Will automatic interception be added to SOPHOS detection mode MITRE ATT&CK in the future?

Now this mode only has observation mode, I hope to add interception mode in the future, for example, if the high risk level exceeds a certain score, automatic interception will be triggered and threat chart will be automatically built



Added Tags
[edited by: GlennSen at 7:13 AM (GMT -8) on 24 Jan 2023]
  • Hi Leung233,

    Thanks for reaching out to the Sophos Community Forum. 

    The detections you are seeing here typically require more analysis to determine all of what may be impacted on your environment. Creating an automated response based on the information Sophos ingests may be possible in the future, but I'm not aware of any immediate plans to develop something like this. The need to have a more intimate understanding of your network and environment is why incident response teams exist today.

    If the powershell command you've highlighted here is run by a user logged in normally into a workstation, a detection may not be raised. An adversary with elevated access to your systems running commands under the "normal user context" may not be detected by an antivirus due to the commands being seen as legitimate. 

    If there is another process on the system which tries to execute this PowerShell command, that will be detected as malicious. 

    Do let me know if this helps, and if I understood your question correctly.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids