Sophos Community
Site
User
Site
Search
User
Community & Product Forums
Intercept X Endpoint
Sophos (XG) Firewall
Sophos Central
UTM Firewall
Sophos Mobile
Sophos Wireless
Sophos Email
Community Chat
Community Blogs & Events
Sophos Community Blog
Community Security Blog
Product Documentation Blog
Application Control
Getting Started
Sophos Partners
Sophos Partners Group
Member Recognition
Community Leaderboards
Sophos Techvids
Product Documentation
Visit docs.sophos.com
Support Portal
Sophos.com
More
Cancel
Intercept X Endpoint
Processes
Release Notes & News
Discussions
Recommended Reads
Threat Hunting Academy
Early Access Programs
Live Discover & Response Query Forum
More
Cancel
New
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
and
Sophos EDR Threat Hunting Framework
.
Note:
For more information on Live Discover, please check out our
Product Documentation
.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Browse Ideas in Category
By highest score
By date
By recent status change
Descending
Ascending
All ideas
Ideas you submitted
Ideas you voted on
With any status
With any open status
With any closed status
With held votes
Currently 'Completed (Brand-new content)'
Currently 'Completed (Content Update)'
Currently 'Completed (Minor Issue)'
Currently 'Approved'
Currently 'Under Review'
Currently 'Coming Soon'
Currently 'Not Planned'
Currently 'Complete'
Generic Process Search on Windows
Karl_Ackerman
Under Review
0 Comments
Hi folks, Sophos already published a canned query for 'Search for processes (Windows)', and while that one is really useful I had some asks for a different approach that allowed for larger time windows in the search and some different parameters. ...
22 Jun 2021 3:46 AM
Threat Hunting - Powershell Script Blocks
AndyM
Under Review
0 Comments
With the Sophos process journals you can see loads of information about the execution of processes as well as their command lines, but you cannot see the session data used directly in powershell, since it is running within the same process. Thankfully...
22 Jun 2021 3:15 AM
Process that writes on Shadow Copy space
GiovanniGiovannelli
Under Review
2 Comments
Any idea for creating a query in order to extract a list of processes that write on Shadow copy space during a specified interval of time? Thank you
22 Jun 2021 3:29 AM
Process HTTP Calls
JeramyKopacko
Under Review
1 Comment
In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime')...
22 Jun 2021 3:28 AM
Decode encoded powershell
Karl_Ackerman
Approved
2 Comments
With the common use of powershell by cobalt strike and every other threat actor, I though it would be nice to have a query that detects and decodes encoded powershell commands. The first query will simply decode base 64 encoded data (As you would see...
22 Jun 2021 3:13 AM
Query - Are any Sophos services not running?
Karl_Ackerman
Under Review
3 Comments
REVIEWED by Sophos Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the live discover services are up an running you can find devices that do not have all the needed Sophos services...
22 Jun 2021 3:08 AM
Live Discover - PowerShell command audit
jak
Under Review
0 Comments
REVIEWED by Sophos Hello Threat Hunters! I mentioned in this post: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120201/live-response---command-audit/ how you could audit the history of PowerShell...
22 Jun 2021 3:44 AM
Live Discover - Lateral movement detection
Karl_Ackerman
Approved
2 Comments
REVIEWED by Sophos With Live discover I wanted to explore if I can write a query to detect lateral movement between devices that are under management. Because Live Discover queries are run on individual devices we can not easily build a query that...
22 Jun 2021 3:02 AM
Live Discover Query - Living off the land BITS
jak
Under Review
1 Comment
REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...
22 Jun 2021 3:01 AM
Live Discover Query: ALL system activity for N seconds from a date/time
Karl_Ackerman
Under Review
2 Comments
REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...
22 Jun 2021 3:00 AM
Live Discovery Query - SophosPID process activity digest
Karl_Ackerman
Under Review
0 Comments
REVIEWED by Sophos We have added a new table to the sophos forensics journals. The sophos_process_activity table. Often as part of an investigation you need to to get a quick view of what a process did in the past and this table provides a quick...
22 Jun 2021 3:43 AM
Live Discovery Query - Netsh - is something or someone allowing access?
jak
Under Review
1 Comment
REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...
22 Jun 2021 3:42 AM
LIve Discovery Query: Process tree for a SophosPID
Karl_Ackerman
Under Review
2 Comments
REVIEWED by Sophos One of the first things I like to understand when looking at a suspect process is how did it get started and what children processes if any did it create. To do that we need to build a process tree from the sophos process journal...
22 Jun 2021 3:00 AM
Live Discover Query - Checking for redirected web traffic to unknown processes
jak
Under Review
1 Comment
REVIEWED by Sophos While looking at the "sophos_ip_journal table", I noticed the interesting field "redirectionState" which could be useful to find traffic that is being covertly redirected to a local proxy before being sent on its way unbeknown to...
22 Jun 2021 3:38 AM
Live Discover Query - Sysinternals
jak
Under Review
1 Comment
REVIEWED by Sophos We all know how useful the tools from Sysinternals are. Thanks Mark! Clearly they are so useful that the crooks use them too, in particular, PsExex is a favorite. When these tools are run you have to accept a Eula, this state is...
22 Jun 2021 2:49 AM
Live Discover Query - identify devices where services could be an issue
jak
Under Review
1 Comment
REVIEWED by Sophos One possibility is to simply query the "services" table for service status, for example: select s.display_name, s.status from services as s where (s.display_name like 'Sophos%' or s.display_name like 'HitmanPro%') and s.status...
22 Jun 2021 2:46 AM