title: Equation Group C2 Communication
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
    - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
    - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
tags:
    - attack.command_and_control
    - attack.g0020
author: Florian Roth
logsource:
    category: firewall
detection:
    outgoing:
        dst_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    incoming:
        src_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    condition: 1 of them
falsepositives:
    - Unknown
level: high