Approved

PaperCut Activity Hunt

This hunt query is sourced directly from Sophos MDR: Increased exploitation of PaperCut drawing blood around the Internet – Sophos News. It looks for cmd.exe or powershell.exe launched as a child of pc-app.exe, the PaperCut application server process, which is the post-exploitation pattern described in that article.

PaperCut IoC List: IoCs/papercut-nday-indicators-of-compromise.csv at master · sophoslabs/IoCs · GitHub

SELECT
    -- time is a Unix epoch; convert to a readable timestamp (original had the format string inside from_unixtime)
    date_format(from_unixtime(time), '%Y-%m-%d %H:%i:%s') AS date_time,
    customer_id,
    meta_hostname,
    parent_name,
    parent_cmdline,
    name,
    cmdline,
    sophos_pid
FROM
    xdr_data
WHERE
    query_name = 'running_processes_windows_sophos'
    -- pc-app.exe is the PaperCut application server; it should not normally spawn a shell
    AND LOWER(parent_name) = 'pc-app.exe'
    AND (LOWER(name) = 'cmd.exe'
         OR LOWER(name) = 'powershell.exe')