The hypothesis is that the presence of the 1212.pl file from the EQGRP toolset indicates potential adversary activity leveraging compromised systems for persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial operations that may evade traditional detection methods.
YARA Rule
rule EQGRP_1212
{
    meta:
        description = "Detects tool from EQGRP toolset - file 1212.pl"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
    strings:
        $s1 = "if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))" fullword ascii
        $s2 = "$ans=\"$srcip:$srcport -> $dstip:$dstport\";" fullword ascii
        $s3 = "return \"ERROR:$line is not a valid port\";" fullword ascii
        $s4 = "$dstport=hextoPort($dstport);" fullword ascii
        $s5 = "sub hextoPort" fullword ascii
        $s6 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii
    condition:
        filesize < 6KB and 4 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
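To see what the rule's condition actually requires before deploying it, the following added example (not from the page and not the rule author's code) re-implements the EQGRP_1212 matching logic in plain Python: the six strings, YARA's fullword semantics (the bytes on either side of a match must not be alphanumeric), the 6KB size bound and the "4 of them" threshold. The Perl fragments in the samples are constructed for the demonstration and are not the real 1212.pl.

```python
"""
Added example: a minimal re-implementation of the EQGRP_1212 rule's condition
so the matching behaviour can be checked without a YARA engine.
"""

# The six string patterns, exactly as they appear in the rule above.
EQGRP_1212_STRINGS = {
    "$s1": b'if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))',
    "$s2": b'$ans="$srcip:$srcport -> $dstip:$dstport";',
    "$s3": b'return "ERROR:$line is not a valid port";',
    "$s4": b'$dstport=hextoPort($dstport);',
    "$s5": b'sub hextoPort',
    "$s6": b'$byte_table{"$chars[$sixteens]$chars[$ones]"}=$i;',
}
MAX_FILESIZE = 6 * 1024   # "filesize < 6KB"; YARA's KB suffix means 1024 bytes
MIN_HITS = 4              # "4 of them"


def fullword_matches(data: bytes, needle: bytes) -> list:
    """Offsets where needle occurs delimited by non-alphanumeric bytes.
    Mirrors YARA's 'fullword' modifier: the byte before and the byte after
    the match must not be ASCII alphanumeric (the needle's own edge
    characters are irrelevant)."""
    hits = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return hits
        end = idx + len(needle)
        before_ok = idx == 0 or not bytes([data[idx - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            hits.append(idx)
        start = idx + 1


def scan(data: bytes) -> dict:
    """Evaluate the rule condition against a file's bytes and report
    which strings hit, whether the size bound holds, and the verdict."""
    matched = {}
    for name, needle in EQGRP_1212_STRINGS.items():
        offsets = fullword_matches(data, needle)
        if offsets:
            matched[name] = offsets
    size_ok = len(data) < MAX_FILESIZE
    return {
        "matched": sorted(matched),
        "size_ok": size_ok,
        "verdict": size_ok and len(matched) >= MIN_HITS,
    }


# Constructed sample (not the real 1212.pl): contains five of the six strings,
# so the '4 of them' threshold is met.
SUSPECT = rb"""#!/usr/bin/perl
sub hextoPort {
    my $line = shift;
    if ($line !~ /^[a-f0-9]{4}$/) {
        return "ERROR:$line is not a valid port";
    }
    return hex($line);
}
while (my $line = <STDIN>) {
    chomp $line;
    if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/))) { next; }
    $dstport=hextoPort($dstport);
    $ans="$srcip:$srcport -> $dstip:$dstport";
    print "$ans\n";
}
"""

# Constructed benign sample: only two strings, so it must not match.
BENIGN = rb"""#!/usr/bin/perl
sub hextoPort { return hex(shift); }
$dstport=hextoPort($dstport);
print "$dstport\n";
"""

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN),
                        ("oversized", SUSPECT + b"#" * 6144)):
        print(label, scan(blob))
```

The oversized case shows the other half of the condition: the same content padded past 6KB is not flagged, which is why size bounds in a YARA rule should be reviewed when the tool is known to have been wrapped or repacked.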
Scenario: System administrator runs 1212.pl as part of a scheduled maintenance job to generate reports.
Filter/Exclusion: Check for process owner (user = root or user = admin) and presence of a scheduled job ID in the command line.
Scenario: Security team uses 1212.pl for legitimate forensic analysis or incident response.
Filter/Exclusion: Include a field for process.name = "1212.pl" and check for presence of a security team user or group in the process owner.
Scenario: The tool 1212.pl is part of a legitimate software package used for configuration management or system monitoring.
Filter/Exclusion: Filter by file.path to ensure it’s only matching the known legitimate installation path (e.g., /opt/eqgrp/bin/1212.pl).
Scenario: The script 1212.pl is executed during a software update or patching process.
Filter/Exclusion: Check for presence of a known update or patching tool in the command line (e.g., patchmgr, update.sh), or use a time-based filter for known update windows.
Scenario: The tool 1212.pl is used by a third-party application or service that is part of the enterprise’s standard toolset.
Filter/Exclusion: Include a field for process.parent_process to identify known legitimate parent processes (e.g., java, nginx, systemd).
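The five Scenario/Filter pairs above amount to one triage procedure, so here is an added example (not part of the original page) that applies all of them to Sentinel-style process events in Python, which lets the exclusions be tested against sample events before they are written into an analytics rule. Field names follow the page (process.name, file.path, process.parent_process); the install path, patch tools and parent processes are the page's own examples, while the security group name, update window, job-id marker and the events themselves are constructed assumptions.

```python
"""
Added example: triage of process events for 1212.pl using the five
exclusion scenarios listed on the page.
"""
from datetime import datetime

LEGIT_INSTALL_PATHS = {"/opt/eqgrp/bin/1212.pl"}   # page: scenario 3
PATCH_TOOLS = {"patchmgr", "update.sh"}             # page: scenario 4
LEGIT_PARENTS = {"java", "nginx", "systemd"}        # page: scenario 5
ADMIN_USERS = {"root", "admin"}                     # page: scenario 1
SECURITY_TEAM_GROUPS = {"sec-ir"}                   # assumed group name
UPDATE_WINDOW = (2, 4)                              # assumed: 02:00-04:00 local
JOB_ID_MARKER = "--job-id="                         # assumed scheduler convention


def triage(event: dict) -> dict:
    """Apply the page's exclusions to one event.
    Returns {'action': 'ignore'|'suppress'|'escalate', 'reasons': [...]}."""
    if event.get("process.name") != "1212.pl":
        return {"action": "ignore", "reasons": ["not 1212.pl"]}
    cmd = event.get("process.command_line", "")
    reasons = []
    # Scenario 1: admin owner AND a scheduled job id on the command line.
    if event.get("user.name") in ADMIN_USERS and JOB_ID_MARKER in cmd:
        reasons.append("scheduled maintenance job")
    # Scenario 2: process owner belongs to the security team.
    if SECURITY_TEAM_GROUPS & set(event.get("user.groups", [])):
        reasons.append("security team owner")
    # Scenario 3: binary runs from the known legitimate install path.
    if event.get("file.path") in LEGIT_INSTALL_PATHS:
        reasons.append("known install path")
    # Scenario 4: patch tool on the command line, or inside the update window.
    hour = datetime.fromisoformat(event["@timestamp"]).hour
    in_window = UPDATE_WINDOW[0] <= hour < UPDATE_WINDOW[1]
    if any(tool in cmd for tool in PATCH_TOOLS) or in_window:
        reasons.append("patching context")
    # Scenario 5: known legitimate parent process.
    if event.get("process.parent_process") in LEGIT_PARENTS:
        reasons.append("known parent process")
    return {"action": "suppress" if reasons else "escalate", "reasons": reasons}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T14:05:00", "process.name": "1212.pl",
     "process.command_line": "perl /tmp/.x/1212.pl", "user.name": "www-data",
     "user.groups": [], "file.path": "/tmp/.x/1212.pl",
     "process.parent_process": "bash"},
    {"@timestamp": "2024-03-01T14:05:00", "process.name": "1212.pl",
     "process.command_line": "perl /opt/eqgrp/bin/1212.pl --job-id=4711",
     "user.name": "root", "user.groups": [],
     "file.path": "/opt/eqgrp/bin/1212.pl", "process.parent_process": "cron"},
    {"@timestamp": "2024-03-01T03:10:00", "process.name": "1212.pl",
     "process.command_line": "perl /var/tmp/1212.pl", "user.name": "root",
     "user.groups": [], "file.path": "/var/tmp/1212.pl",
     "process.parent_process": "systemd"},
]


def run_sample() -> list:
    """Triage every sample event; used by the stand-alone run and the test."""
    return [triage(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_sample()):
        print(event["file.path"], result)
```

The third sample event is the one to study: a root-owned copy in /var/tmp is suppressed purely because it ran at 03:10 under systemd, so the time-window and parent-process exclusions should feed a lower-priority queue rather than drop the event outright.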