This rule identifies the file create_dns_injection.py by its content. The script belongs to the EQGRP (Equation Group) firewall toolset, and its presence on a host may indicate DNS injection tooling used to manipulate DNS responses or to move data over DNS. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify potential adversarial use of DNS channels for command and control or data exfiltration.
YARA Rule
rule EQGRP_create_dns_injection
{
    meta:
        description = "EQGRP Toolset Firewall - file create_dns_injection.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32"
    strings:
        $s1 = "Name: A hostname: 'host.network.com', a decimal numeric offset within" fullword ascii
        $s2 = "-a www.badguy.net,CNAME,1800,host.badguy.net \\\\" fullword ascii
    condition:
        1 of them
}
The rule contains two string patterns, and its condition (1 of them) fires as soon as either is found, so a single hit is enough. Both strings are fullword, so they only match when delimited by non-alphanumeric characters. Note that the match is on file content, not on the filename: a legitimately named create_dns_injection.py only triggers the rule if it carries this exact usage text, and a renamed copy of the tool still matches. The scenarios below describe benign contexts in which such a hit may occur and how to exclude them.
Scenario: A system administrator is using Ansible to deploy a configuration update that includes a script named create_dns_injection.py as part of a legitimate DNS configuration task.
Filter/Exclusion: Check for presence of ansible in the process name or command line, or filter by user (e.g., root or admin).
Scenario: A scheduled job runs nightly to generate DNS records using a script named create_dns_injection.py as part of a DNS automation tool like PowerDNS or Bind9.
Filter/Exclusion: Filter by time window (e.g., only during scheduled maintenance hours) or check for presence of known DNS management tools in the process tree.
Scenario: A security tool like OSSEC or Tripwire generates a script named create_dns_injection.py as part of its own configuration or remediation process.
Filter/Exclusion: Check for presence of the security tool’s process name or check the file’s location against known security tool directories.
Scenario: A devops team uses Jenkins to deploy a Python script named create_dns_injection.py as part of a CI/CD pipeline that manages DNS configurations.
Filter/Exclusion: Filter by Jenkins process name or check for presence of CI/CD tooling in the command line or environment variables.
Scenario: A network team uses Python scripts to automate DNS injection for internal testing or validation, such as during a DNSSEC rollout or DNS tunneling simulation.
Filter/Exclusion: Check for presence of testing tools like dnsmasq, nsupdate, or dig in the process or command line.
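To show how the rule's two strings and its 1 of them condition behave, and how the process-tree and path exclusions from the scenarios above can be applied to a match, here is an added example in Python. It is not part of the original page and not YARA's own code: it re-implements the fullword check in plain Python (assuming YARA's delimiter test is ASCII isalnum) instead of calling yara-python, and the sample file contents, the FileEvent structure and the TRUSTED_ANCESTORS / TRUSTED_DIRS allowlists are constructed for illustration.

```python
"""Re-implementation of the EQGRP_create_dns_injection matching logic plus a
small triage step for the exclusions above.  Added example; not from the page
or from YARA.  Assumes YARA's fullword delimiter test is ASCII isalnum."""
from __future__ import annotations

from dataclasses import dataclass

# The two $s strings from the rule.  YARA's "\\\\" is two literal backslashes;
# the same escape yields two backslashes in a Python bytes literal.
RULE_STRINGS: dict[str, bytes] = {
    "$s1": b"Name: A hostname: 'host.network.com', a decimal numeric offset within",
    "$s2": b"-a www.badguy.net,CNAME,1800,host.badguy.net \\\\",
}


def _fullword_hits(data: bytes, needle: bytes) -> list[int]:
    """Offsets where needle occurs and is delimited by non-alphanumeric bytes,
    which is what the fullword modifier requires (bytes.isalnum is ASCII-only)."""
    hits: list[int] = []
    start = 0
    while (i := data.find(needle, start)) != -1:
        before = data[i - 1:i] if i else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            hits.append(i)
        start = i + 1
    return hits


def scan(data: bytes) -> dict[str, list[int]]:
    """Return {string_id: [offsets]} for every rule string that matched."""
    found: dict[str, list[int]] = {}
    for sid, needle in RULE_STRINGS.items():
        offs = _fullword_hits(data, needle)
        if offs:
            found[sid] = offs
    return found


def rule_matches(data: bytes) -> bool:
    """condition: 1 of them"""
    return bool(scan(data))


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-write event as a hunting pipeline might hand it over (constructed)."""
    path: str
    content: bytes
    process_tree: tuple[str, ...] = ()  # oldest ancestor first, e.g. ("cron", "python3")


# Hypothetical allowlist values standing in for the exclusions listed above;
# they are placeholders, not values taken from the page.
TRUSTED_ANCESTORS = frozenset({"ansible-playbook", "jenkins-agent"})
TRUSTED_DIRS = ("/var/ossec/", "/etc/tripwire/")


def triage(event: FileEvent) -> str:
    """'no-match', 'suppressed' (matched but covered by an exclusion) or 'alert'."""
    if not rule_matches(event.content):
        return "no-match"
    if any(p in TRUSTED_ANCESTORS for p in event.process_tree):
        return "suppressed"
    if event.path.startswith(TRUSTED_DIRS):
        return "suppressed"
    return "alert"


# Constructed samples (not real files from the leak).
TOOL_HELP = b"usage: create_dns_injection.py -a www.badguy.net,CNAME,1800,host.badguy.net \\\\\n"
BENIGN_SCRIPT = b"#!/usr/bin/env python3\n# create_dns_injection.py: push records to PowerDNS\nimport requests\n"
EMBEDDED = b"xName: A hostname: 'host.network.com', a decimal numeric offset within"  # 'x' breaks fullword

if __name__ == "__main__":
    events = [
        FileEvent("/tmp/create_dns_injection.py", TOOL_HELP, ("bash", "python3")),
        FileEvent("/tmp/create_dns_injection.py", TOOL_HELP, ("ansible-playbook", "python3")),
        FileEvent("/opt/dns/create_dns_injection.py", BENIGN_SCRIPT, ("cron",)),
        FileEvent("/tmp/notes.txt", EMBEDDED),
    ]
    for ev in events:
        print(f"{ev.path:40} {triage(ev):10} strings={sorted(scan(ev.content))}")
```

Run it directly to see the verdicts for the four constructed events. The suppression keys only on ancestor process or directory; the matched bytes are the leaked tool's own usage text, so a suppressed hit should still be logged and reviewed rather than discarded, since an adversary can just as easily launch the script from a trusted parent or drop it into a trusted directory.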