The detection identifies potential adversary use of the tinyhttp_setup.sh script, part of the EQGRP toolset, to establish covert communication channels. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage persistent access and command-and-control activity in their Azure Sentinel environment.
YARA Rule
rule EQGRP_tinyhttp_setup
{
    meta:
        description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0"
    strings:
        $x1 = "firefox http://127.0.0.1:8000/$_name" fullword ascii
        $x2 = "What is the name of your implant:" fullword ascii /* it's called conscience */
        $x3 = "killall thttpd" fullword ascii
        $x4 = "copy http://<IP>:80/$_name flash:/$_name" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 2KB and 1 of ($x*) ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
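As an added illustration (not part of the original page and not Florian Roth's code), the following Python re-implements the rule's condition over constructed in-memory samples so an analyst can see exactly which clause fires: the shebang magic check (`uint16(0) == 0x2123` is the little-endian reading of the two bytes `#!`), the 2KB size bound, the `fullword` border rule, and the two alternative branches (`1 of ($x*)` on a small script versus `all of them` on any file). It assumes only the standard library; a real deployment would compile the rule with yara or yara-python instead. The sample file contents are constructed and are not real EQGRP material.

```python
import struct

# The four $x strings from the rule, byte-for-byte ("fullword ascii").
X_STRINGS = {
    "$x1": b"firefox http://127.0.0.1:8000/$_name",
    "$x2": b"What is the name of your implant:",
    "$x3": b"killall thttpd",
    "$x4": b"copy http://<IP>:80/$_name flash:/$_name",
}

SHEBANG_MAGIC = 0x2123  # uint16(0) is little-endian: b"#!" = 0x23, 0x21 -> 0x2123
MAX_SIZE = 2 * 1024     # filesize < 2KB


def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword' semantics: the match may not be bordered by an ASCII
    alphanumeric character on either side (bytes.isalnum is ASCII-only)."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or not data[i - 1:i].isalnum()
        after_ok = end == len(data) or not data[end:end + 1].isalnum()
        if before_ok and after_ok:
            return True
        start = i + 1


def evaluate(data: bytes) -> dict:
    """Evaluate the rule condition and report which branch (if any) fired."""
    matched = sorted(n for n, s in X_STRINGS.items() if fullword_match(data, s))
    magic = struct.unpack("<H", data[:2])[0] if len(data) >= 2 else None
    magic_ok = magic == SHEBANG_MAGIC
    size_ok = len(data) < MAX_SIZE
    # ( uint16(0) == 0x2123 and filesize < 2KB and 1 of ($x*) )
    branch_script = magic_ok and size_ok and len(matched) >= 1
    # ( all of them )
    branch_all = len(matched) == len(X_STRINGS)
    via = "script" if branch_script else "all_strings" if branch_all else None
    return {"matched": matched, "magic_ok": magic_ok, "size_ok": size_ok,
            "hit": branch_script or branch_all, "via": via}


# Constructed samples for illustration only (hypothetical file names).
SAMPLES = {
    # Small shell script carrying one rule string -> first branch fires.
    "setup_like.sh": (b"#!/bin/sh\n# constructed sample\n"
                      b"echo 'What is the name of your implant:'\nread _name\n"),
    # Shebang and size fit, but the trailing '2' breaks fullword -> no match.
    "lookalike.sh": b"#!/bin/sh\nkillall thttpd2\n",
    # Analyst notes: no shebang and over 2KB, yet all four strings -> 'all of them'.
    "notes.txt": b"Analyst notes\n" + b"\n".join(X_STRINGS.values()) + b"\n" + b"x" * 4096,
    # One string, no shebang, large -> neither branch.
    "report.txt": b"Seen once: killall thttpd\n" + b"y" * 4096,
}


def scan_samples() -> dict:
    """Map each constructed sample to the branch that fired (None = no hit)."""
    return {name: evaluate(data)["via"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} {evaluate(data)}")
```

The `notes.txt` case is the one worth remembering during triage: because the `all of them` branch has no magic or size guard, a large text file that merely quotes all four strings (an analyst write-up, a copied detection page) will hit the rule, and the `via` field tells you which branch to scrutinise before escalating.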
Scenario: System update or patching process using a known legitimate script with a similar name
    Filter/Exclusion: process.name IN ("yum", "apt", "dnf", "zypper") or check for known update tools in the system's package manager logs

Scenario: Scheduled maintenance task deploying a configuration management tool like Ansible or Puppet
    Filter/Exclusion: process.name IN ("ansible", "puppet", "chef") or check for presence of configuration management tool binaries in the execution path

Scenario: Admin manually installing a legitimate monitoring tool like Prometheus or Grafana
    Filter/Exclusion: process.name IN ("tar", "unzip", "rpm", "deb") and check for known legitimate tool installation paths or checksums

Scenario: Automated backup job extracting files from a backup archive
    Filter/Exclusion: process.name IN ("tar", "gzip", "7z", "zip") and check for presence of backup directories or known backup tools in the execution context

Scenario: Security tool or endpoint protection agent performing a file integrity check or remediation
    Filter/Exclusion: process.name IN ("clamav", "bitdefender", "kaspersky", "mcafee") or check for presence of security tool directories in the execution path