I have a hash like: 6ea2c9276c122222222222f9ae2 i want to search on the clients for this hash. is there a posibility to search with Sophos EP?
This thread was automatically locked due to age.
I have a hash like: 6ea2c9276c122222222222f9ae2 i want to search on the clients for this hash. is there a posibility to search with Sophos EP?
OK is there any documentation on how to search for it if you have XDR.
I believe it requires a Live Discover query of the endpoints themselves. Unfortunately I'm not an expert in Live Discover queries (or SQL). It looks like the table you want to query is called hash: https://osquery.io/schema/5.4.0#hash
You may have better luck in the XDR forum with finding help on writing the query.
Sophos provides access to the osquery tables in a Live Query, which includes the tables:
https://osquery.io/schema/5.12.1/#file
https://osquery.io/schema/5.12.1/#hash
The Hash "table" is more of a function where you pass it a path and it will return the various types of hash for the file, so you need the path. It doesn't have an accessible database of all files.
You could use the file and hash table in combination, but you will be generating the hashes in real-time, they aren't stored.
For example, if you wanted to see if the md5 hash 074819a9d664d6b409ab5a9048e07f5a existed under C:\windows\system32\ you could run:
SELECT f.path, h.md5, h.sha256 FROM file f JOIN hash h ON f.path = h.path WHERE f.directory = 'C:\Windows\System32\' --AND f.filename like '%.exe' AND h.md5='074819a9d664d6b409ab5a9048e07f5a'
So it will report that this is wsl.exe. I've left the commented line in if you wanted to filter to just exe files for example.
The File Table: Osquery's Secret Weapon (kolide.com) might offer some more ideas.
The Sophos journals contain the history of files accessed, processes started, etc and the Sophos extensions to osquery provide access to this data. For example:
https://docs.sophos.com/central/References/schemas/index.html?schema=endpoint_schema
They have sha256 and pesha256 but I don't see any reference to md5 if I download the schema as json from this url:
https://docs.sophos.com/central/References/schemas/schemas/endpoint_schema.json
I assume you don't have the file and someone only has provided the md5. You could search on sites such as VirusTotal to provide some sort of reverse lookup to get a sha256. e.g. https://www.virustotal.com/gui/search/6ea2c9276c122222222222f9ae2 but I assume as for me this returns nothing for this example.
It's a bit of an odd one to just have the md5 and not appear online in some way.
So it is possible to search endpoints, but you will need to pass a path.
There was a post from a German News page (heise) talking about two MD5 Hash codes with not much context to it.
There is not much information available beside those two MD5 hash values. Even google does not give not much information about them.
__________________________________________________________________________________________________________________