
Malicious process not detected

We had an internal pen test done by a 3rd party and the following remote admin tool was used against us, which Sophos didn't block or detect. Another tool we have running in the environment picked it up and alerted. Please advise as to what we have misconfigured or if there is a flaw in your detection.

https://www.virustotal.com/en/file/3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71/analysis/1503517235/

  • Sophos does detect this file. It is classed as a 'Controlled Application' meaning you can choose to block tools like this if you want.

    If you look in your 'Application Control' policies you will have the ability to block the category of 'Remote management tool'. If you had this enabled the tool wouldn't have been able to run.

    https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/RemCom.aspx 

  • Thank you Peter. Is there a recommended list of Application Control items to block out of the box? This would be helpful, as nothing is turned on by default.

    Also, Mimikatz was used against us as well. Sophos detected it but let it run. I would have expected the process of writing it to our system would be prevented. Again, is there a setting we are missing?

  • Regarding recommended Application Control categories to block, no, there isn't a recommended list. The reason for this is that nothing under Application Control is considered malicious, and all of these applications have genuine reasons for being used in a customer's environment. So we let you decide what you wish to block.

    However, as you can see, we detect Mimikatz as a Potentially Unwanted Application (PUA), as this is commonly used in pen tests as well as maliciously.

    Can you confirm exactly what happened when you put the Mimikatz file on the machine? The detection you show in the screenshot should stop the file from running as well as remove the file from the machine.

    Are you doing a trial, or are you a licensed customer? If so, it would be worth raising a support ticket so we can look at this properly.

  • We are a long-time licensed customer. I have reached out to our account manager and will also open a ticket. Mimikatz was pushed and run without issue (except for that alert). The file still exists on my machine even after running an on-demand scan.

  • OK, in that case can you please open a support ticket and provide a sample of the Mimikatz file for us to look at.

    If you can also collect the SDU logs from the machine you did this test on, that will help us understand what happened.

    Sophos Diagnostic Utility (SDU): Using the utility and sending files to Sophos Technical Support