The hypothesis is that a file matching the EQGRP_false YARA rule (false.exe from the EQGRP toolset, the Equation Group tooling published in the August 2016 Shadow Brokers leak) indicates that an adversary has staged or executed known offensive tooling on the host, which in turn signals an early-stage compromise. SOC teams should proactively hunt for such files in Microsoft Sentinel (formerly Azure Sentinel), correlating file-scan hits on this rule with process-creation events for false.exe, so that hosts carrying this tooling are identified and contained before the adversary progresses.
YARA Rule
rule EQGRP_false
{
    meta:
        description = "Detects tool from EQGRP toolset - file false.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
    strings:
        // $s1 is a run of NUL-separated printf-style format strings as laid out in the
        // binary's data section: "%d.\n", "%lu.%lu.%lu.%lu", "%2.2X ", "%d - %d %d\n",
        // "%d\n", "%d - %d\n" and "%d - %d". There are no wildcards, so the bytes must
        // appear in exactly this order and spacing.
        $s1 = { 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00
                00 25 6C 75 2E 25 6C 75 2E 25 6C 75 2E 25 6C 75
                00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00
                00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00
                00 25 32 2E 32 58 20 00 00 0A 00 00 00 25 64 20
                2D 20 25 64 20 25 64 0A 00 25 64 0A 00 25 64 2E
                0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E
                0A 00 00 00 00 25 64 20 2D 20 25 64 0A 00 00 00
                00 25 64 20 2D 20 25 64 }
    condition:
        // "MZ" header (uint16 at offset 0, read little-endian), file under 50 KiB, string present
        uint16(0) == 0x5a4d and filesize < 50KB and $s1
}
This rule is written for file scanning: its condition requires an MZ header at offset 0 and a file size below 50 KB, so it applies to files on disk or files submitted to a scanner, not to process-memory scans, where filesize is not meaningful. Its detection logic contains a single string pattern, $s1, a fixed byte sequence of printf-style format strings from the binary's data section. Because there are no wildcards, the rule is precise but brittle: a recompiled build that changes the layout of those strings will not match, and, conversely, a match is independent of the file name, so a renamed copy still triggers it.
The scenarios below are benign sources of hits for a name-based hunt on false.exe. In every case, confirm the exclusion by file hash before applying it: the YARA rule matches file content, not the file name, so a file that triggers the rule must never be excluded on the strength of its parent process or directory alone, since an adversary chooses both where a file is dropped and what launches it.
Scenario: A legitimate system update or patching process uses a tool named false.exe as part of a scheduled maintenance job.
Filter/Exclusion: Check for process.parent_process matching the scheduled-task host or the update service, then filter by process.name matching "false.exe" only when process.path is inside a known update directory and the file hash matches the expected build. Note that neither appears as a process literally named "Task Scheduler" or "Windows Update": the Schedule and Windows Update services run inside svchost.exe, so key the filter on the task name, the directory and the hash rather than on the parent name alone.
Scenario: A security tool or endpoint protection software runs a script named false.exe as part of its integrity check or log analysis.
Filter/Exclusion: Include process.parent_process matching the security tool's actual service executable (e.g., MsMpEng.exe for Microsoft Defender Antivirus rather than a process named "Windows Defender"), check process.command_line against the vendor's documented arguments, and require that the file's hash or signature belongs to the vendor.
Scenario: A system administrator manually runs false.exe as a test or placeholder script during a script development or testing phase.
Filter/Exclusion: Do not exclude on user.name being an admin account (e.g., "Administrator") combined with "test" or "debug" in process.command_line: an adversary who has obtained that account can satisfy both conditions trivially. Instead, record the hash of the placeholder when the administrator builds it and exclude only that hash, limited to the time window of the development work.
Scenario: A third-party application or service (e.g., a backup tool) includes a utility named false.exe as part of its internal toolset.
Filter/Exclusion: Check for process.parent_process matching the third-party application, verify process.path is within the expected installation directory of that application, and verify that the file is signed by the vendor or matches its published hash. Git for Windows and MSYS2, for example, ship a coreutils false.exe under usr\bin that is unrelated to the EQGRP tool and will not match the YARA rule.
Scenario: A scheduled backup or data synchronization job uses false.exe as a placeholder or dummy file during a migration or configuration phase.
Filter/Exclusion: Filter by process.parent_process matching the backup or sync service's actual executable name (not the generic words "backup" or "sync", which an adversary can place in a binary name), verify process.path is within the known backup or sync tool directory, and confirm the file hash against the tool's shipped contents.
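The following added example (not part of the original page) shows the triage logic the scenarios above call for, run over constructed process-creation events shaped after Sentinel's DeviceProcessEvents columns. An event is excluded only when it sits in an expected parent/directory context and its hash is on a verified allow-list; expected context with an unknown hash, or any unexpected context, is escalated. The hashes, the ExampleBackup product and all event values are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Process-creation event, field names after DeviceProcessEvents (values constructed)."""
    FileName: str
    FolderPath: str                 # full path of the executed file
    InitiatingProcessFileName: str  # parent process image name
    AccountName: str
    ProcessCommandLine: str
    SHA256: str


def sha256_of(label: bytes) -> str:
    """Placeholder hash generator; real allow-lists come from binaries you have verified."""
    return hashlib.sha256(label).hexdigest()


# Constructed stand-ins for the hashes of verified false.exe builds.
GIT_FALSE = sha256_of(b"constructed: coreutils false.exe shipped with Git for Windows")
BACKUP_FALSE = sha256_of(b"constructed: false.exe bundled with the hypothetical ExampleBackup agent")
VERIFIED_FALSE_EXE = {GIT_FALSE, BACKUP_FALSE}

# (substring expected in the parent image name, directory the file must live in).
EXPECTED_CONTEXTS = [
    ("bash.exe",      "c:\\program files\\git\\usr\\bin\\"),
    ("examplebackup", "c:\\program files\\examplebackup\\"),   # hypothetical product
]


def triage(event: ProcessEvent) -> str:
    """Exclude only on expected context AND verified hash. Admin accounts and
    'test' in the command line carry no weight: an adversary can supply both."""
    folder = event.FolderPath.lower()
    parent = event.InitiatingProcessFileName.lower()
    in_expected_context = any(p in parent and folder.startswith(d) for p, d in EXPECTED_CONTEXTS)
    if not in_expected_context:
        return "escalate: unexpected parent or path"
    if event.SHA256.lower() not in VERIFIED_FALSE_EXE:
        return "escalate: expected context but unverified hash"
    return "exclude: verified build in expected context"


def triage_all(events: list[ProcessEvent]) -> list[str]:
    return [triage(e) for e in events]


# Constructed events covering the scenarios on this page.
EVENTS = [
    # Git for Windows coreutils false.exe, launched from bash: verified build, expected place.
    ProcessEvent("false.exe", "C:\\Program Files\\Git\\usr\\bin\\false.exe", "bash.exe",
                 "jdoe", "false.exe", GIT_FALSE),
    # Same location and parent, but the binary has been replaced (hash unknown).
    ProcessEvent("false.exe", "C:\\Program Files\\Git\\usr\\bin\\false.exe", "bash.exe",
                 "jdoe", "false.exe -x", sha256_of(b"constructed: replaced binary")),
    # Scheduled task: the Schedule service runs inside svchost.exe, file dropped in Temp.
    ProcessEvent("false.exe", "C:\\Windows\\Temp\\false.exe", "svchost.exe",
                 "SYSTEM", "false.exe 10.0.0.5", sha256_of(b"constructed: dropped binary")),
    # Admin account with "test" on the command line: still escalated.
    ProcessEvent("false.exe", "C:\\Temp\\false.exe", "powershell.exe",
                 "Administrator", "false.exe --test", sha256_of(b"constructed: unknown build")),
    # Hypothetical backup agent running its own bundled, verified false.exe.
    ProcessEvent("false.exe", "C:\\Program Files\\ExampleBackup\\false.exe", "ExampleBackupAgent.exe",
                 "SYSTEM", "false.exe --sync", BACKUP_FALSE),
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, triage_all(EVENTS)):
        print(f"{verdict:50} {event.AccountName:14} {event.FolderPath}")
```

The hash gate is the part worth keeping when this is ported to a Sentinel query: join the process events against a watchlist of verified hashes, and treat a known directory with an unknown hash as a stronger signal than an unknown directory, since it suggests a legitimate binary has been replaced in place.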