Detecting from Sophos UTM C2/Generic-A

Hi Sophos Team,

I am receiving this botnet alert from our Sophos UTM. I have tried scanning the server that is the source IP and didn't detect anything, even when I used the Sophos Virus Removal Tool, which didn't detect anything either.

 1  bakjjmkiw.ws      C2/Generic-A  AFCd  2016-11-16 18:57:48  1  0.58  1  0.58
 2  bredpump.info     C2/Generic-A  AFCd  2016-11-16 18:47:55  1  0.58  1  0.58
 3  buoxlyw.ws        C2/Generic-A  AFCd  2016-11-16 19:56:40  1  0.58  1  0.58
 4  cajusst.ws        C2/Generic-A  AFCd  2016-11-16 19:48:14  1  0.58  1  0.58
 5  cawskq.ws         C2/Generic-A  AFCd  2016-11-16 20:00:31  1  0.58  1  0.58
 6  cjzyrx.ws         C2/Generic-A  AFCd  2016-11-16 19:09:48  1  0.58  1  0.58
 7  cuolcsfay.ws      C2/Generic-A  AFCd  2016-11-16 19:49:57  1  0.58  1  0.58
 8  cysooechujg.ws    C2/Generic-A  AFCd  2016-11-16 19:00:17  1  0.58  1  0.58
 9  dwohtolv.cn       C2/Generic-A  AFCd  2016-11-16 18:47:15  1  0.58  1  0.58
10  fhavidw.cn        C2/Generic-A  AFCd  2016-11-16 19:36:05  1  0.58  1  0.58
11  frherhue.cn       C2/Generic-A  AFCd  2016-11-16 19:47:50  1  0.58  1  0.58
12  fsbeaa.ws         C2/Generic-A  AFCd  2016-11-16 19:20:06  1  0.58  1  0.58
13  gmlcgvkiy.ws      C2/Generic-A  AFCd  2016-11-16 18:43:20  1  0.58  1  0.58
14  gvxyfamgwvw.info  C2/Generic-A  AFCd  2016-11-16 19:04:14  1  0.58  1  0.58
15  hbjmriz.cn        C2/Generic-A  AFCd  2016-11-16 19:49:33  1  0.58  1  0.58
16  hcaxbgugl.cn      C2/Generic-A  AFCd  2016-11-16 20:04:52  1  0.58  1  0.58
17  jdztlddtd.cn      C2/Generic-A  AFCd  2016-11-16 18:55:46  1  0.58  1  0.58
18  jkyatszhco.ws     C2/Generic-A  AFCd  2016-11-16 19:18:11  1  0.58  1  0.58
19  jnnznesl.cn       C2/Generic-A  AFCd  2016-11-16 19:27:19  1  0.58  1  0.58
20  kujil.ws          C2/Generic-A  AFCd  2016-11-16 19:22:19  1  0.58  1  0.58


  • Hello JasonCantos,

    A C2/ detection indicates a potentially compromised endpoint. If the endpoint is protected and MTD is turned on, you'll likely see corresponding C2/Generic-B alerts. AFAIK MTD is not available for UTM-managed endpoints, thus Dealing with a C2 detection would be of only limited help.

    "scanning [...] didn't detect anything"
    This is no surprise: if the threat were known, it wouldn't get as far as opening a network connection. Apparently whatever it is is constantly trying to connect, and it should be possible to identify the process.

    Christian

  • Hi Christian,

    I have tried the Sophos removal tools recommended by Sophos, which likewise didn't detect anything... any idea how to remove this?

    Regards,

    Jason

  • Hello Jason,

    Let me try to rephrase:
    You get a C2/Generic-A alert because either

    • there is no AV on the endpoint which could detect and block a threat,
    • the AV on the endpoint does not detect the malicious process attempting the connection (if Sophos is installed on the endpoint, no other Sophos tool will detect a threat, as they all use the same detection identities; I'm talking about running a tool in a normal Windows session, not Safe Mode or booting from an external medium), or
    • some legitimate process is subverted and makes the connection. The subverting process could be some clever malware, a rogue browser add-on, a redirection from web-search results, or even a human typing a C&C URL into the browser's address bar (in which case it's perhaps not a subversion).

    Thus it's likely a yet unknown "something", and you'd have to find the process making the connections. Sometimes it can be found by simply checking the list of running processes with the Task Manager. Depending on what the UTM does in response to an open attempt, you might be able to see the TCP SYN_SENT with netstat -o. A better (and actually quite simple) method, though, is monitoring network activity with Process Monitor. Once you've identified the rogue executable, please submit it to Sophos.

    Christian
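
The process hunt Christian describes (catch the half-open SYN_SENT with netstat -o, then tie the PID to an image) can be scripted so it is repeatable on a server nobody is watching in the evening. This is an added example, not code from the thread or from Sophos. The netstat and tasklist output is constructed, the LAN range 192.168.10.0/24 and the image name updsvc.exe are hypothetical, and on a live Windows host you would feed it the real command output instead.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (Windows), not real data.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.57:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.10.57:49213    203.0.113.45:443       SYN_SENT        4712
  TCP    192.168.10.57:49214    203.0.113.45:80        SYN_SENT        4712
  TCP    192.168.10.57:445      192.168.10.23:51002    ESTABLISHED     4
  TCP    192.168.10.57:49220    192.168.10.1:3128      ESTABLISHED     2260
  UDP    0.0.0.0:5353           *:*                                    1388
"""

# Constructed sample of `tasklist /fo csv /nh` output; "updsvc.exe" is a
# hypothetical image name, not a known malware or Windows component.
TASKLIST_SAMPLE = """\
"System","4","Services","0","1,024 K"
"svchost.exe","1388","Services","0","12,340 K"
"updsvc.exe","4712","Services","0","8,212 K"
"OUTLOOK.EXE","2260","Console","1","150,004 K"
"""

# Assumed LAN ranges; anything else (other than loopback) is treated as external.
LAN_RANGES = [ipaddress.ip_network("192.168.10.0/24")]


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples for TCP rows of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # UDP rows have no State column and are not connection attempts; skip them.
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
            rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` (Image Name, PID, ...)."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def split_host_port(addr):
    """'203.0.113.45:443' -> ('203.0.113.45', 443); also handles '[::1]:443'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_external(host, lan_ranges=LAN_RANGES):
    ip = ipaddress.ip_address(host)
    return not ip.is_loopback and not any(ip in net for net in lan_ranges)


def outbound_attempts(netstat_text, tasklist_text, states=("SYN_SENT",)):
    """Half-open outbound connections to non-LAN hosts, joined with the owning process.

    Returns a list of dicts sorted by PID; repeated SYN_SENT rows for one PID are the
    'constantly trying to connect' pattern worth chasing with Process Monitor.
    """
    names = parse_tasklist_csv(tasklist_text)
    findings = []
    for _, _, remote, state, pid in parse_netstat(netstat_text):
        if state not in states:
            continue
        host, port = split_host_port(remote)
        if not is_external(host):
            continue
        findings.append({"pid": pid, "image": names.get(pid, "<unknown>"),
                         "remote": f"{host}:{port}", "state": state})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    # On a live host replace the samples with the real command output, e.g.
    #   subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    #   subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    for f in outbound_attempts(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']:>5}  {f['image']:<16} -> {f['remote']} ({f['state']})")
```

Run it in a loop (every few seconds) to catch short-lived SYN_SENT states; a PID that keeps showing up against the same external address is the candidate to submit to Sophos. If the UTM answers the DNS query with a sinkhole or refuses it, there may be no TCP attempt at all, which is why the DNS-server side is the other place to look.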

  • Hi Christian,

    I have AV on the endpoint, which is SEPM, and it is updated. Both SEPM and the Sophos removal tools didn't detect anything on it.

    Regards,

    Jason

  • Hello Jason,

    Sometimes you have to do some investigation yourself: either give Process Monitor a try, or otherwise reinstall the potentially compromised machine.

    Christian

  • Jason, you said it was a server that you scanned. If that was your internal DNS server, you will need to look at its logs to discover which client(s) in your LAN requested name resolution for those domains.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
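
Bob's suggestion, as an added worked example rather than anything posted in the thread: take the twenty hostnames from the ATP report, walk the DNS server's query log, and report which LAN client asked for each and at what hour. The log lines are constructed in the Windows DNS Server debug-log layout; the thread does not say what DNS server is in use, so that layout and the client addresses (192.168.10.57, 192.168.10.23) are assumptions, and BIND or other query logs need a different regex.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The twenty hostnames from the ATP report in the opening post.
C2_DOMAINS = {
    "bakjjmkiw.ws", "bredpump.info", "buoxlyw.ws", "cajusst.ws", "cawskq.ws",
    "cjzyrx.ws", "cuolcsfay.ws", "cysooechujg.ws", "dwohtolv.cn", "fhavidw.cn",
    "frherhue.cn", "fsbeaa.ws", "gmlcgvkiy.ws", "gvxyfamgwvw.info", "hbjmriz.cn",
    "hcaxbgugl.cn", "jdztlddtd.cn", "jkyatszhco.ws", "jnnznesl.cn", "kujil.ws",
}

# One packet per line, Windows DNS Server debug-log layout (assumed). Names are
# wire-encoded as (len)label(len)label(0). Responses carry an extra "R" before the
# opcode; inbound queries are "Rcv" lines without it.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+"
    r"\S+\s+(?P<resp>R\s+)?(?P<op>[QNU])\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Constructed sample, not from the thread. The UTM only sees the DNS server as the
# source of the lookups; this log shows which LAN client really asked.
SAMPLE_LOG = """\
11/16/2016 6:47:15 PM 0A20 PACKET  0000000003A6B4C0 UDP Rcv 192.168.10.57   0002   Q [0001   D   NOERROR] A      (8)dwohtolv(2)cn(0)
11/16/2016 6:47:16 PM 0A20 PACKET  0000000003A6B4C0 UDP Snd 192.168.10.57   0002 R Q [8385 A DR NXDOMAIN] A      (8)dwohtolv(2)cn(0)
11/16/2016 6:52:03 PM 0A20 PACKET  0000000003A6B4C0 UDP Rcv 192.168.10.23   3c1a   Q [0001   D   NOERROR] A      (3)www(6)sophos(3)com(0)
11/16/2016 6:57:48 PM 0A20 PACKET  0000000003A6B4C0 UDP Rcv 192.168.10.57   0003   Q [0001   D   NOERROR] A      (9)bakjjmkiw(2)ws(0)
11/16/2016 7:09:48 PM 0A20 PACKET  0000000003A6B4C0 UDP Rcv 192.168.10.57   0004   Q [0001   D   NOERROR] A      (6)cjzyrx(2)ws(0)
"""


def decode_name(wire):
    """'(9)bakjjmkiw(2)ws(0)' -> 'bakjjmkiw.ws' (lower-cased, no trailing dot)."""
    labels = [label for length, label in LABEL_RE.findall(wire) if int(length)]
    return ".".join(labels).lower()


def parse_line(line):
    """Return (timestamp, client_ip, queried_name) for an inbound query, else None."""
    m = LINE_RE.match(line)
    if not m or m["dir"] != "Rcv" or m["resp"]:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return ts, m["ip"], decode_name(m["name"])


def attribute_c2_lookups(lines, domains=C2_DOMAINS):
    """Map client IP -> [(timestamp, name), ...] for lookups of the IOC domains or subdomains."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, name = parsed
        if name in domains or any(name.endswith("." + d) for d in domains):
            hits[ip].append((ts, name))
    return dict(hits)


def hourly_profile(hits):
    """Count matching lookups per hour of day; a cluster after office hours is itself a lead."""
    counts = Counter(ts.hour for events in hits.values() for ts, _ in events)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # On the real server: open(r"C:\Windows\System32\dns\dns.log") in place of SAMPLE_LOG.
    hits = attribute_c2_lookups(SAMPLE_LOG.splitlines())
    for ip, events in hits.items():
        print(ip)
        for ts, name in events:
            print(f"  {ts:%Y-%m-%d %H:%M:%S}  {name}")
    print("per hour:", hourly_profile(hits))
```

The debug log has to be enabled on the Windows DNS server beforehand (DNS Manager, server properties, Debug Logging, with packet contents and incoming queries selected); it does not exist by default. The client IPs it yields are what the UTM's ATP table cannot show when the server is the only source it sees.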
  • Hi Balfson,

    Yup, I am now investigating the DNS logs, because I noticed that the attack is being made especially in the evening, and nobody is in the office at that time.

    Regards,

    Jason

  • Hi Christian,

    I found the machine that is sending the queries to my local DNS server. We are now taking action on it and will then observe again with our Sophos UTM.

    Thanks for the advice and help.

    Regards,

    Jason
