This detection identifies potential adversary use of the screamingplow.sh script, which may be part of the EQGRP toolset and indicates possible unauthorized network configuration changes. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and mitigate potential firewall manipulation by advanced persistent threats.
YARA Rule
rule EQGRP_screamingplow
{
    meta:
        description = "EQGRP Toolset Firewall - file screamingplow.sh"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a"
    strings:
        $s1 = "What is the name of your PBD:" fullword ascii
        $s2 = "You are now ready for a ScreamPlow" fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: System administrator runs screamingplow.sh as part of a scheduled maintenance job to update firewall configurations.
Filter/Exclusion: process.parent_process == "cron" OR process.parent_process == "systemd" OR process.parent_process == "atd"
Scenario: DevOps team uses screamingplow.sh as part of a CI/CD pipeline to deploy configuration changes to the firewall.
Filter/Exclusion: process.parent_process == "jenkins" OR process.parent_process == "git" OR process.parent_process == "docker"
Scenario: Security team executes screamingplow.sh manually to test or debug firewall rule changes.
Filter/Exclusion: user == "security_team_user" OR user == "firewall_admin" OR user == "root"
Scenario: A legitimate tool named screamingplow.sh is used by the enterprise's internal toolset for network monitoring and logging.
Filter/Exclusion: file.path == "/opt/eqgrp/firewall/scripts/screamingplow.sh" OR file.path == "/usr/local/bin/screamingplow.sh"
Scenario: A backup or restore process triggers screamingplow.sh to reapply firewall rules after a system restore.
Filter/Exclusion: process.name == "backup_restore_script" OR process.name == "restore_firewall_rules.sh" OR process.parent_process == "backup_service"