This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos keeps notifying c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exec_28a (T1059.001) and Exec_6a (T1059.001)

Matteo Vinti 7 months ago

Hello Everyone, I have tryied to search about this in the forum but couldn't find anything.

My scenario is : XGS2100 Xstream protection + Endpoints with advanced Threat protection.

I keep receiving this two alerts but I have tried to see what to do and cannot undestand where is the cause.

In Sophos Central i find "root cause cannot be identified".

Process involved is windows powersheel but in traffic graphing there is nothing showing.

Notification that arrives from central says that it was impossible to remove the threat but if I log into the client and check sophos endpoint it says that threat has been removed.

did anybody encounter same behaviour?

thanks in advance

regards

This thread was automatically locked due to age.

0 SayFriedLight 7 months ago

Ciao Matteo,

please check doc.sophos.com/.../index.html
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 7 months ago

I would be interested to see what PowerShell is being called when the alert happens:

Windows has a couple of Event logs that log PS activity, e.g;

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Is there something you can find that doesn't look right or unexpected in the history?

This is all audited in the journals of Sophos if you have the full EDR component but for convenience I would check the above initially.
Cancel
Vote Up 0 Vote Down

Cancel
0 Matteo Vinti 7 months ago in reply to SayFriedLight

Thanks Say, I red that but it's not helping me on how to investigate..
Cancel
Vote Up 0 Vote Down

Cancel
0 Matteo Vinti 7 months ago in reply to Sophos User930

Thanks, Yes I tried to check there and the funny thing is that I cannot see anything in those moments.... I only have some errors regarding Dell Softwares (it's a Dell Notebook) that are trying to upgrade or download some updates and those actions cannot complete. I don't know if Sophos could maybe interpret those actions as threats...

I will keep searching...
Cancel
Vote Up 0 Vote Down

Cancel