The installdate.pl script is likely used by EQGRP to gather system information and establish persistence, so its presence indicates potential adversary activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by EQGRP adversaries.
YARA Rule
rule EQGRP_installdate
{
    meta:
        description = "Detects tool from EQGRP toolset - file installdate.pl"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
    strings:
        $x1 = "#Provide hex or EP log as command-line argument or as input" fullword ascii
        $x2 = "print \"Gimme hex: \";" fullword ascii
        $x3 = "if ($line =~ /Reg_Dword: (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {" fullword ascii
        $s1 = "if ($_ =~ /InstallDate/) {" fullword ascii
        $s2 = "if (not($cmdInput)) {" fullword ascii
        $s3 = "print \"$hex in decimal=$dec\\n\\n\";" fullword ascii
    condition:
        filesize < 2KB and ( 1 of ($x*) or 3 of them )
}
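To make the rule's condition concrete, here is an added Python evaluator (not part of the original rule or of its author's tooling) that reimplements the six string checks, the "fullword ascii" modifier and the "filesize < 2KB and ( 1 of ($x*) or 3 of them )" condition over in-memory data. The sample inputs are constructed fragments written for this example, not real EQGRP files; the helper names fullword_present and evaluate are this example's own.

```python
import re

# String values copied from the EQGRP_installdate rule above. In YARA, "\\d"
# is a literal backslash followed by "d"; the Python literals below produce
# the same characters.
X_STRINGS = {
    "$x1": "#Provide hex or EP log as command-line argument or as input",
    "$x2": 'print "Gimme hex: ";',
    "$x3": "if ($line =~ /Reg_Dword: (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {",
}
S_STRINGS = {
    "$s1": "if ($_ =~ /InstallDate/) {",
    "$s2": "if (not($cmdInput)) {",
    "$s3": 'print "$hex in decimal=$dec\\n\\n";',
}
ALL_STRINGS = {**X_STRINGS, **S_STRINGS}
FILESIZE_LIMIT = 2 * 1024  # "filesize < 2KB" in the rule's condition


def fullword_present(needle: str, haystack: str) -> bool:
    """Approximate YARA's 'fullword ascii' modifier: the literal string must
    not be immediately preceded or followed by an alphanumeric character."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(needle) + r"(?![A-Za-z0-9])"
    return re.search(pattern, haystack) is not None


def evaluate(data: bytes) -> dict:
    """Return the matched string identifiers and whether the condition holds.

    Mirrors: filesize < 2KB and ( 1 of ($x*) or 3 of them )
    """
    text = data.decode("latin-1")  # byte-preserving decode for ascii matching
    matched = [name for name, s in ALL_STRINGS.items() if fullword_present(s, text)]
    x_hits = sum(1 for name in matched if name.startswith("$x"))
    condition = len(data) < FILESIZE_LIMIT and (x_hits >= 1 or len(matched) >= 3)
    return {"matched": matched, "filesize": len(data), "condition": condition}


# Constructed samples (written for this example, not real tool output):
# three of the weaker $s strings together, a single $x string, a single $s string.
SAMPLE_THREE_S = b"""#!/usr/bin/perl
while (<STDIN>) {
    if ($_ =~ /InstallDate/) {
        print "found\\n";
    }
}
if (not($cmdInput)) {
    print "$hex in decimal=$dec\\n\\n";
}
"""
SAMPLE_ONE_X = b'print "Gimme hex: ";\n'
SAMPLE_ONE_S = b"if (not($cmdInput)) {\n"

if __name__ == "__main__":
    for label, sample in [("three $s", SAMPLE_THREE_S), ("one $x", SAMPLE_ONE_X),
                          ("one $s", SAMPLE_ONE_S),
                          ("three $s, oversize", SAMPLE_THREE_S + b"#" * 2048)]:
        print(label, "->", evaluate(sample))
```

The oversize case shows why the filesize clause matters: the same three strings appear, but a 2 KB or larger object does not match, so the rule is tuned to the small script itself rather than to larger files that merely embed its text. For real scanning, yara-python applies the actual rule; this evaluator only makes the condition's logic visible.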
This YARA rule can be deployed in the following contexts. It contains 8 string patterns in its detection logic. The scenarios below describe benign activity that could trigger it, each with a suggested filter or exclusion.
Scenario: System update or patching process using installdate.pl as part of a standard OS update
Filter/Exclusion: Check for the presence of known OS update directories (e.g., /var/log/update, /tmp/patching) or use a filter like:
    file.name != "installdate.pl" OR process.directory IN ("/usr/sbin", "/opt/osupdate")

Scenario: Scheduled job running installdate.pl to generate installation date logs for compliance
Filter/Exclusion: Filter by process name or command line arguments that include "compliance" or "audit":
    process.name = "installdate.pl" AND command_line CONTAINS "compliance"

Scenario: Admin task to verify installation dates of software packages using installdate.pl
Filter/Exclusion: Use a filter based on the user or group running the process (e.g., root or admin):
    user.name = "root" OR user.group = "admin"

Scenario: Legacy tool usage in a development environment for historical data analysis
Filter/Exclusion: Filter by source IP or network segment associated with the development environment:
    source.ip IN ("192.168.10.0/24", "10.50.0.0/16")

Scenario: Automated script that runs installdate.pl as part of a CI/CD pipeline for artifact tracking
Filter/Exclusion: Filter by process path or command line containing CI/CD keywords (e.g., "jenkins", "gitlab"):
    command_line CONTAINS "jenkins" OR command_line CONTAINS
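The five exclusions above are written in a pseudo-filter syntax. As an added example (not from the page and not a Sentinel query), the following Python expresses each exclusion as a predicate and applies them to constructed process events, so the effect of enabling or disabling one exclusion can be seen directly. The event field names (file_name, process_directory, user_name, user_group, command_line, source_ip) mirror the page's filter fields and are assumptions, as are the events themselves and the helper names triage and EXCLUSIONS.

```python
import ipaddress

# Network segments from the "development environment" scenario.
DEV_SEGMENTS = [ipaddress.ip_network("192.168.10.0/24"),
                ipaddress.ip_network("10.50.0.0/16")]


def excl_os_update(ev: dict) -> bool:
    """process.directory IN ("/usr/sbin", "/opt/osupdate")"""
    return ev.get("process_directory") in ("/usr/sbin", "/opt/osupdate")


def excl_compliance(ev: dict) -> bool:
    """command_line CONTAINS "compliance" (the page's filter checks only this word)"""
    return "compliance" in ev.get("command_line", "")


def excl_admin_user(ev: dict) -> bool:
    """user.name = "root" OR user.group = "admin" """
    return ev.get("user_name") == "root" or ev.get("user_group") == "admin"


def excl_dev_net(ev: dict) -> bool:
    """source.ip IN (dev segments); a malformed or missing IP never excludes."""
    try:
        ip = ipaddress.ip_address(ev.get("source_ip", ""))
    except ValueError:
        return False
    return any(ip in net for net in DEV_SEGMENTS)


def excl_cicd(ev: dict) -> bool:
    """command_line CONTAINS "jenkins" OR "gitlab" (case-insensitive here)."""
    cl = ev.get("command_line", "").lower()
    return "jenkins" in cl or "gitlab" in cl


# Evaluated in this order; the first exclusion that fires is recorded.
EXCLUSIONS = {
    "os_update": excl_os_update,
    "compliance": excl_compliance,
    "admin_user": excl_admin_user,
    "dev_net": excl_dev_net,
    "cicd": excl_cicd,
}


def triage(events: list, enabled: set) -> tuple:
    """Apply the enabled exclusions to installdate.pl events.

    Returns (alert_ids, suppressed) where suppressed maps an event id to the
    name of the exclusion that suppressed it.
    """
    alerts, suppressed = [], {}
    for ev in events:
        if ev.get("file_name") != "installdate.pl":
            continue  # the rule's subject; other files are out of scope
        hit = next((name for name, pred in EXCLUSIONS.items()
                    if name in enabled and pred(ev)), None)
        if hit is None:
            alerts.append(ev["id"])
        else:
            suppressed[ev["id"]] = hit
    return alerts, suppressed


# Constructed events (written for this example, not real telemetry).
EVENTS = [
    {"id": "ev1", "file_name": "installdate.pl", "process_directory": "/opt/osupdate",
     "user_name": "root", "command_line": "/opt/osupdate/installdate.pl", "source_ip": "10.1.1.5"},
    {"id": "ev2", "file_name": "installdate.pl", "process_directory": "/tmp/.x",
     "user_name": "root", "command_line": "perl /tmp/.x/installdate.pl hex.txt", "source_ip": "10.1.1.9"},
    {"id": "ev3", "file_name": "installdate.pl", "process_directory": "/home/build",
     "user_name": "jenkins", "command_line": "perl installdate.pl --compliance", "source_ip": "192.168.10.20"},
    {"id": "ev4", "file_name": "installdate.pl", "process_directory": "/home/ci",
     "user_name": "ci", "command_line": "gitlab-runner exec perl installdate.pl", "source_ip": "10.50.3.4"},
]

if __name__ == "__main__":
    print("all exclusions:", triage(EVENTS, set(EXCLUSIONS)))
    print("without admin_user:", triage(EVENTS, set(EXCLUSIONS) - {"admin_user"}))
```

With every exclusion enabled, all four constructed events are suppressed, including ev2, a root-run copy in an unexpected temporary directory, which is suppressed solely by the "user.name = root" scenario. Dropping that one exclusion leaves ev2 as the only alert, which is the intended outcome. A broad user-based exclusion should therefore be combined with the path and command-line conditions rather than applied on its own.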