The bc-parser tool from the EQGRP toolset is associated with potential adversary behavior related to data exfiltration or command and control activities. SOC teams should proactively hunt for this tool in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging known malicious tooling.
YARA Rule
rule EQGRP_bc_parser
{
    meta:
        description = "Detects tool from EQGRP toolset - file bc-parser"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
        hash1 = "879f2f1ae5d18a3a5310aeeafec22484607649644e5ecb7d8a72f0877ac19cee"
    strings:
        $s1 = "*** Target may be susceptible to FALSEMOREL ***" fullword ascii
        $s2 = "*** Target is susceptible to FALSEMOREL ***" fullword ascii
    condition:
        uint16(0) == 0x457f and 1 of them
}
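To make the condition explicit, the following is an added Python re-implementation of the rule's matching logic (example code written for this page, not part of the original rule or its author's tooling): `uint16(0) == 0x457f` is a little-endian read of the first two bytes, i.e. the ELF magic `\x7fE`, and `fullword` means an occurrence only counts when it is not bordered by alphanumeric bytes. The sample buffers are constructed, not real binaries.

```python
from typing import Optional

# The two detection strings from the rule, as bytes (the 'ascii' modifier).
RULE_STRINGS = {
    "$s1": b"*** Target may be susceptible to FALSEMOREL ***",
    "$s2": b"*** Target is susceptible to FALSEMOREL ***",
}

# Constructed sample buffers (not real binaries) used to exercise the logic.
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # e_ident of a 64-bit LE ELF
SAMPLE_ELF_HIT = ELF_HEADER + b"\x00" * 16 + RULE_STRINGS["$s1"] + b"\x00"
SAMPLE_ELF_NO_STRINGS = ELF_HEADER + b"\x00" * 64
SAMPLE_PE_WITH_STRING = b"MZ" + b"\x00" * 30 + RULE_STRINGS["$s2"] + b"\x00"
SAMPLE_ELF_NOT_FULLWORD = ELF_HEADER + b"x" + RULE_STRINGS["$s2"] + b"y"

def uint16_le(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): little-endian 16-bit read, None if out of range."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")

def fullword_match(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if neither the byte before
    nor the byte after it is alphanumeric."""
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx == -1:
            return False
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(pattern):idx + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1

def matches_eqgrp_bc_parser(data: bytes) -> dict:
    """Evaluate the rule's condition: uint16(0) == 0x457f and 1 of them."""
    is_elf = uint16_le(data, 0) == 0x457F   # bytes 7f 45, i.e. b"\x7fE"
    hits = [name for name, s in RULE_STRINGS.items() if fullword_match(data, s)]
    return {"is_elf": is_elf, "strings": hits, "match": is_elf and len(hits) >= 1}

if __name__ == "__main__":
    for label, buf in [("elf+s1", SAMPLE_ELF_HIT), ("elf only", SAMPLE_ELF_NO_STRINGS),
                       ("pe+s2", SAMPLE_PE_WITH_STRING), ("elf, not fullword", SAMPLE_ELF_NOT_FULLWORD)]:
        print(f"{label:18s} -> {matches_eqgrp_bc_parser(buf)}")
```

The PE-like buffer carries `$s2` but fails the magic check, and the last buffer carries `$s2` inside alphanumeric neighbours, so only the first sample satisfies the rule.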
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled job running bc-parser as part of a backup or data processing pipeline
Filter/Exclusion: process.parent_process_name : "backup-service" OR process.parent_process_name : "data-processor"
Scenario: System administrator using bc-parser to analyze log files for troubleshooting
Filter/Exclusion: process.user : "admin" AND process.command_line : "/usr/bin/bc-parser --log-analysis"
Scenario: Automated script execution by a CI/CD pipeline that uses bc-parser for code analysis
Filter/Exclusion: process.parent_process_name : "jenkins" OR process.parent_process_name : "gitlab-runner"
Scenario: Security tool or SIEM integration using bc-parser to parse custom log formats
Filter/Exclusion: process.command_line : "--parse-logs" OR process.command_line : "--siem-integration"
Scenario: Development team using bc-parser as part of a custom build or testing process
Filter/Exclusion: process.command_line : "--build-mode" OR process.command_line : "--test-run"