Sophos Central: How to find malicious PowerShell implementations with Intercept X

Overview

  • Intercept X Advanced with EDR now captures all PowerShell executions so that they can be reviewed and analyzed.
  • This article will guide you through how to find malicious PowerShell implementations with Intercept X.

Is PowerShell bad?

  • Not necessarily. In fact, most PowerShell executions are not malicious, but PowerShell can be (and often is) taken advantage of.
  • Intercept X already blocks known malicious PowerShell activity. The Application Lockdown feature automatically terminates a protected application based on its behavior. For example, when an Office application is leveraged to launch PowerShell, access WMI, run a macro to install arbitrary code, or manipulate critical system areas, Sophos Intercept X will block the malicious action – even when the attack doesn’t spawn a child process. It also prevents malicious PowerShell code executions via Dynamic Data Exchange. Learn more about exploit protection with Intercept X.

What to do

  • Log in to Sophos Central using your username and password.
  • Go to Threat Analysis Center > Threat Searcher and type PowerShell in the search box as shown below.
  • Press Enter and select Admin Tools; the results are shown below.
