Browse Live Discover and Response Queries by Category
Approved

Query for Applications that Auto Start

SELECT
name as 'Key Name',
source as 'Start Up source',
path as 'Path',
args as 'Aruments',
username as 'Owner',
status as 'Status'
FROM startup_items
ORDER by status

This may be used to identify persistence or unidentified startup items

JeramyKopacko
Parents

  • hello Jeramy, do you know the query for Failed Login Attempts for windows ? Sophos got the query but only for linux. can you help me with that . Thanks

  • in reply to Danish

    Danish,

    There is a query known as "Authentication Attempts" to find a specific IP address. You can also use something short, like my colleague Ravi created in another forum:

    SELECT
    datetime(time,'unixepoch','localtime') as 'Time',
    eventid,
    task_message,
    json_extract(data,'$.EventData.FailureReason')as FailureReason,
    json_extract(data,'$.EventData.TargetUserName') as UserName
    FROM sophos_windows_events
    WHERE eventid='4625' AND UserName <> '' AND time > STRFTIME('%H','NOW','24 hours');

    Thanks!

Comment
  • in reply to Danish

    Danish,

    There is a query known as "Authentication Attempts" to find a specific IP address. You can also use something short, like my colleague Ravi created in another forum:

    SELECT
    datetime(time,'unixepoch','localtime') as 'Time',
    eventid,
    task_message,
    json_extract(data,'$.EventData.FailureReason')as FailureReason,
    json_extract(data,'$.EventData.TargetUserName') as UserName
    FROM sophos_windows_events
    WHERE eventid='4625' AND UserName <> '' AND time > STRFTIME('%H','NOW','24 hours');

    Thanks!

Children
No Data
Unfiltered HTML