Applies to the following Sophos product(s) and version(s):
Sophos Central Managed Server 1.5.6
Sophos Endpoint Security and Control 10.8.4
Central Windows Endpoint 10.8.2
If a C2 detection alert has been triggered, this means that the Sophos Endpoint has detected communication with a suspected Command and Control (C2) site.
A C2/Generic-B detection will lead to a High Severity Alert under the Overview > Alerts section:
Click on the machine name and, under the Events tab, you can find the detection event:
Any C2 detection requires manual investigation to identify the malicious process or executable and to collect a sample to send to Sophos for further analysis.
If you are a Sophos Central customer, check Endpoint (or Server) Protection > Threat Cases and filter by the machine name. Click on the Threat Case carrying the "C2/Generic-B" label and it will take you to a visual graph similar to the one shown below:
Clicking on the URL icon shows the beacon event. Explorer was identified as the Root Cause, as the Microsoft Scripting Engine wscript.exe was seen communicating with the malicious URL.
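The Threat Case graph answers the question "which process was talking to the suspect address?" from recorded events. When you need to confirm the same thing on the live machine (or the Threat Case view is not available), the following PowerShell does it directly. This is an added example and not part of the Sophos article: it lists established outbound TCP connections with their owning process, image path and Authenticode signature status, and saves a copy for the support case. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later; the output file name is a made-up choice.

```powershell
# Added example, not part of the Sophos article: map established outbound TCP
# connections to their owning process, image path and Authenticode signature
# status, so the process talking to the suspect address can be matched against
# what the Threat Case shows. Assumes an elevated PowerShell session on
# Windows 8 / Server 2012 or later (Get-NetTCPConnection is not on Windows 7).
$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

$report = foreach ($c in $connections) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path       # null for protected/system processes
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        ProcessName   = $proc.ProcessName
        PID           = $c.OwningProcess
        Path          = $path
        Signature     = $sig        # Valid, NotSigned, HashMismatch, ...
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
    }
}

# Unsigned images first, then the script hosts (wscript.exe in the Threat Case
# above, and its console twin cscript.exe), then everything else
$report |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } },
                @{ Expression = { $_.ProcessName -notmatch '^(wscript|cscript)$' } } |
    Format-Table ProcessName, PID, Signature, RemoteAddress, RemotePort, Path -AutoSize

# Keep a copy for the support case (file name is an arbitrary choice)
$report | Export-Csv -Path (Join-Path $env:TEMP 'c2-triage-connections.csv') -NoTypeInformation
```

A "Valid" signature does not clear a process: as the article notes, malware may inject itself into a legitimate signed host such as svchost.exe, in which case the connection will be attributed to that host. Treat the list as a starting point for the sample collection below, not as a verdict.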
This is a simple test to check whether Network Threat Protection (NTP, also known as Malicious Traffic Detection or MTD) is functional, following this KBA: How to check if Sophos Malicious Traffic Detection is working.
If the Root Cause is an executable file that does not look legitimate, please Submit a Sample to Sophos and mention the C2 Threat Reference ID in the Description box.
If a detection is triggered, an alert similar to the following will appear:
Type - Virus/spyware detected
Name - C2/Generic-B
Details - C:\Malware.exe
File "C:\Malware.exe" belongs to virus/spyware 'C2/Generic-B'. Threat ID: 174378266
Many C2 detection alerts will highlight an application which is obviously malicious. However, there are circumstances where a C2 detection may be triggered against a seemingly legitimate application such as 'svchost.exe'. In these cases it is likely that a malicious program has injected itself into that application to avoid detection or to make identification more difficult for IT administrators.
Note: The Technical Support reference number maps to a known malicious URL, which we hide to prevent accidental clicks on it. If you wish to know more about the URL(s)/IP(s) in question, please contact Sophos Support.
In these instances you may wish to contact support for further assistance. For starters, please have these logs ready for an investigation:
1. If C2/Generic-B only triggers when a specific user is logged on, log on as that user; otherwise log on as an Administrator.
2. Go to Autoruns for Windows and download autoruns.zip.
3. Extract the contents of autoruns.zip and run Autoruns.exe.
4. Press the Escape (Esc) key to stop the automatic scan.
5. Click "Options" and tick "Hide Microsoft and Windows Entries".
6. Click "Options", select "Scan Options", then tick "Verify Code Signatures" and "Check VirusTotal.com".
7. Click "File" and then "Refresh" (or press F5).
8. Wait for the scan to finish (normally less than a minute).
9. Click "File" and then "Save".
10. Locate the saved file and share it with Sophos Support.
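The same report can be produced without the GUI, which is useful when collecting it from several machines or over a remote session. The following PowerShell is an added example and not part of the Sophos article: it is the command-line equivalent of steps 2 to 6 plus saving the report, using autorunsc.exe (the console version that ships in the same autoruns.zip). It assumes autoruns.zip has already been downloaded to the user's Downloads folder, an elevated PowerShell session on the affected machine while the affected user is logged on, and that the CSV column names match current autorunsc output; the working folder and output file name are made-up choices.

```powershell
# Added example, not part of the Sophos article: the command-line equivalent
# of steps 2 to 6 above plus saving the report, using autorunsc.exe (the
# console version that ships in the same autoruns.zip). Assumptions: the zip
# is in the user's Downloads folder and this runs in an elevated PowerShell
# session on the affected machine while the affected user is logged on.
$zip  = Join-Path $env:USERPROFILE 'Downloads\autoruns.zip'
$work = Join-Path $env:windir 'Temp\autoruns'      # no spaces: keeps the cmd.exe line simple
$out  = Join-Path $work ('autoruns-{0}-{1:yyyyMMdd-HHmm}.csv' -f $env:COMPUTERNAME, (Get-Date))

Expand-Archive -Path $zip -DestinationPath $work -Force

# Use the 64-bit build on 64-bit Windows
$exe = Join-Path $work $(if ([Environment]::Is64BitOperatingSystem) { 'autorunsc64.exe' } else { 'autorunsc.exe' })

# Switches mirror the GUI options from the steps above:
#   -a *    all entry categories
#   -m      hide Microsoft and Windows entries       (step 5)
#   -s      verify code signatures                   (step 6)
#   -v -vt  query VirusTotal and accept its terms    (step 6)
#   -c      CSV output
# autorunsc writes Unicode (UTF-16) text when redirected, so the redirection
# goes through cmd.exe to keep the bytes intact rather than letting the
# PowerShell pipeline re-decode them.
cmd.exe /c "$exe -accepteula -nobanner -a * -m -s -v -vt -c > $out"

# Quick triage before sending $out to Sophos Support: entries whose image is
# not verified-signed or has at least one VirusTotal detection. The column
# names are those of current autorunsc CSV output (assumed for older builds).
Import-Csv -Path $out |
    Where-Object { $_.Signer -notmatch '^\(Verified\)' -or $_.'VT detection' -match '^[1-9]' } |
    Select-Object Entry, 'Image Path', Signer, 'VT detection' |
    Format-Table -AutoSize

Write-Host "Autoruns report saved to $out"
```

The VirusTotal query (-v -vt) submits file hashes to VirusTotal, the same as ticking "Check VirusTotal.com" in the GUI, and can take a few minutes on a machine with many entries; leave it out if that is not acceptable in your environment. Attach the saved CSV to the support case together with the Threat ID from the alert.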