Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Attempt to communicate with a botnet is detected - My threat hunting thus far

Hi everyone,

So like a lot of others here I've experienced where we get the notification that an attempt to communicate with a botnet or command and control server has been detected.

And its always these same three sites:

As you can see it's pinging our DNS provider (in this case Google) but also pings our DNS server (which is also our DC). 

In checking out the site the only vendor that sees it was malicious is Sophos: 

And checking Abuse IPDB doesn't pull up anything either: 

When I open the site in a VM this is what I get: 

So do you think that enabling deep scans for the server, and IPS would help with this situation? I'm just puzzled as to what's requesting this site on my network. 

This thread was automatically locked due to age.
  • If you can pull up the log details of the ATP alert and see the exact time the log was generated, you can dig though your firewall logs and do a search for traffic matching the exact time it was allowed out, assuming you want to go that far and if you have a firewall rule logging the allowed outbound connection. It might tell what device it was.

  • It was categorized as Command and Control in 2018.  I don't know more details about why.
    May 15 2023 it was review due to your false positive reported and should no longer be triggering.

Reply Children
No Data