Sophos UTM Advanced Threat Protection–Your Domain Controller is Botnet?

Some case you see the alert from Sophos UTM: Your Domain Controller is the Botnet.

The log:

2015:01:xx-xx:xx:10 SOPHOSUTM afcd[30448]: id=”2022″ severity=”warn” sys=”SecureNet” sub=”packetfilter” name=”Packet dropped (ATP)” srcip=”192.168.1.100″ dstip=”xxx.xxx.xxx.xxx” fwrule=”63001″ proto=”17″ threatname=”C2/Generic-A” status=”1″ host=”xyz.com” url=”-” action=”drop”

The alert email:

Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name….: C2/Generic-A
Details……..: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time………..: 2015-01-xx xx:xx:15
Traffic blocked: yes
Internal source IP address or host: Your Domain Controller IP

You need to check who’s query DNS to Domain Controller with the malicious domain by enable DNS logging:

1. To get your Windows domain controller to log DNS lookups, follow the directions here:

 

  • Open DNS.
  • In the console tree, right-click the applicable DNS server, then click Properties.
  • Click the Debug Logging tab.
  • Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.
  • Screenshot:

    image

    Once you see data in C:\windows\system32\dns\dns.log you know that it’s working. The output like this:

    The client query mail.com is: 172.16.16.10

    image

 

1 Trackback / Pingback

  1. ATP reports "C2/Generic-A" on local DC with DNS but scan results are good - Sophos User Bulletin Board

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.