Crypto mining with a new payload: GHOSTENGINE. REF4578

Hi,

There is a new REF4578 attack that can disable endpoints according to the article.

https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine?ultron=esl:_threat_research%2Bcyber_attack_updates&blade=twitter&hulk=social&utm_content=13509117231&linkId=438948671

Is there a way for us to identify if a Sophos endpoint is affected by this type of attack?

Best regards,

Kubilay

  • Hi MEHMET

    Thanks for reaching out to the Sophos Community Forum. 

    It is not made entirely clear in the article if this form of miner is also aimed at circumventing antivirus solutions, as only the term EDR is mentioned. While I have not seen mention of this specific malware/miner internally, a number of protection features in Sophos Endpoint are aimed at catching the behaviour that is mentioned.

    Shellcode Injection: Sophos Central Admin: Dynamic Shellcode
    DLL Protection: Sophos Intercept X: LoadLib
    Additional attack techniques covered by Sophos Endpoint: Exploit Mitigation

    If attempts are made to disable or restrict Sophos Endpoint's ability to protect a device, self-healing features will re-enable/reload protection features as needed as well.

    You can perform additional checks on any environment running Sophos Intercept X Advanced by querying for PowerShell history. This is further explained in the following article. If you wish to ensure you're as well protected as possible, I'd suggest inquiring into Sophos MDR. The MDR team will actively monitor your environment, including running these types of checks for suspicious behaviour. 
    - PowerShell Command History Forensics

    Kushal Lakhan
    Team Lead, Global Community Support
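The reply above recommends reviewing PowerShell command history as an additional check. The script below is an added example for this thread, not Sophos code and not the Live Discover query from the linked "PowerShell Command History Forensics" article. It parses a PSReadLine `ConsoleHost_history.txt` file and flags entries that an analyst would want to look at first: commands that stop or reconfigure services, base64 `-EncodedCommand` payloads (decoded for context), download-and-execute cradles, and hidden-window launches. The rule names, the `ExampleAVService` service name and every history line in `SAMPLE_HISTORY` are constructed; the default history path is the standard PSReadLine location for the current user profile on Windows.

```python
"""Triage a PowerShell PSReadLine history file for signs of security-tool
tampering or obfuscated execution. Added example for this forum thread;
not Sophos code. All sample data is constructed."""
import base64
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# Standard PSReadLine history location for the current user on Windows.
DEFAULT_HISTORY = (Path.home() / "AppData" / "Roaming" / "Microsoft" / "Windows"
                   / "PowerShell" / "PSReadLine" / "ConsoleHost_history.txt")

# Review heuristics (rule names are hypothetical). Each match is a lead for a
# human analyst, not a verdict: admins legitimately stop services too.
RULES = {
    "service_tamper": re.compile(
        r"\b(?:Stop-Service|Set-Service|sc(?:\.exe)?\s+(?:stop|config|delete))\b", re.I),
    "encoded_command": re.compile(
        r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I),
    "download_cradle": re.compile(
        r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
}

# Constructed history file: benign admin commands mixed with entries that
# each rule should surface. The service name is a placeholder.
SAMPLE_HISTORY = """\
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
Get-Service | Where-Object Status -eq Running

Stop-Service -Name ExampleAVService -Force
Set-Service -Name ExampleAVService -StartupType Disabled
powershell -nop -w hidden -EncodedCommand SQBFAFgA
Get-ChildItem C:\\Temp
"""


@dataclass
class Finding:
    line_no: int          # 1-based line in the history file
    rule: str             # which heuristic fired
    command: str          # the raw history entry
    decoded: Optional[str] = None  # decoded -EncodedCommand text, if any


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return it or None if invalid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_history(text: str) -> List[Tuple[int, str]]:
    """PSReadLine stores one command per line; keep real line numbers, drop blanks."""
    return [(n, ln.rstrip("\r")) for n, ln in enumerate(text.split("\n"), start=1)
            if ln.strip()]


def scan_history(text: str) -> List[Finding]:
    """Apply every rule to every command; one Finding per (line, rule) hit."""
    findings: List[Finding] = []
    for line_no, cmd in parse_history(text):
        for name, rx in RULES.items():
            m = rx.search(cmd)
            if not m:
                continue
            decoded = decode_encoded_command(m.group(1)) if name == "encoded_command" else None
            findings.append(Finding(line_no, name, cmd, decoded))
    return findings


def render(findings: List[Finding]) -> List[str]:
    """Human-readable report lines, one per finding."""
    out = []
    for f in findings:
        extra = f"  (decodes to: {f.decoded!r})" if f.decoded else ""
        out.append(f"line {f.line_no:4d}  {f.rule:<16} {f.command}{extra}")
    return out


if __name__ == "__main__":
    # Usage: python scan_ps_history.py [path-to-ConsoleHost_history.txt]
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_HISTORY
    text = path.read_text(encoding="utf-8", errors="replace") if path.exists() else SAMPLE_HISTORY
    for line in render(scan_history(text)):
        print(line)
```

Run it with no arguments on a Windows host to scan the current user's history, or pass a history file collected from another profile; without a file it runs against the constructed sample. The rules deliberately stay broad, so treat output as a review queue: a `service_tamper` hit on a protection service around the time an endpoint went quiet is the kind of entry worth escalating, while the same command in a maintenance window usually is not.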