ATP reports "C2/Generic-A" on local DC with DNS but scan results are good

Hello

Some of our customers asked me about this, so I think this will help others, too.

The issue:

ATP reports "C2/Generic-A" on local domain controller with DNS but a client scan doesn't find any threats

What is probably happening:

What is blocked here is not communication with a C&C server but the DNS lookup of the C&C server.
This means that your DC/DNS server is probably clean. There is likely a client that was looking up a known C&C server (for some reason that needs to be investigated).

What to do:

Usually you would perform the steps mentioned in this KBA.

What to do in case the UTM reports an ATP detection
https://www.sophos.com/en-us/support/knowledgebase/120725.aspx

I recommend doing that if you cannot solve the issue with the following steps:

1. Get the aptp as described in KBA 120725.
2. Verify that the source IPs belong to an internal DNS server.
3. Verify that the destination IPs belong to a public DNS server (http://mxtoolbox.com/DNSLookup.aspx). This shows it is a DNS request for the C&C server.
4. Find the client machine that caused it, as described here:
Sophos UTM Advanced Threat Protection–Your Domain Controller is Botnet?
http://techbast.com/2015/02/sophos-utm-advanced-threat-protectionyour-domain-controller-is-botnet.html
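The four steps above as an added worked example, not code from the original post, from KBA 120725 or from the techbast article: a small Python script that parses ATP alert lines and a DNS server query log, decides whether an alert is just the DC forwarding a lookup to a public resolver (steps 2 and 3), and for those alerts lists the internal clients that asked the DC for the flagged hostname (step 4). All log lines are constructed for the example; the key="value" alert layout, the `client=... query=...` log layout, the internal DNS addresses and the public resolver list are assumptions and will differ from the real UTM and Windows DNS log formats.

```python
"""Triage of an ATP "C2/Generic-A" alert whose source is the DC/DNS server.

Added example, not from the original post or KBA 120725.  All log lines,
addresses and field names below are constructed/assumed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed: internal DNS servers (the domain controllers) and the public
# resolvers they forward to.
INTERNAL_DNS = {"10.0.0.10", "10.0.0.11"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed ATP alert lines (key="value" layout is an assumption, not the
# real UTM format).  Two lines show the DC forwarding a lookup of a listed
# C&C host to a public resolver; the third shows a client reaching a C&C
# address directly.
ATP_ALERTS = """\
2015-03-02 10:15:01 atp: threat="C2/Generic-A" srcip="10.0.0.10" dstip="8.8.8.8" dstport="53" host="c2.bad.example"
2015-03-02 10:16:33 atp: threat="C2/Generic-A" srcip="10.0.0.10" dstip="1.1.1.1" dstport="53" host="c2.bad.example"
2015-03-02 10:20:12 atp: threat="C2/Generic-A" srcip="10.0.5.77" dstip="203.0.113.9" dstport="443"
"""

# Constructed DNS server query log (client -> queried name), the kind of
# record a DC's DNS debug log provides.  Layout is assumed.
DNS_QUERY_LOG = """\
2015-03-02 10:14:59 client=10.0.5.77 query=c2.bad.example. type=A
2015-03-02 10:15:00 client=10.0.5.23 query=update.vendor.example. type=A
2015-03-02 10:16:32 client=10.0.5.77 query=C2.BAD.EXAMPLE. type=A
2015-03-02 10:16:40 client=10.0.5.77 query=c2.bad.example. type=AAAA
"""

KV = re.compile(r'(\w+)="([^"]*)"')
QUERY = re.compile(r"client=(\S+)\s+query=(\S+)")


def parse_alerts(text):
    """Turn ATP alert lines into dicts of their key="value" fields."""
    alerts = []
    for line in text.splitlines():
        if " atp: " not in line:
            continue
        fields = dict(KV.findall(line))
        fields["time"] = line[:19]
        alerts.append(fields)
    return alerts


def classify(alert):
    """'dns-lookup' when the DC merely forwarded a query to a public resolver
    (steps 2 and 3 of the post); 'direct' when an internal host itself
    contacted the flagged address; 'unknown' otherwise."""
    src, dst = alert["srcip"], alert["dstip"]
    if src in INTERNAL_DNS and alert.get("dstport") == "53" and dst in PUBLIC_RESOLVERS:
        return "dns-lookup"
    if any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
        return "direct"
    return "unknown"


def clients_querying(log_text, name):
    """Count, per client IP, how often the DNS server was asked for `name`
    (case-insensitive, trailing dot ignored): step 4 of the post."""
    wanted = name.lower().rstrip(".")
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m and m.group(2).lower().rstrip(".") == wanted:
            hits[m.group(1)] += 1
    return hits


def triage(alert_text, dns_log_text):
    """Classify every alert; for forwarded lookups, list the internal
    clients that asked the DC for the flagged name."""
    report = []
    for a in parse_alerts(alert_text):
        kind = classify(a)
        entry = {"time": a["time"], "src": a["srcip"], "dst": a["dstip"],
                 "host": a.get("host", ""), "kind": kind}
        if kind == "dns-lookup":
            entry["suspects"] = dict(clients_querying(dns_log_text, a["host"]))
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage(ATP_ALERTS, DNS_QUERY_LOG):
        print(entry)
```

With the constructed data the first two alerts come out as forwarded lookups with 10.0.5.77 as the only client that asked for the name, which is the machine to investigate; the third alert is an internal host talking to the flagged address on its own and would be handled per KBA 120725 as a normal ATP detection. Name matching ignores case and the trailing dot because DNS logs record names both ways.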

If you have any feedback or additional information please post it here.

Thanks and have a great and cyber-secure day [:)]


STHN



  • Nice one, I had a better way of getting to the clients: redirecting all users to the UTM DNS with a forward lookup zone to the internal DNS server. This was a lot easier than the above suggestion (if your network design and security rules allow you to do this).

    By forwarding I mean reconfigure the DHCP scope options to point to the UTM for DNS.
  • pedja said:
    Nice one, I had a better way of getting to the clients: redirecting all users to the UTM DNS with a forward lookup zone to the internal DNS server. This was a lot easier than the above suggestion (if your network design and security rules allow you to do this).

    By forwarding I mean reconfigure the DHCP scope options to point to the UTM for DNS.

    This is exactly what I was thinking of.

    When you set the DHCP scope options to point to the UTM, did you find that internal DNS lookups would fail, or are your UTM DNS forwarders pointing to the internal DNS server (which has external forwarders)?

  • Tyler, you might want to consider DNS Best Practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA