The detection identifies potential adversary use of workit.py, a script from the EQGRP toolset that may be used for network traversal or firewall manipulation. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate early-stage adversarial activity that leverages compromised infrastructure.
YARA Rule
rule EQGRP_workit
{
    meta:
        description = "EQGRP Toolset Firewall - file workit.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac"
    strings:
        $s1 = "macdef init > /tmp/.netrc;" fullword ascii
        $s2 = "/usr/bin/wget http://" fullword ascii
        $s3 = "HOME=/tmp ftp" fullword ascii
        $s4 = " >> /tmp/.netrc;" fullword ascii
        $s5 = "/usr/rapidstream/bin/tftp" fullword ascii
        $s6 = "created shell_command:" fullword ascii
        $s7 = "rm -f /tmp/.netrc;" fullword ascii
        $s8 = "echo quit >> /tmp/.netrc;" fullword ascii
        $s9 = "echo binary >> /tmp/.netrc;" fullword ascii
        $s10 = "chmod 600 /tmp/.netrc;" fullword ascii
        $s11 = "created cli_command:" fullword ascii
    condition:
        6 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 11 string patterns in its detection logic.
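To make the "6 of them" threshold and the fullword modifier concrete, the following is an added example (not code from the rule author or from this page) that re-implements the rule's matching logic in plain Python, so it can be studied without yara-python. The eleven patterns are copied from the rule above; the two sample buffers are constructed for the example and are not real files.

```python
import string
from typing import List, Tuple

# String patterns copied verbatim from the EQGRP_workit rule (all "fullword ascii").
WORKIT_STRINGS = {
    "$s1": "macdef init > /tmp/.netrc;",
    "$s2": "/usr/bin/wget http://",
    "$s3": "HOME=/tmp ftp",
    "$s4": " >> /tmp/.netrc;",
    "$s5": "/usr/rapidstream/bin/tftp",
    "$s6": "created shell_command:",
    "$s7": "rm -f /tmp/.netrc;",
    "$s8": "echo quit >> /tmp/.netrc;",
    "$s9": "echo binary >> /tmp/.netrc;",
    "$s10": "chmod 600 /tmp/.netrc;",
    "$s11": "created cli_command:",
}
THRESHOLD = 6  # the rule's condition: "6 of them"

# YARA's fullword modifier treats [A-Za-z0-9] as word bytes.
_ALNUM = set((string.ascii_letters + string.digits).encode("ascii"))


def fullword_hits(pattern: str, data: bytes) -> int:
    """Count occurrences of pattern that YARA would accept as fullword: the byte
    immediately before and the byte immediately after the match must be
    non-alphanumeric (or the match must touch the buffer's start/end)."""
    pat = pattern.encode("ascii")
    hits, start = 0, 0
    while True:
        idx = data.find(pat, start)
        if idx == -1:
            return hits
        end = idx + len(pat)
        before_ok = idx == 0 or data[idx - 1] not in _ALNUM
        after_ok = end == len(data) or data[end] not in _ALNUM
        if before_ok and after_ok:
            hits += 1
        start = idx + 1


def evaluate(data: bytes) -> Tuple[List[str], bool]:
    """Return (identifiers of strings that matched, whether '6 of them' holds)."""
    matched = [name for name, pat in WORKIT_STRINGS.items() if fullword_hits(pat, data) > 0]
    return matched, len(matched) >= THRESHOLD


# Constructed sample: source-like text that quotes seven of the rule's literals.
SUSPECT_SAMPLE = (
    b'cmd = "macdef init > /tmp/.netrc;"\n'
    b'cmd += "echo binary >> /tmp/.netrc;"\n'
    b'cmd += "echo quit >> /tmp/.netrc;"\n'
    b'cmd += "chmod 600 /tmp/.netrc;"\n'
    b'cmd += "HOME=/tmp ftp"\n'
    b'cmd += "rm -f /tmp/.netrc;"\n'
    b'print("created shell_command:", cmd)\n'
)

# Constructed sample: an ops note that mentions a few of the same fragments.
BENIGN_SAMPLE = (
    b"# constructed runbook fragment: cleanup is rm -f /tmp/.netrc; chmod 600 /tmp/.netrc;\n"
    b"# fetch tool: /usr/bin/wget http://example.invalid/pkg.tar\n"
    b"# HOME=/tmp ftp is used for unattended transfers\n"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        names, fires = evaluate(blob)
        verdict = "MATCH" if fires else "no match"
        print(f"{label}: {len(names)} of {len(WORKIT_STRINGS)} strings -> {verdict} {names}")
```

Two fullword effects are worth noticing when tuning or testing this rule. `$s4` (` >> /tmp/.netrc;`) begins with a space, so inside a shell line such as `echo quit >> /tmp/.netrc;` the byte before the match is the letter `t` and the string does not count; it only counts where the literal is delimited by non-alphanumeric bytes, such as a quote in source code. Likewise `$s2` (`/usr/bin/wget http://`) ends in `//`, so it never matches when a hostname follows directly; it matches the bare literal as it appears in a quoted string. The suspect sample therefore matches seven strings and fires, while the benign note matches only three and stays below the threshold.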
Scenario: Scheduled Job Execution
Description: A legitimate scheduled job runs the workit.py script as part of routine system maintenance or configuration updates.
Filter/Exclusion: process.parent_process_name:"task scheduler" OR process.parent_process_name:"cron"
Scenario: Admin Task for Configuration Sync
Description: An administrator uses workit.py to synchronize firewall configurations across multiple EQGRP nodes during a planned maintenance window.
Filter/Exclusion: process.user:"admin" AND process.command_line:"sync_firewall_config"
Scenario: CI/CD Pipeline Deployment
Description: The workit.py script is executed as part of a CI/CD pipeline to deploy updates to the EQGRP firewall toolset.
Filter/Exclusion: process.parent_process_name:"jenkins" OR process.parent_process_name:"gitlab-runner"
Scenario: Log Analysis Tool Integration
Description: A log analysis tool (e.g., Splunk, ELK) uses workit.py to parse and process firewall logs for reporting purposes.
Filter/Exclusion: process.parent_process_name:"splunk" OR process.parent_process_name:"logstash"
Scenario: Debugging or Troubleshooting Session
Description: A security or network engineer runs workit.py manually to debug or troubleshoot firewall behavior.
Filter/Exclusion: process.user:"security_ops" AND process.command_line:"debug_firewall"