
Attempt to communicate with a botnet is detected - My threat hunting thus far

Hi everyone,

So, like a lot of others here, I've experienced getting the notification that an attempt to communicate with a botnet or command and control server has been detected.

And it's always these same three sites:

As you can see it's pinging our DNS provider (in this case Google) but also pings our DNS server (which is also our DC).

In checking out the site, the only vendor that sees it as malicious is Sophos:

And checking AbuseIPDB doesn't pull up anything either:

When I open the site in a VM this is what I get: 

So do you think that enabling deep scans for the server, and IPS, would help with this situation? I'm just puzzled as to what's requesting this site on my network.



  • If you can pull up the log details of the ATP alert and see the exact time the log was generated, you can dig through your firewall logs and do a search for traffic matching the exact time it was allowed out, assuming you want to go that far and you have a firewall rule logging the allowed outbound connection. It might tell you what device it was.

  • I'm going to peruse these logs now. Can I get these through Sophos Central or should I go through each firewall's (we have three) logs?

  • I don't have enough experience with Sophos Central to know for sure. I am using it, but the SFOS firewall doesn't seem to be sending any firewall logs to it, so I don't know exactly how it works when it comes to logs.

    If you go to Log Viewer, Advanced Threat Detection logs, and click on Add filter at the top, go to Field --> Threat URL/IP

    and search for revotg.com, it will show you the time the log was created and the IP address of the device.

    Or you can search for Field --> Threat --> C2/Generic-A

    Good luck, you may be able to do the same for the firewall/web filter logs instead of just ATP too, if the device's activity is logged.

    Also, it is not very helpful when the ATP alerts generated don't provide the time of the alert. Why does Sophos do this... provide such an obscure message?

  • So it just happened again, and the only device that it's reporting is my domain controller (which I've masked the IP of below). I guess I need to look at the DC DNS logs now.

  • It does support logs. You have to log into Sophos Central -> Firewall -> Firewall Management -> Report Generator -> select your firewall, then choose the Report Template so you can see which component you want to see alerts for.

  • Hey Alan,

    Thanks for the reply. 

    I ran the report and couldn't find anything as the Process User field is blank. 

  • Turn on DNS logging on the DNS server of the DC and you will find the caller of that hostname.

    I assume it is something related to mail flow or a web server.
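Added example (not part of the thread, and not Sophos or Microsoft code): the reason the firewall only ever names the domain controller is that the DC is the resolver, so every lookup of revotg.com leaves the network from the DC's IP. The DC's own DNS debug log still records which internal client asked. The script below parses a few constructed log lines written in the layout of the Windows DNS Server debug log (date, time, thread id, context, packet id, protocol, Snd/Rcv, remote IP, transaction id, R flag, Q, [flags], query type, and the name in `(len)label` form), decodes the label-length names, keeps only queries received from clients (not the DC's forward to 8.8.8.8 or the upstream's response), and reports each client that asked for revotg.com or any subdomain of it. The IP addresses, timestamps and the `SAMPLE_LOG` text are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Windows DNS Server debug-log line layout.
# Header lines that a real log also contains simply fail to match and are skipped.
SAMPLE_LOG = """\
3/12/2021 10:15:32 AM 0A2C PACKET  000000C5A3B8E4F0 UDP Rcv 192.168.10.57   8a3b   Q [0001   D   NOERROR] A      (6)revotg(3)com(0)
3/12/2021 10:15:32 AM 0A2C PACKET  000000C5A3B8E4F0 UDP Snd 8.8.8.8         8a3b   Q [0001   D   NOERROR] A      (6)revotg(3)com(0)
3/12/2021 10:15:32 AM 0A2C PACKET  000000C5A3B8E4F0 UDP Rcv 8.8.8.8         8a3b R Q [8081   DR  NOERROR] A      (6)revotg(3)com(0)
3/12/2021 10:15:32 AM 0A2C PACKET  000000C5A3B8E4F0 UDP Snd 192.168.10.57   8a3b R Q [8081   DR  NOERROR] A      (6)revotg(3)com(0)
3/12/2021 10:15:40 AM 0A2C PACKET  000000C5A3B8E511 UDP Rcv 192.168.10.22   1c44   Q [0001   D   NOERROR] A      (3)www(6)google(3)com(0)
3/12/2021 10:17:05 AM 0A2C PACKET  000000C5A3B8E600 UDP Rcv 192.168.10.57   9f01   Q [0001   D   NOERROR] A      (3)cdn(6)revotg(3)com(0)
3/12/2021 10:20:11 AM 0A2C PACKET  000000C5A3B8E7A2 UDP Rcv 192.168.10.81   77e3   Q [0001   D   NOERROR] AAAA   (6)revotg(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) \S+ PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R?)\s+Q "   # 'R' marks a response packet
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(raw):
    """Turn '(6)revotg(3)com(0)' into 'revotg.com', checking each label length."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", raw):
        if int(length) != len(label):
            raise ValueError("label length mismatch in %r" % raw)
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_line(line):
    """Return a dict of fields for a packet line, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"]).lower()
    rec["is_response"] = bool(rec.pop("resp"))
    return rec


def matches_domain(name, domain):
    """True for the domain itself and any subdomain of it."""
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_querying_clients(log_text, domain):
    """Map client IP -> list of (timestamp, qname, qtype) for queries the
    server *received* for `domain`. Packets the server sent (forwards, replies)
    and responses it received from upstream are ignored, so the DC's own
    resolver traffic never shows up as a 'client'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        if matches_domain(rec["name"], domain):
            stamp = rec["date"] + " " + rec["time"]
            hits[rec["ip"]].append((stamp, rec["name"], rec["qtype"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, queries in sorted(find_querying_clients(SAMPLE_LOG, "revotg.com").items()):
        print(ip)
        for stamp, name, qtype in queries:
            print("   ", stamp, qtype, name)
```

On the DC the input would be the file written by DNS Server debug logging (enabled from the server's Debug Logging tab or with the Set-DnsServerDiagnostics cmdlet, with query and receive-packet logging turned on); point the script at that file instead of `SAMPLE_LOG` and it lists the internal hosts to look at, which is what the Process User field in the firewall report could not tell you.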
