The hypothesis is that the detection of the EQGRP Toolset Firewall file userscript.FW may indicate the presence of a compromised or malicious script attempting to manipulate firewall rules. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence mechanisms used by adversaries.
YARA Rule
rule EQGRP_userscript
{
    meta:
        description = "EQGRP Toolset Firewall - file userscript.FW"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7"
    strings:
        $x1 = "Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! " fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($x1) in its detection logic, so any file carrying that one string triggers it.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script named userscript.FW as part of routine system maintenance or patching.
Filter/Exclusion: Check for process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"
Scenario: Admin-Initiated Firewall Rule Update
Description: An administrator manually updates the firewall configuration using the EQGRP Toolset, triggering the script userscript.FW.
Filter/Exclusion: Check for process.user == "Administrator" and process.command_line contains "firewall update"
Scenario: Automated Compliance Scan
Description: A compliance tool or security scanner (e.g., Microsoft Intune, Azure Security Center) runs a script named userscript.FW to validate firewall settings.
Filter/Exclusion: Check for process.name == "complianceScanner.exe" or process.parent_process_name == "taskeng.exe"
Scenario: Legitimate Script for Network Configuration
Description: A network administrator uses a script named userscript.FW to configure firewall policies on a server using the EQGRP Toolset.
Filter/Exclusion: Check for process.command_line contains "configure firewall" or process.user == "NetworkAdmin"
Scenario: Third-Party Tool Integration
Description: A third-party tool (e.g., Palo Alto Networks, Fortinet) integrates with the EQGRP Toolset and executes userscript.FW as part of its configuration process.
Filter/Exclusion: Check for process.name == "thirdPartyTool.exe" or process.parent_process_name == "thirdPartyTool.exe"
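The following is an added example, not code from the original page: it emulates the rule's single fullword string match and then applies the five Filter/Exclusion conditions listed above to constructed process events, so an analyst can see which hits survive tuning. The event field names (name, parent_process_name, user, command_line, file_bytes) are assumed.

```python
# Added example (not part of the original page): a small triage helper that
# applies the rule's single string ($x1, fullword ascii, condition '1 of them')
# and then the page's five Filter/Exclusion conditions to constructed events.
import re

X1 = "Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! "
# YARA 'fullword': the match must not be preceded or followed by an alphanumeric byte.
X1_RE = re.compile(r"(?<![A-Za-z0-9])" + re.escape(X1) + r"(?![A-Za-z0-9])")

def yara_hit(data: bytes) -> bool:
    """Emulate rule EQGRP_userscript on raw file content."""
    return X1_RE.search(data.decode("latin-1")) is not None

# Exclusion conditions transcribed from the page's scenarios. Field names
# (user, name, parent_process_name, command_line) are assumed event keys.
EXCLUSIONS = {
    "Scheduled System Maintenance Task":
        lambda e: e["parent_process_name"] == "schtasks.exe" or "schtasks" in e["command_line"],
    "Admin-Initiated Firewall Rule Update":
        lambda e: e["user"] == "Administrator" and "firewall update" in e["command_line"],
    "Automated Compliance Scan":
        lambda e: e["name"] == "complianceScanner.exe" or e["parent_process_name"] == "taskeng.exe",
    "Legitimate Script for Network Configuration":
        lambda e: "configure firewall" in e["command_line"] or e["user"] == "NetworkAdmin",
    "Third-Party Tool Integration":
        lambda e: e["name"] == "thirdPartyTool.exe" or e["parent_process_name"] == "thirdPartyTool.exe",
}

def triage(event: dict) -> dict:
    """Return the YARA verdict, which exclusions matched, and whether to alert."""
    hit = yara_hit(event["file_bytes"])
    matched = [name for name, cond in EXCLUSIONS.items() if cond(event)]
    return {"yara_hit": hit, "exclusions": matched, "alert": hit and not matched}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"name": "userscript.FW", "parent_process_name": "cmd.exe", "user": "svc_backup",
     "command_line": "userscript.FW --apply", "file_bytes": b"...\n" + X1.encode() + b"\n..."},
    {"name": "userscript.FW", "parent_process_name": "schtasks.exe", "user": "SYSTEM",
     "command_line": "schtasks /run /tn Maintenance", "file_bytes": X1.encode()},
    {"name": "userscript.FW", "parent_process_name": "cmd.exe", "user": "Administrator",
     "command_line": "userscript.FW --apply", "file_bytes": b"echo hello\n"},
]

def alerts(events=EVENTS) -> list:
    """Indexes of events that hit the rule and matched no documented exclusion."""
    return [i for i, e in enumerate(events) if triage(e)["alert"]]

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e))
```

Keeping the matched exclusion names in the triage output lets the SOC measure how often each filter suppresses a true rule hit before trusting it in Sentinel.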