This knowledge base article provides examples of Sophos Threat Cases (previously called Root Cause Analysis) that have been automatically created due to a malware detection. The purpose of a threat case is to help admins understand what happened on the affected computer before the detection occurred. Using this information can help you understand ongoing infections, as well as how to further improve your security against similar attacks in the future.
Please note this article only applies to customers licensed to use Sophos Central Intercept X (CIX) or Sophos Endpoint Detection and Response (EDR).
This article is part of a series of example Threat Cases. The start of each article includes a detailed description of all the different sections in a Threat Case; if you are already familiar with this information, we suggest you skip to the Example Threat Case walkthroughs at the bottom. For more information please see the Related information section.
The following sections are covered:
Applies to the following Sophos products and versions:
- Sophos Intercept X
- Sophos Endpoint Detection and Response
- Sophos Central Admin
Threat cases are automatically created after a malicious detection occurs. The purpose of these is to help an admin understand what happened before the detection occurred. For example, a detection on a Microsoft Word file could have generated a Threat Case that shows this file was written to the computer by Outlook.exe, indicating that the user received and opened a malicious attachment on an email. With this information you may be able to identify gaps in your security that could be improved.
Note: Threat cases are only created for malicious detections; this does not include detections for PUAs, Application Control, Device Control or Web Control. Additionally, if Sophos isn't able to automatically confirm a root cause, a Threat Case may not be generated.
Threat cases can be found by logging into the Sophos Central Admin console and clicking the Endpoint Protection or Server Protection menu link in the My products section:
The most recent Threat Cases are displayed at the top of the Dashboard page:
For Sophos Intercept X customers (without Sophos EDR), a full list of Threat Cases can also be found by going to either Endpoint Protection or Server Protection; under the Analyze section there will be a link to Threat Cases.
For customers with Sophos EDR, the full list of Threat Cases can be found in the below locations:
To view a Threat Case click on the detection Name:
Note: Customers with Intercept X will only see Threat Cases that have been automatically generated. These are displayed under the Sophos generated tab. Customers using Sophos EDR will also see the Admin generated tab for Threat Cases that they have manually created.
At the top of every Sophos generated threat case (excludes Admin generated) you will see the simplified events chain. This gives you the very basic details of what happened.
Every Threat Case will have a Summary section that displays the basic information. This includes the detection name, root cause, possible data involved, the user and device name, and when the detection happened. Depending on the detection there may be additional information shown.
This section provides automated advice on the possible next actions you can take. The advice displayed is dependent on the type of detection and the information that was collected. It includes the ability to set the priority and status of the Case record for this Threat Case; this is covered in more detail later. For Sophos EDR customers you will have the additional option to isolate this computer. For more information on computer isolation please see: Sophos Central - Computer Isolation Overview
The Analyze tab contains the majority of the Threat Case information. Here you will be presented with a graph of what Sophos has detected, which is referred to as the Beacon and what we have determined was the Root Cause. The Beacon and Root Cause will be linked by a chain of events that are known as the attack chain. Below is an example attack chain:
Attack chains include several different icons to help you quickly identify what happened and the most suspicious events to investigate.
By clicking on an event in the attack chain, a menu is displayed on the right hand side with additional information and options for that event. For example, in the picture below we have selected a file called 431.exe; in the right hand menu we can see the path of this file.
The information and options provided are covered in more detail later, in the Threat Intelligence section.
All of the information provided in the attack chain graph is also listed in a table. This can be found below the graph on the Analyze tab. The items in the table are referred to as Artifacts. By selecting artifacts their additional information is displayed in the right hand menu. You are also able to search the artifacts list and use the filter options to help your investigation.
The ability to create Forensic Snapshots means that customers with Sophos EDR can request endpoints to generate a snapshot on demand so that you can perform a detailed analysis of an endpoint's activity. To analyse the snapshot you'll need to convert it into a usable format using a tool that Sophos provides. For more information on this please see: Sophos Intercept X Advanced with EDR: Help with Forensic Snapshots
The Export to CSV option is available in the top right of the artifacts list; it exports all the event information, including file names, paths, registry keys, PIDs, SHA-256 hashes and other details. Below is an example of exported CSV data in Microsoft Excel.
By selecting events in the analyze graph the right hand menu will be displayed providing additional information. If you select the root cause, beacon or any of the processes you will be presented with SophosLabs Threat Intelligence information.
Please note: The information provided to customers using Intercept X is limited compared to customers who additionally have EDR. For this reason the sections below have been split into two categories:
For more information please see: Intercept X Advanced with EDR
For any processes that ran and are displayed in the attack chain, you will have additional options available to you in the right hand menu when you select the process in the graph. These options are also available for the beacon event. For example, in the picture below we have selected the root cause event, which has already been identified as the browser Internet Explorer. On the right hand menu we can see the reputation of the file at the point the threat case was generated, as well as information such as the filename, path, SHA-256 hash, when the file was run and for how long.
By selecting the Request Latest Intelligence button, the file will be submitted to SophosLabs; a report is generated a couple of minutes later and additional information is displayed. Below is an example of a SophosLabs Threat Intelligence report for a Sophos Intercept X customer (without EDR).
Customers licensed for Sophos EDR benefit from several additional features, one of these is the detailed SophosLabs Threat Intelligence reports. These reports provide you with a more in-depth analysis of the file, which can help you decide if the file is malicious or clean. Full details of what is available in these reports can be found here: Sophos Central: Threat intelligence overview
Below are some examples.
For portable executable (PE) files (such as .exe, .dll) Sophos EDR customers are able to use the Search functionality which will launch a Threat Search for the selected file. This can be used to identify if a specific file has been seen on other computers in your environment. For more details on this please see: Sophos Central: Threat Searches overview
The search option is available for all PE files that have an uncertain or bad reputation.
Sophos customers licensed for EDR are able to use the clean and block feature. This allows you to immediately detect and remove potentially malicious files from every Sophos protected computer in your environment. This feature is currently limited to PE files that have an uncertain or bad reputation.
Any PE files that have an uncertain or bad reputation and are marked for Clean and block will be added to the Blocked items list in Global Settings.
A case record is created for every threat case; it can be used by admins to add comments about the investigation. This can be useful if you have multiple admins looking at threat cases and wanting to record notes.
In the next section we will take real Threat Cases that show different types of malware detections; using the information provided, we will investigate what additional actions could be taken to further improve your security. Please note that many real-world threat cases won't necessarily provide options to improve your security; they can also just act as a record of what happened.
After clicking on the new threat case for an ML/PE-A detection, we are presented with the simplified events chain. In this example it shows that the computer WIN7 had the root cause of the email client Outlook.exe and a beacon event on a file called 431.exe; this file was detected on November 14th and cleaned.
Looking at the analyze attack chain graph below we can see several events linking the root cause (Outlook) on the left hand side, to the beacon event (431.exe) on the right. We can also see that the beacon file also has an uncertain reputation.
Before we dig any deeper into this, let's get a better overview of what happened by selecting the Show direct path option from the drop down menu on the right hand side.
This hides most of the events, leaving only the ones that directly link the root cause to the beacon. It is now easy to see that Outlook wrote a Word document called rgnr-avr111205-85.doc; we can also see that Outlook launched a Microsoft Office application, which read the doc file.
We can already see that the Microsoft Office event does not have a reputation icon, which means it has a good reputation.
Note: Reputation is only calculated for Portable Executable (PE) files, for example .exe, .dll. It is not shown for other file types such as .doc, .pdf, .png.
By selecting the Microsoft Office event, we can see that SophosLabs Threat Intelligence information is already available and confirms that it does have a good reputation, we can also see the path and name of the file indicates this is the Microsoft Word application.
For customers using Sophos EDR, we can also see that on the File breakdown tab the file is signed by Microsoft. We could look at the other tabs to further verify the legitimacy of this file, however it is pretty clear this is the real Microsoft Word application.
This tells us the user most likely received an email with the Word document attached and that they opened the attachment. Let's look at the next event.
We can see that Microsoft Office launches the Windows Command Processor (CMD); again, by selecting this event we can see it has a good reputation and we are happy this is the legitimate version of CMD.exe. What is suspicious, though, is the command line it was launched with.
By selecting the see all link we can see the full command.
Looking at this code you will most likely not have any idea what it is designed to do, however that is exactly the idea. This is a heavily obfuscated bit of code. Obfuscation is very typical in malicious code and is designed to hide the true goal behind the code as well as make it harder for security software to analyze. We may not know what it is doing but we are certain it is very suspicious.
We can also see that when CMD was launched it then launched another copy of CMD, this one with a similar suspicious command line.
This second CMD is used to launch Microsoft Powershell.
We can also see that Powershell has been launched with an obfuscated and very suspicious command line.
Powershell has then written the 431.exe file which was detected by Sophos Deep Learning as ML/PE-A.
By selecting the beacon event we can see confirmation that it has an uncertain reputation, and that it was written to the user's AppData location. This location is typically meant for data, not executables, so this is also suspicious.
Important: Customers who are not using Sophos EDR will only see the single Process details tab.
For customers using Sophos EDR, pressing the Request latest intelligence button retrieves the file from the Sophos quarantine and submits it to SophosLabs. A couple of minutes later the four other tabs pictured (Report summary, Machine learning analysis, File properties, File breakdown) will be displayed. The purpose of these additional tabs is to present the various properties of the file in a simple way. This can be useful for various reasons, one of them being to feel confident that the file is indeed malicious and not something you want in your environment. For more information on SophosLabs Threat Intelligence, please see: Sophos Central: Threat intelligence overview.
Now that we understand that the file was malicious and that it came from an email, which then used Microsoft Word, CMD and Powershell to execute the attack chain, we can decide what could be done to help prevent this type of attack happening again.
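As an added example that is not part of this article or of Sophos's own tooling, the following Python script takes an artifact list shaped like the CSV export described earlier and reproduces two things from this walkthrough: the Show direct path view (walking parent links from the beacon back to the root cause) and the suspicious points an analyst looks for (an Office application launching CMD or PowerShell, obfuscated command lines, and an executable written under AppData). The column names, the parent column and the sample rows are constructed assumptions; the real export format may differ.

```python
import csv
import io
import re

# Constructed sample shaped like an exported artifact list. The columns, the
# parent column and the values are assumptions for this example, not the real
# Sophos export format; names follow the walkthrough above.
SAMPLE_CSV = """id,parent,name,type,path,cmdline
1,,OUTLOOK.EXE,process,C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE,
2,1,rgnr-avr111205-85.doc,file,C:\\Users\\user\\AppData\\Local\\Temp\\rgnr-avr111205-85.doc,
3,1,WINWORD.EXE,process,C:\\Program Files\\Microsoft Office\\WINWORD.EXE,
4,3,cmd.exe,process,C:\\Windows\\System32\\cmd.exe,cmd /c set a=pow&&set b=ersh&&call %a%%b%ell -e QUJDREVGRw==
5,4,cmd.exe,process,C:\\Windows\\System32\\cmd.exe,cmd /c p^o^w^e^r^s^h^e^l^l -e QUJDREVGRw==
6,5,powershell.exe,process,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -nop -w hidden -e QUJDREVGRw==
7,6,431.exe,file,C:\\Users\\user\\AppData\\Roaming\\431.exe,
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
ENCODED = re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand)?\s")  # encoded-command switch

def load_artifacts(text):
    """Index the exported rows by their id so parent links can be followed."""
    return {r["id"]: r for r in csv.DictReader(io.StringIO(text))}

def direct_path(artifacts, beacon_id):
    """Walk parent links from the beacon back to the root cause (Show direct path)."""
    chain, cur = [], artifacts[beacon_id]
    while cur is not None:
        chain.append(cur["name"])
        cur = artifacts.get(cur["parent"])  # root cause has no parent
    return list(reversed(chain))

def looks_obfuscated(cmd):
    """Cheap heuristics for command lines like those in the walkthrough."""
    return bool(ENCODED.search(cmd)) or cmd.count("^") >= 3 or "%%" in cmd

def findings(artifacts):
    """Flag the suspicious events an analyst would want to investigate first."""
    out = []
    for r in artifacts.values():
        parent, name = artifacts.get(r["parent"]), r["name"].lower()
        if r["type"] == "process" and name in SHELLS and parent and parent["name"].lower() in OFFICE:
            out.append(f"{parent['name']} launched {r['name']}")
        if r["type"] == "process" and looks_obfuscated(r["cmdline"]):
            out.append(f"{r['name']} (id {r['id']}) has an obfuscated command line")
        if r["type"] == "file" and name.endswith(".exe") and "\\appdata\\" in r["path"].lower():
            out.append(f"{r['name']} written under AppData")
    return out
```

On the sample, `direct_path(load_artifacts(SAMPLE_CSV), "7")` yields Outlook, Word, the two CMD instances, PowerShell and 431.exe, matching the chain shown in the walkthrough.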
Firstly, a spam email with a malicious attachment got into your network, which means it got past any email spam-scanning software you have and also avoided detection for the malicious Word document. Regularly reviewing your email security policies to ensure you are following best practice and using the latest protection is recommended. If you are not already a customer, we recommend the Sophos XG firewall to handle your email protection, combined with Sophos Sandstorm to add the protection of a sandbox environment that safely executes potential email threats before they enter your environment.
You also have a user who opened the suspicious Word document from the spam email; with better user education this potentially could have been avoided. Sophos Phish Threat allows you to create realistic email phishing campaigns to send to your users, tracking which users fall for the spam email and directing them to training material.
The next layer of protection you could look at is Sophos Application Control, which is already included in all Sophos Central Endpoint and Server Advanced licenses, as well as Sophos Intercept X Advanced with EDR. With Application Control you could choose to block your users from running specific applications. While you are unlikely to stop them from running Microsoft Word, do they really need to be able to run Powershell? This could be blocked with Application Control.
For customers using Sophos EDR there are additional steps you could take right away. For example you could use the Search for item option to see if any other Sophos protected endpoints in your environment had seen the 431.exe file. This search will report back any computer that had ever had this file. For more information on Threat Searches please see: Sophos Central: Threat Searches overview
If you were concerned that the computer was still infected, or just wanted to be safe until you had spoken to the user, you could use the Isolate this computer option in the Suggested next steps section. This would disable all TCP and UDP traffic on the computer other than communication to Sophos. For more information on computer isolation please see: Sophos Central - Computer Isolation Overview
If you would like to look at other Threat Case examples, please see the links in the Related information section below. You can also use the community forum to post questions about any threat cases you have and would like advice on.