The hypothesis is that the detection of output from scanner.exe indicates potential reconnaissance activity by the EQGRP group, as this tool is commonly used to gather system information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of adversarial activity and prevent further compromise.
YARA Rule

rule EquationGroup_scanner_output {
    meta:
        description = "Detects output generated by EQGRP scanner.exe"
        author = "Florian Roth"
        reference = "Internal Research"
        date = "2017-04-17"
    strings:
        $s1 = "# Scan for windows boxes" ascii fullword
        $s2 = "Going into send" ascii fullword
        $s3 = "# Does not work" ascii fullword
        $s4 = "You are the weakest link, goodbye" ascii fullword
        $s5 = "rpc Scan for RPC folks" ascii fullword
    condition:
        filesize < 1000KB and 2 of them
}
This YARA rule can be deployed in the following contexts:
This rule's detection logic contains 5 string patterns; it fires on files smaller than 1000 KB in which any 2 of them appear as full words (not embedded in a longer alphanumeric token).
Scenario: Scheduled System Scan by EQGRP scanner.exe
Description: The EQGRP scanner.exe is part of a scheduled maintenance task that runs during off-peak hours to scan the system for vulnerabilities.
Filter/Exclusion: Check for Process.parent_process_name = "Task Scheduler" or Process.command_line LIKE '%/quiet%'

Scenario: Security Tool Integration with EQGRP scanner.exe
Description: A third-party security tool (e.g., Microsoft Defender, CrowdStrike) integrates with EQGRP scanner.exe to perform coordinated scans.
Filter/Exclusion: Check for Process.parent_process_name = "msdefender.exe" or Process.parent_process_name = "crowdstrike.exe"

Scenario: Administrative Task to Update EQGRP Tools
Description: An admin runs EQGRP scanner.exe as part of a routine update or patching process to ensure all tools are up to date.
Filter/Exclusion: Check for Process.command_line LIKE '%/update%' or Process.user = "Administrator"

Scenario: Log Analysis Job Using EQGRP scanner.exe
Description: A log analysis job (e.g., using Splunk or ELK stack) triggers EQGRP scanner.exe to parse and analyze log files for compliance or security purposes.
Filter/Exclusion: Check for Process.parent_process_name = "splunkd.exe" or Process.parent_process_name = "elasticsearch.exe"

Scenario: False Positive from Malware Analysis Lab
Description: In a malware analysis lab, EQGRP scanner.exe is used to simulate or analyze malware behavior, leading to false positives.
Filter/Exclusion: Check for Process.machine_name LIKE '%lab%' or Process.user = "malware_analysis_user"
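Because the rule matches the content of scanner output files rather than a process, it helps to verify its "2 of them" and fullword semantics against sample files before layering on the process-based exclusions above. The following Python is an added example, not code from the page or the rule's author; it reimplements the rule's matching logic (a production deployment would use yara-python), and the sample inputs are constructed here.

```python
import re

# The five strings from the EquationGroup_scanner_output rule.
RULE_STRINGS = {
    "s1": "# Scan for windows boxes",
    "s2": "Going into send",
    "s3": "# Does not work",
    "s4": "You are the weakest link, goodbye",
    "s5": "rpc Scan for RPC folks",
}
MAX_FILESIZE = 1000 * 1024  # YARA's "1000KB": the KB suffix means 1024 bytes
MIN_MATCHES = 2              # "2 of them"


def fullword_match(pattern: bytes, data: bytes) -> bool:
    """YARA 'fullword': the hit must not be adjacent to an alphanumeric byte."""
    regex = rb"(?<![0-9A-Za-z])" + re.escape(pattern) + rb"(?![0-9A-Za-z])"
    return re.search(regex, data) is not None


def matched_strings(data: bytes) -> list:
    """Names of the rule strings that match as full words in the data."""
    return [name for name, s in RULE_STRINGS.items()
            if fullword_match(s.encode("ascii"), data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: filesize < 1000KB and 2 of them."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= MIN_MATCHES


# Constructed sample files (not real tool output).
SCANNER_OUTPUT = (b"# Scan for windows boxes\n"
                  b"Going into send\n"
                  b"You are the weakest link, goodbye\n")
# Benign log: "send" is embedded in "sender", so $s2 fails fullword; only $s3 hits.
BENIGN_LOG = b"Going into sender mode\n# Does not work\n"
# Same content as the scanner output but padded past the size limit.
OVERSIZED = SCANNER_OUTPUT + b"\x00" * MAX_FILESIZE

if __name__ == "__main__":
    for label, sample in [("scanner output", SCANNER_OUTPUT),
                          ("benign log", BENIGN_LOG),
                          ("oversized", OVERSIZED)]:
        print(f"{label}: matched={matched_strings(sample)} fires={rule_matches(sample)}")
```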