The Server EDR EAP now captures all PowerShell executions so that they can be reviewed and analysed.
Is PowerShell bad? Not necessarily. In fact, most PowerShell executions are not malicious, but PowerShell can be (and often is) taken advantage of.
The new Sophos EDR capabilities offer the ability to track down the malicious executions that otherwise may remain hidden. For example, executions which use the encoded command argument are more likely to be associated with bad behaviour and are less common in good executions.
Details being captured include:
• Command line arguments passed
• Time of the execution
• User who ran the process
• Parent process name
• Parent process hash
Learn more:
https://vimeo.com/330769513/f24084019f
Regards,
Stephen
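An added example (not part of Stephen's post or of Sophos' own tooling) showing the kind of review the captured fields make possible: it scans captured executions in a constructed record shape (the field names and the sample records are assumptions), flags those that use the encoded command argument in any of its accepted prefix forms, and decodes the payload so an analyst can see what actually ran alongside the user and parent-process context.

```python
import base64

# Any prefix of "EncodedCommand" (down to "-e") selects that powershell.exe
# parameter, so detection must match prefixes, not one fixed spelling.
def is_encoded_switch(token: str) -> bool:
    if token[:1] not in ("-", "/"):
        return False
    key = token[1:].lower()
    return bool(key) and "encodedcommand".startswith(key)

def decode_encoded_command(cmdline: str):
    """Return the decoded script when cmdline uses an encoded command, else None.
    PowerShell expects the value as base64 of UTF-16LE text."""
    tokens = cmdline.split()  # splitting on whitespace is enough to find the switch
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_switch(tok):
            blob = tokens[i + 1].strip('"\'')
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload>"  # still worth an analyst's attention
    return None

def review(records):
    """Keep only captured executions that carry an encoded command, attaching the
    decoded script next to the user and parent-process context for triage."""
    flagged = []
    for rec in records:
        decoded = decode_encoded_command(rec["command_line"])
        if decoded is not None:
            flagged.append({**rec, "decoded": decoded})
    return flagged

def encode_for_sample(script: str) -> str:
    """Builds the encoded value for the constructed sample records below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample records (assumed field names) mirroring the captured details
# listed in the post: command line, time, user, parent name, parent hash.
SAMPLE_RECORDS = [
    {"time": "2019-04-15T09:12:03Z", "user": "CORP\\svc-backup", "parent_name": "backup.exe",
     "parent_hash": "<hash placeholder>",
     "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\rotate.ps1"},
    {"time": "2019-04-15T09:14:51Z", "user": "CORP\\jdoe", "parent_name": "winword.exe",
     "parent_hash": "<hash placeholder>",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_for_sample("Get-Date")},
]

if __name__ == "__main__":
    for hit in review(SAMPLE_RECORDS):
        print(f'{hit["time"]} {hit["user"]} parent={hit["parent_name"]} ran: {hit["decoded"]}')
```

Only the second record is reported, because the first runs a script file without an encoded command, while a prefix such as -ex (ExecutionPolicy) is correctly not mistaken for the encoded switch.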