Equation Group C2 Communication

Detects communication to or from the C2 servers mentioned in the operational notes of the ShadowBrokers leak of Equation Group C2 tools. The rule fires on firewall events in which either listed IP address appears as the destination (outgoing) or the source (incoming).

Rule Content

- title: Equation Group C2 Communication
  id: 881834a4-6659-4773-821e-1c151789d873
  description: Detects communication to C2 servers mentioned in the operational notes
    of the ShadowBroker leak of EquationGroup C2 tools
  references:
  - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
  - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
  tags:
  - attack.command_and_control
  - attack.g0020
  author: Florian Roth
  logsource:
    category: firewall
    product: null
    service: null
  detection:
    outgoing:
      dst_ip:
      - 69.42.98.86
      - 89.185.234.145
    incoming:
      src_ip:
      - 69.42.98.86
      - 89.185.234.145
    condition: 1 of them
  falsepositives:
  - Unknown
  level: high
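To make the detection section above concrete, here is an added example (not part of the Sigma rule or of the HELK notebook) that evaluates the rule's two selections and its `1 of them` condition against a handful of constructed firewall events, and also renders the same detection as the Lucene `query_string` that the notebook cells on this page send to Elasticsearch. The field names `src_ip` and `dst_ip` and the two IP addresses come from the rule; the sample events and the helper functions `selection_matches`, `rule_matches`, `to_query_string` and `find_hits` are this example's own.

```python
# Detection section of the Sigma rule, transcribed from the rule content above.
C2_IPS = ["69.42.98.86", "89.185.234.145"]
DETECTION = {
    "outgoing": {"dst_ip": C2_IPS},   # traffic towards a listed C2 address
    "incoming": {"src_ip": C2_IPS},   # traffic coming from a listed C2 address
}


def selection_matches(selection, event):
    """Sigma selection semantics: every field in the map must match (AND);
    a list of values for one field matches if any value is equal (OR).
    Comparison is exact, so '169.42.98.86' does not match '69.42.98.86'."""
    for field, values in selection.items():
        if not isinstance(values, list):
            values = [values]
        if event.get(field) not in values:
            return False
    return True


def rule_matches(detection, event):
    """'condition: 1 of them' - the rule fires when at least one named
    selection matches the event."""
    selections = [sel for name, sel in detection.items() if name != "condition"]
    return any(selection_matches(sel, event) for sel in selections)


def to_query_string(detection):
    """Render the detection as the Lucene query_string syntax used by the
    Elasticsearch cell on this page: fields joined with AND inside a
    selection, selections joined with OR for '1 of them'."""
    clauses = []
    for name, selection in detection.items():
        if name == "condition":
            continue
        parts = []
        for field, values in selection.items():
            vals = values if isinstance(values, list) else [values]
            quoted = " OR ".join(f'"{v}"' for v in vals)
            parts.append(f"{field}:({quoted})")
        clauses.append(" AND ".join(parts))
    return "(" + " OR ".join(clauses) + ")"


def find_hits(detection, events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if rule_matches(detection, e)]


# Constructed sample firewall events (invented for this example, not from any
# real capture). Only the first two should trigger the rule.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "69.42.98.86", "dst_port": 443, "action": "allow"},     # outgoing to C2
    {"src_ip": "89.185.234.145", "dst_ip": "10.0.0.5", "dst_port": 22, "action": "deny"},    # incoming from C2
    {"src_ip": "10.0.0.5", "dst_ip": "93.184.216.34", "dst_port": 80, "action": "allow"},    # unrelated host
    {"src_ip": "169.42.98.86", "dst_ip": "10.0.0.5", "dst_port": 443, "action": "allow"},    # substring trap, no match
]

if __name__ == "__main__":
    for hit in find_hits(DETECTION, SAMPLE_EVENTS):
        print("HIT", hit)
    print(to_query_string(DETECTION))
```

Two things worth noting. The fourth sample event exists to show that the comparison is an exact match on the whole field; a grep-style substring search on raw log text would also flag `169.42.98.86`, which is one way this kind of IP indicator rule produces false positives. And because the rule matches on the indices' field names, the generated `query_string` only returns results if the firewall logs in `logs-*` really expose the addresses as `src_ip` and `dst_ip`; if they are mapped under other names (for example ECS `source.ip` / `destination.ip`), the query silently returns nothing rather than failing.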

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Lucene query_string form of the rule: either C2 IP as destination (outgoing) or as source (incoming).
s = searchContext.query('query_string', query='(dst_ip:("69.42.98.86" OR "89.185.234.145") OR src_ip:("69.42.98.86" OR "89.185.234.145"))')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))  # scan() pages through all hits, not only the first page
else:
    df = pd.DataFrame()  # keep df defined so the next cell does not raise NameError on a failed query

Show Results


In [ ]:
df.head()