security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml
T
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00

30 lines
860 B
YAML
Executable File
Raw Blame History

title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017/04/15
modified: 2021/11/27
tags:
- attack.command_and_control
- attack.g0020
- attack.t1041
logsource:
category: firewall
detection:
select_outgoing:
dst_ip:
- '69.42.98.86'
- '89.185.234.145'
select_incoming:
src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: 1 of select*
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink