Demo of SDR Exporter and RCA Threat Case investigation:
For the attack to get as far as it did I had to turn off 90% of the Sophos endpoint protections. In the scenario the adversary compromises the endpoint and downloads multiple malware tools, only one of which is caught. The RCA will show both the convicted software and the suspect files downloaded that did not trigger a detection. The SDR Exporter can be used to see the command line options used in the attack and how the adversary established the initial control.
Check out the video: https://vimeo.com/281641808
In the video we want to use the SQL version of the data recorder information to find out how notepad.exe was launched, because the Threat Case information in Central appears to stop too early to identify the root cause.
This video will show you how to convert a snapshot to SQL and load that into a SQLite browser to hunt for additional information, like the command line used by a PowerShell process or the parent process of a suspect executable.
Explore the Threat case and submit files to Sophos Labs for more information, then use the SDR Exporter to get more detailed information than is available in the threat case.
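The kind of hunt described above (walk the parent chain of notepad.exe back to its origin and pull the PowerShell command lines) can be scripted against the SQLite file instead of clicking through a browser. The following is an added example, not Sophos code and not part of the original post: the table name `process_events` and its columns (`pid`, `ppid`, `image`, `command_line`, `start_time`) are assumed, since the real SDR export schema is not shown here, and the rows are constructed sample data. Point `load_sample_db` at the exported `.db` instead of `:memory:` and adjust the column names to match the real schema.

```python
import sqlite3

# Constructed sample rows for a HYPOTHETICAL "process_events" table.
# The real SDR export schema is not given in the post; these column
# names are an assumption and the values are made up for the demo.
SAMPLE_EVENTS = [
    # (pid, ppid, image, command_line, start_time)
    (1000, 1, r"C:\Windows\explorer.exe", "explorer.exe", "2018-07-20T10:00:00"),
    (2000, 1000, r"C:\Program Files\Mail\mail.exe", "mail.exe", "2018-07-20T10:01:00"),
    (3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1",
     "2018-07-20T10:02:00"),
    (4000, 3000, r"C:\Windows\System32\notepad.exe", "notepad.exe", "2018-07-20T10:03:00"),
]


def load_sample_db(path=":memory:"):
    """Build an in-memory SQLite database with the assumed process table.

    For a real hunt, open the exported snapshot database instead and skip
    the CREATE/INSERT (the table would already exist there).
    """
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS process_events ("
        "pid INTEGER, ppid INTEGER, image TEXT, command_line TEXT, start_time TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def parent_chain(conn, image_name):
    """Return the process ancestry of the first process whose image ends with image_name.

    The list starts with the suspect process and walks ppid links upward until
    the parent is missing from the table (e.g. the session root) or a cycle
    in the recorded data is detected.
    """
    query = "SELECT pid, ppid, image, command_line FROM process_events WHERE pid = ?"
    row = conn.execute(
        "SELECT pid, ppid, image, command_line FROM process_events "
        "WHERE lower(image) LIKE ? ORDER BY start_time LIMIT 1",
        ("%" + image_name.lower(),),
    ).fetchone()
    chain, seen = [], set()
    while row is not None and row[0] not in seen:
        seen.add(row[0])
        chain.append({"pid": row[0], "ppid": row[1], "image": row[2], "command_line": row[3]})
        row = conn.execute(query, (row[1],)).fetchone()
    return chain


def powershell_command_lines(conn):
    """List every recorded PowerShell command line, the detail the Threat Case view omits."""
    rows = conn.execute(
        "SELECT command_line FROM process_events WHERE lower(image) LIKE '%powershell.exe' "
        "ORDER BY start_time"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("Ancestry of notepad.exe (child first):")
    for proc in parent_chain(db, "notepad.exe"):
        print(f"  pid={proc['pid']} ppid={proc['ppid']} {proc['command_line']}")
    print("PowerShell command lines seen:")
    for cmd in powershell_command_lines(db):
        print("  " + cmd)
```

The `seen` set matters on real data: recorder exports can contain reused PIDs, and without it a stale parent link can send the walk into a loop.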
Have fun and feel free to post questions on the forum on this or any other topic related to the EAP for EDR.