ATP reports "C2/Generic-A" :

Question

Hello some of our customers asked me about this so I think this will help others, too.

2021-10-18 10:24:07

192.168.36.181

enabaonag_laptop

192.168.36.1

C2/Generic-A

www.google.com.512542883555094.windows-display-service.com

DNS

Drop

18010

2021-10-18 10:27:16Advanced threat protectionmessageid="18010" log_type="ATP" log_component="DNS" log_subtype="Drop" user="enabaonag_laptop" protocol="UDP" src_port="49584" dst_port="53" src_ip="192.168.36.181" dst_ip="192.168.36.1" url="www.google.com.512542883555094.windows-display-service.com" threat="C2/Generic-A" event_id="19AB3C00-B993-495E-9638-D7FD6F46BE7B" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path="" 
 Any remedy for this?

emmosophos · Accepted Answer

Hello, 
 Labs team has gotten back to me, this is not a FP. 
 "This does not seem to be an FP, a huge number of child URIs just like the one mentioned above have been seen very recently involved in cryptominer campaign, also the domain itself is newly created, not popular, hosting dodgy content, multiple dodgy child URI containing malicious JS embedded in iframe." 
 Regards,

emmosophos · Answer

Hello Nilesh, 
 Thank you for contacting the Sophos Community. 
 The domain windows-display-service.com is classified as Malware so the ATP is is intercepting this connection. 
 Do you think this is a False Positive? 
 I have opened a ticket for Labs to confirm if the URL in question is Malware of a FTP. 
 Regards,

ATP reports "C2/Generic-A" :

Top Replies