It appears the following rule has incorrect AND logic in it for detecting communication to Equation Group C2:
The source of this rule: https://detection.fyi/sigmahq/sigma/network/firewall/net_firewall_apt_equationgroup_c2/
The Sigma Code:
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017/04/15
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.g0020
    - attack.t1041
logsource:
    category: firewall
detection:
    select_outgoing:
        dst_ip:
            - '126.96.36.199'
            - '188.8.131.52'
    select_incoming:
        src_ip:
            - '184.108.40.206'
            - '220.127.116.11'
    condition: 1 of select*
falsepositives:
    - Unknown
level: high
The QRadar logic built for the rule:
APPLY Communication to EquationGroup C2 Tools on events which are detected by the LOCAL system
AND when an event matches any of the following BB:DeviceDefinition: Operating System
AND when the destination IP is one of the following 18.104.22.168, 22.214.171.124
AND when the source IP is one of the following 126.96.36.199, 188.8.131.52
The logic of this rule should be updated to:
AND when the destination IP or source IP is one of the following 184.108.40.206, 220.127.116.11
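To make the logic difference concrete, here is an added example (not from this thread, SigmaHQ or QRadar) that evaluates the rule's detection block two ways: with the Sigma `1 of select*` semantics (any matching selection fires) and with the AND-of-selections logic the QRadar rule currently has. The event records are constructed; the field names and the evaluator are assumptions for illustration.

```python
import re

# Detection block from the Sigma rule above, expressed as plain data.
DETECTION = {
    "select_outgoing": {"dst_ip": ["126.96.36.199", "188.8.131.52"]},
    "select_incoming": {"src_ip": ["184.108.40.206", "220.127.116.11"]},
    "condition": "1 of select*",
}


def selection_matches(selection: dict, event: dict) -> bool:
    """A selection matches when every field in it matches; list values are OR'd."""
    return all(event.get(field) in values for field, values in selection.items())


def evaluate_sigma(detection: dict, event: dict) -> bool:
    """Sigma '1 of <glob>' condition: fire if ANY selection matching the glob matches."""
    glob = re.fullmatch(r"1 of (\S+)", detection["condition"]).group(1)
    pattern = re.escape(glob).replace(r"\*", ".*")
    names = [n for n in detection if n != "condition" and re.fullmatch(pattern, n)]
    return any(selection_matches(detection[n], event) for n in names)


def evaluate_and_translation(detection: dict, event: dict) -> bool:
    """The faulty translation: EVERY selection must match (AND), which a single
    firewall event (one direction of traffic) almost never satisfies."""
    names = [n for n in detection if n != "condition"]
    return all(selection_matches(detection[n], event) for n in names)


# Constructed firewall events, not real traffic; IPs taken from the rule above.
EVENTS = [
    {"name": "outbound", "src_ip": "10.0.0.5", "dst_ip": "126.96.36.199"},
    {"name": "inbound", "src_ip": "220.127.116.11", "dst_ip": "10.0.0.5"},
    {"name": "benign", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"},
]


def compare() -> dict:
    """Return {event name: (Sigma result, AND-translation result)}."""
    return {e["name"]: (evaluate_sigma(DETECTION, e),
                        evaluate_and_translation(DETECTION, e)) for e in EVENTS}


if __name__ == "__main__":
    for name, (sigma, and_logic) in compare().items():
        print(f"{name:9s} sigma={sigma} and_translation={and_logic}")
```

Both C2-related events fire under the Sigma semantics but neither fires under the AND translation, which is the gap the proposed OR rewrite closes.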
This should probably be logged Adam, if you haven't already done so. If needed, let me know and I can log this issue to ensure it is reviewed.
It is confirmed that this issue is reported and logged by IBM to an existing defect. Users who experience this issue can update their rule as discussed in this forum thread, but an official bug is logged to update the rule logic.