Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1

Hunt Hypothesis

The detection identifies the presence of the EQGRP tool ‘durablenapkin.solaris.2.0.1.1’, which is associated with potential adversarial activity due to its known ties to malicious toolsets. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate potential compromise from advanced persistent threats leveraging this tool.

YARA Rule

rule EQGRP_durablenapkin_solaris_2_0_1 
{

    meta:
        description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"

    strings:
        $s1 = "recv_ack: %s: Service not supplied by provider" fullword ascii
        $s2 = "send_request: putmsg \"%s\": %s" fullword ascii
        $s3 = "port undefined" fullword ascii
        $s4 = "recv_ack: %s getmsg: %s" fullword ascii
        $s5 = ">> %d -- %d" fullword ascii

    condition:
        ( uint16(0) == 0x457f and filesize < 40KB and 2 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Scheduled System Maintenance Job
  Description: A legitimate system maintenance job uses the durablenapkin.solaris.2.0.1.1 tool as part of a scheduled maintenance task.
  Filter/Exclusion: Check for process.name containing “scheduled_maintenance” or process.args containing “maintenance” or “system_check”.

• Scenario: Admin Task for Log Rotation
  Description: An administrator uses the durablenapkin.solaris.2.0.1.1 tool to rotate logs as part of routine system administration.
  Filter/Exclusion: Filter by process.user being a known admin user (e.g., “root”, “admin”) and check for process.args containing “logrotate” or “rotate”.

• Scenario: Software Upgrade or Patch Deployment
  Description: The tool is used during a software upgrade or patch deployment process, which is a standard part of system updates.
  Filter/Exclusion: Look for process.args containing “upgrade”, “patch”, or “install” and check for process.parent.name related to a known deployment tool (e.g., pkg, svcadm).

• Scenario: Security Tool Integration
  Description: The tool is part of a security or compliance toolset that is integrated into the enterprise environment for monitoring or auditing.
  Filter/Exclusion: Filter by process.name containing “security” or “audit” and check for process.parent.name related to a known security tool (e.g., splunk, logstash).

• Scenario: Legacy System Compatibility Check
  Description: The tool is used to verify compatibility or perform diagnostics on legacy systems that are still in use within the enterprise.
  Filter/Exclusion: Check for process.args containing