Sophos keeps notifying c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exec_28a (T1059.001) and Exec_6a (T1059.001)

Hello everyone, I have tried to search about this in the forum but couldn't find anything.

My scenario is: XGS2100 Xstream protection + endpoints with Advanced Threat Protection.

I keep receiving these two alerts, but I have tried to see what to do and cannot understand where the cause is.

In Sophos Central I find "root cause cannot be identified".

The process involved is Windows PowerShell, but in traffic graphing there is nothing showing.

The notification that arrives from Central says that it was impossible to remove the threat, but if I log into the client and check Sophos Endpoint it says that the threat has been removed.

Did anybody encounter the same behaviour?

Thanks in advance.

Regards

Updated the tags
[edited by: Gladys at 9:20 AM (GMT -8) on 2 Jan 2024]
I would be interested to see what PowerShell is being called when the alert happens:

Windows has a couple of Event logs that log PS activity, e.g.:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Is there something you can find that doesn't look right or unexpected in the history?

This is all audited in the journals of Sophos if you have the full EDR component, but for convenience I would check the above initially.

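A worked way to do the check the reply above suggests, added here as an example and not code from the thread or from Sophos: it pulls the Script Block Logging events (ID 4104) from the Microsoft-Windows-PowerShell/Operational log in a window around the Sophos detection time, plus the engine-start events (ID 400) from the classic "Windows PowerShell" log, which carry the full powershell.exe command line. It assumes you run it elevated on the affected endpoint, that `$AlertTime` is the time shown in Sophos Central for the Exec_28a / Exec_6a event, and that the `REVIEW` keyword list is a starting point for triage, not a verdict. The parameter names and the `-EvtxPath` option are this example's own.

```powershell
# Added example, not from the thread or from Sophos. Run in an elevated PowerShell
# on the affected endpoint. Assumes Script Block Logging is on (otherwise 4104 is
# sparse) and that $AlertTime is the detection time shown in Sophos Central.
param(
    [datetime]$AlertTime     = (Get-Date),
    [int]     $WindowMinutes = 30,
    [string]  $EvtxPath      = ''   # optional: an exported .evtx instead of the live log
)

$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

# Is 4104 logging even turned on by policy? Without it you mostly get engine-start events.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sblOn  = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
Write-Host "Script Block Logging enabled by policy: $sblOn"

# Filter: live Operational log by default, or an exported .evtx (the file the reply names).
$filter = @{ Id = 4104; StartTime = $start; EndTime = $end }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Microsoft-Windows-PowerShell/Operational' }

# 4104 properties: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
$blocks = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        ProcessId = $_.ProcessId
        Path      = $_.Properties[4].Value      # empty for -Command / -EncodedCommand input
        Text      = [string]$_.Properties[2].Value
    }
}

# Traits that often sit behind a T1059.001 detection and deserve a human look:
# encoded commands, download cradles, execution-policy bypass, hidden windows.
$watch = '(?i)EncodedCommand|-enc\b|FromBase64String|DownloadString|DownloadFile|Invoke-Expression|\biex\b|-ep bypass|ExecutionPolicy bypass|-nop\b|-w(indowstyle)? hidden'

"`n== Script blocks {0:u} .. {1:u} (count {2}) ==" -f $start, $end, @($blocks).Count
$blocks | Sort-Object Time | ForEach-Object {
    $flag = if ($_.Text -match $watch) { 'REVIEW' } else { '      ' }
    $src  = if ($_.Path) { $_.Path } else { '<no script file: command line, pipe or encoded input>' }
    '{0} {1:HH:mm:ss} pid={2,-6} {3}' -f $flag, $_.Time, $_.ProcessId, $src
    # First 200 characters of the block on one line so long scripts stay readable.
    $t = $_.Text -replace '\s+', ' '
    '        ' + $t.Substring(0, [Math]::Min(200, $t.Length))
}

# Engine starts (ID 400, classic "Windows PowerShell" log) record the full
# powershell.exe command line as HostApplication=... even when 4104 is off.
"`n== Engine starts (HostApplication) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hostApp = ($_.Message -split '\r?\n' | Where-Object { $_ -match '^\s*HostApplication=' }) -replace '^\s*HostApplication=', ''
        $flag = if ($hostApp -match $watch) { 'REVIEW' } else { '      ' }
        '{0} {1:HH:mm:ss} {2}' -f $flag, $_.TimeCreated, $hostApp
    }
```

Save it as a script and run it with `-AlertTime '2024-01-02 09:20'` (the time from the Sophos Central event) or point `-EvtxPath` at a copy of the Operational .evtx taken off the machine. The `pid=` column is what you match against the process ID Sophos reports for powershell.exe; rows marked `REVIEW` and rows with no script file are the ones to read in full, since a scheduled task, management agent or installer that launches an encoded or in-memory PowerShell command is the usual reason Central cannot name a root cause.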