Sophos EDR gives you the tools you need to track down evasive, subtle threats and quickly clean them up. Here are a few examples of the indicators of compromise you can hunt for:


Network attacks - Identify processes that are making unusual network access attempts. Examples include:

  • Detect processes attempting to connect on non-standard ports or unusual outbound traffic from a cloud workAload
  • Analyze cloud security groups to identify resources exposed to the public internet
  • Remotely access the device/workload, terminate the process and check for lateral movement

Modified files - Find items that have been modified in an unexpected manner. Examples include:

  • Identify process that have recently modified files or registry keys
  • Remotely access the device, examine the changes and take appropriate action

Obfuscated scripts - Fileless, memory based attacks are an increasingly common attack vector. You can:

  • Dig into the details of unexpected PowerShell executions
  • Remotely access the device, run additional forensic tools and terminate suspect processes


Disguised processes - Some malicious processes can disguise themselves in order to avoid detection. Examples include:

  • Detect processes that have disguised themselves as ‘services.exe’
  • Remotely access the device and terminate the suspicious process and run forensic tools

MITRE ATT&CK framework - The MITRE ATT&CK framework is a commonly used template for identifying attack techniques. You can:

  • Use your own or Sophos built in queries to identify potential attacks using common tactics and techniques by adversaries
  • Based on the attack technique hone your investigation in on potential follow up attacks or areas to double check

Incident scope - Understand the impact of an incident and which devices and users were impacted. You can:

  • Identify devices that clicked on a link from a phishing email
  • See which devices downloaded files from the phishing site, remotely access them and perform cleanup

Try it now for free. Contact us for a free 30-day evaluation, Demo session or a Quote.