
About C2_10a (T1071.001) Detected on the server

The endpoint reports this as malicious behavior, but shouldn't detecting C2 be the purview of IPS? Why is it showing as malicious behavior?

Or is the IPS module already involved?

  • Thank you for reaching out to the community forum.

    Regarding this detection, you may refer to these documents on the detection itself and on how the naming convention for these detections works.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks for your reply. I read the article, and it says the detection is based on behavioral analysis, but isn't C&C detection done by IPS?

    Will behavioral analysis detect network traffic?

  • The behavioral C2 detections are made by our behavioral engine. The behavioral engine draws signals from multiple product components, including file analysis, process activity, script activity, online lookups, and other sources. In this case, the reputation of the URL being looked up would have been a factor in the detection.

    The last section of this knowledgebase article can help you identify more info about the specific detection.
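    To illustrate how a behavioral engine that fuses signals from several components can arrive at a C2-style verdict, here is an added, constructed Python example; it is not Sophos code, and the component names, event shapes, thresholds and the memory-scan response are assumptions modelled on what the reply above describes.

    ```python
    """Toy multi-signal behavioral C2 detection (constructed example).

    Signals from several endpoint components (process, script, URL lookup)
    are correlated per process. A C2-style verdict fires only when repeated
    web-protocol lookups to a low-reputation URL (T1071.001-like) coincide
    with another suspicious signal. As in the thread, the verdict queues a
    memory scan rather than blocking the connection.
    """
    from collections import defaultdict

    # Constructed telemetry: (pid, component, detail). Not real product output.
    EVENTS = [
        (410, "process", "started: powershell.exe -w hidden"),
        (410, "script", "encoded command decoded"),
        (410, "url_lookup", ("http://beacon.example/check", "malicious")),
        (410, "url_lookup", ("http://beacon.example/check", "malicious")),
        (222, "process", "started: chrome.exe"),
        (222, "url_lookup", ("https://www.example.com/", "trusted")),
    ]


    def correlate(events):
        """Group signals per process: pid -> list of (component, detail)."""
        per_pid = defaultdict(list)
        for pid, component, detail in events:
            per_pid[pid].append((component, detail))
        return per_pid


    def c2_verdict(signals, min_lookups=2):
        """Return (fired, response). Fires when a process looks up a
        low-reputation URL at least min_lookups times AND shows at least one
        other suspicious signal (script activity or a hidden process)."""
        bad_lookups = [d for c, d in signals
                       if c == "url_lookup" and d[1] == "malicious"]
        other_signal = any(
            c == "script" or (c == "process" and "hidden" in d)
            for c, d in signals)
        if len(bad_lookups) >= min_lookups and other_signal:
            return True, "memory_scan"  # detection alone does not block traffic
        return False, None


    def evaluate(events=EVENTS):
        """Run the verdict over every process seen in the telemetry."""
        return {pid: c2_verdict(sig) for pid, sig in correlate(events).items()}
    ```

    URL reputation alone never fires here; it is one weighted input, which is why an IPS signature and this kind of endpoint verdict can coexist.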

  • Hello, as mentioned in the article, the detection of C2 will not prevent it but will trigger a memory scan, and if the memory scan determines it to be malicious, it will be cleaned. I am curious: why did C2 not immediately block the connection and prompt? Or, why is C2 not detected? If the memory scan says it is secure, isn't it a successful hack? If you indicate at the C2 connection stage, we can make up the payment even if the memory scan misses it.
