It appears the following rule has incorrect AND logic in it for detecting communication to Equation Group C2:
- Rule: Communication to EquationGroup C2 Tools
- Content Extension: IBM Security QRadar Techniques for Turla Content Extension
The source of this rule: https://detection.fyi/sigmahq/sigma/network/firewall/net_firewall_apt_equationgroup_c2/
The Sigma Code:
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017/04/15
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.g0020
    - attack.t1041
logsource:
    category: firewall
detection:
    select_outgoing:
        dst_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    select_incoming:
        src_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    condition: 1 of select*
falsepositives:
    - Unknown
level: high
The QRadar logic built for the rule:
APPLY Communication to EquationGroup C2 Tools on events which are detected by the LOCAL system
AND when an event matches any of the following BB:DeviceDefinition: Operating System
AND when the destination IP is one of the following 69.42.98.86, 89.185.234.145
AND when the source IP is one of the following 69.42.98.86, 89.185.234.145
The logic of this rule should be updated to:
AND when the destination IP or source IP is one of the following 69.42.98.86, 89.185.234.145
------------------------------
Adam McDonald
------------------------------
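As an added example (not part of the post, SigmaHQ or the IBM content extension), a small Python evaluator for the rule's detection block, assuming firewall events are dicts with src_ip and dst_ip fields: it shows that "1 of select*" fires when either selection matches, while an AND chain equivalent to "all of select*" only fires when both do.

```python
# Added example (not from the original post, SigmaHQ or IBM): a minimal evaluator for the
# detection block of the Sigma rule above, showing why "1 of select*" must become OR, not AND.

from fnmatch import fnmatch

# Detection block transcribed from the Sigma rule in the post
DETECTION = {
    "select_outgoing": {"dst_ip": ["69.42.98.86", "89.185.234.145"]},
    "select_incoming": {"src_ip": ["69.42.98.86", "89.185.234.145"]},
}

def selection_matches(selection, event):
    """Sigma selection semantics: every field must match; a list of values is OR-ed."""
    for field, values in selection.items():
        if not isinstance(values, list):
            values = [values]
        if event.get(field) not in values:
            return False
    return True

def evaluate(condition, detection, event):
    """Supports the '1 of <pattern>' and 'all of <pattern>' forms of a Sigma condition."""
    quantifier, _, pattern = condition.split(" ", 2)
    names = [n for n in detection if fnmatch(n, pattern)]
    results = [selection_matches(detection[n], event) for n in names]
    if quantifier == "1":
        return any(results)          # correct for this rule: dst_ip OR src_ip
    if quantifier == "all":
        return all(results)          # what the QRadar AND chain actually implements
    raise ValueError(f"unsupported condition: {condition}")

# Constructed firewall events (not real traffic)
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "69.42.98.86"},        # outbound to C2
    {"src_ip": "89.185.234.145", "dst_ip": "10.0.0.5"},     # inbound from C2
    {"src_ip": "10.0.0.5", "dst_ip": "8.8.8.8"},            # benign
]

def missed_by_and_translation(events):
    """Events the Sigma rule ('1 of select*') fires on but an AND ('all of') chain drops."""
    return [e for e in events
            if evaluate("1 of select*", DETECTION, e)
            and not evaluate("all of select*", DETECTION, e)]

if __name__ == "__main__":
    print(missed_by_and_translation(SAMPLE_EVENTS))   # both C2 events are missed by AND logic
```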