EQGRP Toolset Firewall - file tunnel_state_reader

Hunt Hypothesis

The tunnel_state_reader file may indicate the presence of the EQGRP toolset, which is used to establish covert communication channels through firewalls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration activities that evade traditional network defenses.

YARA Rule

rule EQGRP_tunnel_state_reader 
{

    meta:
        description = "EQGRP Toolset Firewall - file tunnel_state_reader"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c"

    strings:
        $s1 = "Active connections will be maintained for this tunnel. Timeout:" fullword ascii
        $s5 = "%s: compatible with BLATSTING version 1.2" fullword ascii

    condition:
        1 of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Scheduled Job for Tunnel State Monitoring
  Description: A legitimate scheduled job runs the tunnel_state_reader script as part of routine network monitoring or maintenance.
  Filter/Exclusion: Check for process.parent_process_name = "task scheduler" or process.command_line contains "scheduled" or "cron".

• Scenario: Admin Task to Debug Firewall Configuration
  Description: An administrator manually runs the tunnel_state_reader to troubleshoot or verify firewall tunnel states during a configuration review.
  Filter/Exclusion: Filter by process.user = "admin" or process.user = "root" and check for command_line contains "debug" or "verify".

• Scenario: Log Analysis Tool Processing Firewall Logs
  Description: A log analysis tool like Splunk or ELK Stack processes logs and invokes the tunnel_state_reader script to parse or analyze firewall state data.
  Filter/Exclusion: Check for process.parent_process_name = "splunkd" or "java" (ELK) or process.command_line contains "log" or "analyze".

• Scenario: Posture Assessment Tool Integration
  Description: A security posture assessment tool such as Tenable.io or Qualys uses the tunnel_state_reader to gather firewall state information for compliance checks.
  Filter/Exclusion: Filter by process.parent_process_name = "tenable" or "qualys" or process.command_line contains "assessment" or "compliance".

• Scenario: Automated Network Health Check
  Description: A network health check tool like PRTG or SolarWinds runs the tunnel_state_reader as part of an automated health monitoring routine.
  Filter/Exclusion: Check for `process.parent_process_name = “pr