SELECT name AS 'Key Name', source AS 'Start Up Source', path AS 'Path', args AS 'Arguments', username AS 'Owner', status AS 'Status'
FROM startup_items
ORDER BY status;
This may be used to identify persistence or unidentified startup items.
Danish,
There is a query known as "Authentication Attempts" to find a specific IP address. You can also use something short, like my colleague Ravi created in another forum:
-- Event 4625: an account failed to log on
SELECT datetime(time,'unixepoch','localtime') AS 'Time',
       eventid,
       task_message,
       json_extract(data,'$.EventData.FailureReason') AS FailureReason,
       json_extract(data,'$.EventData.TargetUserName') AS UserName
FROM sophos_windows_events
WHERE eventid = '4625'
  AND UserName <> ''
  -- only events from the last 24 hours; time is in unix seconds, so the cutoff must be too
  AND time > STRFTIME('%s','now','-24 hours');
Thanks!
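The failed-logon query can be taken a step further for hunting by aggregating event 4625 per target account and source IP over the last 24 hours, so a password-spray or brute-force pattern shows up as a count rather than a long list of rows. The script below is an added example, not code from this thread, from Jeramy or from Sophos: it builds an in-memory SQLite table shaped like the sophos_windows_events query (the column names and the JSON layout of data are assumptions drawn from that query; IpAddress and LogonType are standard EventData fields of event 4625; all rows are constructed) and runs the aggregation against it. The 24-hour cutoff is computed with strftime('%s', ..., '-24 hours'), which yields unix seconds and can be compared directly with the time column.

```python
import json
import sqlite3

# Constructed "current time" (unix epoch seconds) so the example runs offline
# and the 24-hour window is deterministic.
NOW = 1_700_000_000

# Aggregated view of Windows event 4625 (an account failed to log on).
# Assumption: the table has the columns the page's query uses (time as unix
# epoch, eventid as text, data as JSON); IpAddress and LogonType are standard
# EventData fields of event 4625.
FAILED_LOGON_QUERY = """
SELECT
    json_extract(data, '$.EventData.TargetUserName') AS user_name,
    json_extract(data, '$.EventData.IpAddress')      AS source_ip,
    json_extract(data, '$.EventData.LogonType')      AS logon_type,
    COUNT(*)                                         AS failures,
    datetime(MIN(time), 'unixepoch')                 AS first_seen,
    datetime(MAX(time), 'unixepoch')                 AS last_seen
FROM sophos_windows_events
WHERE eventid = '4625'
  -- rows without a target user name carry nothing worth alerting on
  AND json_extract(data, '$.EventData.TargetUserName') <> ''
  -- 24-hour window computed in unix seconds, the unit the time column uses
  AND time > CAST(strftime('%s', :now, 'unixepoch', '-24 hours') AS INTEGER)
GROUP BY user_name, source_ip, logon_type
HAVING failures >= :threshold
ORDER BY failures DESC, user_name;
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for sophos_windows_events filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sophos_windows_events "
        "(time INTEGER, eventid TEXT, task_message TEXT, data TEXT)"
    )

    def event(age_seconds, eventid, user, ip):
        # %%2313 is the 4625 FailureReason code for "unknown user name or bad password"
        data = {"EventData": {"TargetUserName": user, "IpAddress": ip,
                              "LogonType": "3", "FailureReason": "%%2313"}}
        return (NOW - age_seconds, eventid, "Logon", json.dumps(data))

    rows = [
        event(600, "4625", "alice", "10.0.0.5"),
        event(300, "4625", "alice", "10.0.0.5"),
        event(120, "4625", "bob", "10.0.0.7"),
        event(90_000, "4625", "alice", "10.0.0.5"),  # 25 h old: outside the window
        event(30, "4624", "alice", "10.0.0.5"),      # successful logon, not a failure
        event(10, "4625", "", "10.0.0.9"),           # blank user name: filtered out
    ]
    conn.executemany("INSERT INTO sophos_windows_events VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def failed_logons_last_24h(conn, now=NOW, threshold=1):
    """Return (user_name, source_ip, logon_type, failures, first_seen, last_seen)
    rows for the 24 hours before `now`, keeping only account/source pairs with
    at least `threshold` failures."""
    cur = conn.execute(FAILED_LOGON_QUERY, {"now": now, "threshold": threshold})
    return cur.fetchall()


if __name__ == "__main__":
    for row in failed_logons_last_24h(build_sample_db()):
        print(row)
```

Run as a script it prints one row per account/source pair, most failures first; raising threshold hides single failures so only repeated attempts against an account remain. The SELECT itself is plain SQLite, so it is the part to adapt for the console, with :now replaced by 'now' and the threshold by a literal.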
Hello Jeramy, do you know the query for Failed Login Attempts for Windows? Sophos got the query but only for Linux. Can you help me with that? Thanks