Mal/Polazert-A Removal?

It looks like an encrypted command is being passed to powershell upon startup. I'd recommend using Microsoft Autoruns to see if you can find anything that looks out of the ordinary on the device in question. 

The following video from our TechVids team provides some guidance on what to look out for. 
- Active Malware Remediation

Sophos is stopping the execution of this command whenever it tries to run, though I do recommend trying to take a closer look into this as soon as possible. If no files are being found even when a full system scan is being run, this may indicate that the malware is hiding within the Windows WMI databank. 

What may also provide additional information is gathering a boot Process monitor log. IGuidance on how to do so can be found in the following article.
- Gather system events using Process Monitor

If you're looking for assistance with an RCA, or if you would like hands-on assistance with remediation, the Sophos MTR team would be the best team to assist you.

I took a look at Autorun and Process Explorer. Nothing looked out of the ordinary in Autoruns.

I'm mostly curious why Sophos EP isn't removing the malware and instead only telling me about it. The other product we use for threat detection didn't even see it, but now here we have Sophos showing it to me and not cleaning it up. That's just as frustrating. 

-Mike

Hi, Mj,

Based on further checking the said detection is trojan a type of malware that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes. For our recommendation you can Isolate this device as of now while where under investigation. Also we can see that you have raise a support case for the said detection and more updates will be posted on the case as well. 

Thank you GlennSen for this information, but as stated I am not looking for information on the malware. That was already established from the start.

I want to know why Sophos Intercept X with XDR has not removed the malware. Do I need to use a different vendor to clean the malware?

Isolating the device is not an option. This computer is used daily in a busy dental office. It's already been two days since I opened the support ticket. The only help I am getting is from this forum, no replies to the ticket. With no idea when Sophos will reply and no timeline on when I can expect resolution, I can not leave this computer isolated from the network and unavailable for use.

I hope you can understand the difficult situation your request puts us in and why we can't do so.

-Mike

Sophos support informed me that I will have to pay additional costs to have this malware removed. That was their final answer.

-Mike

Hmm, here is an example that might help. 

If I create a scheduled task to run powershell.exe with a command line argument that is an AMSI bypass I get an alert at the endpoint:

All there is at the client to remove is the scheduled task.  There is nothing else to delete, powershell.exe is good.

So what do we have in Sophos Central to work with to help...

The threat graph gives us a little info:

In the details of the alert, from the Events view in Central there is a little more info:

So we know the PID of the Powershell.exe process that ran and we know the parent PID.

One option at this point is to run an endpoint query for PowerShell commands run on the computer, this could be a quick way to locate it as we know the time it ran.

"List and decode PowerShell commands"

from the SophosPID I can pivot to "Process tree for a Sophos PID (Windows)"

This shows me the process tree.  I can see from this that the process that launched the PowerShell.exe process of interest was a svchost process.  From the command line I can see this svchost was running the Schedule service.

So I know now that this was probably launched from a scheduled task.

There is a query for Scheduled tasks, called "Scheduled tasks", here it is:

So I now know that there is a scheduled task called ps that runs this command.

To "clean" this computer and stop this alert, I just need to delete this scheduled task. I can do this from Live Response.

Check the tasks to be sure:

Delete the task.

I hope this helps offer some options for you to resolve the computer remotely.

The computer could also be off to discover most of this as this level of detail is in the data lake. It would of course need to be on to delete the scheduled task.

Thank you Sophos User930. This interface is new to me, but I was able to work through those steps.

I wasn't able to find a scheduled task in those queries, but I did find the PowerShell command it was running:

However, this Polazert appears to be up to other nefarious activities other than a scheduled task. See this screenshot:

The details of the PowerShell command provide the path to the files it is executing. I feel that if I remove these temp files and other files it is calling, it will remove Polazert from the system.

Do you think there is anything I am missing?

-Mike

Hi Mike,

Well the Powershell.exe process of interest is launched from Explorer.exe when op05 logs in:

Note: The other csc.exe and cvtres.exe is part of the .NET code in the PS command being "compiled" as the script runs. No need to worry about these for a minute, as soon as you can prevent the Powershell process from running, these will not get launched.

The main thing is to know how Explorer.exe is launching this process as this is the "persistence".

The first query I would run to try and find this Powershell.exe process start-up location is:

"Applications in the startup section of the registry"

This covers your standard "run" keys, "runonce" keys and start-up folders.  There might be multiple pages so you could always export the data to a CSV and view it in Excel.  The Export link is at the top right of the results.

An entry here would generate a child process of Explorer so it's a good place to start.

Can you see the Powershell.exe entry?

If so, we can use Live Reponse to delete the startup entry.

The previous suggestion to run Autoruns is a good one.  You can potentially do this over Live Response using the command line version of Autoruns.

See: Autoruns for Windows - Windows Sysinternals | Microsoft Docs for info on possible switches, but as a starting point, in the remote command prompt from Live Response you can run:

powershell

This will get you a PowerShell prompt rather than just CMD.

Then create a new working directory called C:\Autoruns by running:

New-Item -Path "c:\" -Name "Autoruns" -ItemType "directory"

Enter the directory using CD:

cd \Autoruns\

You can download Autoruns on the command line using the Invoke-WebRequest cmdlet:

Invoke-WebRequest live.sysinternals.com/autorunsc64.exe -UseBasicParsing -OutFile autorunsc64.exe

The URL got converted to a link so above is an image of the command.

This should put the file in C:\autoruns\autorunsc64.exe

You can run it with the command:

&"./autorunsc64.exe" /accepteula

By default this will print some standard start-up locations back to the screen.

You can use the /a switch to expand the search. You may want to log this to a file:

&"./autorunsc64.exe" /a * > all.txt

You can then run:

more all.txt

to step through the file or run:

Select-String .\all.txt -Pattern "powershell.exe"

to see if you can see a line containing Powershell.exe for example.

Beyond this, if I had the computer in front of me, I would probably disconnect it from the network.  Run Process Monitor Process Monitor - Windows Sysinternals | Microsoft Docs and capture a boot trace.

Then open the boot trace, find where Powershell.exe is launched by Explorer. The Process Tree view will help locate it.

For the CreateProcess Event from Explorer.exe, check the stack, with Symbols loaded to find if there is a module making the CreateProcess API call or whatever the API call is to launch the powershell.exe process.  This could help.  If not, from that point, just work up the trace to see how it got called.

Hope it helps.

Thank you Sophos User930. You have definitely been very helpful to me, thank you for taking the time from your schedule to assist me.

I haven't had a chance to run all of these commands, but I found this in Autorun, and removed it from the startup folder, the registry, as well as all the temp files and folders for this user account:

Both PC's are online. I am several hundred miles away from them, but it may be possible to arrange a site visit with one of our local resources if this malware persists. So far since I removed this entry, Sophos has not been detecting any malware on the PC.

I still want to complete the rest of the steps you provided so I can be sure it's gone.

I also found the malicious MSI file that I believe introduced this malware to the PC, delete it so the user doesn't open it again, but kept a copy for myself, but I do not have a sandbox or test environment to run it.

-Mike

I forgot to add, this one was easier to find since this PC does not have an NVIDIA video card. That entry looked wrong right as soon as I saw it.

-Mike

This is great, glad you may have found a persistence entry.  That is certainly the idea.

As for the MSI, I would start with uploading it to Virus Total:

VirusTotal - Home

If you can paste back the URL, I'd be interested to see the results of the vendors.

Other than that, message back if you need any further assistance.  Not sure if you're able to provide the full command line argument in the PowerShell command.  I'd be happy to work out what it actually did/does.

This is great, glad you may have found a persistence entry.  That is certainly the idea.

As for the MSI, I would start with uploading it to Virus Total:

VirusTotal - Home

If you can paste back the URL, I'd be interested to see the results of the vendors.

Other than that, message back if you need any further assistance.  Not sure if you're able to provide the full command line argument in the PowerShell command.  I'd be happy to work out what it actually did/does.

One MSI: https://www.virustotal.com/gui/file/1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71

This one was downloaded as 'Dental-Consent-Form-For-Poor-Prognosis.msi' for one client and as 'Adult-Social-Behavior-Questionnaire.msi' for the second client.

I will work on the PowerShell command in a little bit. I really appreciate your contributions and assistance. Thank you again.

-Mike

Well that's appears to be related to the file lnk file referenced, you showed in Autoruns:

ab3a7c450f6438b0df5a3a34d38c0.LNk

In the VT analysis, on the relations page we see the same file:

VirusTotal - File - 1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71

So that matches up.

I think it would be worth sending in the same file to SophosLabs and see what they say.

FileSubmission (sophos.com)

Sophos User930 I still haven't run that PowerShell command. I am finding that task a little challenging, but I will keep trying.

I submitted the file to Sophos, who provided the following analysis:

As per the SophosLabs team, both zips contain the same sample.

_p5_1 => identity associated (New detection:  Troj/PS-JV)

Decoded.bin => detected as  Mal/Polazert-A 

The endpoints for this client have not detected any further malicious activity, but the ATP log on the firewall continues to receive these alerts which generate emails that I investigate:

We have DNS on the firewall set to Google, which is why we see 8.8.8.8 and 8.8.4.4. Although I am unclear why we aren't seeing that come from the actual attacker.

The 192.168.25.6 address is the domain controller for our client .I have scanned this server multiple times with Sophos, Kaspersky, and SentinelOne. No malware found. Nothing suspicious in Autorun either.

Am I right to assume this is a malicious website trying to contact an endpoint inside the client network and ATP is doing its job by blocking and dropping the traffic as I instructed it to? If so, I suppose there is nothing else I can do at this point besides wait and hope they stop trying?

-Mike

Hi Mike, sorry for the delay.

I see that after hitting re-analyze for that hash: 1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71, on Virus Total - we now have - VirusTotal - Analysing file

Sophos - Troj/Deimos-R

There are still quite a few other vendors that don't detect it, e.g. BitDefender, F-Secure, McAfee, to name a few.

I'm not sure about the DNS request/response seemingly ending up in a C2 detection.

I can understand a malicious process on a client, making a request to fdfdfdf.info for example, this would likely result in a DNS query to the local DNS server, in this case the 192.168.25.6.  This isn't going to be authoritative so will forward on the query to a specified forwarder, which I could image could be Google's DNS.  This results would come back into the local DNS server from Google and trigger the incoming alert on the XG.

So it does seem to suggest there is a host on the inside at least going through the resolution steps prior to making the connection of that .info domain.

I think I would start by trying to understand the client or clients looking up that domain and ideally get back to a process, can you do that from the XG logs I suspect so but I don't know the XG that well.  Maybe it would be worth posting in the XG forum.

I am aware of ways at the endpoint, such as those described here in order to log processes making the connection:

Steps to enable DNS Query Logging on Windows systems (windowsreport.com)

You can enable Sysmon on the endpoints as mentioned above, you can use Sophos Central to centrally query the event logs of Sysmon. For example for Event ID 1 - Process creation the following LiveQuery would work:

SELECT
--strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS Datetime,
JSON_EXTRACT(data, '$.EventData.UtcTime') as UtcTime,
JSON_EXTRACT(data, '$.EventData.ProcessId') as ProcessId,
JSON_EXTRACT(data, '$.EventData.CommandLine') as CommandLine,
JSON_EXTRACT(data, '$.EventData.User') as User,
JSON_EXTRACT(data, '$.EventData.ParentProcessId') as ParentProcessId,
JSON_EXTRACT(data, '$.EventData.ParentCommandLine') as ParentCommandLine,
JSON_EXTRACT(data, '$.EventData.Image') as Image,
JSON_EXTRACT(data, '$.EventData.FileVersion') as FileVersion,
JSON_EXTRACT(data, '$.EventData.Description') as Description,
JSON_EXTRACT(data, '$.EventData.Product') as Product,
JSON_EXTRACT(data, '$.EventData.Company') as Company,
JSON_EXTRACT(data, '$.EventData.OriginalFileName') as OriginalFileName,
JSON_EXTRACT(data, '$.EventData.ProcessGuid') as ProcessGuid ,
JSON_EXTRACT(data, '$.EventData.CurrentDirectory') as CurrentDirectory,
JSON_EXTRACT(data, '$.EventData.LogonGuid') as LogonGuid,
JSON_EXTRACT(data, '$.EventData.LogonId') as LogonId,
JSON_EXTRACT(data, '$.EventData.TerminalSessionId') as TerminalSessionId,
JSON_EXTRACT(data, '$.EventData.IntegrityLevel') as IntegrityLevel,
JSON_EXTRACT(data, '$.EventData.Hashes') as Hashes,
JSON_EXTRACT(data, '$.EventData.ParentProcessGuid') as ParentProcessGuid,
JSON_EXTRACT(data, '$.EventData.ParentImage') as ParentImage
FROM
sophos_windows_events where source = 'Microsoft-Windows-Sysmon/Operational'
and eventid = 1

Just tested it by downloading Sysmon from:

Sysmon - Windows Sysinternals | Microsoft Docs

Put sysmon.exe in C:\tools\ and ran from an admin prompt:

sysmon.exe -c .\sysmon-dns.xml

Where sysmon-dns.xml is a file I created based on sysmon-config/sysmonconfig-export.xml at master · SwiftOnSecurity/sysmon-config · GitHub but just targeting the DNS section. So it's down to:

<Sysmon schemaversion="4.50">
	<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>  
         <EventFiltering>
		<DnsQuery onmatch="exclude">
			<!--Network noise-->
			<QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
			<QueryName condition="end with">.arpa</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
			<QueryName condition="is">..localmachine</QueryName>
			<QueryName condition="is">localhost</QueryName>
			<!--Microsoft-->
			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image> <!--Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection -->
			<!--Microsoft:Office365/AzureAD-->
			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
			<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
			<QueryName condition="end with">.msauth.net</QueryName>
			<QueryName condition="end with">.msftauth.net</QueryName>
			<QueryName condition="end with">.office.net</QueryName> <!--Microsoft: Office-->
			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
			<QueryName condition="end with">.res.office365.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="is">acdc-direct.office.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="is">atm-fp-direct.office.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="is">loki.delve.office.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
			<QueryName condition="is">messaging.office.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
			<QueryName condition="is">protection.outlook.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="is">substrate.office.com</QueryName> <!--Microsoft: Office-->
			<QueryName condition="end with">.measure.office.com</QueryName> <!--Microsoft: Office-->
			<!--3rd-party applications-->
			<QueryName condition="end with">.adobe.com</QueryName> <!--Adobe-->
			<QueryName condition="end with">.adobe.io</QueryName> <!--Adobe-->
			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
			<QueryName condition="end with">.wbx2.com</QueryName> <!--Webex-->
			<QueryName condition="end with">.webex.com</QueryName> <!--Webex-->
			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
			<!--Goodlist CDN-->
			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
			<QueryName condition="end with">.netflix.com</QueryName>
			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
			<QueryName condition="is">ajax.googleapis.com</QueryName>
			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
			<QueryName condition="is">cdnjs.cloudflare.com</QueryName>
			<QueryName condition="end with">.stackassets.com</QueryName> <!--Stack Overflow-->
			<QueryName condition="end with">.steamcontent.com</QueryName>
			<QueryName condition="is">play.google.com</QueryName>
			<QueryName condition="is">content-autofill.googleapis.com</QueryName>
			<!--Web resources-->
			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
			<QueryName condition="end with">.fontawesome.com</QueryName>
			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
			<!--Ads-->
			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
			<QueryName condition="end with">.3lift.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
			<QueryName condition="end with">.adsymptotic.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.agkn.com</QueryName> <!--Ads | [ https://www.home.neustar/privacy ] -->
			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.domdex.com</QueryName>
			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
			<QueryName condition="end with">.everesttech.net</QueryName> <!--Ads | [ https://better.fyi/trackers/everesttech.net/ ] -->
			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielson Marketing Cloud-->
			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.krxd.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.lijit.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.quantcount.com</QueryName>
			<QueryName condition="end with">.quantserve.com</QueryName>
			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.simpli.fi</QueryName>
			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
			<QueryName condition="end with">.tapad.com</QueryName>
			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
			<QueryName condition="is">1rx.io</QueryName> <!--Ads-->
			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
			<QueryName condition="is">www.googletagservices.com</QueryName> <!--Google-->
			<!--SocialNet-->
			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
			<!--OSCP/CRL Common-->
			<QueryName condition="end with">.amazontrust.com</QueryName>
			<QueryName condition="end with">.digicert.com</QueryName>
			<QueryName condition="end with">.globalsign.com</QueryName>
			<QueryName condition="end with">.globalsign.net</QueryName>
			<QueryName condition="end with">.intel.com</QueryName>
			<QueryName condition="end with">.symcb.com</QueryName> <!--Digicert-->
			<QueryName condition="end with">.symcd.com</QueryName> <!--Digicert-->
			<QueryName condition="end with">.thawte.com</QueryName>
			<QueryName condition="end with">.usertrust.com</QueryName>
			<QueryName condition="end with">.verisign.com</QueryName>
			<QueryName condition="end with">ocsp.identrust.com</QueryName>
			<QueryName condition="end with">pki.goog</QueryName>
			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
			<QueryName condition="is">ocsp.comodoca.com</QueryName>
			<QueryName condition="is">ocsp.entrust.net</QueryName>
			<QueryName condition="is">ocsp.godaddy.com</QueryName>
			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
			<QueryName condition="end with">pki.goog</QueryName>
			<QueryName condition="is">ocsp.godaddy.com</QueryName>
			<QueryName condition="end with">amazontrust.com</QueryName>
			<QueryName condition="is">ocsp.sectigo.com</QueryName>
			<QueryName condition="is">pki-goog.l.google.com</QueryName>
			<QueryName condition="end with">.usertrust.com</QueryName>
			<QueryName condition="is">ocsp.comodoca.com</QueryName>
			<QueryName condition="is">ocsp.verisign.com</QueryName>
			<QueryName condition="is">ocsp.entrust.net</QueryName>
			<QueryName condition="end with">ocsp.identrust.com</QueryName>
			<QueryName condition="is">status.rapidssl.com</QueryName>
			<QueryName condition="is">status.thawte.com</QueryName>
			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
		</DnsQuery>


	</EventFiltering>
</Sysmon>

Waited for the computer to generate some data for this in the Sysmon Event log, then in Sophos Central, create a new Live Query with the following:

SELECT
--strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS Datetime,
JSON_EXTRACT(data, '$.EventData.UtcTime') as UtcTime,
JSON_EXTRACT(data, '$.EventData.ProcessId') as ProcessId,
JSON_EXTRACT(data, '$.EventData.QueryName') as QueryName,
JSON_EXTRACT(data, '$.EventData.QueryStatus') as QueryStatus,
JSON_EXTRACT(data, '$.EventData.QueryResults') as QueryResults,
JSON_EXTRACT(data, '$.EventData.Image') as Image,
JSON_EXTRACT(data, '$.EventData.User') as User
FROM
sophos_windows_events where source = 'Microsoft-Windows-Sysmon/Operational'
and eventid = 22

This created a report of the data.

So for a given address, you could either filter for it in the Symon config or filter for it in the LiveQuery query,

E.g. With an added clause in the filter for processes that have made a DNS request for "adservice.google.com" shows MsEdge.exe performed 2 queries for this domain.

Sophos User930

I haven't been able to get Sysmon installed and configured for this office endpoints, but I did notice there is a DNS Client log built into Windows by default now, Microsoft-Windows-DNS-Client/Operational.

I tired enabling that on some PC's and running a variation of the query above, but it always shows me no results. Intercept X and Kaspersky show no infections on any PC in the office.

They have two WiFi SSID's running both from the APX320 and the XG115. Guest is set up as 'Separate Zone' and Private is set up as 'Bridge to AP LAN'. 

DNS on the XG115 is set to Google. Could it be that perhaps someone on the WiFi has an infected device that is creating this traffic? The traffic is still the same as it was in my screenshot a couple weeks ago. It's not everyday, just during the week, during business hours. All office PC's stay on and connected to the internet.

-Mike

The following Live Query query, having enabled the built in operation event log: "Microsoft-Windows-DNS-Client/Operational" works OK.

I have created a string variable called domain, in this example to make editing the domain "external" to the query:

SELECT
datetime, 
JSON_EXTRACT(data, '$.EventData.QueryName') as QueryName,
JSON_EXTRACT(data, '$.EventData.QueryType') as QueryType,
JSON_EXTRACT(data, '$.EventData.DnsServerIpAddress') as DnsServerIpAddress,
JSON_EXTRACT(data, '$.EventData.ClientPID') as ClientPID
FROM
sophos_windows_events where source = 'Microsoft-Windows-DNS-Client/Operational'
and eventid = 3010
and QueryName like '$$domain$$'

This does give a PID but the benefit of Sysmon being it also provides the process. That said, if you're initially just interested in the domain.

I suspect if an application used sockets to construct it's own DNS query rather than using a DNS API then the windows DNS resolver wouldn't see it.

It might be worth you creating a new post in the XG part of the forum. The people there might be better placed to respond on how to approach such alerts.

Thanks.

Hi Sophos User930

I was finally able to visit this again. I can't get Sysmon to work. I ran the query you posted, it worked!

I think the Sysmon tool would be much better. Do you think we could work together to get my Sysmon working please?

-Mike

Hello,

I suppose we can tackle it step by step.

First thing would be to decide how to deploy it, if you're using Live Response as a test I would so as before with autoruns:

1. Type:

Powershell

Enter, to start a PowerShell prompt.

2. Make a temp directory for Sysmon in the root of the C drive, type the following as you're in a PowerShell prompt:

New-Item -Path "c:\" -Name "Sysmon" -ItemType "directory"

3. change to that new directory:

CD \Sysmon

4. Download Sysmon from Sysinternals.com to the same directory, by running:

Invoke-WebRequest live.sysinternals.com/Sysmon.exe -UseBasicParsing -OutFile sysmon.exe

5. Download the config file for logging DNS requests to the directory also. I've copied the above XML into a new Pastebin resource so it's publicly available:

Invoke-WebRequest https://pastebin.com/raw/ve9M84wZ  -OutFile sysmon-config-dns.xml

6. Install Sysmon by running:

&"./sysmon.exe" /accepteula -i

7. Configure it with the config.file downloaded to the same directory:

&"./sysmon.exe" -c .\sysmon-config-dns.xml

8. Optionally, run:
Fltmc.exe 

This will confirm the SymonDrv is running.

At this point you should be able to start running the queries to use the Symon Event log.

Hope it helps.

To make it easier, you could just launch LiveReponse. Run PowerShell.exe to get a PS prompt and then paste:

New-Item -Path "c:\" -Name "Sysmon" -ItemType "directory"
CD \Sysmon
Invoke-WebRequest live.sysinternals.com/Sysmon.exe -UseBasicParsing -OutFile sysmon.exe
Invoke-WebRequest https://pastebin.com/raw/ve9M84wZ  -OutFile sysmon-config-dns.xml
&"./sysmon.exe" /accepteula -i
&"./sysmon.exe" -c .\sysmon-config-dns.xml
Fltmc.exe 

This will carry out all the commands in one go.