Detects tool from EQGRP toolset - file dn.1.0.2.1.linux

Hunt Hypothesis

Adversaries may be using the dn.1.0.2.1.linux tool from the EQGRP toolset to establish persistence or exfiltrate data within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise from advanced persistent threats leveraging known malicious tooling.

YARA Rule

rule EQGRP_dn_1_0_2_1 
{

    meta:
        description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"

    strings:
        $s1 = "Valid commands are: SMAC, DMAC, INT, PACK, DONE, GO" fullword ascii
        $s2 = "invalid format suggest DMAC=00:00:00:00:00:00" fullword ascii
        $s3 = "SMAC=%02x:%02x:%02x:%02x:%02x:%02x" fullword ascii
        $s4 = "Not everything is set yet" fullword ascii

    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and 2 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Legitimate use of dn.1.0.2.1.linux by the EQGRP toolset for network diagnostics
  Filter/Exclusion: Exclude processes where the file path contains /opt/EQGRP/tools/ or where the process is initiated by a known system admin user (e.g., root, admin, network-admin).

• Scenario: Scheduled maintenance job using dn.1.0.2.1.linux to monitor network traffic
  Filter/Exclusion: Exclude processes that match the cron job pattern /etc/cron.d/eqgrp-maintenance or have a command line argument containing --monitor or --scheduled.

• Scenario: System update or package installation that includes dn.1.0.2.1.linux as part of a dependency
  Filter/Exclusion: Exclude processes initiated by package managers like apt or yum, or where the command line includes install, update, or upgrade.

• Scenario: Development environment using dn.1.0.2.1.linux for testing network configurations
  Filter/Exclusion: Exclude processes running in a development VM or container, or where the user is a developer (e.g., dev-team, test-user) and the command line includes --test or --dev.

• Scenario: Security tool or SIEM integration using dn.1.0.2.1.linux for log correlation
  Filter/Exclusion: Exclude processes that are part of a SIEM integration (e.g., splunk, logstash, elasticsearch) or where the command line includes --log, --correlate, or --siem.