Root Cause Analysis - Not showing network connections / lateral movement


We recently had a Coin Miner spread in our network.


This was performed by the infected machine dropping files into shared folders of other machines. Thankfully Sophos does pick up the file once it is dropped; however, the RCA does not show the machine / network connection that dropped the file.


Why is this? Surely this should be part of what the Data Recorder service should capture for detection of lateral movement - or is Sophos not capable of this? (not great if so)

  • Why do these types of posts always get ignored by the Sophos staff who post on here?

  • Can you recall what the detection name was or was it ML/PE ML/PUA (Deep Learning Detection) of the miner and/or dropper from patient zero? 

  • In reply to secronis:

    We haven't been able to work out patient zero - that's the problem.

    The identification has changed a few times - it was PE-A first, but now it's MAL/MINER-Y.

  • In reply to LRB:

    Have you tried looking at the file server logs to see where the first binary got written? It also could have been a deliberate attempt by an employee.
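    The suggestion above (check the file server logs for the first write of the binary) can be worked through with Windows Security event 5145, which records the client address and account for each share access. The script below is an added example, not code from the thread or from Sophos; the event records are constructed samples laid out with 5145's field names, and `update.exe` is a placeholder for the detected miner file name.

    ```python
    # Added example (not from the thread): find the first host that wrote a given
    # binary to an SMB share using Windows Security event 5145 records. The events
    # below are constructed samples, not real logs; field names follow the event.
    from datetime import datetime

    WRITE_MASK = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit in the 5145 Access Mask

    # Constructed 5145-style records: two hosts touch "update.exe", only one writes it
    EVENTS = [
        {"TimeCreated": "2023-03-01T09:14:02", "SubjectUserName": "jsmith",
         "IpAddress": "10.0.5.21", "ShareName": "\\\\*\\Public",
         "RelativeTargetName": "docs\\report.docx", "AccessMask": "0x2"},
        {"TimeCreated": "2023-03-01T09:20:11", "SubjectUserName": "svc-backup",
         "IpAddress": "10.0.7.40", "ShareName": "\\\\*\\Public",
         "RelativeTargetName": "tools\\update.exe", "AccessMask": "0x2"},
        {"TimeCreated": "2023-03-01T09:21:05", "SubjectUserName": "mlee",
         "IpAddress": "10.0.5.33", "ShareName": "\\\\*\\Public",
         "RelativeTargetName": "tools\\update.exe", "AccessMask": "0x1"},  # read only
        {"TimeCreated": "2023-03-01T09:25:48", "SubjectUserName": "svc-backup",
         "IpAddress": "10.0.7.40", "ShareName": "\\\\*\\Finance",
         "RelativeTargetName": "update.exe", "AccessMask": "0x12019f"},
    ]

    def is_write(event):
        """True when the requested access mask includes the write/add-file bit."""
        return int(event["AccessMask"], 16) & WRITE_MASK != 0

    def writes_of(events, basename):
        """All write accesses whose target file name matches basename, oldest first."""
        hits = [e for e in events if is_write(e)
                and e["RelativeTargetName"].split("\\")[-1].lower() == basename.lower()]
        return sorted(hits, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))

    def first_writer(events, basename):
        """(time, source_ip, account, share) of the earliest write, or None."""
        hits = writes_of(events, basename)
        if not hits:
            return None
        e = hits[0]
        return e["TimeCreated"], e["IpAddress"], e["SubjectUserName"], e["ShareName"]

    def spread_timeline(events, basename):
        """Ordered (time, source_ip, share) tuples showing how the file propagated."""
        return [(e["TimeCreated"], e["IpAddress"], e["ShareName"])
                for e in writes_of(events, basename)]

    if __name__ == "__main__":
        print("first writer:", first_writer(EVENTS, "update.exe"))
        for row in spread_timeline(EVENTS, "update.exe"):
            print(row)
    ```

    Event 5145 is only logged when "Audit Detailed File Share" is enabled on the file server, so the lookup depends on that policy having been in place before the outbreak.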

  • In reply to secronis:

    We have noticed a spike in internal attacks due to the ease of profit with Monero CPU mining, especially if the adversary can get it to run on many systems.


    The ML scanner detected the payload before it could launch.