EQGRP Toolset Firewall - file eligiblecandidate.py

Hunt Hypothesis

The detection identifies potential adversary use of the eligiblecandidate.py script as part of the EQGRP toolset to establish or maintain network access. SOC teams should proactively hunt for this behavior to uncover covert persistence mechanisms and early-stage compromise in their Azure Sentinel environment.

YARA Rule

rule EQGRP_eligiblecandidate 
{

    meta:
        description = "EQGRP Toolset Firewall - file eligiblecandidate.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86"

    strings:
        $o1 = "Connection timed out. Only a problem if the callback was not received." fullword ascii
        $o2 = "Could not reliably detect cookie. Using 'session_id'..." fullword ascii
        $c1 = "def build_exploit_payload(self,cmd=\"/tmp/httpd\"):" fullword ascii
        $c2 = "self.build_exploit_payload(cmd)" fullword ascii

    condition:
        1 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Scheduled Job for User Provisioning
  Description: A legitimate scheduled job runs eligiblecandidate.py as part of an automated user provisioning process managed by the Identity and Access Management (IAM) tool like Azure AD Connect or Okta.
  Filter/Exclusion: Exclude files executed from known IAM tools or scheduled tasks with specific job names (e.g., UserProvisioningJob).

• Scenario: CI/CD Pipeline Artifact Processing
  Description: The script eligiblecandidate.py is part of a Continuous Integration/Continuous Deployment (CI/CD) pipeline, such as Jenkins or GitHub Actions, used to validate or process artifacts before deployment.
  Filter/Exclusion: Exclude files executed from CI/CD environments or with specific environment variables like CI=true or GITHUB_ACTIONS=true.

• Scenario: System Health Check Script
  Description: The script is used by a system health monitoring tool like Nagios or Zabbix to check firewall configurations or system eligibility for updates.
  Filter/Exclusion: Exclude files executed by monitoring tools or with specific command-line arguments indicating health checks (e.g., --health-check).

• Scenario: Admin Task for Firewall Rule Testing
  Description: A system administrator manually runs eligiblecandidate.py to test or debug firewall rule configurations using tools like iptables or firewalld.
  Filter/Exclusion: Exclude files executed by users with administrative privileges or with specific command-line flags like --test or --debug.

• Scenario: Log Analysis Tool Processing
  Description: The script is used by a log analysis tool like ELK Stack or Splunk to process firewall logs and identify eligible candidates for further analysis.
  Filter/Exclusion: Exclude files executed by log analysis tools