
Sophos keeps notifying c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Exec_28a (T1059.001) and Exec_6a (T1059.001)

Hello Everyone, I have tried to search about this in the forum but couldn't find anything.

My scenario is: XGS2100 Xstream protection + Endpoints with advanced Threat protection.

I keep receiving these two alerts, but I have tried to see what to do and cannot understand where the cause is.

In Sophos Central I find "root cause cannot be identified".

The process involved is Windows PowerShell, but in traffic graphing there is nothing showing.

The notification that arrives from Central says that it was impossible to remove the threat, but if I log into the client and check Sophos Endpoint it says that the threat has been removed.

Did anybody encounter the same behaviour?

Thanks in advance

Regards



  • I would be interested to see what PowerShell is being called when the alert happens:

    Windows has a couple of Event logs that log PS activity, e.g.:

    %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

    Is there something you can find that doesn't look right or unexpected in the history?

    This is all audited in the journals of Sophos if you have the full EDR component but for convenience I would check the above initially. 

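What the reply above suggests checking, as an added example (mine, not the reply author's or Sophos's code): a script that lists the script blocks PowerShell executed, and which process started powershell.exe, in a window around the alert. It assumes Script Block Logging and process-creation auditing are enabled on the endpoint, and $AlertTime is a placeholder for the detection time shown in Sophos Central.

```powershell
# Added example: what PowerShell ran around a Sophos alert, from the two Windows logs that record it.
# $AlertTime is a placeholder; use the detection timestamp shown in Sophos Central.
param(
    [datetime]$AlertTime     = (Get-Date).AddHours(-1),
    [int]     $WindowMinutes = 15
)
$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

# Read a named EventData field from an event record, independent of field order.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' }
}

# 1) Script blocks that actually executed: event 4104 in the PowerShell Operational log.
#    Only present when "Turn on PowerShell Script Block Logging" is enabled.
$blocks = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    StartTime = $start; EndTime = $end
}
if (-not $blocks) { Write-Warning "No 4104 events in window; script block logging may be off." }
$blocks | ForEach-Object {
    $text = (Get-EventField $_ 'ScriptBlockText') -replace '\s+', ' '
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Path   = Get-EventField $_ 'Path'      # empty for -Command / interactive input
        Script = $text.Substring(0, [Math]::Min(160, $text.Length))
    }
} | Format-Table -AutoSize -Wrap

# 2) Which process launched powershell.exe: Security event 4688 (needs "Audit Process Creation"
#    and "Include command line in process creation events"; read the Security log elevated).
$launches = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $start; EndTime = $end
} | Where-Object { (Get-EventField $_ 'NewProcessName') -like '*\powershell.exe' }
$launches | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Parent      = Get-EventField $_ 'ParentProcessName'   # e.g. a vendor updater service
        CommandLine = Get-EventField $_ 'CommandLine'
    }
} | Format-Table -AutoSize -Wrap
```

The Parent column is what ties a detection back to software like a vendor updater, which the Operational log alone does not show.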
  • Thanks, yes I tried to check there and the funny thing is that I cannot see anything in those moments.... I only have some errors regarding Dell software (it's a Dell notebook) that is trying to upgrade or download some updates, and those actions cannot complete. I don't know if Sophos could maybe interpret those actions as threats...

    I will keep searching...