EQGRP Toolset Firewall - file uninstallPBD.bat

Hunt Hypothesis

The presence of the uninstallPBD.bat file may indicate the uninstallation of the EQGRP Toolset Firewall, which could be part of an adversary’s effort to remove persistence or evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential removal of malicious tools and assess the adversary’s intent to clean up their footprint.

YARA Rule

rule EQGRP_uninstallPBD 
{

    meta:
        description = "EQGRP Toolset Firewall - file uninstallPBD.bat"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0"

    strings:
        $s1 = "memset 00e9a05c 4 38845b88" fullword ascii
        $s2 = "_hidecmd" fullword ascii
        $s3 = "memset 013abd04 1 0d" fullword ascii
    
    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Scheduled Maintenance Task
  Description: A system administrator schedules a maintenance task using Task Scheduler to run uninstallPBD.bat as part of a routine cleanup or software update.
  Filter/Exclusion: Check for Task Scheduler origin, or filter by ProcessName = "schtasks.exe" or CommandLine containing "schtasks.exe /run".

• Scenario: Legitimate Software Uninstallation
  Description: The uninstallPBD.bat script is part of a legitimate software package (e.g., EQGRP Toolset Firewall) and is executed during a user-initiated uninstallation process.
  Filter/Exclusion: Filter by ProcessUser = "User" or check for presence of uninstallPBD.bat in the known software installation directory.

• Scenario: Admin Script for Configuration Reset
  Description: An admin script named uninstallPBD.bat is used to reset firewall configurations or remove temporary files during a system reconfiguration.
  Filter/Exclusion: Filter by ProcessUser = "Administrator" and check for presence of uninstallPBD.bat in a known admin script directory (e.g., C:\AdminScripts\).

• Scenario: Automated Patching Job
  Description: A patching tool or automation framework (e.g., Microsoft System Center Configuration Manager) runs uninstallPBD.bat as part of a patching process to remove outdated components.
  Filter/Exclusion: Filter by ProcessName = "ConfigMgr.exe" or CommandLine containing "ConfigMgr.exe" or "SCCM.exe".

• Scenario: False Positive from Malware Analysis Environment
  Description: The script uninstallPBD.bat is executed in a malware analysis sandbox or test environment, leading to a false positive alert.
  *Filter/Ex