Sophos Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

Sophos Intercept X Advanced with EDR

Product Description

Intercept X Advanced with EDR is built on top of the world’s best endpoint protection; Intercept X stops breaches before they start. Intercept X Advanced with EDR allows you to ask any question about what has happened in the past, and what is happening now on your endpoints. Hunt threats to detect active adversaries, or leverage it for IT operations to maintain IT security hygiene. Powerful, out-of-the-box, customizable SQL queries access up to 90 days of data on disk and in the cloud, giving you the information you need to make informed decisions. When an issue is found, remotely respond with precision.

For additional information, please read the Sophos Intercept X datasheet or the Sophos Intercept X Advanced with EDR datasheet.

Product Configuration

Policy Configuration

  • All prevention layers were disabled to allow the simulated attack to proceed with only EDR monitoring enabled
  • Application control was configured to alert on the use of applications but to not perform any blocking

Detect ONLY Deployment

We had to turn off ALL protection capabilities. With this configuration, potential block events DO NOT generate a notification.

Threat Protection Policy

The only features left enabled are:

  • Enable Threat Case creation
  • Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central

These are required to enable and allow the data recorders to run for discovery and telemetry queries. All other protections are changed from the default of enabled to disabled.

Peripheral Control Policy

This policy was set to MONITOR but not block all peripheral device connections.

Application Control

This policy was set to MONITOR but not block all applications.

Data Loss Prevention

This policy was left OFF.

Web Control

This policy was set to MONITOR but not block all applications.

MITRE PROTECTION Configuration

By default, on install, protection features are enabled unless they are part of an early access program. For this test we enabled the early access features.

Threat Protection Policy

Features in EAP that were enabled include

Peripheral Control Policy

This policy was set to block all peripheral device connections.

Application Control

This policy was set to block controlled applications, with the following exceptions as specified by MITRE for the test:

  • 7-zip
  • Microsoft Office 2016
  • Microsoft WSH CScript
  • Microsoft WSH WScript
  • Microsoft SQL Management Studio
  • MS Remote Desktop Connection
  • Remote Desktop Connection (V7 and higher)
  • Remote Desktop Connection 6.0
  • Remote Desktop Connection Manager
  • Microsoft Powershell
  • Microsoft Powershell ISE

Data Loss Prevention

This policy was left OFF.

Web Control

This policy was set to BLOCK all web categories, and block all risky download types.