This rule detects files carrying a string taken from MixText.py, a script in the EQGRP (Equation Group) firewall toolset, which may be used for obfuscating or exfiltrating data through firewall traffic. It is a file-content signature rather than a network detection: it matches wherever the string appears, regardless of the file's name or location, so SOC teams can hunt with it across endpoints, file shares and submitted samples to identify early-stage activity that leverages network evasion techniques, and forward the scanner's matches into their Azure Sentinel environment for triage.
YARA Rule
rule EQGRP_MixText
{
    meta:
        description = "EQGRP Toolset Firewall - file MixText.py"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795"
    strings:
        $s1 = "BinStore enabled implants." fullword ascii
    condition:
        1 of them
}
Detection logic: the rule contains a single string pattern, the ASCII text "BinStore enabled implants." with the fullword modifier (the match must not be immediately preceded or followed by an alphanumeric character), and the condition fires as soon as that one string is present. Because the match is on content rather than on a file name, a script that merely happens to be called MixText.py will not trigger it unless it contains that string, and any file that does contain it will, whatever it is called. The scenarios below describe situations that may produce benign matches and the filters an analyst might apply. Note that an exclusion based on a path or a process name can be defeated by an adversary who stages the file in the excluded directory, so a hash-based exclusion of individually reviewed files is the safer choice.
Scenario: System update or patching process
Description: A legitimate system update or patching task may include the transfer of MixText.py as part of a configuration or script deployment.
Filter/Exclusion: Exclude files with a known source, such as those located in a trusted update directory (e.g., /var/update/), or files with a known hash from a trusted source.
Scenario: Scheduled job for log processing
Description: A scheduled job may use MixText.py to process log files as part of a log normalization or analysis task.
Filter/Exclusion: Exclude files executed from a known log processing directory (e.g., /opt/log-processing/) or files with a known execution time aligned with scheduled jobs.
Scenario: Admin task for configuration backup
Description: An administrator may run a script named MixText.py to back up or manipulate configuration files as part of a routine maintenance task.
Filter/Exclusion: Exclude files executed from a known admin script directory (e.g., /root/scripts/) or files with a known user or group owner (e.g., root or admin).
Scenario: Third-party tool integration
Description: A third-party tool, such as Ansible or Chef, may include MixText.py as part of its module or playbook for text manipulation.
Filter/Exclusion: Exclude files that are part of a known third-party tool’s directory (e.g., /usr/share/ansible/) or files with a known process name (e.g., ansible-playbook).
Scenario: Development or testing environment usage
Description: Developers may use MixText.py in a test environment to process text data during testing or development of new applications.
Filter/Exclusion: Exclude files executed from a known development directory
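To show how the rule's single fullword string match behaves on the kinds of files the scenarios above describe, and how a hash-based exclusion is applied after the content match, here is an added Python example. It is not part of the original page or of the signature-base project; it re-implements the rule's logic in plain Python rather than calling YARA, and the sample file contents, paths and the allowlist are constructed for the example.

```python
import hashlib
import re

# The rule's only string, as bytes. YARA's `ascii` modifier means a plain
# single-byte encoding; `fullword` means the match may not be immediately
# preceded or followed by an alphanumeric character.
RULE_NAME = "EQGRP_MixText"
RULE_STRINGS = {"$s1": b"BinStore enabled implants."}

# Constructed sample files, keyed by a hypothetical path.
SAMPLES = {
    # Benign log-processing script that merely shares the file name:
    # no rule string inside, so the rule must not fire on it.
    "/opt/log-processing/MixText.py": (
        b"#!/usr/bin/env python\nimport sys\n"
        b"for line in sys.stdin:\n    print(line.strip().lower())\n"
    ),
    # Constructed file carrying the rule's string, staged under a random name.
    "/tmp/.cache/mt.py": (
        b"# Mix text payload for BinStore enabled implants.\n"
        b"def mix(x):\n    return x\n"
    ),
    # The string glued to a preceding letter: `fullword` must reject this.
    "/tmp/edge.txt": b"xBinStore enabled implants.\n",
}


def sha256_hex(data):
    """SHA-256 of file content, the key used for hash-based exclusions."""
    return hashlib.sha256(data).hexdigest()


def fullword_matches(data, needle):
    """Offsets where `needle` occurs in `data` with YARA fullword semantics."""
    pattern = re.compile(
        rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    )
    return [m.start() for m in pattern.finditer(data)]


def scan(data):
    """Emulate the rule: condition `1 of them` over the string set."""
    hits = {}
    for name, needle in RULE_STRINGS.items():
        offsets = fullword_matches(data, needle)
        if offsets:
            hits[name] = offsets
    return {"rule": RULE_NAME, "matched": len(hits) >= 1, "strings": hits}


def triage(data, allowlist=frozenset()):
    """Content match first, then the hash allowlist the page recommends.

    The allowlist is consulted only after a positive match, so a reviewed
    file is suppressed by its exact content hash and not by where it lives.
    """
    result = scan(data)
    if not result["matched"]:
        return "no match"
    if sha256_hex(data) in allowlist:
        return "match suppressed (allowlisted hash)"
    return "ALERT"


def run(allowlist=frozenset()):
    """Triage every constructed sample; returns {path: verdict}."""
    return {path: triage(data, allowlist) for path, data in SAMPLES.items()}


if __name__ == "__main__":
    for path, verdict in run().items():
        print(f"{verdict:40s} {path}")
```

Running it shows the benign MixText.py under /opt/log-processing producing no match, the renamed file under /tmp/.cache raising an alert, and the edge case with the string glued to a letter being rejected by the fullword check; passing the alert file's SHA-256 in `allowlist` turns that alert into a suppressed match without touching the other verdicts.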