The networkProfiler_orderScans.sh script may be used by adversaries to gather network information and identify potential targets within the environment. SOC teams should proactively hunt for this behavior to detect early-stage reconnaissance activities associated with the EQGRP toolset in their Azure Sentinel environment.
YARA Rule
rule EQGRP_networkProfiler_orderScans
{
    meta:
        description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898"
    strings:
        $x1 = "Unable to save off predefinedScans directory" fullword ascii
        $x2 = "Re-orders the networkProfiler scans so they show up in order in the LP" fullword ascii
    condition:
        1 of them
}
This rule contains 2 string patterns in its detection logic; its condition, 1 of them, fires when either string is present in the scanned file. The YARA rule can be deployed in the following contexts, each with a suggested filter or exclusion for expected activity:
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job runs the networkProfiler_orderScans.sh script as part of a routine infrastructure update.
Filter/Exclusion: Check for the presence of a scheduled job identifier (e.g., cron job with @daily or @weekly), or filter by user (e.g., root or system account) and check for known maintenance scripts in /etc/cron.d/ or /var/spool/cron/.
Scenario: Admin Task to Order Network Scans
Description: A network administrator manually executes the script to order scans as part of a network assessment or security audit.
Filter/Exclusion: Filter by user (e.g., admin or network_ops) and check for the presence of a task description in the command line (e.g., --dry-run or --audit-mode).
Scenario: CI/CD Pipeline Execution
Description: The script is part of a CI/CD pipeline that automates network profiling as part of a security testing workflow.
Filter/Exclusion: Check for environment variables like CI=true or GITHUB_ACTIONS=true, or filter by the execution context (e.g., docker, kubernetes, or jenkins).
Scenario: Third-Party Tool Integration
Description: The script is used by a third-party tool (e.g., Nessus, OpenVAS, or Qualys) to coordinate network scans as part of a security monitoring setup.
Filter/Exclusion: Filter by the presence of known third-party tool identifiers in the command line or environment variables (e.g., QUALYS_TOKEN, NESSUS_HOST).
Scenario: Legacy Script Retention
Description: The script is retained
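The following Python is an added illustration, not part of the original page or of the rule author's tooling. It re-implements the rule's two fullword ascii strings and its 1 of them condition in plain Python (YARA itself is not required), then applies the scenario filters listed above to a constructed process-execution event so that an analyst can see which scenario, if any, an alert falls into. The ExecEvent shape, the allow-listed users, the sample script bytes and the labels returned by classify are assumptions made for this example; anything not matched by a listed filter is returned as "investigate".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The two strings from the EQGRP_networkProfiler_orderScans rule, as given on the page.
RULE_STRINGS = {
    "$x1": b"Unable to save off predefinedScans directory",
    "$x2": b"Re-orders the networkProfiler scans so they show up in order in the LP",
}


def _fullword_pattern(s: bytes) -> "re.Pattern[bytes]":
    # YARA 'fullword': the match must not be preceded or followed by an alphanumeric byte.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword_pattern(s) for name, s in RULE_STRINGS.items()}


def match_rule(data: bytes) -> List[str]:
    """Return the identifiers of rule strings found in data, in rule order."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def rule_fires(data: bytes) -> bool:
    """Condition '1 of them': true when at least one of the strings is present."""
    return len(match_rule(data)) >= 1


# Constructed sample inputs (not real samples): one file containing $x2, one benign file.
SAMPLE_SCRIPT = (
    b"#!/bin/bash\n"
    b"# Re-orders the networkProfiler scans so they show up in order in the LP\n"
    b"cd predefinedScans || exit 1\n"
)
BENIGN_SCRIPT = b"#!/bin/bash\nls -l /var/log\n"


@dataclass
class ExecEvent:
    """Assumed shape of a process-execution record joined to the file match."""
    user: str
    cmdline: str
    env: Dict[str, str] = field(default_factory=dict)
    parent_path: str = ""  # e.g. a crontab file under /etc/cron.d/ for the scheduled-job scenario


# Filters taken from the scenarios above; the user allow-list is an assumption.
CRON_PATHS = ("/etc/cron.d/", "/var/spool/cron/")
CI_ENV_MARKERS = {"CI": "true", "GITHUB_ACTIONS": "true"}
THIRD_PARTY_ENV = {"QUALYS_TOKEN", "NESSUS_HOST"}
ADMIN_USERS = {"admin", "network_ops"}
ADMIN_FLAGS = ("--dry-run", "--audit-mode")


def classify(event: ExecEvent) -> str:
    """Map an event to the first matching scenario, or 'investigate' if none applies."""
    if event.parent_path.startswith(CRON_PATHS) or "@daily" in event.cmdline or "@weekly" in event.cmdline:
        return "scheduled-maintenance"
    if any(event.env.get(k) == v for k, v in CI_ENV_MARKERS.items()):
        return "ci-pipeline"
    if THIRD_PARTY_ENV & set(event.env):
        return "third-party-tool"
    if event.user in ADMIN_USERS and any(flag in event.cmdline for flag in ADMIN_FLAGS):
        return "admin-task"
    return "investigate"


def triage(data: bytes, event: ExecEvent) -> str:
    """Combine the file match with the execution context: no match means no alert at all."""
    if not rule_fires(data):
        return "no-match"
    return classify(event)


if __name__ == "__main__":
    print(match_rule(SAMPLE_SCRIPT))
    print(triage(SAMPLE_SCRIPT, ExecEvent(user="jdoe", cmdline="bash networkProfiler_orderScans.sh")))
    print(triage(SAMPLE_SCRIPT, ExecEvent(user="build", cmdline="./run.sh", env={"CI": "true"})))
```

The scenario labels only reduce alert volume; they do not change the file verdict, which is why triage checks the rule first and returns "investigate" for any execution context the listed filters do not explain.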