The detection identifies potential adversary use of the EQGRP Toolset Firewall module, specifically the file epicbanana_2.1.0.1.py, which may be used for network traffic manipulation or evasion. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to persistent network access or data exfiltration.
YARA Rule
rule EQGRP_epicbanana_2_1_0_1
{
    meta:
        description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61"
    strings:
        $s1 = "failed to create version-specific payload" fullword ascii
        $s2 = "(are you sure you did \"make [version]\" in versions?)" fullword ascii
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic consists of two string patterns ($s1 and $s2), and its condition (1 of them) fires when either string is found. The scenarios below describe benign activity that could trigger the rule, each with a suggested filter or exclusion.
Scenario: A system administrator is using the epicbanana_2.1.0.1.py script as part of a scheduled maintenance job to update firewall rules.
Filter/Exclusion: Check for the presence of a scheduled task or cron job associated with the script, or filter by user (e.g., user = admin or user = root).
Scenario: A legitimate security tool, such as CrowdStrike Falcon, is using a script with a similar name (epicbanana_2.1.0.1.py) for automated threat detection and response.
Filter/Exclusion: Filter by process name or parent process, or check for known security tool signatures in the file hash or process tree.
Scenario: A developer is testing a Python script named epicbanana_2.1.0.1.py as part of a development environment setup that includes firewall testing tools such as iptables or nftables.
Filter/Exclusion: Filter by file path (e.g., /home/dev/ or /opt/dev/), or check for the presence of a development environment marker in the file metadata.
Scenario: A system update or patching tool, such as Ansible, is deploying a script with the same name as part of a configuration management task.
Filter/Exclusion: Filter by process name (e.g., ansible-playbook), or check for the presence of a known configuration management tool in the process tree.
Scenario: A legitimate network monitoring tool, such as Wireshark, is using a Python script with a similar name for packet analysis that includes firewall rule validation.
Filter/Exclusion: Filter by process name, or check for the presence of Wireshark or related tools in the process tree.
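As an added example (not part of the original page or of the rule's author's tooling), the following Python emulates the rule's two fullword ascii strings and its 1 of them condition, then applies the file-path and parent-process exclusions suggested above to constructed sample events; the event field names (path, parent_process, content) are an assumption, not a Sentinel schema.

```python
import re

# The two strings from the EQGRP_epicbanana_2_1_0_1 rule on this page.
EPICBANANA_STRINGS = {
    "$s1": b"failed to create version-specific payload",
    "$s2": b'(are you sure you did "make [version]" in versions?)',
}
# Exclusion values taken from the scenarios on this page; tune to your estate.
DEV_PATH_PREFIXES = ("/home/dev/", "/opt/dev/")
CONFIG_MGMT_PARENTS = {"ansible-playbook"}

def fullword_ascii_match(data, needle):
    """Emulate YARA's `fullword ascii` modifier: no alphanumeric byte
    may sit directly before or after the needle."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None

def matching_strings(data):
    """Identifiers of rule strings found in data; the rule's condition is
    `1 of them`, so any non-empty result means the rule fires."""
    return [name for name, s in EPICBANANA_STRINGS.items()
            if fullword_ascii_match(data, s)]

def triage(event):
    """Classify one file event. The dict keys path/parent_process/content
    are an assumption, not a Sentinel schema. Exclusions are applied only
    after a string match, so benign context never hides a rule hit."""
    hits = matching_strings(event["content"])
    if not hits:
        return "no-match"
    if event["path"].startswith(DEV_PATH_PREFIXES):
        return "suppressed:dev-path"
    if event.get("parent_process") in CONFIG_MGMT_PARENTS:
        return "suppressed:config-mgmt"
    return "alert:" + ",".join(hits)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"path": "/tmp/epicbanana_2.1.0.1.py", "parent_process": "bash",
     "content": b'print("failed to create version-specific payload")'},
    {"path": "/home/dev/fw/epicbanana_2.1.0.1.py", "parent_process": "python3",
     "content": b"# failed to create version-specific payload"},
    {"path": "/etc/motd", "parent_process": "sshd",
     "content": b"xfailed to create version-specific payloadx"},  # not fullword
]

def triage_all(events=SAMPLE_EVENTS):
    """Map each event path to its triage verdict."""
    return {ev["path"]: triage(ev) for ev in events}
```

The suppressed verdicts are kept distinct from no-match so that tuning decisions stay visible in the output rather than silently discarding hits.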