  • Information regarding HAFNIUM

    On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state. Sophos customers are protected ...
  • Scheduled maintenance for SophosLabs Intelix (US region) - January 16th, 2021 @ 0900 UTC

    SophosLabs will be performing scheduled maintenance for two hours starting January 16th, 2021 at 0900 UTC. Date / Time: Saturday 16th January 0900 – 1100 (UTC). Systems affected: US static and dynamic analysis environment (only). During th...
  • Scheduled Maintenance for Intelix

    Scheduled maintenance for SophosLabs Intelix (EU region) SophosLabs will be performing scheduled maintenance for two hours starting December 6th, 2020 from 0000 – 0200 UTC. During this time there may be disruption to getting status (4xx or 5xx)...
  • PowerShell Command History Forensics

    - Overview

    • PowerShell and Windows Events
    • Get-History
    • Console History File

    - Adversarial Tactics

    • Clear-History
    • Backup/Restore History
    • Delete File History
    • Change PSReadline Configuration

    - Investigation Tips

    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions…

  • Malicious DNS Queries by APT - A Case Study

    Hello Everyone,

    Ever got any malicious URLs? Couldn’t figure out what’s going on?

    This email documents suspicious DNS query attempts which were allegedly malicious according to an advisory shared by the Australian Government.

    The Australian Govt. shared an advisory with a customer which has a very competent team of IT security experts.

    The only SHA value mentioned in their advisory was a DLL which…

  • Decoding Malicious PowerShell Activity - A Case Study

    IT Administrators and Security Specialists often run into a suspicious-looking PowerShell command; sometimes they succeed in decoding it, but often they are reliant on researchers. This blog should serve as guidance for identifying the purpose of suspicious entries found in:

    • Scheduled Tasks
    • RUN Keys in the Registry
    • Static PowerShell Scripts
    • Proxy Logs if a Web Server is exploited for a Remote Code Execution


  • Requests to re-categorize by third parties for PUA/Adware detections (possible Deceptor component)

    Hi Everyone,

    The below article provides details about how we categorize PUA/Adware detections and how to provide us with the information we need to determine if a re-categorization is required.

  • Watch Locky Ransomware in action and learn how Sophos stops it

    Hi everyone,

    We have just published a new video taking a look at how ransomware works. You can find it here: https://www.youtube.com/watch?v=ajTcYRIwoqU

    In this video we are going to show you what happens when Locky Ransomware attacks a computer. You will see what a typical user would see if they were the victim of such an attack. We will then show you several scenarios demonstrating how Sophos protects the computers and…