Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

  • Decode encoded powershell

    • Approved on
    • 2 Comments
    With the common use of PowerShell by Cobalt Strike and every other threat actor, I thought it would be nice to have a query that detects and decodes encoded PowerShell commands. The first query will simply decode Base64 encoded data (As you would see...
  • Process HTTP Calls

    • Approved on
    • 1 Comment
    In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime') AS...
  • Query - Are any Sophos services not running?

    • Approved on
    • 3 Comments
    REVIEWED by Sophos Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the Live Discover services are up and running you can find devices that do not have all the needed Sophos services...
  • Live Discover Query - Checking for redirected web traffic to unknown processes

    • Approved on
    • 1 Comment
    REVIEWED by Sophos While looking at the "sophos_ip_journal table", I noticed the interesting field "redirectionState" which could be useful to find traffic that is being covertly redirected to a local proxy before being sent on its way unbeknown to...
  • Live Discover Query - Living off the land BITS

    • Approved on
    • 1 Comment
    REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...
  • Threat Hunting - Powershell Script Blocks

    • Approved on
    • 0 Comments
    With the Sophos process journals you can see loads of information about the execution of processes as well as their command lines, but you cannot see the session data used directly in powershell, since it is running within the same process. Thankfully...
  • Generic Process Search on Windows

    • Approved on
    • 0 Comments
    Hi folks, Sophos already published a canned query for 'Search for processes (Windows)', and while that one is really useful I had some asks for a different approach that allowed for larger time windows in the search and some different parameters. ...
  • Live Discover Query - Sysinternals

    • Approved on
    • 1 Comment
    REVIEWED by Sophos We all know how useful the tools from Sysinternals are. Thanks Mark! Clearly they are so useful that the crooks use them too; in particular, PsExec is a favorite. When these tools are run you have to accept a EULA, this state is...
  • Live Discover - PowerShell command audit

    • Approved on
    • 0 Comments
    REVIEWED by Sophos Hello Threat Hunters! I mentioned in this post: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120201/live-response---command-audit/ how you could audit the history of PowerShell...
  • Live Discovery Query - SophosPID process activity digest

    • Approved on
    • 0 Comments
    REVIEWED by Sophos We have added a new table to the Sophos forensics journals: the sophos_process_activity table. Often as part of an investigation you need to get a quick view of what a process did in the past and this table provides a quick lookup...
  • Live Discover Query: ALL system activity for N seconds from a date/time

    • Approved on
    • 2 Comments
    REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...
  • Process that writes on Shadow Copy space

    • Approved on
    • 2 Comments
    Any idea for creating a query in order to extract a list of processes that write on Shadow copy space during a specified interval of time? Thank you
  • Live Discovery Query: Process tree for a SophosPID

    • Approved on
    • 2 Comments
    REVIEWED by Sophos One of the first things I like to understand when looking at a suspect process is how did it get started and what children processes if any did it create. To do that we need to build a process tree from the sophos process journal...
  • Live Discover - Lateral movement detection

    • Approved on
    • 2 Comments
    REVIEWED by Sophos With Live Discover I wanted to explore if I can write a query to detect lateral movement between devices that are under management. Because Live Discover queries are run on individual devices we cannot easily build a query that directly...
  • Live Discovery Query - Netsh - is something or someone allowing access?

    • Approved on
    • 1 Comment
    REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...
  • Live Discover Query - identify devices where services could be an issue

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos One possibility is to simply query the "services" table for service status, for example: select s.display_name, s.status from services as s where (s.display_name like 'Sophos%' or s.display_name like 'HitmanPro%') and s.status ...