Emerging Threathightest

Equation Group C2 Communication

Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sat Apr 15Updated Sat Nov 27881834a4-6659-4773-821e-1c151789d8732017

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Firewall

CategoryFirewall← raw: firewall

Detection Logic

detection:
    selection:
        - dst_ip:
              - '69.42.98.86'
              - '89.185.234.145'
        - src_ip:
              - '69.42.98.86'
              - '89.185.234.145'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0010 · Exfiltration TA0011 · Command and Control

Techniques

T1041 · Exfiltration Over C2 Channel

Groups

G0020 · G0020

Other

detection.emerging-threats

Rule Metadata

Rule ID

881834a4-6659-4773-821e-1c151789d873

Status

test

Level

high

Type

Emerging Threat

Created

Sat Apr 15

Modified

Sat Nov 27

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml

Raw Tags

attack.exfiltrationattack.command-and-controlattack.g0020attack.t1041detection.emerging-threats

View on GitHub