This detection flags potential use of the EQGRP Toolset Firewall by matching strings found in its file payload.py, which may indicate initial compromise or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage malware execution and prevent further network infiltration.
YARA Rule
rule EQGRP_payload
{
    meta:
        description = "EQGRP Toolset Firewall - file payload.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07"
    strings:
        $s1 = "can't find target version module!" fullword ascii
        $s2 = "class Payload:" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Script
Description: A legitimate system maintenance script named payload.py is run as part of a scheduled job to perform disk cleanup or log rotation.
Filter/Exclusion: Check for presence of systemd or crontab entries, and verify the script’s location in /etc/ or /opt/ directories.
Scenario: Python-based Configuration Management Tool
Description: A configuration management tool like Ansible or SaltStack uses a Python script named payload.py to apply configuration changes across the network.
Filter/Exclusion: Check for presence of Ansible/SaltStack directories (/etc/ansible, /var/lib/salt) and verify the script’s execution context (e.g., via ansible-playbook or salt-call).
Scenario: Custom Reporting Script for Compliance
Description: A custom Python script named payload.py is used by the IT department to generate compliance reports and is stored in a shared directory like /opt/reports/.
Filter/Exclusion: Check for script location in /opt/ or /usr/local/bin/, and verify the script is owned by a known admin user or group.
Scenario: Development Environment Build Script
Description: A development team uses a Python script named payload.py as part of a CI/CD pipeline to build and test applications.
Filter/Exclusion: Check for presence of CI/CD directories like /var/lib/jenkins/ or /home/ciuser/, and verify the script is in a development environment.
Scenario: Security Tool for Threat Intelligence Feeds
Description: A security tool like OSSEC or CrowdStrike uses a Python script named payload.py to process threat intelligence feeds.
Filter/Exclusion: Check for presence of security tool
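As an added example (not part of the original page, nor the rule author's tooling), the Python below emulates the rule's two fullword strings and its "all of them" condition, then applies the path-based context checks from the scenarios above as analyst hints rather than silent suppressions. The path prefixes, the hint text and the sample file content are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# The two strings from rule EQGRP_payload. YARA's "fullword" modifier means
# the string must be bounded by non-alphanumeric characters (or file edges).
RULE_STRINGS: Dict[str, bytes] = {
    "$s1": b"can't find target version module!",
    "$s2": b"class Payload:",
}

# Hypothetical allowlist built from the false-positive scenarios above: a hit
# under one of these prefixes is annotated for analyst review, not suppressed.
BENIGN_CONTEXT_HINTS: Dict[str, str] = {
    "/etc/ansible/": "Ansible configuration management",
    "/var/lib/salt/": "SaltStack configuration management",
    "/opt/reports/": "custom compliance reporting script",
    "/var/lib/jenkins/": "CI/CD build script",
    "/home/ciuser/": "CI/CD build script",
}

# Constructed sample content for demonstration; not a real EQGRP artifact.
SAMPLE_PAYLOAD = (
    b"class Payload:\n"
    b"    def run(self):\n"
    b"        raise SystemExit(\"can't find target version module!\")\n"
)

def _fullword(s: bytes) -> "re.Pattern[bytes]":
    # Emulate 'fullword ascii': no alphanumeric byte directly before or after.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")

def match_strings(data: bytes) -> Dict[str, bool]:
    """Per-string result, similar to what 'yara -s' would report."""
    return {name: _fullword(s).search(data) is not None for name, s in RULE_STRINGS.items()}

def rule_fires(data: bytes) -> bool:
    """The rule's condition is 'all of them': both strings must be present."""
    return all(match_strings(data).values())

def triage(path: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Classify as 'clean', 'alert', or 'review' (hit in a known benign location)."""
    if not rule_fires(data):
        return "clean", None
    for prefix, hint in BENIGN_CONTEXT_HINTS.items():
        if path.startswith(prefix):
            return "review", hint
    return "alert", None

if __name__ == "__main__":
    print(triage("/tmp/payload.py", SAMPLE_PAYLOAD))              # ('alert', None)
    print(triage("/var/lib/jenkins/payload.py", SAMPLE_PAYLOAD))  # ('review', 'CI/CD build script')
```

A file under a "review" path should still be checked against the rule's hash1 and the script's owner before it is closed as benign, since the scenarios describe context, not proof.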