
Using Sophos Enterprise to monitor End point user account

Hi All,

I was asked about the possibility of Sophos to manage/monitor the End point local account creation.

For example, a staff member creates a local user on PC1 and Sophos is able to track that such an action was done, OR to prompt that this user account creation request has been blocked or disallowed.

Sophos will create a local account called SophosSAUComputerName during installation on the endpoint, but would Sophos also be aware of other local accounts being created?

Is it even possible?

I've tried to google something similar when I was asked about this, but I don't think this is part of Sophos functionality?

Could anyone verify?

Appreciate it!



This thread was automatically locked due to age.
  • Hello silentjess,

    there are other, less conspicuous ways to "ensure" remote access to a computer than creating a local account - especially when you have been able to elevate your privileges. It's not clear what their actual purpose could be.

    You can check if and when the accounts have been logged on with net user accountname (there's unfortunately no interface provided to obtain their creation date). It would also be strange if users on several workstations, and servers as well, had encountered the same malware. More likely (though equally strange) would be that only one computer downloaded some malware which then reached out (from "inside") to the other computers (still, there's no explanation for the accounts created).

    Is there any suspicious activity? Have the accounts been used, are new ones created if you delete them? Is there an unusually high number of detections (you'd have to run a report, SEC displays only outstanding alerts and not those which have been dealt with)?

    Christian   

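The reply above points out that net user only shows last-logon times and that there is no interface for an account's creation date. Windows itself does record account creation in the Security log (event ID 4720, "A user account was created") when user-account-management auditing is enabled, so a defender can build the check the original poster asked about without relying on the endpoint product. The script below is an added example, not Sophos functionality and not code from anyone in this thread: it lists the local accounts with their last logon (the same data net user gives), pulls recent 4720 events, and flags accounts that are neither built-in, nor the SophosSAU account mentioned in the question, nor explained by a logged creation event. The prefix list, look-back window and "unexplained" classification are assumptions of this example; it needs local administrator rights and Get-LocalUser (Windows 10 / Server 2016 or later).

```powershell
# Added example (not part of the original thread, not Sophos functionality):
# inventory local accounts on this endpoint and correlate them with
# Security-log account-creation events (ID 4720). Run elevated.
param(
    # Account-name prefixes treated as expected; "SophosSAU<ComputerName>"
    # is the auto-update account the original post mentions (assumption:
    # your environment has no other expected local accounts).
    [string[]]$ExpectedPrefixes = @('SophosSAU'),
    # How far back to search for 4720 events (assumed window).
    [int]$Days = 30
)

# 1. Local accounts with last-logon time, the same data "net user <name>"
#    shows. Well-known accounts (Administrator, Guest, ...) have RIDs
#    below 1000; accounts created after install start at 1000.
$localAccounts = foreach ($u in Get-LocalUser) {
    $rid = [int]($u.SID.Value.Split('-')[-1])
    $expected = $false
    foreach ($p in $ExpectedPrefixes) {
        if ($u.Name.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
            $expected = $true
        }
    }
    [pscustomobject]@{
        Name      = $u.Name
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogon
        BuiltIn   = ($rid -lt 1000)
        Expected  = $expected
    }
}

# 2. Account-creation events. Get-WinEvent raises an error when nothing
#    matches or when the Security log is not readable, so treat that as
#    "no evidence" rather than a crash.
$since  = (Get-Date).AddDays(-$Days)
$events = @()
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720
        StartTime = $since
    } -ErrorAction Stop
} catch {
    Write-Warning "No readable 4720 events in the last $Days days: $($_.Exception.Message)"
}

$created = foreach ($e in $events) {
    # The interesting fields live in EventData; pull them out of the XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Created   = $e.TimeCreated
        Account   = $data['TargetUserName']
        CreatedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

# 3. Accounts that are not built-in, not expected, and have no creation
#    event in the window: these are the ones worth asking questions about.
$unexplained = $localAccounts | Where-Object {
    -not $_.BuiltIn -and -not $_.Expected -and ($_.Name -notin @($created.Account))
}

"== Local accounts on $env:COMPUTERNAME =="
$localAccounts | Format-Table -AutoSize | Out-String
"== Account creations logged since $since =="
$created | Format-Table -AutoSize | Out-String
"== Unexplained local accounts =="
if ($unexplained) { $unexplained | Format-Table Name, Enabled, LastLogon -AutoSize | Out-String }
else { "(none)" }
```

If the 4720 section comes back empty on a machine where accounts clearly exist, that usually means "Audit User Account Management" was not enabled when they were created (or the Security log has since rolled over), which is exactly the gap the reply describes: last-logon data survives, creation time does not. Running the script from the management server against each endpoint (for example over PowerShell remoting) gives the fleet-wide view the original question was after.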