
Advanced threat C2/Generic-A

Hi, we have 2 Domain Controllers that, at some times of the day, do something that produces this message. What can it be??

ns2.uniregistrymarket.link C2/Generic-A
ns1.uniregistrymarket.link C2/Generic-A

Regards,

  • It could be that one of the workstations on your network is trying to do a DNS lookup for that domain.

    1. A client is sending the DNS request to your DC,
    2. then your DC is forwarding that request to an outside DNS server.
    3. As that request goes over the UTM, the APT system is picking it up and flagging your DC as the source.
    4. The UTM blocks that DNS request, and the DC returns a response to the client that it could not resolve the name.
    5. The client then tries its second DNS server, your other DC, and steps 1-4 repeat.

    We need to find that client; you can log DNS requests on your DC and find the IP issuing the request.


    If this event is happening around the time of day your executive reports are made, the UTM could be stuck in a loop trying to resolve the IP of the APT from the day before, then throwing another APT.
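One way to carry out the lookup described in the reply above, added here as an example and not part of the original post: the script parses Windows DNS Server debug log packet lines (enabled under the DNS server's Debug Logging), decodes the length-prefixed names, and counts which client IPs sent queries (Rcv, Q) for the flagged domain, versus which forwarders the DC sent them on to (Snd, Q). The log lines, client IP 192.0.2.57 and forwarder IP 203.0.113.53 are constructed for the example.

```python
import re
from collections import Counter

# Windows DNS Server debug log, one summary line per packet (constructed sample).
# Names are logged as length-prefixed labels, e.g. (3)ns2(17)uniregistrymarket(4)link(0).
SAMPLE_LOG = """\
3/31/2016 9:02:11 AM 0E74 PACKET  00000091D1D2E0A0 UDP Rcv 192.0.2.57      0004   Q [0001   D   NOERROR] A      (3)ns2(17)uniregistrymarket(4)link(0)
3/31/2016 9:02:11 AM 0E74 PACKET  00000091D1D2E0A0 UDP Snd 203.0.113.53    a1b2   Q [0001   D   NOERROR] A      (3)ns2(17)uniregistrymarket(4)link(0)
3/31/2016 9:02:12 AM 0E74 PACKET  00000091D1D2F1B0 UDP Rcv 192.0.2.57      0005   Q [0001   D   NOERROR] A      (3)ns1(17)uniregistrymarket(4)link(0)
3/31/2016 9:02:12 AM 0E74 PACKET  00000091D1D2F1B0 UDP Snd 203.0.113.53    a1b3   Q [0001   D   NOERROR] A      (3)ns1(17)uniregistrymarket(4)link(0)
3/31/2016 9:02:13 AM 0E74 PACKET  00000091D1D30000 UDP Rcv 192.0.2.88      0009   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/31/2016 9:02:14 AM 0E74 PACKET  00000091D1D30000 UDP Snd 192.0.2.88      0009   R [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

# Matches the packet part of a debug log line: protocol, direction, remote IP,
# transaction id, Q/R, flags, query type and the encoded name.
PACKET_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>\w+)\s+"
    r"(?P<qr>[QR]) \[(?P<flags>[^\]]*)\] (?P<qtype>\S+)\s+(?P<name>\S+)"
)

def decode_name(encoded):
    """Turn '(3)ns2(17)uniregistrymarket(4)link(0)' into 'ns2.uniregistrymarket.link'."""
    return ".".join(label for label in re.split(r"\(\d+\)", encoded) if label).lower()

def parse_packets(log_text):
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["name"] = decode_name(rec["name"])
            yield rec

def queries_for(log_text, domain, direction):
    """Count remote IPs on query packets (Q) for domain or its subdomains.
    direction 'Rcv' gives the clients that asked the DC; 'Snd' gives the
    forwarders the DC asked in turn, i.e. the traffic a perimeter device
    attributes to the DC rather than to the real client."""
    domain = domain.lower()
    hits = Counter()
    for rec in parse_packets(log_text):
        if rec["dir"] == direction and rec["qr"] == "Q" and (
                rec["name"] == domain or rec["name"].endswith("." + domain)):
            hits[rec["ip"]] += 1
    return hits

def find_clients(log_text, domain):
    return queries_for(log_text, domain, "Rcv")

def find_forwarders(log_text, domain):
    return queries_for(log_text, domain, "Snd")

if __name__ == "__main__":
    for ip, n in find_clients(SAMPLE_LOG, "uniregistrymarket.link").most_common():
        print(f"client {ip} issued {n} queries for the flagged domain")
```

Point the script at the DC's real debug log file instead of SAMPLE_LOG; the top entry of find_clients is the workstation to look at, while find_forwarders shows the outbound queries the UTM is attributing to the DC.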

  • Seems that it could be a message sent to the mail system.

    Regards,
