This detection identifies files carrying the StoreFc.py script from the EQGRP (Equation Group) firewall toolset. According to the strings the rule keys on, StoreFc.py is a wrapper around Store.py used by FELONYCROWBAR that takes an XML config file and a BinStore implant and writes the configuration into the implant; its presence on a host indicates that operator tooling has been staged, not merely that a generic script is running. SOC teams should proactively hunt for matching files (or the listed SHA-256) in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain early-stage compromise attempts by advanced persistent threats.
YARA Rule
rule EQGRP_StoreFc
{
    meta:
        description = "EQGRP Toolset Firewall - file StoreFc.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108"
    strings:
        $x1 = "Usage: StoreFc.py --configFile=<path to xml file> --implantFile=<path to BinStore implant> [--outputFile=<file to write the conf" ascii
        $x2 = "raise Exception, \"Must supply both a config file and implant file.\"" fullword ascii
        $x3 = "This is wrapper for Store.py that FELONYCROWBAR will use. This" fullword ascii
    condition:
        1 of them
}
This is a file-content signature: it contains 3 string patterns and, because the condition is 1 of them, a single hit on any of the three is enough to fire. It can be run by any YARA-capable scanner (endpoint agents, mail and web gateways, sandboxes, or retro-hunts over file stores and sample repositories). Two points matter when tuning it. First, $x1 is plain ascii while $x2 and $x3 are fullword, so the latter two will not match when the text is glued to an alphanumeric character. Second, the rule matches what is inside a file, not a process name or command line, so the process-level exclusions in the scenarios below only apply once a file match has been correlated with execution telemetry; a file that genuinely contains these strings is the EQGRP tool itself, so any exclusion should be scoped to a specific, reviewed artifact rather than to a whole class of activity.
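To make the matching semantics concrete, here is an added example (not part of the original page or of Florian Roth's rule set) that evaluates the three strings and the "1 of them" condition in plain Python, without a yara-python install, over constructed sample files. It shows that a benign script which merely mentions StoreFc.py by name does not fire, that the fullword modifier rejects a hit glued to a following letter, and how the hash1 value can be checked alongside the string match. The sample contents are constructed for illustration and are not the real tool.

```python
"""Plain-Python evaluation of the EQGRP_StoreFc YARA rule over constructed samples."""
import hashlib

# The three strings from the rule. The boolean marks YARA's `fullword`
# modifier: $x2 and $x3 carry it, $x1 does not.
RULE_STRINGS = {
    "$x1": ("Usage: StoreFc.py --configFile=<path to xml file> "
            "--implantFile=<path to BinStore implant> "
            "[--outputFile=<file to write the conf", False),
    "$x2": ('raise Exception, "Must supply both a config file and implant file."', True),
    "$x3": ("This is wrapper for Store.py that FELONYCROWBAR will use. This", True),
}
# hash1 from the rule's meta section.
HASH1 = "f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108"


def string_matches(data, pattern, fullword):
    """Return every byte offset of `pattern` in `data`.

    With fullword=True a hit is rejected when it is directly preceded or
    followed by an alphanumeric byte, mirroring YARA's `fullword` modifier.
    Slicing keeps this safe at file start/end because b"" is not alnum.
    """
    needle = pattern.encode("ascii")
    hits = []
    pos = data.find(needle)
    while pos != -1:
        end = pos + len(needle)
        glued = data[pos - 1:pos].isalnum() or data[end:end + 1].isalnum()
        if not fullword or not glued:
            hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def evaluate_rule(data):
    """Evaluate EQGRP_StoreFc on one file's bytes; condition is `1 of them`."""
    matched = {}
    for name, (pattern, fullword) in RULE_STRINGS.items():
        offsets = string_matches(data, pattern, fullword)
        if offsets:
            matched[name] = offsets
    digest = hashlib.sha256(data).hexdigest()
    return {
        "rule": "EQGRP_StoreFc",
        "matched_strings": sorted(matched),
        "offsets": matched,
        "fires": len(matched) >= 1,   # any single string satisfies `1 of them`
        "sha256": digest,
        "hash1_match": digest == HASH1,  # exact-sample check, brittle by design
    }


# Constructed sample A: a stub that reuses the tool's error line ($x2).
SAMPLE_TOOL = (
    b"#!/usr/bin/env python\n"
    b"# constructed stand-in for illustration, not the real tool\n"
    b"if not (configFile and implantFile):\n"
    b'    raise Exception, "Must supply both a config file and implant file."\n'
)

# Constructed sample B: a benign backup job that only names StoreFc.py.
SAMPLE_BENIGN = (
    b"#!/usr/bin/env python\n"
    b"# nightly archive job; formerly called StoreFc.py, now uses shutil\n"
    b"import shutil\n"
    b"shutil.make_archive('/backup/logs', 'zip', '/var/log')\n"
)

# Constructed sample C: the $x3 text glued to a following letter, which
# `fullword` rejects even though a plain substring search would find it.
SAMPLE_GLUED = b"This is wrapper for Store.py that FELONYCROWBAR will use. ThisVariant"

SAMPLES = {"tool_stub": SAMPLE_TOOL, "benign_backup": SAMPLE_BENIGN, "glued_x3": SAMPLE_GLUED}


def scan_samples():
    """Run the rule over every constructed sample and return name -> verdict."""
    return {name: evaluate_rule(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        state = "MATCH" if verdict["fires"] else "clean"
        print(f"{name:15s} {state:5s} strings={verdict['matched_strings']} "
              f"sha256={verdict['sha256'][:16]}... hash1={verdict['hash1_match']}")
```

The benign sample shows why the exclusion scenarios below should never be keyed on a file or process being named StoreFc.py: the rule does not look at names at all, and conversely renaming the real tool does not evade it. The hash1 comparison is included only to illustrate the relationship between the meta hash and the strings; the strings are what give the rule reach beyond that one sample.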
Scenario: Scheduled Job for Data Archiving
Description: A legitimate scheduled job runs the StoreFc.py script to archive old data to a secure storage location.
Filter/Exclusion: Exclude the specific, reviewed job (e.g., a known job name like DataArchiveJob, pinned to the script's path and hash) rather than every process launched by the system scheduler (cron, Task Scheduler); scheduled tasks are themselves a common persistence mechanism, so a blanket scheduler exclusion would hide exactly the activity the rule is meant to surface.
Scenario: Admin Task for Log File Management
Description: An administrator uses the StoreFc.py script to move or compress log files as part of routine log management.
Filter/Exclusion: Exclude only a known log-management invocation (e.g., a command-line argument such as --logrotate together with the reviewed script path), not every process running as an admin account (root, Administrator); post-exploitation tooling typically runs with precisely those privileges, so excluding on user context alone removes the detection's value.
Scenario: Integration with Third-Party Storage System
Description: The StoreFc.py script is part of an integration with a third-party storage solution (e.g., AWS S3, Azure Blob Storage) for automated data transfer.
Filter/Exclusion: Exclude processes whose command line references known third-party storage endpoints or CLIs (e.g., aws s3, azure storage) for the approved integration. Do not key the exclusion on API keys appearing in the command line: secrets should not be passed that way in the first place, and if they are, that is a finding of its own.
Scenario: Development Environment Testing
Description: A developer is testing the StoreFc.py script in a development environment to ensure it works correctly before deployment.
Filter/Exclusion: Exclude processes running from a designated development checkout (e.g., a source tree under /src or a developer's home directory) or invoked with a command-line flag like --test or --dry-run. Note that /dev is the Unix device tree, not a development directory, and must not be used as the path filter.
Scenario: Automated Backup Process
Description: The StoreFc.py script is used as part of an automated backup process to store critical application data.
Filter/Exclusion: Exclude processes that occur during known backup windows (e.g., backup_window_0200) or have a command-line argument like `