This detection identifies potential adversary use of the EQGRP firewall toolset, specifically the install_get_persistent_filenames component that generates names for persistence files, indicating possible long-term persistence on the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy, persistent threats that may evade traditional detection methods.
YARA Rule
rule install_get_persistent_filenames
{
    meta:
        description = "EQGRP Toolset Firewall - file install_get_persistent_filenames"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4a50ec4bf42087e932e9e67e0ea4c09e52a475d351981bb4c9851fda02b35291"
    strings:
        $s1 = "Generates the persistence file name and prints it out." fullword ascii
    condition:
        ( uint16(0) == 0x457f and all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic, gated by a header check: uint16(0) == 0x457f reads the first two bytes little-endian, so only files beginning with the ELF magic (0x7f 'E') can match.
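To show how the two conditions of this rule combine, here is an added Python re-implementation of its logic (not part of the original page or of the rule author's tooling). It reproduces YARA's little-endian uint16() read and the fullword semantics of the $s1 string, and runs over constructed byte blobs; the sample blobs and helper names are assumptions made for the example.

```python
import re
from typing import Optional

# The single string from the rule ($s1), declared "fullword ascii".
RULE_STRING = b"Generates the persistence file name and prints it out."
ALNUM = rb"[0-9A-Za-z]"


def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): unsigned 16-bit little-endian read, None if out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return data[offset] | (data[offset + 1] << 8)


def fullword_ascii_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the string must not be bordered by alphanumeric bytes."""
    pattern = rb"(?<!" + ALNUM + rb")" + re.escape(needle) + rb"(?!" + ALNUM + rb")"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """Mirror the rule's condition: ELF magic at offset 0 AND all strings present."""
    # 0x457f little-endian is the byte pair 0x7f 0x45, the start of "\x7fELF".
    return uint16_le(data, 0) == 0x457F and fullword_ascii_match(data, RULE_STRING)


# Constructed samples (not real malware): a minimal ELF-like header plus padding.
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_ELF_HIT = ELF_HEADER + b"usage: " + RULE_STRING + b"\n"
SAMPLE_ELF_NOT_FULLWORD = ELF_HEADER + b"X" + RULE_STRING + b"Y"   # bordered by alphanumerics
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 12 + RULE_STRING               # Windows PE magic, not ELF


def scan(samples: dict) -> list:
    """Return the names of samples the rule would fire on."""
    return [name for name, blob in samples.items() if rule_matches(blob)]


if __name__ == "__main__":
    hits = scan({"elf_hit": SAMPLE_ELF_HIT,
                 "elf_not_fullword": SAMPLE_ELF_NOT_FULLWORD,
                 "pe": SAMPLE_PE})
    print("matched:", hits)
```

Because of the header check, a Windows PE carrying the same string never matches; keep that in mind when weighing the exclusions listed below.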
Scenario: System Update or Patch Installation
Description: A legitimate system update or patch installation process may generate files with similar names to those detected by the rule, such as install_get_persistent_filenames.
Filter/Exclusion: Check for file paths containing known update directories (e.g., C:\Windows\Temp\, C:\Windows\Update\, or C:\Program Files\Microsoft\Windows\Update\). Use a filter like:
file_path contains "Windows\Update" or file_path contains "Windows\Temp"
Scenario: Scheduled Task Creation or Management
Description: An administrator may create or modify a scheduled task using tools like schtasks.exe or Task Scheduler, which could generate temporary files with similar names.
Filter/Exclusion: Filter events related to schtasks.exe or Task Scheduler by checking the process name:
process_name == "schtasks.exe" or process_name == "TaskScheduler"
Scenario: Configuration Management Tool Deployment
Description: Tools like Chef, Puppet, or Ansible may deploy configuration files or scripts that temporarily use filenames similar to the rule’s signature.
Filter/Exclusion: Filter by process name or user context:
process_name contains "chef" or process_name contains "puppet" or process_name contains "ansible" or user == "Administrator"
Scenario: Antivirus or Endpoint Protection File Scan
Description: Antivirus tools like Windows Defender, Kaspersky, or Bitdefender may generate temporary files during a scan that match the rule’s signature.
Filter/Exclusion: Filter by process name or file hash:
process_name contains "Windows Defender" or "Kaspersky