This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Root Cause Analysis - Not showing network connections / lateral movement

Hi,

We recently had a Coin Miner spread in our network.

This was performed by the infected machine dropping files into shared folders of other machines - thankfully Sophos does pick up the file once it was dropped, however, the RCA does not show the machine / network connection that dropped the file?

Why is this? Surely this should be part of what the Data Recorder service should capture for detection of lateral movement - or is Sophos not capable of this? (not great if so)

This thread was automatically locked due to age.

Parents

secronis over 6 years ago

Can you recall what the detection name was or was it ML/PE ML/PUA (Deep Learning Detection) of the miner and/or dropper from patient zero?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

secronis over 6 years ago

Can you recall what the detection name was or was it ML/PE ML/PUA (Deep Learning Detection) of the miner and/or dropper from patient zero?
Cancel
Vote Up 0 Vote Down

Cancel

Children

LRB over 6 years ago in reply to secronis

We haven't been able to work out patient zero - thats the problem.

The identification has changed a few times - it was PE-A first, but now its MAL/MINER-Y.
Cancel
Vote Up 0 Vote Down

Cancel
secronis over 6 years ago in reply to LRB

Have you tried to look at the file sever logs and seeing where the first binary got written to? It also could have been a deliberate attempt by an employee.
Cancel
Vote Up 0 Vote Down

Cancel
secronis over 6 years ago in reply to secronis

We have noticed a spike in internal attacks due to the ease of profit with monero cpu mining. Especially if the adversary could get it to run on many systems.

The ML scanner detected the payload before it could launch.
Cancel
Vote Up 0 Vote Down

Cancel