L6 Presenter

If you resolve the URLs in those DNS queries you will get IPs of C&C servers.

 

The original source of the infection will not be so easy to find.

For a start, check threat logs with IPs of the infected machines as source or destination. You might also want to check URL logs to see if they visited some of the suspicious categories (malware, unknown, ...) if these aren't blocked. If you pinpoint the moment of infection from system logs on the infected device, maybe check traffic logs as well. That's as much as you can check on the FW. But if the source of the infection was an encrypted connection or a USB stick, you won't find much info on the firewall.

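The triage the reply above describes (resolve the queried domains to C&C IPs, then pivot on the infected hosts across threat, URL and traffic logs) as an added example that is not part of the original post. The log line formats, hosts, domains and IP addresses are all constructed for the example (TEST-NET ranges and `.example`/`.test` names), not a real PAN-OS export, and the `RESOLVE` map stands in for live DNS resolution so the script runs offline; on a real case you would replace it with `socket.getaddrinfo()` or passive-DNS data and feed in CSV exports of the actual logs.

```python
"""Added example (not from the original post): triage simplified firewall
logs for an infected host.  Every log line and address below is constructed."""
import csv
import io
from datetime import datetime

# Constructed DNS-query log: timestamp, source host, queried domain.
DNS_LOG = """\
2024-03-01T09:58:12,10.1.1.20,update.example-cdn.net
2024-03-01T10:02:07,10.1.1.20,beacon.badhost.example
2024-03-01T10:02:08,10.1.1.35,www.example.org
2024-03-01T10:17:40,10.1.1.20,beacon.badhost.example
"""

# Constructed threat log: timestamp, src, dst, category, action.
THREAT_LOG = """\
2024-03-01T10:02:09,10.1.1.20,203.0.113.45,command-and-control,alert
2024-03-01T10:02:30,10.1.1.35,198.51.100.7,malware,block
2024-03-01T10:17:41,10.1.1.20,203.0.113.45,command-and-control,alert
"""

# Constructed URL log: timestamp, src, url, category.
URL_LOG = """\
2024-03-01T09:55:03,10.1.1.20,http://files.example-share.test/invoice.zip,unknown
2024-03-01T09:57:30,10.1.1.20,http://www.example.org/,computer-and-internet-info
2024-03-01T10:02:07,10.1.1.20,http://beacon.badhost.example/gate.php,malware
"""

# Hypothetical stand-in for DNS resolution so the example runs offline.
# Replace with socket.getaddrinfo() or passive-DNS lookups on a real case.
RESOLVE = {"beacon.badhost.example": "203.0.113.45"}

# URL categories the reply suggests pivoting on when they are not blocked.
SUSPICIOUS_CATEGORIES = {"malware", "unknown", "command-and-control"}


def parse(text, fields):
    """Turn a CSV log export into a list of dicts keyed by the given field names."""
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text))]


def c2_ips_from_dns(dns_log, hosts, resolver=RESOLVE):
    """Domains queried by the infected hosts, resolved to candidate C&C IPs."""
    rows = parse(dns_log, ("ts", "src", "domain"))
    domains = {r["domain"] for r in rows if r["src"] in hosts}
    return {d: resolver[d] for d in domains if d in resolver}


def threat_hits(threat_log, hosts):
    """Threat-log entries with an infected host as source or destination."""
    rows = parse(threat_log, ("ts", "src", "dst", "category", "action"))
    return [r for r in rows if r["src"] in hosts or r["dst"] in hosts]


def suspicious_urls(url_log, hosts, categories=SUSPICIOUS_CATEGORIES):
    """URL-log entries from the infected hosts in suspicious categories."""
    rows = parse(url_log, ("ts", "src", "url", "category"))
    return [r for r in rows if r["src"] in hosts and r["category"] in categories]


def earliest_suspicious(url_log, threat_log, hosts):
    """Earliest suspicious event for the hosts: a starting point for the
    infection time, which you then confirm against the endpoint's own logs."""
    events = suspicious_urls(url_log, hosts) + threat_hits(threat_log, hosts)
    if not events:
        return None
    return min(events, key=lambda r: datetime.fromisoformat(r["ts"]))


if __name__ == "__main__":
    infected = {"10.1.1.20"}
    print("candidate C&C IPs:", c2_ips_from_dns(DNS_LOG, infected))
    for hit in threat_hits(THREAT_LOG, infected):
        print("threat:", hit)
    for hit in suspicious_urls(URL_LOG, infected):
        print("url:", hit)
    print("earliest suspicious event:", earliest_suspicious(URL_LOG, THREAT_LOG, infected))
```

Note that on the constructed data the earliest suspicious event is the `unknown`-category download a few minutes before the first C&C beacon, which is the kind of lead the reply says you can get from the URL log when those categories are not blocked; if the initial download had come over an encrypted session the firewall did not decrypt, or from removable media, the URL log would show nothing and only the later beacons would remain.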