Hi,
I have events triggered to a known CnC server. I see the events triggered on my NIDS from my internal sources (running Endpoint Advanced) and, looking at the Sophos Firewall logs, I see that swi_fc.exe connected to the IP address of the CnC server but nothing else besides that. Note that the CnC was taken down, but the malware is still somewhere on my devices, possibly triggered through Chrome.
I've attached the firewall log below. You can see that Chrome did something directly before swi_fc.exe connected to the CnC.
How do I identify what is causing the daily connections to the CnC server?
Regards,
Danie
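One way to work the question in the post from the firewall side, as an added example that is not part of the original thread or any Sophos tool: swi_fc.exe belongs to Sophos's Web Intelligence web-filtering component, which sits between the browser and the network, so the firewall often records that proxy as the connecting process rather than the program that started the request. The script below therefore treats each connection to the CnC address as a hit, pulls the events from the same host in the few seconds before it, counts which application and URL recur ahead of the hits, and groups the hits by time of day so a daily schedule stands out. The key=value log lines, the hosts, the URLs and the CnC address 203.0.113.45 are all constructed for the example; the layout is a simplified stand-in and not the exact Sophos Firewall log format, so adjust the field names to your export.

```python
"""Correlate firewall log lines to find what precedes a C2 connection.

Added example: the log layout below is a constructed, simplified key=value
format, not the real Sophos Firewall format. Map the field names to your own
export (source host, process/app name, destination IP, URL) before use.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed placeholder in TEST-NET-3; substitute the real C2 address.
C2_IP = "203.0.113.45"

# Constructed sample log: two days of the same pattern on host 10.0.0.21,
# chrome.exe fetches a URL and swi_fc.exe reaches the C2 a couple of seconds later.
SAMPLE_LOG = """\
timestamp="2024-05-06 09:14:01" src_ip=10.0.0.21 app=chrome.exe dst_ip=198.51.100.7 url=http://example.invalid/update
timestamp="2024-05-06 09:14:02" src_ip=10.0.0.21 app=swi_fc.exe dst_ip=203.0.113.45 url=-
timestamp="2024-05-06 09:30:10" src_ip=10.0.0.22 app=outlook.exe dst_ip=198.51.100.9 url=-
timestamp="2024-05-07 09:13:58" src_ip=10.0.0.21 app=chrome.exe dst_ip=198.51.100.7 url=http://example.invalid/update
timestamp="2024-05-07 09:14:00" src_ip=10.0.0.21 app=swi_fc.exe dst_ip=203.0.113.45 url=-
timestamp="2024-05-07 12:00:00" src_ip=10.0.0.21 app=chrome.exe dst_ip=198.51.100.8 url=http://example.invalid/news
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; adds a parsed 'ts' datetime."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(fields["timestamp"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def c2_connections(events, c2_ip=C2_IP):
    """Every event whose destination is the C2 address."""
    return [e for e in events if e["dst_ip"] == c2_ip]


def preceding_events(events, hit, window=timedelta(seconds=5)):
    """Events from the same source host in the `window` just before `hit`."""
    return [
        e for e in events
        if e["src_ip"] == hit["src_ip"] and hit["ts"] - window <= e["ts"] < hit["ts"]
    ]


def likely_triggers(events, c2_ip=C2_IP, window=timedelta(seconds=5)):
    """Count (app, url) pairs seen just before C2 hits.

    A pair that recurs on every day the beacon fires is the candidate trigger
    to chase on the host (the URL, and whatever makes the browser fetch it).
    """
    counts = Counter()
    for hit in c2_connections(events, c2_ip):
        for e in preceding_events(events, hit, window):
            counts[(e["app"], e["url"])] += 1
    return counts


def beaconing_schedule(events, c2_ip=C2_IP):
    """Time of day (HH:MM) of each C2 hit, per source host.

    Repeating minutes across days point to a scheduled task or a browser
    start-up action rather than interactive use.
    """
    schedule = defaultdict(list)
    for hit in c2_connections(events, c2_ip):
        schedule[hit["src_ip"]].append(hit["ts"].strftime("%H:%M"))
    return dict(schedule)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("C2 hits:", len(c2_connections(evts)))
    print("schedule:", beaconing_schedule(evts))
    for (app, url), n in likely_triggers(evts).most_common():
        print(f"{n}x {app} -> {url} immediately before a C2 connection")
```

With the constructed data the script reports two hits from 10.0.0.21, both at 09:14, each preceded by chrome.exe fetching the same URL, which is the lead to take to the endpoint: what loads that URL at that time (an extension, a start page, a scheduled launch) is the thing to find and remove, since the connection recorded under swi_fc.exe is only the filtered copy of the browser's request.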