The detection identifies potential use of the EQGRP toolset by capturing unique string patterns associated with its firewall components, which may indicate initial compromise or lateral movement. SOC teams should proactively hunt for this behavior to detect early-stage adversarial activity and prevent further network infiltration in Azure Sentinel.
YARA Rule
rule EQGRP_Unique_Strings
{
meta:
description = "EQGRP Toolset Firewall - Unique strings"
author = "Florian Roth"
reference = "Research"
date = "2016-08-16"
strings:
$s1 = "/BananaGlee/ELIGIBLEBOMB" ascii
$s2 = "Protocol must be either http or https (Ex: https://1.2.3.4:1234)"
condition:
1 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Check for the presence of veeam or backup in the process name or command line arguments.
Scenario: Administrative task using PowerShell to generate temporary firewall rules for testing
Filter/Exclusion: Filter out processes with powershell.exe where the command line includes -Command or -File with a script path containing test or temp.
Scenario: SQL Server Agent Job executing a script that temporarily modifies firewall settings
Filter/Exclusion: Exclude processes where the parent process is sqlagent.exe or where the command line includes sqlcmd or osql.
Scenario: Ansible playbook execution for configuration management that includes firewall rule updates
Filter/Exclusion: Filter out processes with ansible in the command line and check for the presence of --playbook or --inventory with a known management playbook path.
Scenario: Windows Task Scheduler running a legitimate script to monitor and log firewall activity
Filter/Exclusion: Exclude processes launched by schtasks.exe or where the command line includes log or monitor in the script name.