The hypothesis is that the presence of ssh.py and telnet.py files may indicate the use of the EQGRP toolset, which could be used for unauthorized remote access or network reconnaissance. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command and control activities early.
YARA Rule
rule EQGRP_ssh_telnet_29
{
meta:
description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
super_rule = 1
hash1 = "630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e"
hash2 = "07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482"
strings:
$s1 = "received prompt, we're in" fullword ascii
$s2 = "failed to login, bad creds, abort" fullword ascii
$s3 = "sending command \" + str(n) + \"/\" + str(tot) + \", len \" + str(len(chunk) + " fullword ascii
$s4 = "received nat - EPBA: ok, payload: mangled, did not run" fullword ascii
$s5 = "no status returned from target, could be an exploit failure, or this is a version where we don't expect a stus return" ascii
$s6 = "received arp - EPBA: ok, payload: fail" fullword ascii
$s7 = "chopped = string.rstrip(payload, \"\\x0a\")" fullword ascii
condition:
( filesize < 10KB and 2 of them ) or ( 3 of them )
}This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Using SSH
Description: A system administrator uses the ssh.py script as part of a scheduled maintenance job to perform routine system checks and updates.
Filter/Exclusion: Check for process.name containing “scheduled_maintenance” or user field matching the admin account used for maintenance tasks.
Scenario: Telnet-based Remote Monitoring Tool
Description: A legitimate remote monitoring tool (e.g., telnet.py) is used by the IT team to monitor network devices and collect metrics.
Filter/Exclusion: Filter by process.name matching the known monitoring tool name or check for destination.port matching the expected monitoring port (e.g., 23).
Scenario: Automated Deployment Script Using SSH
Description: A deployment script (e.g., ssh.py) is used by DevOps to push code updates to multiple servers during a CI/CD pipeline.
Filter/Exclusion: Check for process.name containing “deploy” or “ci_cd” and verify the user field matches the DevOps service account.
Scenario: Internal Network Discovery Using Telnet
Description: A network discovery tool (e.g., telnet.py) is used by the security team to map internal network devices and verify connectivity.
Filter/Exclusion: Filter by process.name matching the known discovery tool name or check for source.ip within the internal network range.
Scenario: Scripted Backup Process Using SSH
Description: A backup script (e.g., ssh.py) is used to securely transfer backup data between servers as part of a nightly backup routine.
Filter/Exclusion: Check for process.name containing “backup” or “nightly” and verify the user field matches the backup service account.