Attempt to communicate with a botnet is detected - My threat hunting thus far

Question

Hi everyone, 
 So like a lot of others here I've experienced where we get the notification that an attempt to communicate with a botnet or command and control server has been detected.

And its always these same three sites: 
 
 As you can see it's pinging our DNS provider (in this case Google) but also pings our DNS server (which is also our DC). 
 
 In checking out the site the only vendor that sees it was malicious is Sophos:

And checking Abuse IPDB doesn't pull up anything either:

When I open the site in a VM this is what I get:

So do you think that enabling deep scans for the server, and IPS would help with this situation? I'm just puzzled as to what's requesting this site on my network.

LuCar Toni · Answer

So that is the root cause - You can submit a re evaluation of those URLs: support.sophos.com/.../filesubmission

LHerzog · Answer

turn on DNS logging on the DNS Server of the DC and you will find the caller of that Hostname. 
 I assume it is something related with mail flow or a webserver.

Raphael Alganes · Answer

Hello there, 
 If an end machine behind Sophos Firewall generates traffic on that malicious domain then an alert may be triggered by ATP. If Sophos Firewall is not set as the DNS on the end machine, you might be able to see the actual source IP instead of the Public DNS (Google DNS) 
 A tcpdump on port53 (DNS) Sophos Firewall: How to TCPdump might also give insight of the actual source. 
 Also, if you have the source end machine verified on your network you may run a full/deep-scan and set a cleanup with your AV. 
 Hope this helps. Have a nice day and thank you for choosing Sophos 
 Cheers,

Attempt to communicate with a botnet is detected - My threat hunting thus far

Top Replies