SOPHOS THREAT HUNTING USE CASES

Sophos EDR gives you the tools you need to track down evasive, subtle threats and quickly clean them up. Here are a few examples of the indicators of compromise you can hunt for:


Network attacks - Identify processes that are making unusual network access attempts. Examples include:

  • Detect processes attempting to connect on non-standard ports or unusual outbound traffic from a cloud workload
  • Analyze cloud security groups to identify resources exposed to the public internet
  • Remotely access the device/workload, terminate the process and check for lateral movement

Modified files - Find items that have been modified in an unexpected manner. Examples include:

  • Identify processes that have recently modified files or registry keys
  • Remotely access the device, examine the changes and take appropriate action

Obfuscated scripts - Fileless, memory based attacks are an increasingly common attack vector. You can:

  • Dig into the details of unexpected PowerShell executions
  • Remotely access the device, run additional forensic tools and terminate suspect processes


Disguised processes - Some malicious processes can disguise themselves in order to avoid detection. Examples include:

  • Detect processes that have disguised themselves as ‘services.exe’
  • Remotely access the device and terminate the suspicious process and run forensic tools
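As an added illustration (not Sophos code or a Live Discover query), the "disguised as services.exe" hunt above expressed as a small Python check over a constructed process snapshot; the expected path, expected parent and look-alike threshold are assumptions based on how the genuine Windows services.exe normally runs.

```python
# Added example, not Sophos code: flag processes masquerading as services.exe.
# Assumptions: genuine services.exe runs from %SystemRoot%\System32 and is
# started by wininit.exe; names within a small edit of the real one are
# treated as look-alikes.
import difflib
from dataclasses import dataclass
from typing import Dict, List

TARGET = "services.exe"
EXPECTED_PATH = r"c:\windows\system32\services.exe"
EXPECTED_PARENT = "wininit.exe"
LOOKALIKE_RATIO = 0.85  # assumed similarity threshold


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent_name: str


def masquerade_reasons(p: Proc) -> List[str]:
    """Return why this process looks like a disguised services.exe (empty list = nothing suspicious)."""
    name = p.name.lower()
    reasons: List[str] = []
    if name != TARGET:
        # Not claiming to be services.exe; only flag near-identical names.
        if difflib.SequenceMatcher(None, name, TARGET).ratio() >= LOOKALIKE_RATIO:
            reasons.append(f"look-alike name {p.name}")
        return reasons
    if p.path.lower() != EXPECTED_PATH:
        reasons.append(f"unexpected path {p.path}")
    if p.parent_name.lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent {p.parent_name}")
    return reasons


def hunt(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process that fails the checks."""
    return {p.pid: r for p in procs if (r := masquerade_reasons(p))}


# Constructed sample snapshot, not real telemetry.
SAMPLE = [
    Proc(652, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    Proc(4120, "services.exe", r"C:\Users\Public\services.exe", "explorer.exe"),
    Proc(4188, "Services.exe", r"C:\Windows\System32\services.exe", "cmd.exe"),
    Proc(5012, "servlces.exe", r"C:\ProgramData\servlces.exe", "powershell.exe"),
    Proc(900, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(pid, "; ".join(reasons))
```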

MITRE ATT&CK framework - The MITRE ATT&CK framework is a commonly used template for identifying attack techniques. You can:

  • Use your own or Sophos built-in queries to identify potential attacks that use common adversary tactics and techniques
  • Based on the attack technique, hone your investigation in on potential follow-up attacks or areas to double-check

Incident scope - Understand the impact of an incident and which devices and users were impacted. You can:

  • Identify devices that clicked on a link from a phishing email
  • See which devices downloaded files from the phishing site, remotely access them and perform cleanup

Try it now for free. Contact us for a free 30-day evaluation, demo session or a quote.