Equation Group C2 Communication

 1title: Equation Group C2 Communication
 2id: 881834a4-6659-4773-821e-1c151789d873
 3status: test
 4description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
 5references:
 6    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
 7    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
 8author: Florian Roth (Nextron Systems)
 9date: 2017-04-15
10modified: 2021-11-27
11tags:
12    - attack.command-and-control
13    - attack.g0020
14    - attack.t1041
15    - detection.emerging-threats
16logsource:
17    category: firewall
18detection:
19    selection:
20        - dst_ip:
21              - '69.42.98.86'
22              - '89.185.234.145'
23        - src_ip:
24              - '69.42.98.86'
25              - '89.185.234.145'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

• https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

  
  Read More

• ShadowBrokers: The NSA compromised the SWIFT Network

  

  This is by far, the most interesting release from Shadow Brokers as it does not only contain tools — but also materials describing the most…

  
  Read More

Related rules

• Potential Operation Triangulation C2 Beaconing Activity - DNS
• Potential Operation Triangulation C2 Beaconing Activity - Proxy
• DPRK Threat Actor - C2 Communication DNS Indicators
• Devil Bait Potential C2 Communication Traffic
• Equation Group DLL_U Export Function Load