Equation Group C2 Communication

Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools

Sigma rule

title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.g0020
    - attack.t1041
    - detection.emerging-threats
logsource:
    category: firewall
detection:
    selection:
        - dst_ip:
              - '69.42.98.86'
              - '89.185.234.145'
        - src_ip:
              - '69.42.98.86'
              - '89.185.234.145'
    condition: selection
falsepositives:
    - Unknown
level: high
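As an added example that is not part of this rule page or the Sigma project's own code, the Python below evaluates the rule's selection block over constructed firewall records. It shows the Sigma semantics the rule relies on: the two mappings listed under selection are OR-ed, and the values listed under each field are OR-ed, so a record fires when either endpoint equals one of the two listed addresses. The field names dst_ip and src_ip and the two IP addresses come from the rule; the sample records and the helper functions are assumptions.

```python
# Added example: evaluates this rule's `selection` block with Sigma's
# list semantics over constructed firewall records. The two addresses
# are the ones from the rule; the records below are constructed data.

# Indicator values copied from the rule.
C2_IPS = ["69.42.98.86", "89.185.234.145"]

# A list of mappings under `selection` is OR-ed in Sigma, and a list of
# values under one field is also OR-ed, so this selection reads:
#   (dst_ip in C2_IPS) OR (src_ip in C2_IPS)
SELECTION = [
    {"dst_ip": C2_IPS},
    {"src_ip": C2_IPS},
]


def mapping_matches(mapping: dict, event: dict) -> bool:
    """Every field in one mapping must match (AND); a list of values
    for a field matches when any value equals the event's field (OR)."""
    for field, values in mapping.items():
        if not isinstance(values, list):
            values = [values]
        if event.get(field) not in values:
            return False
    return True


def selection_matches(selection: list, event: dict) -> bool:
    """A list of mappings matches when any single mapping matches (OR)."""
    return any(mapping_matches(m, event) for m in selection)


def matching_events(events: list) -> list:
    """Return the records that satisfy `condition: selection`."""
    return [e for e in events if selection_matches(SELECTION, e)]


# Constructed firewall records (assumed generic field layout).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "69.42.98.86", "dst_port": 443},     # hit on dst_ip
    {"src_ip": "89.185.234.145", "dst_ip": "10.0.0.9", "dst_port": 22},   # hit on src_ip
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "dst_port": 443},   # no hit
    {"src_ip": "10.0.0.7", "dst_ip": "69.42.98.87", "dst_port": 443},     # near miss: exact match only
]

if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT (level: high) Equation Group C2 Communication:", hit)
```

The near-miss record illustrates that the rule performs exact equality on the address, so a neighbouring host in the same range does not trigger it.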
