This article describes the steps to quickly identify the source of a C2/Generic-C alert on an Endpoint by investigating on the Sophos XG Firewall. The following sections are covered:
Applies to the following Sophos products and versions:
Central Mac Endpoint
Central Windows Endpoint
Sophos Central Managed Server 1.5.6
Sophos XG Firewall
The C2/Generic Detection Explained article explains the types of C2/Generic-* detections Sophos products can generate.
If a machine goes into a Bad Health state on the Central Dashboard due to a C2/Generic-C detection it will show up in Events:
The Events on the Central Dashboard or Sophos logs on the endpoint may not help you to find out what triggered this detection.
The clue lies on the XG Firewall. Open your XG Dashboard and navigate to Monitor and Analyze > Reports > Networks and Threats.
Filter by Advanced Threat Protection and the date of the detection events:
This area helps us understand more about the detection.
IP of the machine which caused the detection: ***.***.12.134
DNS server configured on the machine: ***.***.11.10
If you look closely at the Event Last Seen column, the time difference between the alerts is minimal. This proves that the endpoint requested a DNS resolution of this malicious URL from its DNS server; the resolution request sent on by the DNS server was intercepted by the XG Firewall and blocked. The IPS module of the XG also intercepted a malicious connection attempt from the same machine.
On the Central Dashboard, if we further check the Events on the machine, we could see several URLs bypassed by the user:
Although the redacted URL above is not the same as the one we categorized as a malicious website, we can draw a conclusion from the top-level domain shown here, which is .cz.
So it is safe to assume that a user may have unknowingly landed on a web page which resulted in this DNS resolution of a known malicious website.
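The correlation performed by hand above (same source IP, DNS block and IPS drop seconds apart, bypassed URL sharing the flagged site's TLD) can be scripted. This is an added example, not code from the Sophos article or from the XG Firewall; the row layout and the addresses are constructed assumptions standing in for an exported Advanced Threat Protection report.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample rows in the shape of the XG Advanced Threat Protection
# report: (event last seen, source IP, destination IP, threat, XG action).
# Addresses are private/documentation ranges, not real indicators.
SAMPLE_EVENTS = [
    ("2020-01-15 10:15:02", "10.0.12.134", "10.0.11.10", "C2/Generic-C", "dns_blocked"),
    ("2020-01-15 10:15:03", "10.0.12.134", "203.0.113.45", "C2/Generic-C", "ips_dropped"),
    ("2020-01-15 11:40:00", "10.0.12.77", "10.0.11.10", "C2/Generic-A", "dns_blocked"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate(events, dns_server, window_seconds=30):
    """Pair each blocked DNS resolution (sent to the configured DNS server)
    with an IPS drop from the same host inside the time window.
    Returns {source_ip: [(dns_row, ips_row), ...]} for hosts worth triaging."""
    by_host = {}
    for row in events:
        by_host.setdefault(row[1], []).append(row)
    window = timedelta(seconds=window_seconds)
    result = {}
    for host, rows in by_host.items():
        dns_rows = [r for r in rows if r[4] == "dns_blocked" and r[2] == dns_server]
        ips_rows = [r for r in rows if r[4] == "ips_dropped"]
        for d in dns_rows:
            for i in ips_rows:
                if abs(parse_ts(i[0]) - parse_ts(d[0])) <= window:
                    result.setdefault(host, []).append((d, i))
    return result


def top_level_domain(url):
    """Return the last label of the hostname in a URL or bare domain, e.g. 'cz'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def shares_tld(bypassed_url, flagged_domain):
    """True when a URL the user bypassed sits under the same TLD as the flagged site."""
    return top_level_domain(bypassed_url) == top_level_domain(flagged_domain)
```

Only hosts with both a blocked resolution and an IPS drop within the window are returned; a lone DNS block (the third row) is left for separate review.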
Note: This was a demonstration of a fairly simple scenario. There could potentially be more advanced attacks which the XG is mitigating, but this article serves as a baseline for IT administrators to kick off their investigation. If the alerts persist on the XG or the Central Dashboard, please contact Sophos Support.