP Toolset Firewall, whose presence may indicate unauthorized access or lateral movement. SOC teams should proactively hunt for this file to uncover covert malware activity or reconnaissance that could lead to deeper network compromise.
YARA Rule
rule EQGRP_sploit_py
{
    meta:
        description = "EQGRP Toolset Firewall - file sploit.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6"
    strings:
        $x1 = "the --spoof option requires 3 or 4 fields as follows redir_ip" ascii
        $x2 = "[-] timeout waiting for response - target may have crashed" fullword ascii
        $x3 = "[-] no response from health check - target may have crashed" fullword ascii
    condition:
        1 of them
}
This rule contains 3 string patterns in its detection logic; any one of them matching is enough to trigger it. The scenarios below describe benign contexts in which a file named sploit.py may appear, together with a filter that can be used to exclude each of them.
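To make the rule's matching semantics concrete, here is an added Python reimplementation of its three strings and its "1 of them" condition (example code written for this page, not part of the rule or its author's work). It assumes YARA's documented meaning of fullword: the match may not be immediately preceded or followed by an alphanumeric byte. The sample buffers are constructed for illustration.

```python
import re

# The three strings from rule EQGRP_sploit_py: (bytes, fullword?)
RULE_STRINGS = {
    "$x1": (b"the --spoof option requires 3 or 4 fields as follows redir_ip", False),
    "$x2": (b"[-] timeout waiting for response - target may have crashed", True),
    "$x3": (b"[-] no response from health check - target may have crashed", True),
}


def _pattern(s: bytes, fullword: bool) -> re.Pattern:
    """Build a byte regex for one YARA string.

    'ascii' without 'fullword' is a plain substring match; 'fullword'
    additionally requires that no alphanumeric byte touches either end.
    """
    core = re.escape(s)
    if fullword:
        core = rb"(?<![A-Za-z0-9])" + core + rb"(?![A-Za-z0-9])"
    return re.compile(core)


def match_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, (s, fullword) in RULE_STRINGS.items():
        offsets = [m.start() for m in _pattern(s, fullword).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Condition '1 of them': at least one string must match."""
    return len(match_strings(data)) >= 1


# Constructed sample inputs (not real captures).
SAMPLE_HIT = b"[+] starting\n[-] timeout waiting for response - target may have crashed\n"
SAMPLE_CLEAN = b"[+] health check ok\n[+] done\n"
# Same text as $x2 but glued to a trailing letter: fullword rejects it.
SAMPLE_FULLWORD_MISS = b"[-] timeout waiting for response - target may have crashedx"
# $x1 is not fullword, so surrounding letters do not prevent a match.
SAMPLE_X1_EMBEDDED = b"xthe --spoof option requires 3 or 4 fields as follows redir_ipx"

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN),
                      ("fullword_miss", SAMPLE_FULLWORD_MISS), ("x1", SAMPLE_X1_EMBEDDED)]:
        print(f"{name}: matches={rule_matches(buf)} {match_strings(buf)}")
```

Running the block shows that a word-boundary violation defeats the two fullword strings but not $x1, which matters when reviewing why a scan did or did not fire.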
Scenario: Scheduled Job for Script Execution
Description: A legitimate scheduled job runs sploit.py as part of a routine system maintenance or configuration update.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" OR process.parent_process_name:"schtasks.exe"
Scenario: Admin Task for Code Testing
Description: A system administrator is testing a Python script named sploit.py as part of a development or QA process.
Filter/Exclusion: process.user:"Administrator" AND process.command_line:"python sploit.py --test"
Scenario: CI/CD Pipeline Execution
Description: The script sploit.py is part of a CI/CD pipeline that automates testing or deployment tasks.
Filter/Exclusion: process.command_line:"/usr/bin/python3 /opt/ci_pipeline/sploit.py" OR process.command_line:"python3 sploit.py --ci"
Scenario: Log Analysis Tool Using Python Script
Description: A log analysis tool (e.g., ELK, Splunk, or custom script) uses sploit.py to parse or process log files.
Filter/Exclusion: process.command_line:"/opt/log_analyzer/sploit.py" OR process.parent_process_name:"splunkd"
Scenario: Legacy Tool Integration
Description: An older tool or legacy system (e.g., eqgrp_toolset_firewall) uses sploit.py as a helper script for configuration or data processing.
Filter/Exclusion: process.parent_process_name:"eqgrp_toolset_firewall" OR process.command_line:"eqgrp_toolset_firewall --run sploit.py"