The hypothesis is that the detection of the bc-genpkt file indicates potential adversary use of the EQGRP toolset to generate malicious network packets for covert communication or payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise attempts by advanced threats leveraging known malicious tooling.
YARA Rule
rule EQGRP_bc_genpkt
{
    meta:
        description = "Detects tool from EQGRP toolset - file bc-genpkt"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
    strings:
        // $x strings: messages specific to the packet generator itself
        $x1 = "load auxiliary object=%s requested by file=%s" fullword ascii
        $x2 = "size of new packet, should be %d <= size <= %d bytes" fullword ascii
        $x3 = "verbosity - show lengths, packet dumps, etc" fullword ascii
        // $s strings: shared-library loader and option messages seen in the sample
        $s1 = "%s: error while loading shared libraries: %s%s%s%s%s" fullword ascii
        $s2 = "cannot dynamically load executable" fullword ascii
        $s3 = "binding file %s to %s: %s symbol `%s' [%s]" fullword ascii
        $s4 = "randomize the initiator cookie" fullword ascii
    condition:
        // uint16(0) is read little-endian, so 0x457f is the first two ELF magic bytes "\x7fE"
        uint16(0) == 0x457f and filesize < 1000KB and ( 1 of ($s*) and 3 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
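To make the condition concrete, the following is an added Python re-implementation of this rule's matching logic (it is not YARA and not the rule author's code) run over constructed byte samples; it also shows that, with the condition as written above, an ELF file containing three of the generic $s loader strings and none of the $x strings still matches.

```python
import re

# String patterns copied from the EQGRP_bc_genpkt rule above.
X_STRINGS = {
    "x1": b"load auxiliary object=%s requested by file=%s",
    "x2": b"size of new packet, should be %d <= size <= %d bytes",
    "x3": b"verbosity - show lengths, packet dumps, etc",
}
S_STRINGS = {
    "s1": b"%s: error while loading shared libraries: %s%s%s%s%s",
    "s2": b"cannot dynamically load executable",
    "s3": b"binding file %s to %s: %s symbol `%s' [%s]",
    "s4": b"randomize the initiator cookie",
}

def fullword_match(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword': the match may not be bordered by alphanumeric bytes."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None

def evaluate_rule(data: bytes) -> dict:
    """Evaluate: uint16(0) == 0x457f and filesize < 1000KB and (1 of ($s*) and 3 of them)."""
    # uint16(0) is little-endian in YARA: bytes 7f 45 ("\x7fE", start of the ELF magic).
    is_elf = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x457F
    size_ok = len(data) < 1000 * 1024            # YARA's KB multiplier is 1024
    x_hits = [n for n, p in X_STRINGS.items() if fullword_match(data, p)]
    s_hits = [n for n, p in S_STRINGS.items() if fullword_match(data, p)]
    match = is_elf and size_ok and len(s_hits) >= 1 and len(x_hits) + len(s_hits) >= 3
    return {"elf": is_elf, "size_ok": size_ok, "x": x_hits, "s": s_hits, "match": match}

# Constructed samples (not real binaries): an ELF magic stub followed by NUL-separated strings.
ELF_STUB = b"\x7fELF" + b"\x00" * 12
SAMPLE_HIT = ELF_STUB + b"\x00".join([X_STRINGS["x2"], S_STRINGS["s4"], S_STRINGS["s2"]]) + b"\x00"
# Only loader strings, no $x string: still satisfies "1 of ($s*) and 3 of them".
SAMPLE_LOADER_ONLY = ELF_STUB + b"\x00".join([S_STRINGS["s1"], S_STRINGS["s2"], S_STRINGS["s3"]]) + b"\x00"
# Same strings in a non-ELF file: the uint16(0) check fails, so no match.
SAMPLE_NOT_ELF = b"MZ\x90\x00" + b"\x00".join([S_STRINGS["s1"], S_STRINGS["s2"], S_STRINGS["s3"]]) + b"\x00"

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("loader_only", SAMPLE_LOADER_ONLY), ("not_elf", SAMPLE_NOT_ELF)]:
        print(name, evaluate_rule(blob))
```

The loader-only sample is the case to keep in mind when triaging hits: confirm at least one $x string is present before treating a match as bc-genpkt.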
Scenario: Scheduled job running bc-genpkt for packet generation
Description: A legitimate scheduled job uses bc-genpkt to generate test packets for network testing or simulation.
Filter/Exclusion: Exclude processes where the command line includes --test or --simulate flags, or where the parent process is a known scheduling tool like cron or systemd.
Scenario: Admin task to generate packets for forensic analysis
Description: A security or network admin uses bc-genpkt to create custom packets for analysis or training purposes.
Filter/Exclusion: Exclude processes initiated by users in the admin or security group, or where the command line includes --analysis or --forensic flags.
Scenario: Integration with network monitoring tools
Description: bc-genpkt is used as part of an integration with a network monitoring or packet capture tool (e.g., Wireshark, tcpdump) to generate test traffic.
Filter/Exclusion: Exclude processes where the command line includes a reference to a monitoring tool or where the parent process is a known monitoring service.
Scenario: Development environment usage for packet crafting
Description: Developers use bc-genpkt in a test environment to craft custom packets for application testing or protocol validation.
Filter/Exclusion: Exclude processes running from a development directory or where the user is part of the dev or test team, or where the command line includes --dev or --test flags.
Scenario: Legacy system maintenance using bc-genpkt
Description: An older system or legacy application uses bc-genpkt as part of its maintenance or data transfer process.
Filter/Exclusion: Exclude processes where the command line includes --legacy or --maintenance flags,