IBM Security QRadar


Incorrect rule logic in one of the Turla content pack rules for QRadar.

  • 1.  Incorrect rule logic in one of the Turla content pack rules for QRadar.

    Posted Thu September 21, 2023 01:33 PM

    It appears the following rule has incorrect AND logic in it for detecting communication to Equation Group C2:

    • Rule: Communication to EquationGroup C2 Tools
    • Content Extension: IBM Security QRadar Techniques for Turla Content Extension

    The source of this rule:  https://detection.fyi/sigmahq/sigma/network/firewall/net_firewall_apt_equationgroup_c2/

    The Sigma Code:

    title: Equation Group C2 Communication
    id: 881834a4-6659-4773-821e-1c151789d873
    status: test
    description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
    references:
        - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
        - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
    author: Florian Roth (Nextron Systems)
    date: 2017/04/15
    modified: 2021/11/27
    tags:
        - attack.command_and_control
        - attack.g0020
        - attack.t1041
    logsource:
        category: firewall
    detection:
        select_outgoing:
            dst_ip:
                - '69.42.98.86'
                - '89.185.234.145'
        select_incoming:
            src_ip:
                - '69.42.98.86'
                - '89.185.234.145'
        condition: 1 of select*
    falsepositives:
        - Unknown
    level: high

    The QRadar logic built for the rule:

    APPLY Communication to EquationGroup C2 Tools on events which are detected by the LOCAL system
    AND when an event matches any of the following BB:DeviceDefinition: Operating System
    AND when the destination IP is one of the following 69.42.98.86, 89.185.234.145
    AND when the source IP is one of the following 69.42.98.86, 89.185.234.145

    The logic of this rule should be updated to:

    AND when the destination IP or source IP is one of the following 69.42.98.86, 89.185.234.145



    ------------------------------
    Adam McDonald
    ------------------------------
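The difference between the Sigma condition and the content pack's test chain, as an added example that is not part of the forum thread or IBM's content extension: it evaluates both forms of the rule over constructed firewall events (the IP list is the one quoted from the Sigma rule) and shows that the AND version can only fire on traffic between the two C2 addresses themselves, which a perimeter firewall would not log.

```python
# Added example (not from the post or from IBM's content pack): evaluates the
# Sigma rule's `1 of select*` condition and the shipped AND logic over
# constructed firewall events, to show why the AND version cannot fire.
from typing import Callable

# IP list taken from the Sigma rule quoted in the post.
C2_IPS = {"69.42.98.86", "89.185.234.145"}


def select_outgoing(event: dict) -> bool:
    """Sigma selection: destination IP is a listed C2 address."""
    return event.get("dst_ip") in C2_IPS


def select_incoming(event: dict) -> bool:
    """Sigma selection: source IP is a listed C2 address."""
    return event.get("src_ip") in C2_IPS


def sigma_condition(event: dict) -> bool:
    """`condition: 1 of select*` -> at least one selection matches (OR)."""
    return any(sel(event) for sel in (select_outgoing, select_incoming))


def qradar_as_shipped(event: dict) -> bool:
    """The content pack's test chain: both IP tests joined with AND."""
    return select_outgoing(event) and select_incoming(event)


def qradar_corrected(event: dict) -> bool:
    """Proposed fix: destination IP OR source IP is in the list."""
    return select_outgoing(event) or select_incoming(event)


# Constructed sample firewall events (not real traffic).
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "69.42.98.86"},     # outbound to C2
    {"src_ip": "89.185.234.145", "dst_ip": "10.0.0.5"},  # inbound from C2
    {"src_ip": "10.0.0.5", "dst_ip": "93.184.216.34"},   # benign
]


def evaluate(rule: Callable[[dict], bool]) -> list[bool]:
    """Apply one rule function to every sample event."""
    return [rule(e) for e in EVENTS]


if __name__ == "__main__":
    for name, rule in [("sigma", sigma_condition), ("shipped", qradar_as_shipped),
                       ("fixed", qradar_corrected)]:
        print(f"{name:8s} {evaluate(rule)}")
```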


  • 2.  RE: Incorrect rule logic in one of the Turla content pack rules for QRadar.

    Posted Fri September 29, 2023 09:25 AM

    This should probably be logged Adam, if you haven't already done so. If needed, let me know and I can log this issue to ensure it is reviewed.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Incorrect rule logic in one of the Turla content pack rules for QRadar.
    Best Answer

    Posted Fri September 29, 2023 11:39 AM

    It is confirmed that this issue is reported and logged by IBM to an existing defect. Users who experience this issue can update their rule as discussed in this forum thread, but an official bug is logged to update the rule logic. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------