The detection identifies potential adversary use of the tinyexec tool, which is associated with the EQGRP toolset, to establish covert communication through firewall rules. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage persistent access or command and control activities in their Azure Sentinel environment.
YARA Rule
rule EQGRP_tinyexec
{
    meta:
        description = "EQGRP Toolset Firewall - from files tinyexec"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
    strings:
        $s1 = { 73 68 73 74 72 74 61 62 00 2E 74 65 78 74 }
        $s2 = { 5A 58 55 52 89 E2 55 50 89 E1 }
    condition:
        uint32(0) == 0x464c457f and filesize < 270 and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
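As an added worked example (not code from the rule's author or from the page), the Python below re-implements the rule's condition so each clause can be checked separately when triaging a hit: it shows that `uint32(0) == 0x464c457f` is the little-endian reading of the ELF magic bytes 7F 45 4C 46, that `filesize < 270` bounds the file, and that `all of them` requires both byte patterns. The sample buffers are constructed here and are not real tinyexec binaries.

```python
import struct

# Byte patterns copied from the EQGRP_tinyexec rule above.
S1 = bytes.fromhex("73 68 73 74 72 74 61 62 00 2E 74 65 78 74")  # "shstrtab\0.text"
# x86-32 prologue: pop edx; pop eax; push ebp; push edx; mov edx,esp; push ebp; push eax; mov ecx,esp
S2 = bytes.fromhex("5A 58 55 52 89 E2 55 50 89 E1")

# YARA's uint32(0) reads the first four bytes little-endian, so b"\x7fELF" == 0x464C457F.
ELF_MAGIC_LE = 0x464C457F
MAX_SIZE = 270  # the rule's "filesize < 270" bound, in bytes


def explain(data: bytes) -> dict:
    """Evaluate each clause of the rule's condition separately (useful for tuning)."""
    return {
        "elf_magic": len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC_LE,
        "filesize_lt_270": len(data) < MAX_SIZE,
        "s1": S1 in data,
        "s2": S2 in data,
    }


def matches_eqgrp_tinyexec(data: bytes) -> bool:
    """True only when every clause holds, mirroring 'uint32(0) == ... and filesize < 270 and all of them'."""
    return all(explain(data).values())


# Constructed samples (not real malware): a small ELF-like buffer carrying both patterns,
# the same buffer padded past the size bound, and a non-ELF buffer that still carries them.
SAMPLE_HIT = b"\x7fELF" + b"\x01\x01\x01\x00" * 2 + S2 + b"\x00" * 20 + S1 + b"\x00" * 10
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * 300
SAMPLE_NOT_ELF = b"MZ" + SAMPLE_HIT[2:]

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("too_big", SAMPLE_TOO_BIG), ("not_elf", SAMPLE_NOT_ELF)):
        print(f"{name:8} match={matches_eqgrp_tinyexec(buf)} {explain(buf)}")
```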
Scenario: Scheduled System Maintenance Task Using tinyexec
Description: A legitimate system maintenance script or task (e.g., systemd or cron job) uses tinyexec to execute a routine firewall configuration update.
Filter/Exclusion: process.parent_process_name:"systemd" OR process.parent_process_name:"cron" OR file.path:"/etc/cron.d/"
Scenario: Admin Task to Deploy Firewall Rules via tinyexec
Description: A system administrator uses tinyexec to run a script that updates firewall rules as part of a security policy change.
Filter/Exclusion: process.user:"root" AND process.command_line:"update-firewall-rules.sh"
Scenario: Legitimate Use of tinyexec in a Security Tool
Description: A security tool (e.g., Snort, Suricata, or OSSEC) uses tinyexec to execute a custom script for log analysis or threat detection.
Filter/Exclusion: process.name:"snort" OR process.name:"suricata" OR process.name:"ossec"
Scenario: Automated Patching Tool Using tinyexec
Description: A patching tool (e.g., Ansible, Chef, or Puppet) uses tinyexec to apply firewall rule changes during a system update.
Filter/Exclusion: process.name:"ansible" OR process.name:"chef" OR process.name:"puppet"
Scenario: User-Initiated Firewall Rule Adjustment via tinyexec
Description: A user (with elevated privileges) manually runs a script using tinyexec to adjust firewall settings for a specific application or service.
Filter/Exclusion: process.user:"admin" AND file.name:"firewall