The hypothesis is that the presence of the noclient-3.0.5.3 file from the EQGRP toolset indicates potential adversary activity leveraging a known malicious tool for persistence or data exfiltration. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors using this toolset.
YARA Rule
rule EQGRP_noclient_3_0_5
{
    meta:
        description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
    strings:
        $x1 = "-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&" fullword ascii
        $x2 = "Command too long! What the HELL are you trying to do to me?!?! Try one smaller than %d bozo." fullword ascii
        $x3 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii
        $x4 = "Error from ourtn, did not find keys=target in tn.spayed" fullword ascii
        $x5 = "ourtn -d -D %s -W 127.0.0.1:%d -i %s -p %d %s %s" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 700KB and 1 of them ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
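To make the rule's logic concrete, the following added example (written for this page, not part of the rule or its author's tooling) re-implements its condition in plain Python: the ELF magic check behind uint16(0) == 0x457f, the 700KB size bound, YARA's fullword semantics for the five strings, and the two branches of the condition. The three sample buffers are constructed for illustration and are not real files.

```python
import re

# String patterns and condition of the EQGRP_noclient_3_0_5 rule above.
STRINGS = {
    "x1": b"-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&",
    "x2": b"Command too long! What the HELL are you trying to do to me?!?! "
          b"Try one smaller than %d bozo.",
    "x3": b"sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"",
    "x4": b"Error from ourtn, did not find keys=target in tn.spayed",
    "x5": b"ourtn -d -D %s -W 127.0.0.1:%d -i %s -p %d %s %s",
}
ELF_MAGIC_LE = 0x457F      # uint16(0): bytes 7f 45 ("\x7fE") read little-endian
MAX_SIZE = 700 * 1024      # filesize < 700KB (YARA's KB is 1024 bytes)
ALNUM = re.compile(rb"[A-Za-z0-9]")

def fullword_matches(data, pattern):
    """YARA 'fullword': an occurrence not bordered by alphanumeric bytes."""
    start = 0
    while (i := data.find(pattern, start)) >= 0:
        end = i + len(pattern)
        if not ALNUM.match(data[i - 1:i]) and not ALNUM.match(data[end:end + 1]):
            return True
        start = i + 1
    return False

def uint16(data, offset):
    """Little-endian 16-bit read; -1 stands in for YARA's 'undefined' past EOF."""
    if len(data) < offset + 2:
        return -1
    return int.from_bytes(data[offset:offset + 2], "little")

def evaluate(data):
    """Return (rule_fires, matched_string_names) for a file's bytes."""
    matched = [name for name, pat in STRINGS.items() if fullword_matches(data, pat)]
    is_elf = uint16(data, 0) == ELF_MAGIC_LE
    small = len(data) < MAX_SIZE
    fires = (is_elf and small and len(matched) >= 1) or len(matched) == len(STRINGS)
    return fires, matched

# Constructed sample buffers (not real files):
ELF_SAMPLE = b"\x7fELF" + b"\x00" * 60 + STRINGS["x4"] + b"\x00"   # small ELF, one string
TEXT_SAMPLE = b"\n".join(STRINGS.values())                          # no ELF header, all strings
NEAR_MISS = b"\x7fELF" + b"abc" + STRINGS["x4"] + b"xyz"           # x4 glued to letters

if __name__ == "__main__":
    for label, buf in [("elf", ELF_SAMPLE), ("text", TEXT_SAMPLE), ("near-miss", NEAR_MISS)]:
        print(label, evaluate(buf))
```

The near-miss buffer shows why fullword matters: the bytes of $x4 are present, but because they are bordered by letters the rule does not fire, exactly as real YARA would behave.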
Scenario: A system administrator is using the noclient-3.0.5.3 tool as part of routine network monitoring and diagnostics.
Filter/Exclusion: Check for the presence of admin credentials or a user in the sudo group, or filter by process owner (user == "root" or user == "admin").
Scenario: A scheduled job runs the noclient-3.0.5.3 tool to collect system metrics or perform log analysis.
Filter/Exclusion: Filter by process name or command-line arguments that include keywords such as scheduled, cron, or job.
Scenario: The noclient-3.0.5.3 tool is part of a legitimate software update or patching process.
Filter/Exclusion: Filter by the presence of update-related command-line arguments, or check for execution within a known update window.
Scenario: A developer or DevOps engineer uses noclient-3.0.5.3 to test network connectivity or perform health checks on internal systems.
Filter/Exclusion: Filter by user role (e.g., user == "devops" or user == "developer"), or check for the presence of test-related command-line flags.
Scenario: The tool is used in a security or compliance audit to validate system configurations or check for vulnerabilities.
Filter/Exclusion: Filter by the presence of audit-related command-line arguments, or check for execution in a known audit environment.