The hypothesis is that the presence of teflondoor.exe, a known component of the EQGRP toolset, may indicate initial compromise or lateral movement by an adversary leveraging this tool for persistence or command and control. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify potential adversarial activity early and prevent further exploitation within the environment.
YARA Rule
rule EQGRP_teflondoor
{
    meta:
        description = "Detects tool from EQGRP toolset - file teflondoor.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
    strings:
        $x1 = "%s: abort. Code is %d. Message is '%s'" fullword ascii
        $x2 = "%s: %li b (%li%%)" fullword ascii
        $s1 = "no winsock" fullword ascii
        $s2 = "%s: %s file '%s'" fullword ascii
        $s3 = "peer: connect" fullword ascii
        $s4 = "read: write" fullword ascii
        $s5 = "%s: done!" fullword ascii
        $s6 = "%s: %li b" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and 1 of ($x*) and 3 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
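To make the condition explicit, the following is an added Python example (not from the original page or from the signature-base project) that re-implements this rule's string and condition logic in pure Python and runs it against constructed, non-malicious byte buffers; it follows YARA's definitions of the fullword modifier (match not bordered by an alphanumeric byte) and of the KB suffix (1024 bytes).

```python
import re

# Strings from the EQGRP_teflondoor rule above (all declared "fullword ascii").
X_STRINGS = {
    "x1": b"%s: abort. Code is %d. Message is '%s'",
    "x2": b"%s: %li b (%li%%)",
}
S_STRINGS = {
    "s1": b"no winsock",
    "s2": b"%s: %s file '%s'",
    "s3": b"peer: connect",
    "s4": b"read: write",
    "s5": b"%s: done!",
    "s6": b"%s: %li b",
}
MAX_SIZE = 30 * 1024  # "filesize < 30KB": YARA's KB suffix means 1024 bytes

def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be bordered by an alphanumeric byte."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None

def matched_strings(data: bytes) -> set:
    """Return the identifiers of every rule string found in data."""
    found = set()
    for ident, needle in {**X_STRINGS, **S_STRINGS}.items():
        if fullword_match(data, needle):
            found.add(ident)
    return found

def eqgrp_teflondoor_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: MZ header, size < 30KB, 1 of ($x*), 3 of them."""
    if len(data) < 2 or data[:2] != b"MZ":  # uint16(0) == 0x5a4d is little-endian "MZ"
        return False
    if len(data) >= MAX_SIZE:               # filesize < 30KB
        return False
    found = matched_strings(data)
    x_hits = [i for i in found if i.startswith("x")]
    return len(x_hits) >= 1 and len(found) >= 3  # "them" counts $x and $s together

# Constructed samples (not real malware): a PE-like stub carrying rule strings.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SAMPLE_HIT = PE_STUB + b"\x00%s: abort. Code is %d. Message is '%s'\x00no winsock\x00peer: connect\x00"
SAMPLE_NO_X = PE_STUB + b"\x00no winsock\x00peer: connect\x00read: write\x00%s: done!\x00"
SAMPLE_NO_MZ = b"\x7fELF" + SAMPLE_HIT[4:]
SAMPLE_PARTIAL_WORD = PE_STUB + b"\x00%s: abort. Code is %d. Message is '%s'\x00no winsock\x00peer: connected\x00"

if __name__ == "__main__":
    for name in ("SAMPLE_HIT", "SAMPLE_NO_X", "SAMPLE_NO_MZ", "SAMPLE_PARTIAL_WORD"):
        print(name, eqgrp_teflondoor_matches(globals()[name]))
```

SAMPLE_PARTIAL_WORD shows why fullword matters: "peer: connect" is followed by the letter "e", so $s3 does not count and only two strings remain, below the "3 of them" threshold.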
Scenario: Legitimate system update or patching process using teflondoor.exe
Filter/Exclusion: Check for presence of teflondoor.exe in known system directories like C:\Windows\System32 or within Microsoft Update packages. Use a filter like:
file.directory == "C:\Windows\System32" or file.name == "WindowsUpdate.exe"

Scenario: Scheduled job running teflondoor.exe as part of a legitimate enterprise tool (e.g., backup or monitoring software)
Filter/Exclusion: Filter events where the process is initiated by a scheduled task with a known name, such as BackupJob or MonitoringService. Use:
process.parent.name == "schtasks.exe" and process.name == "teflondoor.exe" and process.parent.command_line contains "BackupJob"

Scenario: Admin task using teflondoor.exe for network discovery or inventory
Filter/Exclusion: Filter processes initiated by a user with elevated privileges (e.g., Administrator) and associated with a known admin task. Use:
user.name == "Administrator" and process.name == "teflondoor.exe" and process.command_line contains "inventory"

Scenario: Antivirus or endpoint protection tool using teflondoor.exe for scanning or quarantine
Filter/Exclusion: Exclude processes where teflondoor.exe is launched by a known security tool (e.g., Windows Defender, Malwarebytes). Use:
process.parent.name == "WindowsDefender.exe" or process.parent.name == "Malwarebytes.exe"

Scenario: Development or testing environment using teflondoor.exe for internal diagnostics