Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Browse Ideas in Category
  • PrintNightMare Registry Fix Check

    • Approved on
    • 0 Comments
    -- Check Print Server Registry Fix SELECT DISTINCT 'Check Registry Fix' Test, CAST(GROUP_CONCAT(name, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN name = 'RestrictDriverInstallationToAdministrators' THEN 'Fix Applied...
  • PrintNightMare Spooler Service Check

    • Approved on
    • 0 Comments
    -- FIND SYSTEMS WITH PRINT SPOOLER RUNNING SELECT name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare ' WHEN status = 'STOPPED' THEN ' NOT exposed to unpatched...
  • Adobe Vulnerability - CVE-2021-28550

    • Under Review on
    • 1 Comment
    EDR query to identify the endpoints affected by the Adobe vulnerability CVE-2021-28550. Adobe Security Bulletin: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html Windows: SELECT CASE WHEN ( (SELECT 1 FROM programs WHERE name LIKE...
  • Threat Hunting - Discovery of Password Policies

    • Under Review on
    • 0 Comments
    A simple query to look for executions of net.exe that make use of the account switch. These are sometimes used by adversaries to discover the local and domain password policies that are enforced. -- Account Discovery: Password Policies -- T1201 looking...
  • Printnightmare Hunting Query (Data Lake)

    • Under Review on
    • 9 Comments
    We've created a hunting query for possible infected cve-2021-1675 Hosts, based on this Sigma Rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml The input variable "C:\Windows\System32\spool...
  • PrintNightmare PrintSpooler Service Check

    • Under Review on
    • 0 Comments
    --PrintNightMare Print Spooler Service Check SELECT display_name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare' WHEN status ='STOPPED' THEN ' NOT exposed to unpatched...
  • Printnightmare Hunting Query (Live Discovery/Windows)

    • Under Review on
    • 0 Comments
    Similar to the Data Lake Query (which seems to be having issues since it's not detecting all dll files in all folders) we've also created a Live-Discovery Query for Windows Systems on the Printnightmare Vulnerability. The Query could be scheduled via...
  • Receiving ACL for SAM file not working

    • Under Review on
    • 0 Comments
    Hi, I created this query to check which of our systems are affected by the serious SAM vulnerability. When I fire the query I do not receive any data back. Does someone know what I did wrong? SELECT * FROM ntfs_acl_permissions WHERE path like 'C:\Windows...
  • CVE-2021-40444 MSHTML and other potential malicious processes originating from MS products (Data Lake)

    • Under Review on
    • 1 Comment
    Query we've used for looking for possible MSHTML related activity. You can add additional programs to the where clause and filter out false positives using the having clause. The rule is mainly based on the idea of this sigma rule: https://github.com...
  • Rare process trees with a LOLBIN tool

    • Approved on
    • 0 Comments
    With leadless threat hunting, where you are simply looking for strange activity in the environment to determine if it is an as yet undiscovered adversary, it is often valuable to identify things that are RARE or UNIQUE. With the Rare Tree query below we...
  • List all NIX processes during a boot session

    • Approved on
    • 0 Comments
    Given a time, we want to list all processes that ran during the boot session. -- This will take a few steps. First let's narrow down the time range ---------------------- -- DETERMINE THE LOWER AND UPPER TIME LIMITS FOR THE SOPHOS_PID -------...
  • Query for emerging threat - Check your Pulse

    • Approved on
    • 0 Comments
    REVIEWED by Sophos Yesterday I got one of those alerts that I suspect many of you also receive, another security advisory. This one was for folks who have the Pulse Secure VPN and mentioned that even after applying the patch the adversary could be getting...
  • Top threat indicators on Windows devices with exclusion list

    • Under Review on
    • 0 Comments
    Hello World! I think it is a great idea to modify the default query "Top threat indicators on Windows devices" with an exclusion list of paths. I tried to add a pastebin link with the list of exceptions but it does not work for me. WHERE query_name...
  • Detecting Kingminer IOCs

    • Approved on
    • 2 Comments
    REVIEWED by Sophos See the story from Sophos Labs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/ The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks is...
  • Threat Hunting - Account Discovery

    • Approved on
    • 0 Comments
    Here is a simple query that can be used to look for any executions of the net.exe command. These are often used by threat actors and malware alike to discover the username and group memberships of local as well as domain accounts. -- Account Discovery...
  • Query for CVE-2021-40444 MSHTML Process Event

    • Approved on
    • 0 Comments
    This query will look for a process event that has been associated with this attack. WinWord.exe has launched a child process called "control.exe" and has been seen in the wild with this vulnerability. This does NOT guarantee you've been breached but...
  • Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Windows has a zero-day that won’t be patched for weeks Well another day another zero day vulnerability. Today I am looking at how to best create a vulnerability check given information in a CVE and a Microsoft Notification. In this...
  • Live Discover Query - SDBot Malware - RAT

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Here is a specific query identifying SDBot Malware used by the TA505 hacking group: SELECT DISTINCT srj.time AS event_timestamp, srj.keyName, srj.value, srj.eventType, srj.sophosPID, srj.valueName, 'REG_BINARY' AS valueType, 'SDBbot...
  • Live Discover Query - Malware persistence

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Below are a few basic queries for pulling back data from places that malware likes to use for persistence. First up, Registry Run keys: SELECT r.path, r.name, r.data, REPLACE(REPLACE(REPLACE(REGEX_SPLIT(r.data...
  • Live Discover Query - That nasty Microsoft DNS bug - SigRED a.k.a CVE-2020-1350

    • Approved on
    • 1 Comment
    REVIEWED by Sophos As the title says, Microsoft recently advised of a nasty bug within MS DNS servers. NakedSecurity has a great write-up with suggested actions: PATCH NOW, or implement a workaround. https://nakedsecurity.sophos.com/2020/07/15...