  • Vulnerability Scanner in a query

    • Approved
    • Live Discover
    • 0 Comments
    This query will perform a very basic vulnerability scan. What it does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...
    • 25 Sep 2020 11:07 AM
  • Asset Discovery Query

    • Approved
    • Live Discover
    • 0 Comments
    The below query will use the arp_cache table from the devices specified, take the MAC Address information from the results and send that via CURL to an API ( https://macvendors.com/api ) to pull in vendor information for the MAC addresses as another...
    • 16 Nov 2020 9:51 PM
  • Detecting RED TEAM Activity

    • Approved
    • Live Discover
    • 0 Comments
    I suspect for most of us reading these posts, we have had the experience of a RedTeam test. This is where you as a business hire an outside party to perform a penetration test of your organization. They can use lots of different tactics from phishing...
    • 31 Dec 2020 2:11 PM
  • Live Response - Suspicious Process - Create a dump for offline analysis

    • Approved
    • Live Response
    • 1 Comment
    REVIEWED by Sophos Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper. Well, how about the following workflow: Initiate a Live...
    • 1 May 2020 11:24 PM
  • Device Activity (Multiple queries in one)

    • Approved
    • Live Discover
    • 0 Comments
    As a threat hunter it is critical to get oriented quickly. When you have a device that has suspect activity on it and the threat hunter is still exploring what is happening they want a lot of different information about the device. This information is...
    • 1 Nov 2020 9:28 PM
  • Live Discover Query - UAC check and no need to re-invent the wheel

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies...
    • 18 Apr 2020 11:48 AM
  • IOC Hunt for Solarwinds

    • Under Review
    • Live Discover
    • 1 Comment
    We've released a small hunt query/IOCs for the reported SolarWinds attacks - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://github.com/sophos-cybersecurity...
    • 14 Dec 2020 1:54 PM
  • Find Local Administrative Accounts

    • Under Review
    • Live Discover
    • 0 Comments
    It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users...
    • 16 Nov 2020 9:51 PM
  • Decode encoded powershell

    • Approved
    • Live Discover
    • 2 Comments
    With the common use of PowerShell by Cobalt Strike and every other threat actor, I thought it would be nice to have a query that detects and decodes encoded PowerShell commands. The first query will simply decode base64 encoded data (as you would see...
    • 18 Nov 2020 4:17 PM
  • List software installed between two dates

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
    • 16 Jul 2020 2:20 PM