Announcementshttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/atomTelligent Community (Build: 12.1.9.35025)2020-05-23T12:18:00ZNew XDR Features EAP now openhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/xdr-detection-sensor-eap-now-open2022-08-14T17:14:00Z2022-08-14T17:14:00ZNote: Use of all features and functionalities provided under the Early Access Program is subject to the <a href="https://www.sophos.com/en-us/legal/sophos-end-user-terms-of-use">Sophos End User Terms of Use</a>.
We are excited to announce the opening of the New XDR Features Early Access Program (EAP). This EAP will...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/xdr-detection-sensor-eap-now-open">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=1198&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Kevin Kingstonhttps://stage-community-sophos-comV11.telligenthosting.net/members/kevin-kingstonHTTPS policy changeshttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/https-policy-changes2021-12-03T15:53:00Z2021-12-03T15:53:00ZHi all,
This weekend we are making some policy changes relating to the SSL/TLS decryption of HTTPS websites. We will be adding a toggle for SSL/TLS decryption into the Threat Protection policy for all customers.
This new setting will determine if En...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/https-policy-changes">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=1068&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">StephenMcKayhttps://stage-community-sophos-comV11.telligenthosting.net/members/stephenmckayIntercept X updates in the Early Access Programhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/intercept-x-updates-in-the-early-access-program2021-11-04T10:13:00Z2021-11-04T10:13:00ZHi all,
As you will have read in the <a href="/intercept-x-endpoint/early-access-program/f/recommended-reads/130871/new-hmpa-version-3-8-3-release-to-eap-today">Recommended Read</a> from last week; we released an update to Intercept X, 2.0.23. This week we will start enabling new features that are part of the update for devices that are running in the New Endpoint/Server...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/intercept-x-updates-in-the-early-access-program">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=1048&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">StephenMcKayhttps://stage-community-sophos-comV11.telligenthosting.net/members/stephenmckaySSL/TLS decryption of HTTPS websiteshttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/ssl-tls-decryption-of-https-websites2021-10-15T09:17:00Z2021-10-15T09:17:00ZHi all,
HTTPS inspection is being enabled by default for devices in the EAP now that the roll out has finished, (both Endpoint and Server).
When users visit websites via browsers the Sophos endpoint will decrypt HTTPS network traffic for the pur...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/ssl-tls-decryption-of-https-websites">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=1035&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">StephenMcKayhttps://stage-community-sophos-comV11.telligenthosting.net/members/stephenmckayXDR - Detection and Investigation Early Access Programhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/xdr---detection-and-investigation-early-access-program2021-10-10T12:06:00Z2021-10-10T12:06:00ZWe are excited to announce the opening of the Detections and Investigations Early Access Program (EAP). The EAP begins with the introduction of the Detections dashboard which provides a prioritized list of suspicious activity for further invest...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/xdr---detection-and-investigation-early-access-program">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=1005&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Kevin Kingstonhttps://stage-community-sophos-comV11.telligenthosting.net/members/kevin-kingstonImportant Changes to the Endpoint/Server Protection and EDR Features Early Access Programhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/important-changes-to-the-endpoint-server-protection-and-edr-features-early-access-program2021-06-11T08:44:00Z2021-06-11T08:44:00ZHi all,
We have some exciting changes coming to the Endpoint/Server Protection and EDR Features Early Access Program over the next few weeks. One of the biggest changes is the decrypt and re-encrypt of HTTPS traffic between the browser and the w...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/important-changes-to-the-endpoint-server-protection-and-edr-features-early-access-program">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=931&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">StephenMcKayhttps://stage-community-sophos-comV11.telligenthosting.net/members/stephenmckayNew Endpoint/Server Protection early access features now generally availablehttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/new-endpoint-server-protection-early-access-features-now-generally-available2021-01-01T14:01:00Z2021-01-01T14:01:00ZThis blog post contains a listing and details on features that have previously been released to the New Endpoint/Server Protection Features early access program and are now generally available to all customers.
19/08/2020 - IPS for Windows Ser...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/new-endpoint-server-protection-early-access-features-now-generally-available">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=1038&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Kevin Kingstonhttps://stage-community-sophos-comV11.telligenthosting.net/members/kevin-kingstonLicense changes to New Endpoint and Server Protection and EDR Features early access programshttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/license-changes-to-new-endpoint-and-server-protection-and-edr-features-early-access-programs2020-10-23T15:12:00Z2020-10-23T15:12:00ZWith having completed the early access testing on our new EDRv3 capabilities and with the upcoming features that will be entering the New Endpoint and Server Protection and EDR Features early access program being more protection rather than EDR relat...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/license-changes-to-new-endpoint-and-server-protection-and-edr-features-early-access-programs">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=750&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Kevin Kingstonhttps://stage-community-sophos-comV11.telligenthosting.net/members/kevin-kingstonNotice for next EAP updatehttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/notice-for-next-eap-update2020-09-15T09:39:00Z2020-09-15T09:39:00ZHello all,
We are due to update our EAP agent during the week of 21st September; this update has some small fixes in it and will allow us to start enabling IPS and our new behavioral engine.
Note: After this update you need to reboot devices to...(<a href="https://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/notice-for-next-eap-update">read more</a>)<img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=720&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">StephenMcKayhttps://stage-community-sophos-comV11.telligenthosting.net/members/stephenmckayExploring Windows Events and Security groups with Live Discoverhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/exploring-security-groups-with-live-discover2020-07-06T18:43:00Z2020-07-06T18:43:00Z<p><span>For query assistance, please see the following </span><a href="/intercept-x-endpoint/f/recommended-reads/128529/best-practices-on-using-live-discover-response-query-forum#mcetoc_1f8ovtfbt4">Best Practices</a><span> guide</span></p>
<hr />
<p>The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries:</p>
<p><strong>Deleted security groups</strong> -</p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">/* Deleted Security Groups */<br />SELECT<br /></span><span style="font-family:'courier new', courier;"> source, <br /> eventid, <br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Deleted Groups'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS') </span><span style="font-family:'courier new', courier;">AND <br /> source = 'Security' </span><span style="font-family:'courier new', courier;">AND eventid IN('4730', '</span><span style="font-family:'courier new', courier;">4734', '</span><span style="font-family:'courier new', courier;">4758');</span></p>
<p><span style="font-family:tahoma, arial, helvetica, sans-serif;"><strong>Locked Accounts -</strong></span></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">/* Locked Accounts */<br /></span><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source, <br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Locked Account'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS') <br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security' <br /></span><span style="font-family:'courier new', courier;"> AND eventid = 4740;</span></p>
<p><strong>New Security Groups -</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source, <br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'New Group'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid IN ('4727', '4754', '4731');</span></p>
<p><strong>New User Accounts -</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source, <br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'New User'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid = 4720;</span></p>
<p><strong>Unlocked Accounts -</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source,<br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Unlocked Account'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid = 4767;</span></p>
<p><strong>User Account was disabled -</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source,<br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Disabled Account'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid = 4725;</span></p>
<p><strong>User Account was enabled-</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source,<br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Enabled Account'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid = 4722;</span></p>
<p> </p>
<p><strong>User password reset-</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source,<br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'user password reset'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid IN ('4723','4724');</span></p>
<p> </p>
<p><strong>User Added to Security Group-</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source,<br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.MemberName') AS 'User/Group Added',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Group Changed'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid IN ('4728','4732','4756');</span></p>
<p> </p>
<p><strong>User Removed from Security Group-</strong></p>
<p>Variable to specify the number of days to check<br />Windows</p>
<p><span style="font-family:'courier new', courier;">SELECT<br /></span><span style="font-family:'courier new', courier;"> source,<br /> eventid,<br /></span><span style="font-family:'courier new', courier;"> CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS 'Who Made The Change',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.MemberName') AS 'User/Group Added',<br /></span><span style="font-family:'courier new', courier;"> JSON_EXTRACT(data, '$.EventData.TargetUserName') AS 'Group Changed'<br /></span><span style="font-family:'courier new', courier;">FROM sophos_windows_events<br /></span><span style="font-family:'courier new', courier;">WHERE time > STRFTIME('%s','NOW','-$$Number of days to check$$ DAYS')<br /></span><span style="font-family:'courier new', courier;"> AND source = 'Security'<br /></span><span style="font-family:'courier new', courier;"> AND eventid IN ('4729','4733','4757');</span></p><div style="clear:both;"></div><img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=679&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Karl_Ackermanhttps://stage-community-sophos-comV11.telligenthosting.net/members/karl_5f00_ackermanDetecting Glupteba malware with Sophos EDRhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/detecting-glupteba-malware-with-sophos-edr2020-06-29T14:38:00Z2020-06-29T14:38:00Z<p>Last week SophosLabs <a href="https://news.sophos.com/en-us/2020/06/24/glupteba-report/">published a report</a> about the Glupteba malware. According to Sophos Labs this malware family has been growing in numbers. "This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers....The core malware is, in essence, a dropper with extensive backdoor functionality, but it is a dropper that goes to great efforts to keep itself, and its various components, hidden from view by the human operator of an infected computer, or the security software charged with its protection"</p>
<p>In addition to the article SophosLabs published a <a href="https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf">detailed report</a>.</p>
<p> </p>
<p>To help detect Glupteba indicators with Intercept X the team created a new Live Query: <a href="https://gist.github.com/andrewmundellsophos/ed42d0d6d3dc4c9e8dae0b4de301ad38">https://gist.github.com/andrewmundellsophos/ed42d0d6d3dc4c9e8dae0b4de301ad38</a></p>
<p> </p>
<p>-----------------------------------------</p>
<p> </p>
<pre>-- IOCs complied from https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba
-- Collected 2020-06-26, 4pm US Eastern time
-- Create temp table with necessary columns
CREATE TABLE glupteba (domain text, SHA text, reg text, file text);
INSERT INTO glupteba (domain,SHA,reg,file) VALUES ('domain','SHA','reg','file');
-- Search Sophos DNS journal over the last 90 days for domain IOCs
UPDATE glupteba SET domain = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_dns_journal WHERE (
name like '%1.podcast.best%' OR
name like '%anotheronedom.com%' OR
name like '%bestblues.tech%' OR
name like '%easywbdesign.com%' OR
name like '%gamedate.xyz%' OR
name like '%getfixed.xyz%' OR
name like '%gfixprice.xyz%' OR
name like '%maxbook.space%' OR
name like '%robotatten.com%' OR
name like '%sleepingcontrol.com%' OR
name like '%sndvoices.com%' OR
name like '%whitecontroller.com%' OR
name like '%myonetime.top%' OR
name like '%venoxcontrol.com%')
AND time > STRFTIME('%s','NOW','-90 days'));
-- Search Sophos file hash journal over the last 90 days for SHA IOCs
UPDATE glupteba SET SHA = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_file_hash_journal WHERE (
sha256 = '73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061' OR
sha256 = '414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0' OR
sha256 = '04d71e8af8b5cbec912b82b6ebef7c19c5b888873dfd4609b1e38b2a6c398b2e' OR
sha256 = '0b2a84359501923d1aa6ccd4e03b3f1b619e01d978efae45feea34a4d0ffed04' OR
sha256 = '20e983e90144c385996eeb2edb584d654d898c34725e149682170f870ee12870' OR
sha256 = '407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71' OR
sha256 = '6b0d90a0571ec870fa26372a1c5d83d06e8febca130a8f710e0c389a3054e05c' OR
sha256 = '83bbe9e7b7967ecbc493f8ea40947184c6c7346c6084431fceea0401a6279d29' OR
sha256 = '8d19c59db26a3e0a3251c5f05e143558bf009ed0b46fb9b6151f98441407ae8b' OR
sha256 = '5e541d1ab46ab3d58e4889b08f5f4427d38afe8320582a63d992eda172af6c7f' OR
sha256 = '9e4f09faee3eba3ae271b241cbaf0cb3621845ef83608a8abb3df8791e6c36e1' OR
sha256 = 'dec11036bca8384f81c0c1d534e1f37fd2864c974dad020f32b835af3c7c4e28' OR
sha256 = 'eb35bb221de38f5953f923cd349b4c85a50145329152a8aaa01e4cd8602a560e' OR
sha256 = '469953521e9b64eac07f02fecf3488406c65ec1f3d5c182363c8ba0664a4b640')
AND time > STRFTIME('%s','NOW','-90 days'));
-- Search Sophos registry journal over the last 1 day for registry IOCs
UPDATE glupteba SET reg = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_registry_journal WHERE (
keyname like '%InstallKey%' OR
keyname like '%RegisterAppOk%' OR
keyname like '%RegisterAppProcessing%' OR
keyname like '%TestApp%')
AND time > STRFTIME('%s','NOW','-1 days'));
-- Search Sophos file journal over the last 4 hours for file IOCs being created
UPDATE glupteba SET file = (SELECT CAST(CASE WHEN COUNT(*) > 0 THEN 1 ELSE 0 END AS BIT) as 'Exists' FROM sophos_file_journal WHERE (
pathname like '%cloudnet.exe%' OR
pathname like '%dsefix.exe%' OR
pathname like '%e7.exe%' OR
pathname like '%windefender.exe%' OR
pathname like '%Winmon.sys%' OR
pathname like '%WinmonFS.sys%' OR
pathname like '%WinmonFS32.sys%' OR
pathname like '%WinmonFS64.sys%' OR
pathname like '%WinmonProcessMonitor32.sys%' OR
pathname like '%WinmonProcessMonitor64.sys%' OR
pathname like '%WinmonSystemMonitor-10-64.sys%' OR
pathname like '%WinmonSystemMonitor-7-10-32.sys%' OR
pathname like '%WinmonSystemMonitor-7-64.sys%' OR
pathname like '%deps.zip%')
AND time > STRFTIME('%s','NOW','-4 hours'));
-- Compile results and make display more friendly
SELECT
CASE domain
WHEN '0' THEN 'Domain IOC NOT present'
WHEN '1' THEN 'Domain IOC IS present'
ELSE 'Error'
END AS 'Domain IOC present',
CASE SHA
WHEN '0' THEN 'SHA IOC NOT present'
WHEN '1' THEN 'SHA IOC IS present'
ELSE 'Error'
END AS 'SHA IOC present',
CASE reg
WHEN '0' THEN 'Registry IOC NOT present'
WHEN '1' THEN 'Registry IOC IS present'
ELSE 'Error'
END AS 'Registry IOC present',
CASE file
WHEN '0' THEN 'File IOC NOT present'
WHEN '1' THEN 'File IOC IS present'
ELSE 'Error'
END AS 'File IOC present'
FROM glupteba where (domain = '1' OR SHA = '1' OR reg = '1' OR file = '1');
-- Clean up temp table
DROP TABLE glupteba;</pre><div style="clear:both;"></div><img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=673&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Seth Geftichttps://stage-community-sophos-comV11.telligenthosting.net/members/seth-gefticLive Discover for LINUX.... Videohttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/live-discover-for-linux-video-9525426112020-06-11T23:14:00Z2020-06-11T23:14:00Z<p>In the next two weeks we will be fully launching the EDR Live Discover for LINUX.</p>
<p>The capabilities on Linux are simply astounding, we have been busy creating the prebuilt queries and finishing the last bit of work before this is fully available.</p>
<p>In the video, Ethan Vince-Urwin, one of the core linux developers who has been building the features we all love takes the product for a test drive and shows off some of the power and simplicity of Live Discover for Linux.</p>
<p>Ethan shows how to use a query that leverages lenses to parse configuration files to check if the linux system allows password based authentication for root users over ssh. To top it off he then uses the Live Response feature (coming on Linux later this summer) to go fix the problem remotely and then run the query again to confirm the problem has been fixed. </p>
<p><a href="https://vimeo.com/428304806">https://vimeo.com/428304806</a></p>
<p> </p>
<p>Enjoy.</p><div style="clear:both;"></div><img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=653&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Karl_Ackermanhttps://stage-community-sophos-comV11.telligenthosting.net/members/karl_5f00_ackermanKingMiner non-deterministic indicators of compromisehttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/kingminer-non-deterministic-indicators-of-compromise2020-06-10T10:32:00Z2020-06-10T10:32:00Z<p><span>For query assistance, please see the following </span><a href="/intercept-x-endpoint/f/recommended-reads/128529/best-practices-on-using-live-discover-response-query-forum#mcetoc_1f8ovtfbt4">Best Practices</a><span> guide</span></p>
<hr />
<p>See the story from SophosLabs Uncut on KingMiner: <a href="https://news.sophos.com/en-us/2020/06/09/kingminer-report/">https://news.sophos.com/en-us/2020/06/09/kingminer-report/</a></p>
<p>The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks is that many of the indicators of compromise are non-deterministic. The domain names and URLs they use are all auto generated. I read through the article and crafted a query to check if you have experienced a Kingminer attack but because the indicators are not sufficient to convict with 100% accuracy I suspect we will have some false positive detections. Even with the FP rate above 0 each of the detections requires a deeper investigation. See below for the query.</p>
<p>-------------------------------------- QUERY TEXT BELOW --------------------------------------------</p>
<p><span style="color:#0000ff;font-family:'courier new', courier;">/************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| IOC Partial list for Kingminer from SophosLabs Uncut |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">\************************************************************/</span></p>
<p><span style="font-family:'courier new', courier;">/* Build the list of IOCs from the article */</span><br /><span style="font-family:'courier new', courier;">WITH kingminer_IOCs(attribution, Conviction, method, ioc, notes) AS (</span><br /><span style="font-family:'courier new', courier;"> VALUES </span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> /*****************************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | These servers used domain names that were generated from the value of the current date |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | and time. This method has the advantage that the downloaders don’t have to carry |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | hardcoded server names, rather those server names are dynamically generated and keep |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | changing with time. This way, if one of the download servers is shut down, the operators|</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | don’t have to release new versions of the downloader with the updated server names. |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | Instead, they just register the next domain name, and when the time comes, the botnet |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | will automatically switch to the new download servers. |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | The generated domain names have the following structure: 3615.30713fdae.tk |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | The fdae.tk part is the core of the domain name. In the observed cases it was either |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | fdae.tk, fdae.com or fghh.com, but the strings found in the side-loading DLLs suggest |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | that additionally the fdae.ga and fdae.cf domain cores could potentially be used, or |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | were planned to be used at some point |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%fdae.tk', 'Time-coded DGA - These servers used domain names that were generated from the value of the current date and time.'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%fdae.com', 'Time-coded DGA - These servers used domain names that were generated from the value of the current date and time.'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%fghh.com', 'Time-coded DGA - These servers used domain names that were generated from the value of the current date and time.'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%fgae.ga', 'Time-coded DGA - These servers used domain names that were generated from the value of the current date and time.'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%fghh.cf', 'Time-coded DGA - These servers used domain names that were generated from the value of the current date and time.'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%a.qwerr.ga', 'Time-coded DGA - These servers used domain names that were generated from the value of the current date and time.'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'domain_name', '%lu4n.com', 'The lu4n.com site also hosted a few SQL brute forcing command injection tools'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Deterministic', 'domain_name', '%ip.yototoo.com', 'encrypted backdoor connection'),</span><br /> <br /><span style="font-family:'courier new', courier;"><span style="color:#0000ff;"> /******************************************************************************************\</span></span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | We have found over 20 Github user accounts that were used to deliver the contents of the |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | Kingminer botnet over the time. |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \******************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%cvffdscccss%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%xieliang3%', 'Github repositories used to deliver contents of kingminer botnet'), </span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%hansho23%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%paishi45276%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%oit847996%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%muzhuoyiyue%', 'Github repositories used to deliver contents of kingminer botnet'), </span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%daonaoyef%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%leishi9%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%yut42929%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%shazhuangq%', 'Github repositories used to deliver contents of kingminer botnet'), </span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%zaiya00387%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%gghhjjjj%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%gghhhhgh%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%haj08341%', 'Github repositories used to deliver contents of kingminer botnet'), </span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%qipu872262484%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%jiaoyi7992%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%huitun237%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%zaiya00387%', 'Github repositories used to deliver contents of kingminer botnet'), </span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%fff%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%chigutuiche%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%zhizi471%', 'Github repositories used to deliver contents of kingminer botnet'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'URL', '%github%jiaoshq %', 'Github repositories used to deliver contents of kingminer botnet'), </span><br /> <br /><span style="color:#0000ff;font-family:'courier new', courier;"> /*****************************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | Usually the first activity that we observed after a successful infection was the |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | execution of a PowerShell script spawned from the sqlservr.exe process |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | !!! TO_DO !!! Build detection method for this type of IOC |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> <span style="color:#0000ff;">/* ('kingminer', 'NON-deterministic', 'Powershell_Parent', '%sqlserver.exe%', 'successful infection was the execution of a PowerShell script spawned from the sqlservr.exe process'), */</span></span><br /> <br /><span style="font-family:'courier new', courier;"> <span style="color:#0000ff;">/*****************************************************************************************\</span></span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | Copy of powershell.exe running under anothername |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'NON-deterministic', 'Powershell_renamed', '%powershell%', 'A powershell process runing under another name'),</span><br /> <br /><span style="color:#0000ff;font-family:'courier new', courier;"> /*****************************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | In one of the cases, we were able to observe the network traffic of an initial infection|</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | attempt, which helped us reconstruct the majority of the infection process. The attack |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | in that case came from the IP address 185.234.216.223. | </span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'IP', '185.234.216.223', 'this server is part of the Kingminer infrastructure'), </span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'IP', '9.9.9.9', 'The malicious loader contains the IP addresses of a few DNS servers'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'IP', '1.1.1.1', 'The malicious loader contains the IP addresses of a few DNS servers'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'IP', '119.29.29.29', 'The malicious loader contains the IP addresses of a few DNS servers'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'IP', '8.8.4.4', 'The malicious loader contains the IP addresses of a few DNS servers'),</span><br /> <br /><span style="font-family:'courier new', courier;"> <span style="color:#0000ff;">/*****************************************************************************************\</span></span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | this script is saved to a couple of locations, typically C:\Users\Public\Music\1.vbs. |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'file_path', 'C:\Users\Public\Music\1.vbs', 'VBscript downloader'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'file_path', 'C:\Users\Public\Music\2.vbs', 'VBscript downloader'),</span></p>
<p><span style="font-family:'courier new', courier;"> <span style="color:#0000ff;">/*****************************************************************************************\</span></span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | some cmd line options used |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'cmdline', '%whoami%', 'luan_exec reference'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'cmdline', '%vbscript:GetObject(%script:hxxp://ww.3113cfdae[.]com/r1.txt?', 'Kingminer executes this simple downloader command'),</span></p>
<p><span style="font-family:'courier new', courier;"> <span style="color:#0000ff;">/*****************************************************************************************\</span></span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | There were a handful of legit programs that were abused by Kingminer, coming from |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> | different software vendors |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;"> \*****************************************************************************************/</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'processname', 'fix.exe', 'Clean executable may be used to trigger malware via side loading'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'processname', 'alger.exe', 'Clean executable may be used to trigger malware via side loading'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'processname', 'powered.exe', 'Clean executable may be used to trigger malware via side loading'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'processname', 'repair.exe', 'Clean executable may be used to trigger malware via side loading'),</span><br /><span style="font-family:'courier new', courier;"> ('kingminer', 'Non-Deterministic', 'processname', 'dwmer.exe', 'Clean executable may be used to trigger malware via side loading')</span><br /><span style="font-family:'courier new', courier;"> )</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">/**********************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| The admin may want to search a large amount of data in the tables so |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| split time into 20 min chunks given the number hours specified |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">\**********************************************************************/</span><br /><span style="font-family:'courier new', courier;">, for(x) AS (</span><br /><span style="font-family:'courier new', courier;"> VALUES ( ( SELECT CAST (strftime ('%s', 'now','-$$Hours to look back$$ hours') AS INT) ) )</span><br /><span style="font-family:'courier new', courier;"> UNION ALL</span><br /><span style="font-family:'courier new', courier;"> SELECT x+1200 FROM for WHERE x < (SELECT CAST (strftime ('%s', 'now') AS INT))</span><br /><span style="font-family:'courier new', courier;"> )</span></p>
<p><span style="color:#0000ff;font-family:'courier new', courier;">/****************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| Check for matching domain or URL info seen in the specified lookback period|</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">\****************************************************************************/</span><br /><span style="font-family:'courier new', courier;">SELECT</span><br /><span style="font-family:'courier new', courier;"> CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,</span><br /><span style="font-family:'courier new', courier;"> km.attribution,</span><br /><span style="font-family:'courier new', courier;"> km.Conviction,</span><br /><span style="font-family:'courier new', courier;"> spa.subject,</span><br /><span style="font-family:'courier new', courier;"> spa.SophosPID,</span><br /><span style="font-family:'courier new', courier;"> CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,</span><br /><span style="font-family:'courier new', courier;"> spa.action,</span><br /><span style="font-family:'courier new', courier;"> spa.object,</span><br /><span style="font-family:'courier new', courier;"> spa.url,</span><br /><span style="font-family:'courier new', courier;"> km.method,</span><br /><span style="font-family:'courier new', courier;"> km.ioc,</span><br /><span style="font-family:'courier new', courier;"> km.notes</span><br /><span style="font-family:'courier new', courier;">FROM for</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN kingminer_IOCs km ON km.method IN('domain_name', 'url')</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Http','Url','Network') AND spa.time >= for.x and spa.time <= for.x+1200 </span><br /><span style="font-family:'courier new', courier;">WHERE spa.url LIKE km.ioc</span></p>
<p><span style="font-family:'courier new', courier;">UNION ALL</span></p>
<p><span style="color:#0000ff;font-family:'courier new', courier;">/****************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| Check for matching IP info seen in the specified lookback period |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">\****************************************************************************/</span><br /><span style="font-family:'courier new', courier;">SELECT</span><br /><span style="font-family:'courier new', courier;"> CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,</span><br /><span style="font-family:'courier new', courier;"> km.attribution,</span><br /><span style="font-family:'courier new', courier;"> km.Conviction,</span><br /><span style="font-family:'courier new', courier;"> spa.subject,</span><br /><span style="font-family:'courier new', courier;"> spa.SophosPID,</span><br /><span style="font-family:'courier new', courier;"> CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,</span><br /><span style="font-family:'courier new', courier;"> spa.action,</span><br /><span style="font-family:'courier new', courier;"> spa.object,</span><br /><span style="font-family:'courier new', courier;"> spa.url,</span><br /><span style="font-family:'courier new', courier;"> km.method,</span><br /><span style="font-family:'courier new', courier;"> km.ioc,</span><br /><span style="font-family:'courier new', courier;"> km.notes</span><br /><span style="font-family:'courier new', courier;">FROM for</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN kingminer_IOCs km ON km.method IN('ip')</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN sophos_process_activity spa ON spa.subject IN ('Http','Ip','Network') AND spa.time >= for.x and spa.time <= for.x+1200 </span><br /><span style="font-family:'courier new', courier;">WHERE spa.source LIKE km.ioc OR spa.destination LIKE km.ioc</span></p>
<p><span style="font-family:'courier new', courier;">UNION ALL</span></p>
<p><span style="color:#0000ff;font-family:'courier new', courier;">/***********************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| Check for matching cmdline or file_path info seen in the specified lookback period|</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">\***********************************************************************************/</span><br /><span style="font-family:'courier new', courier;">SELECT</span><br /><span style="font-family:'courier new', courier;"> CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,</span><br /><span style="font-family:'courier new', courier;"> km.attribution,</span><br /><span style="font-family:'courier new', courier;"> km.Conviction,</span><br /><span style="font-family:'courier new', courier;"> spa.subject,</span><br /><span style="font-family:'courier new', courier;"> spa.SophosPID,</span><br /><span style="font-family:'courier new', courier;"> CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,</span><br /><span style="font-family:'courier new', courier;"> spa.action,</span><br /><span style="font-family:'courier new', courier;"> spa.object,</span><br /><span style="font-family:'courier new', courier;"> spa.url,</span><br /><span style="font-family:'courier new', courier;"> km.method,</span><br /><span style="font-family:'courier new', courier;"> km.ioc,</span><br /><span style="font-family:'courier new', courier;"> km.notes</span><br /><span style="font-family:'courier new', courier;">FROM for</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN kingminer_IOCs km ON km.method IN('cmdline','file_path')</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN sophos_process_activity spa ON spa.subject IN ('FileBinaryChanges','FileBinaryReads','FileDataChanges','FileDataReads','FileOtherChanges','FileOtherReads', 'Image','Process') AND </span><br /><span style="font-family:'courier new', courier;"> spa.time >= for.x and spa.time <= for.x+1200 </span><br /><span style="font-family:'courier new', courier;">WHERE spa.pathname LIKE km.ioc OR spa.cmdline LIKE km.ioc</span></p>
<p><span style="font-family:'courier new', courier;">UNION ALL</span></p>
<p><span style="color:#0000ff;font-family:'courier new', courier;">/***********************************************************************************\</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">| Check for powershell rename events |</span><br /><span style="color:#0000ff;font-family:'courier new', courier;">\***********************************************************************************/</span><br /><span style="font-family:'courier new', courier;">SELECT</span><br /><span style="font-family:'courier new', courier;"> CAST( datetime(spa.time,'unixepoch') AS TEXT) DATE_TIME,</span><br /><span style="font-family:'courier new', courier;"> km.attribution,</span><br /><span style="font-family:'courier new', courier;"> km.Conviction,</span><br /><span style="font-family:'courier new', courier;"> spa.subject,</span><br /><span style="font-family:'courier new', courier;"> spa.SophosPID,</span><br /><span style="font-family:'courier new', courier;"> CAST ( (select replace(spa.pathname, rtrim(spa.pathname, replace(spa.pathname, '\', '')), '')) AS TEXT) process_name,</span><br /><span style="font-family:'courier new', courier;"> 'Powershell renamed',</span><br /><span style="font-family:'courier new', courier;"> spa.object,</span><br /><span style="font-family:'courier new', courier;"> spa.url,</span><br /><span style="font-family:'courier new', courier;"> km.method,</span><br /><span style="font-family:'courier new', courier;"> km.ioc,</span><br /><span style="font-family:'courier new', courier;"> km.notes</span><br /><span style="font-family:'courier new', courier;">FROM for</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN kingminer_IOCs km ON km.method IN('Powershell_renamed')</span><br /><span style="font-family:'courier new', courier;"> LEFT JOIN sophos_process_activity spa ON spa.subject IN ('FileBinaryChanges','FileOtherChanges') AND </span><br /><span style="font-family:'courier new', courier;"> spa.time >= for.x and spa.time <= for.x+1200 </span><br /><span style="font-family:'courier new', courier;">WHERE spa.pathname LIKE km.ioc</span></p>
<p> </p>
<p><span style="font-family:'courier new', courier;">--------------------------------------- END SQL SCRIPT -------------------------------------</span></p>
<p> </p>
<p><span style="font-family:'courier new', courier;"><a href="/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-32/pastedimage1591787080609v1.png"><img alt=" " src="/resized-image/__size/960x720/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-32/pastedimage1591787080609v1.png" /></a></span></p><div style="clear:both;"></div><img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=650&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Karl_Ackermanhttps://stage-community-sophos-comV11.telligenthosting.net/members/karl_5f00_ackermanNew Sophos Table - Sophos_process_activityhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/new-sophos-table---sophos_5f00_process_5f00_activity2020-05-26T13:20:00Z2020-05-26T13:20:00Z<p><span>For query assistance, please see the following </span><a href="/intercept-x-endpoint/f/recommended-reads/128529/best-practices-on-using-live-discover-response-query-forum#mcetoc_1f8ovtfbt4">Best Practices</a><span> guide</span></p>
<hr />
<p>We have added a new table to the sophos forensics journals. The sophos_process_activity table.</p>
<p>Often as part of an investigation you need to to get a quick view of what a process did in the past and this table provides a quick lookup location for that information.</p>
<p>This table contains a subject for each of the other Sophos 'journals' and collects some of the more useful information like Registry Key/Values for the registry journal, IP/Port/Protocol for the various network activity journals and much more.</p>
<p><strong>JOURNALS consolidated into the Sophos_process_activity table</strong></p>
<ul>
<li>DirectoryChanges</li>
<li>Dns</li>
<li>File
<ul>
<li>BinaryChanges</li>
<li>BinaryReads</li>
<li>DataChanges</li>
<li>DataReads</li>
<li>OtherChanges</li>
<li>OtherReads</li>
</ul>
</li>
<li>Http</li>
<li>Image</li>
<li>Ip</li>
<li>Network</li>
<li>Process</li>
<li>Registry</li>
<li>Thread</li>
<li>Url</li>
</ul>
<p>A process can generate thousands of recorded actions and can be running for several days so using this table requires us set some limits on how much data we want. Below is an example that requires three variables to ensure we do not try and collect too much data. </p>
<p><a href="/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-32/pastedimage1590505737912v1.png"><img alt=" " src="/resized-image/__size/960x720/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-32/pastedimage1590505737912v1.png" /></a></p>
<p> </p>
<p><span style="font-family:'courier new', courier;">/* Collect the process name and cmdline of the target process */</span></p>
<p><span style="font-family:'courier new', courier;">WITH Target_process(process_name, process_cmdLine) </span><br /><span style="font-family:'courier new', courier;"> AS (</span><br /><span style="font-family:'courier new', courier;"> SELECT replace(spj.pathname, rtrim(spj.pathname, replace(spj.pathname, '\', '')), '') process_name, spj.cmdline process_cmdline </span><br /><span style="font-family:'courier new', courier;"> FROM sophos_process_journal spj WHERE spj.SophosPID = CAST ('$$SophosPID$$' AS TEXT) AND </span><br /><span style="font-family:'courier new', courier;"> time = replace('$$SophosPID$$', rtrim('$$SophosPID$$', replace('$$SophosPID$$', ':', '')), '') / 10000000 - 11644473600 </span><br /><span style="font-family:'courier new', courier;"> LIMIT 1)</span><br /> <br /><span style="font-family:'courier new', courier;"> SELECT </span><br /><span style="font-family:'courier new', courier;"> subject,</span><br /><span style="font-family:'courier new', courier;"> DateTime(time,'Unixepoch') Time_of_activity,</span><br /><span style="font-family:'courier new', courier;"> Target_process.process_name,</span><br /><span style="font-family:'courier new', courier;"> Target_process.process_cmdline,</span><br /><span style="font-family:'courier new', courier;"> action,</span><br /><span style="font-family:'courier new', courier;"> replace(object, rtrim(object, replace(object, '\', '')), '') Object_name,</span><br /><span style="font-family:'courier new', courier;"> object Object_Path, fileid File_ID, pathname, filesize, targetpathname, url, source, sourcePort, destination, destinationPort, protocol, targetSophosPID, cmdLine, keyname, valuename, value, sophosTID</span><br /><span style="font-family:'courier new', courier;">FROM sophos_process_activity JOIN Target_process </span><br /><span style="font-family:'courier new', courier;"> WHERE SophosPID = '$$SophosPID$$' AND </span><br /><span style="font-family:'courier new', courier;"> time > replace('$$SophosPID$$', rtrim('$$SophosPID$$', replace('$$SophosPID$$', ':', '')), '') / 10000000 - 11644473600 </span><br /><span style="font-family:'courier new', courier;"> + CAST ('$$Begin collection N Minutes after process start$$' AS INT) AND</span><br /><span style="font-family:'courier new', courier;"> time < replace('$$SophosPID$$', rtrim('$$SophosPID$$', replace('$$SophosPID$$', ':', '')), '') / 10000000 - 11644473600 </span><br /><span style="font-family:'courier new', courier;"> + CAST ('$$Begin collection N Minutes after process start$$' AS INT) </span><br /><span style="font-family:'courier new', courier;"> + CAST ('$$Number of minutes of activity to collect$$' AS INT)</span><br /><span style="font-family:'courier new', courier;">;</span></p>
<p> </p>
<p><span style="font-family:arial, helvetica, sans-serif;">Also check out the query to show ALL system activity from up to 90 days in the past (Depends on when EDR was deployed on the device and some tables may exceed their storage limits on machines that have higher activity)</span></p>
<p><span style="font-family:arial, helvetica, sans-serif;"><a href="/products/intercept/early-access-program/f/live-discover-queries/120672/live-discover-query-all-system-activity-for-n-seconds-from-a-date-time">https://community.sophos.com/products/intercept/early-access-program/f/live-discover-queries/120672/live-discover-query-all-system-activity-for-n-seconds-from-a-date-time</a></span></p><div style="clear:both;"></div><img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=642&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Karl_Ackermanhttps://stage-community-sophos-comV11.telligenthosting.net/members/karl_5f00_ackermanLive Discover Queries - Review Processhttps://stage-community-sophos-comv11.telligenthosting.net/intercept-x-endpoint/early-access-program/b/blog/posts/live-discover-queries---review-process2020-05-23T16:18:00Z2020-05-23T16:18:00Z<p>Posting a query to the Live Discover Queries board will now include a review process. This will allow us to review any question and proposed answer prior to it being visible by others. We are adding this to ensure that the content of the queries do not contain anything inappropriate and that the query has been reviewed and tested and is not believed to cause harm. as for how well it does what it says. we advise administrators to test any query they get from the forum or other sites on one device first to ensure it is behaving as expected. </p>
<p>Queries that have been reviewed will have </p>
<p><strong><a href="/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-32/pastedimage1590250979477v1.png"><img src="/resized-image/__size/320x240/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-32/pastedimage1590250979477v1.png" alt=" " /></a> <span style="color:#000080;font-size:150%;">REVIEWED by Sophos</span></strong><strong> </strong></p>
<p>at the top.</p>
<p>All this is in preparation for the general availability of the product, expected in early June for those already in the EAP, and others will have the features enabled through out the month.</p>
<p>Thanks</p>
<p>Karl</p><div style="clear:both;"></div><img src="https://stage-community-sophos-comv11.telligenthosting.net/aggbug?PostID=641&AppID=32&AppType=Weblog&ContentType=0" width="1" height="1">Karl_Ackermanhttps://stage-community-sophos-comV11.telligenthosting.net/members/karl_5f00_ackerman