Advanced Threat Protection research

I am having trouble determining what is happening here. I see the source is Google DNS, the destination is my internal DNS server, and the threat is clickmatters.biz. How do I track this down to find out what is going on? I checked web logs to see if anyone went to this site; nothing found. It all happened around 2:25am while the office was closed. Thanks for any direction.



  • I have reproduced it

    2022-03-18 18:53:58 Advanced threat protection

    messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="" protocol="UDP" src_port="53" dst_port="60541" src_ip="10.10.200.5" dst_ip="10.10.200.20" url="clickmatters.biz" threat="C2/Generic-A" event_id="CA3D6034-486F-459F-8BDC-B75DFB7998A7" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""

    Is caching the DNS traffic

    200.5 is my DNS

    200.20 is the endpoint

    That dst_ip is your infected PC, so either your DNS is infected, or an endpoint has made that query to your DNS

  • Thank you! I'm pretty certain an endpoint made a DNS query.  All the logs show port 53 and the "source" is google DNS and a couple others.  I was able to reproduce it and it showed my username and ip address as source.  The problem is, I am in the middle of a domain migration and have 2 trusted domains. The firewall is only syncing with one.  This will be a challenge.
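The reasoning in the replies above (src_port 53 from the internal resolver means the dst_ip is the client that asked; src_port 53 from a public resolver means the record only shows the resolver talking to its upstream, and the resolver's own query log is needed) can be applied mechanically to a batch of ATP records. The following is an added example, not code from the thread or from Sophos: it parses the key="value" format of the record quoted above, classifies each DNS hit by direction, and tallies flagged names per identified endpoint. The regex, the `INTERNAL_RESOLVERS` set (10.10.200.5 is the poster's DNS server), and the two extra sample records (one outbound query, one upstream answer from 8.8.8.8) are assumptions constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# key="value" pairs as they appear in Sophos ATP records. The regex is an
# assumption about the format; it matches the record quoted in the thread.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Internal resolver(s). 10.10.200.5 is the poster's DNS server from the thread.
INTERNAL_RESOLVERS = {"10.10.200.5"}

# Constructed sample records. The first is the record quoted in the thread
# (trimmed to the fields used here); the other two are constructed to cover
# the remaining directions. None of these are real events.
SAMPLE_RECORDS = [
    'log_type="ATP" log_subtype="Drop" protocol="UDP" src_port="53" dst_port="60541" '
    'src_ip="10.10.200.5" dst_ip="10.10.200.20" url="clickmatters.biz" threat="C2/Generic-A"',
    # constructed: the same lookup on its way out, endpoint -> internal resolver
    'log_type="ATP" log_subtype="Drop" protocol="UDP" src_port="60541" dst_port="53" '
    'src_ip="10.10.200.20" dst_ip="10.10.200.5" url="clickmatters.biz" threat="C2/Generic-A"',
    # constructed: upstream answer from a public resolver to the internal resolver
    'log_type="ATP" log_subtype="Drop" protocol="UDP" src_port="53" dst_port="41222" '
    'src_ip="8.8.8.8" dst_ip="10.10.200.5" url="clickmatters.biz" threat="C2/Generic-A"',
]


def parse_record(line):
    """Turn one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def classify_dns_hit(rec, resolvers=INTERNAL_RESOLVERS):
    """Work out which host actually asked for the flagged name.

    Returns a dict with the querying 'endpoint' (None when the record only
    shows the resolver talking to its upstream), the packet 'direction', and a
    'next_step' hint for the analyst. Returns None for records that are not DNS.
    """
    src, dst = rec.get("src_ip"), rec.get("dst_ip")
    sport, dport = int(rec.get("src_port", 0)), int(rec.get("dst_port", 0))
    if rec.get("protocol") not in ("UDP", "TCP") or 53 not in (sport, dport):
        return None
    if dport == 53 and dst in resolvers:
        # A query into our resolver: src is the client that asked.
        return {"endpoint": src, "direction": "query", "next_step": "inspect this host"}
    if sport == 53 and src in resolvers:
        # An answer leaving our resolver: dst is the client that asked.
        return {"endpoint": dst, "direction": "response", "next_step": "inspect this host"}
    if sport == 53 and dst in resolvers:
        # Upstream (e.g. public DNS) answering our resolver. The real client is
        # hidden behind the resolver; only the resolver's query log can name it.
        return {"endpoint": None, "direction": "upstream_response",
                "next_step": f"check query logs on resolver {dst} for {rec.get('url')}"}
    return {"endpoint": None, "direction": "unknown", "next_step": "review manually"}


def summarize(lines, resolvers=INTERNAL_RESOLVERS):
    """Count flagged names per identified endpoint across many records.

    Returns (per_endpoint, unresolved): a mapping endpoint -> {name: count},
    and a list of next-step hints for records that could not be attributed.
    """
    per_endpoint = defaultdict(Counter)
    unresolved = []
    for line in lines:
        rec = parse_record(line)
        hit = classify_dns_hit(rec, resolvers)
        if hit is None:
            continue
        if hit["endpoint"]:
            per_endpoint[hit["endpoint"]][rec.get("url", "")] += 1
        else:
            unresolved.append(hit["next_step"])
    return {k: dict(v) for k, v in per_endpoint.items()}, unresolved


if __name__ == "__main__":
    hosts, todo = summarize(SAMPLE_RECORDS)
    for host, names in hosts.items():
        print(host, names)
    for step in todo:
        print("unresolved:", step)
```

Feed it the exported ATP records for the time window (here, around 02:25) instead of `SAMPLE_RECORDS`; every record whose source is a public resolver ends up in the unresolved list, which is exactly the set of lookups that can only be attributed from the internal DNS server's query log.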
