NOTE: answered in comments

In live discover, how do I find a HASH list?

hey.

In my query, I am trying to find out if a HASH is located on a device (with a comma separating the values). I have a problem when consulting the hash table because it doesn't show me any value if I don't define a directory first, so I need to search for those hashes on any partition of the device, as well as on Windows and Linux systems. For example, define the variable $$sha_list$$ = hash1,hash2,hash3 (these hashes belong to files located in c:\windows\temp):

-- Turn the comma-separated $$sha_list$$ variable into a one-column table
-- by rewriting it as a JSON array and expanding it with JSON_EACH.
WITH split(sha) AS (
    SELECT value
    FROM JSON_EACH('["' || REPLACE(REPLACE('$$sha_list$$', ' ', ''), ',', '","') || '"]')
)
-- Match each listed SHA-256 against the hash table, scoped by directory.
SELECT *
FROM hash
INNER JOIN split ON hash.sha256 = split.sha
WHERE hash.directory LIKE 'C:\%%'

This query fails, but if I change the hash.directory value to the following, the query works fine:

WHERE hash.directory like 'C:\W%\T%'


How can I search for a list of hashes on a device?

  • Hi zewarma,

    Thanks for reaching out to us. I have moved your post to the appropriate forum thread. 

    I suspect the reason your query is failing is due to the Watchdog outlined in our Query limitations.

    This is a similar issue to what was encountered in a neighboring thread. Is the file you are looking for a malicious file? If so, another way you could go about this is to submit a sample of the file for analysis so Sophos detects the file instead. 
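One way to keep the lookup bounded, as an added example that is not part of the original post or Sophos documentation: apply the same JSON_EACH splitting trick to a second Live Discover variable holding the directories to check, so the hash table is only computed for an explicit directory list (one per platform) instead of a wildcard over the whole drive, which is what trips the watchdog. The variable name $$dir_list$$ and the use of two variables are assumptions.

```sql
-- Added example, not from the original post. Assumes two Live Discover
-- variables: $$sha_list$$ (comma-separated SHA-256 values) and
-- $$dir_list$$ (comma-separated directories, e.g. C:\Windows\Temp,/tmp).
-- osquery's hash table only returns rows when path or directory is
-- constrained, so each directory here is a bounded, separate lookup.
WITH split_sha(sha) AS (
    SELECT LOWER(value)
    FROM JSON_EACH('["' || REPLACE(REPLACE('$$sha_list$$', ' ', ''), ',', '","') || '"]')
),
split_dir(dir) AS (
    -- Backslashes in Windows paths must be doubled to stay valid JSON;
    -- spaces are kept so directories like 'Program Files' survive.
    SELECT value
    FROM JSON_EACH('["' || REPLACE(REPLACE('$$dir_list$$', '\', '\\'), ',', '","') || '"]')
)
SELECT
    hash.path,
    hash.directory,
    hash.sha256,
    hash.md5
FROM split_dir
JOIN hash ON hash.directory = split_dir.dir
JOIN split_sha ON LOWER(hash.sha256) = split_sha.sha;
```

Directories that do not exist on a given endpoint simply contribute no rows, so the same query can be scheduled against mixed Windows and Linux devices.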
