
Monitoring blocked Powershell events

Hello Community,

Currently we are blocking all PowerShell interaction on all clients in our company via the Application Control feature in Sophos Central.

We are aware that a lot of applications are using powershell for updating their services and stuff like that.

Currently we are missing any option to monitor which processes are trying to execute PowerShell.

In the Logs & Reports section we just see that the user tried to execute the powershell.exe but not which process.

On the logs of the client itself we just get an entry "Powershell got blocked by the administrator".

With Sophos Live Discover we just see successfully executed PowerShell commands, so that doesn't help us either.

Does someone know how we can review the processes which tried to execute PowerShell but got blocked by Sophos?

Thanks in advance!

Sincerely Yours.
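One source the question does not mention is Windows' own process-creation auditing. The following is an added example, not code from the original post or from Sophos: it parses Security event 4688 records in the XML form that `wevtutil qe Security /q:"*[System[EventID=4688]]" /f:xml` or `Get-WinEvent(...).ToXml()` produce, and lists which parent process attempted to start powershell.exe, pwsh.exe or powershell_ise.exe. It assumes "Audit Process Creation" (and, for the command line field, "Include command line in process creation events") is enabled on the client. Whether a launch that Application Control blocks still leaves a 4688 record depends on where the block is enforced; that is not confirmed anywhere in this thread, so treat it as something to verify on a test client. The three records below are constructed for the example.

```python
"""List parent processes of PowerShell launch attempts from Windows 4688 records.

Added example (not from the original post). Input is the XML export of
Security event 4688; the records embedded below are constructed samples.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by every Windows event record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Images that count as "PowerShell" for this check (lower-case, with leading backslash).
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")

# Constructed sample: two PowerShell launches (different parents) and one unrelated process.
SAMPLE_EVENTS = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2023-05-02T08:15:02.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ParentProcessName">C:\Program Files\Example Updater\updater.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -File update.ps1</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2023-05-02T08:16:40.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="CommandLine">cmd.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2023-05-02T08:17:11.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="NewProcessName">C:\Program Files\PowerShell\7\pwsh.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="CommandLine">pwsh.exe -NoLogo</Data>
  </EventData>
</Event>
"""


def parse_4688(xml_text: str) -> list[dict]:
    """Return one dict of EventData fields (plus TimeCreated) per 4688 record."""
    # wevtutil emits a bare sequence of <Event> elements; wrap them in a single root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4688":
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        tc = ev.find("e:System/e:TimeCreated", NS)
        fields["TimeCreated"] = tc.get("SystemTime", "") if tc is not None else ""
        events.append(fields)
    return events


def powershell_attempts(events: list[dict]) -> list[dict]:
    """Keep only records whose new process is a PowerShell host, with parent and user."""
    hits = []
    for f in events:
        image = f.get("NewProcessName", "").lower()
        if image.endswith(POWERSHELL_IMAGES):
            hits.append({
                "time": f.get("TimeCreated", ""),
                "user": f.get("SubjectUserName", ""),
                "parent": f.get("ParentProcessName", "<unknown>"),
                "cmdline": f.get("CommandLine", ""),
            })
    return hits


def parents_by_count(attempts: list[dict]) -> Counter:
    """Aggregate attempts by parent image, which is the view the question asks for."""
    return Counter(a["parent"] for a in attempts)


if __name__ == "__main__":
    attempts = powershell_attempts(parse_4688(SAMPLE_EVENTS))
    for a in attempts:
        print(f'{a["time"]}  {a["user"]:<8} {a["parent"]}  ->  {a["cmdline"]}')
    print("\nLaunch attempts per parent process:")
    for parent, n in parents_by_count(attempts).most_common():
        print(f"  {n:>3}  {parent}")
```

Run it against a real export by replacing `SAMPLE_EVENTS` with the file contents; the parent image names that appear (updaters, installers, service hosts) are the list of callers that Application Control is silently refusing, which is the information the Sophos logs alone do not give.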



  • FormerMember

    Application control doesn't record that sort of action because the call to powershell is blocked at the PS launch based on it being powershell. AppC doesn't care what the parameters passed are.

    If you have XDR, that populates the datalake with the commands set so you could see them through that query system. 

    Is the idea that you want to allow some applications to call powershell? You aren't going to be able to have that granular control with AppC - it's an all or nothing sort of thing. The application is allowed to launch or not - there are no conditions.

  • Hello Richard,

    thanks for your answer.

    But do we see that information in the datalake?

    I thought that we only see data in the Live Discover section which got already executed and not blocked.

    We are aware that AppC is an all-or-nothing setting and we are fine with that.

    We just want to see what applications are getting blocked and it could be a potential attack.

    Greetings.

  • FormerMember in reply to Lukas R

    If AppC blocks it - the command never runs so no data would be sent.

    If your goal is to stop all PS execution and report on every attempt with parameters.... I will have to think of a way to do this. It isn't part of the out-of-the-box configuration we have. Let me mull it over and I will get back to you.

  • Hello Richard,

    thank you very much for your help!

    I'm looking forward to hearing from you soon.

    Lukas R.

  • I like  's approach. Would be cool to see what is blocked to take a deeper look at what or who wanted to start a PowerShell command. Will probably cause issues during Windows updates though.

  • Hello Richard,

    do you have any new information for me?

    Sincerely Yours

    Lukas R.

  • FormerMember in reply to Lukas R

    I have been trying to find some way to do this - but each option I have investigated fails out because the block happens before the params are passed to powershell. I don't think this is going to be possible. 

    The last thing I was going to look into was if the datalake hydration would capture it. I haven't had time to test it yet.

  • Hello Richard,

    Thanks for your information.

    Is it possible to create a feature request based on that community post?

    Best regards

    Lukas R.
