This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Monitoring blocked Powershell events

Hello Community,

Currently we are blocking all powershell interaction on all clients in our company via the Application Control feature in sophos central.

We are aware that a lot of applications are using powershell for updating their services and stuff like that.

Currently we are missing any option to monitor the activity which process are trying to execute powershell.

In the Logs & Reports section we just see that the user tried to execute the powershell.exe but not which process.

On the Logs of the client itselfe we just get an entry "Powershell got blocked by the administrator".

With Sophos Live Discover we just see successfully executed Powershell commands so that doesnt help us as well.

Does someone know how we can review the processes which tried to execute powershell but got blocked by sophos?

Thanks in forward!

Sincerely Yours.

This thread was automatically locked due to age.

Parents

0 RichardP over 2 years ago

Application control doesn't record that sort of action because the call to powershell is blocked at the PS launch based on it being powershell. AppC doesn't care what the parameters passed are.

If you have XDR, that populates the datalake with the commands set so you could see them through that query system.

Is the idea that you want to allow some applications to call powershell? You aren't going to be able to have that granular control with AppC - it's an all or nothing sort of thing. The application is allowed to launch or not - there is no conditions.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Lukas R over 2 years ago in reply to RichardP

Hello Richard,

thanks for your answer.

But do we see that information in the datalake?

I thought that we only see data in the Live Discover section which got already executed and not blocked.

We are aware that the AppC is a all or nothing setting and we are fine with that.

We just want to see what applications are getting blocked and it could be a potential attack.

Greetings.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Lukas R over 2 years ago in reply to RichardP

Hello Richard,

thanks for your answer.

But do we see that information in the datalake?

I thought that we only see data in the Live Discover section which got already executed and not blocked.

We are aware that the AppC is a all or nothing setting and we are fine with that.

We just want to see what applications are getting blocked and it could be a potential attack.

Greetings.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 RichardP over 2 years ago in reply to Lukas R

If AppC blocks it - the command never runs so no data would be sent.

If your goal is to stop all PS execution and report on every attempt with parameters.... I will have to think of a way to do this. It isn't part of the out-of-the-box configuration we have. Let me mull it over and I will get back to you.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Lukas R over 2 years ago in reply to RichardP

Hello Richard,

thank you very much for your help!

I'm looking forward to hearing from you soon.

Lukas R.
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 2 years ago in reply to Lukas R

I like Lukas R 's approach. Would be cool to see what is blocked to take a deeper look what or who wanted to start a powershell command. Will probably cause issues during windows updates though.
Cancel
Vote Up 0 Vote Down

Cancel
0 Lukas R over 2 years ago in reply to RichardP

Hello Richard,

do you got any new informations for me?

Sincerely Yours

Lukas R.
Cancel
Vote Up 0 Vote Down

Cancel
0 RichardP over 2 years ago in reply to Lukas R

I have been trying to find some way to do this - but each option I have investigated fails out because the block happens before the params are passed to powershell. I don't think this is going to be possible.

The last thing I was going to look into was if the datalake hydration would capture it. I haven't had time to test it yet.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Lukas R over 2 years ago in reply to RichardP

Hello Richard,

Thanks for your information.

Is it poosible to create, based on that community post, an feature request?

Best regards

Lukas R.
Cancel
Vote Up 0 Vote Down

Cancel
0 Qoosh over 2 years ago in reply to Lukas R

You can use the following Sophos Ideas page to submit the feature request. I recommend posting under the "Endpoint Protection" section.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Lukas R over 2 years ago in reply to Qoosh

Thanks you all for your help.

Here is the link of the feature request: https://ideas.sophos.com/forums/285723-endpoint-protection/suggestions/44366529-monitoring-blocked-powershell-events-if-blocked-by

Let's see if it gets implemented or not :).

Best regards

Lukas R.
Cancel
Vote Up 0 Vote Down

Cancel