How to investigate C2/Generic-C Detection

This article describes the steps to quickly identify the source of a C2/Generic-C alert on an Endpoint by investigating on the Sophos XG Firewall.

The following sections are covered:

Applies to the following Sophos products and versions

Central Mac Endpoint

Central Windows Endpoint

Sophos Central Managed Server 1.5.6

Sophos XG Firewall

C2/Generic Detection Explained article explains the types of C2/Generic-* detection Sophos products can generate.

If a machine goes into a Bad Health state on the Central Dashboard due to a C2/Generic-C detection it will show up in Events:

Note that the XG Firewall detected a communication attempt from an endpoint towards a known malicious website and not the Sophos Endpoint present on the machine. As soon as it detected this communication, it blocked the connection, flagged a C2/Generic-A on the XG firewall and passed this information via Heartbeat to the endpoint. A C2/Generic-C on the endpoint is the ultimate result of this process.

The Events on the Central Dashboard or Sophos logs on the endpoint may not help you to find out what triggered this detection.

The clue lies on the XG Firewall. Open your XG Dashboard and navigate to Monitor and Analyze > Reports > Networks and Threats.

Filter by Advanced Threat Protection and the date of the detection events:

This area helps us understand more about the detection.

IP of the Machine which caused the detection: ***.***.12.134

DNS server configured on the machine: ***.***.11.10

If you look closely at the Event Last Seen column, the time difference between the alerts are minimal. This proves that the endpoint had requested a DNS resolution of this malicious URL towards the DNS server. The resolution request from the DNS server was intercepted by the XG firewall and blocked. The IPS module of the XG also intercepted a malicious connection attempt from the machine.

On the Central Dashboard, if we further check the Events on the machine, we could see several URLs bypassed by the user:

Although the redacted URL above isn’t the same as the one categorized by us as a malicious website, we can deduce a conclusion based on the Top Level Domain in picture here which is .cz.

So it’s safe to assume that a user might have unknowingly landed on a webpage which resulted in this DNS resolution of a known malicious website.

  • Sophos advises to have a good Web Filtering solution in-place at the perimeter because the Endpoint Web Control protects you with basic security most of which revolves around their Categorization. If you’re actively using Endpoint Web Control, we advise configuration changes to only allow Productivity related categories.
  • A full system scan on the endpoint to ensure that there are no malware remnants followed by a reboot.
  • Go to Central Dashboard > Machine > Status > The Alert can be Mark as Resolved.

Note: This was a demonstration of quite a simple scenario. There could be potentially advanced attacks which the XG may be mitigating but this article serves as a base-line for IT administrators to kick-off their investigation. If the alerts persist on the XG or the Central Dashboard, please contact Sophos Support.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Leave a Reply