The detection identifies potential adversary use of the BUSURPER-2211-724.exe file, which is associated with the EQGRP toolset, indicating possible lateral movement or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced threats.
YARA Rule
rule EQGRP_BUSURPER_2211_724
{
    meta:
        description = "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744"
    strings:
        $s1 = ".got_loader" fullword ascii
        $s2 = "_start_text" fullword ascii
        $s3 = "IMPLANT" fullword ascii
        $s4 = "KEEPGOING" fullword ascii
        $s5 = "upgrade_implant" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: A legitimate system update or patching process uses the BUSURPER-2211-724.exe file as part of a scheduled maintenance task.
Filter/Exclusion: Check file hashes against a known-good hash database, or use a filter such as file_hash == "known_good_hash".

Scenario: An administrator is running the BUSURPER-2211-724.exe tool as part of a routine network firewall configuration audit using the EQGRP Toolset.
Filter/Exclusion: Filter by user context, such as user == "admin_account" or user == "network_admin".

Scenario: A scheduled job on a Windows server is executing BUSURPER-2211-724.exe to perform a firewall rule validation or compliance check.
Filter/Exclusion: Use a filter such as process.parent_process == "schtasks.exe" or process.parent_process == "task scheduler".

Scenario: The file BUSURPER-2211-724.exe is part of a legitimate third-party security tool that is configured to interact with the EQGRP Toolset Firewall.
Filter/Exclusion: Check for the presence of a known legitimate tool, e.g., process.name == "legitimate_tool.exe", or use an allowlist of permitted processes.

Scenario: A user is manually testing the EQGRP Toolset Firewall by running BUSURPER-2211-724.exe in a controlled environment for troubleshooting.
Filter/Exclusion: Use a filter such as process.command_line contains "test_mode" or process.command_line contains "debug" to identify test executions.
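As an added example (not part of this page or the rule author's code), the following Python emulates the rule's "fullword ascii" string matching and its "all of them" condition, then applies the hash-based exclusion from the first scenario above. The sample byte buffers and the known-good hash set are constructed assumptions; the five strings and hash1 are taken from the rule.

```python
import hashlib
import re

# The five strings from rule EQGRP_BUSURPER_2211_724, all declared "fullword ascii".
RULE_STRINGS = [b".got_loader", b"_start_text", b"IMPLANT", b"KEEPGOING", b"upgrade_implant"]

# hash1 from the rule's meta section, kept for reference when comparing triage hits.
RULE_HASH1 = "d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744"


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'fullword': the needle must not touch alphanumeric bytes on either side."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """Condition 'all of them': every one of the five strings must be present as a full word."""
    return all(fullword_match(data, s) for s in RULE_STRINGS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, known_good_hashes) -> str:
    """Return 'clean' (rule did not fire), 'excluded' (fired but hash is allowlisted) or 'alert'.

    known_good_hashes is a set of lowercase SHA-256 hex digests, i.e. the
    file_hash == "known_good_hash" exclusion from the first scenario.
    """
    if not rule_matches(data):
        return "clean"
    if sha256_hex(data) in known_good_hashes:
        return "excluded"
    return "alert"


# Constructed sample: an ELF-like blob carrying all five strings as separate words.
SAMPLE_HIT = b"\x7fELF\x00.got_loader\x00_start_text\x00IMPLANT KEEPGOING\x00upgrade_implant\x00"

# Constructed sample: one string is glued to surrounding letters, so 'fullword'
# rejects it and the 'all of them' condition fails.
SAMPLE_PARTIAL = b"\x7fELF\x00.got_loader\x00_start_text\x00IMPLANT KEEPGOING\x00xupgrade_implantz\x00"

if __name__ == "__main__":
    print("hit sample:", triage(SAMPLE_HIT, set()))          # alert
    print("hit sample, allowlisted:", triage(SAMPLE_HIT, {sha256_hex(SAMPLE_HIT)}))  # excluded
    print("partial sample:", triage(SAMPLE_PARTIAL, set()))  # clean
```

The hash exclusion only suppresses exact, previously vetted files; a recompiled or patched binary that still carries all five strings returns "alert" again.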