Equation Group C2 Communication
Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
Sigma rule
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017/04/15
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.g0020
    - attack.t1041
    - detection.emerging_threats
logsource:
    category: firewall
detection:
    selection:
        - dst_ip:
            - '69.42.98.86'
            - '89.185.234.145'
        - src_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    condition: selection
falsepositives:
    - Unknown
level: high
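The rule's selection is a list of two maps, which Sigma evaluates as an OR: an event matches when its dst_ip is one of the listed addresses, or its src_ip is. The following evaluator is an added example, not code from the rule page or from the Sigma project; it implements only the subset of Sigma matching semantics this rule uses (a list of maps under a selection is OR-ed, a list of values for one field is OR-ed, several fields in one map are AND-ed, and the condition is a single selection name), and runs it over a few firewall events constructed here for illustration.

```python
"""Evaluate the rule's `selection` block against constructed firewall events.

Added example, not part of the rule page or the Sigma project. Assumes
firewall events are dicts carrying the Sigma field names src_ip / dst_ip.
"""
from typing import Any, Dict, List

# The detection block of the rule above, transcribed from its YAML.
DETECTION: Dict[str, Any] = {
    "selection": [
        {"dst_ip": ["69.42.98.86", "89.185.234.145"]},
        {"src_ip": ["69.42.98.86", "89.185.234.145"]},
    ],
    "condition": "selection",
}

# Constructed sample events (not real traffic). Event 4 carries a prefix of
# an indicator address to show that matching is exact, not substring-based.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "src_ip": "10.0.0.12", "dst_ip": "69.42.98.86", "dst_port": 443},
    {"id": 2, "src_ip": "10.0.0.15", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"id": 3, "src_ip": "89.185.234.145", "dst_ip": "10.0.0.7", "dst_port": 22},
    {"id": 4, "src_ip": "10.0.0.9", "dst_ip": "69.42.98.8", "dst_port": 80},
]


def _field_matches(value: Any, expected: Any) -> bool:
    """A list of expected values is an OR; a scalar must match exactly."""
    if isinstance(expected, list):
        return any(_field_matches(value, e) for e in expected)
    return value is not None and str(value) == str(expected)


def _map_matches(event: Dict[str, Any], fields: Dict[str, Any]) -> bool:
    """Every field inside one map must match (AND)."""
    return all(_field_matches(event.get(f), exp) for f, exp in fields.items())


def selection_matches(event: Dict[str, Any], selection: Any) -> bool:
    """A list of maps is OR-ed; a single map is evaluated directly."""
    if isinstance(selection, list):
        return any(_map_matches(event, m) for m in selection)
    return _map_matches(event, selection)


def rule_matches(event: Dict[str, Any], detection: Dict[str, Any] = DETECTION) -> bool:
    """This rule's condition is just one selection name, so look it up and
    evaluate it; boolean condition expressions are out of scope here."""
    cond = detection["condition"].strip()
    return selection_matches(event, detection[cond])


def matching_event_ids(events: List[Dict[str, Any]] = SAMPLE_EVENTS,
                       detection: Dict[str, Any] = DETECTION) -> List[int]:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e, detection)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if rule_matches(e) else "ok")
```

Events 1 (outbound to an indicator) and 3 (inbound from an indicator) fire; event 4 does not, because Sigma compares the whole value and '69.42.98.8' is not '69.42.98.86'. A real pipeline would feed the evaluator parsed firewall records instead of the constructed list, and the "Unknown" false-positive entry is a reminder that any hit still needs confirmation that the address has not since been reassigned.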