Live Discover & Response Query Forum

REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies...

REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...

Hello 99% of my time I use the GUI; so when it comes to use the CMD prompt I feel a little uncomfortable I am trying to use live response; in the kb and other documentation it is stated that with Live Response on windows you can: Reboot a device...

REVIEWED by Sophos The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...

Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed. Finding...

REVIEWED by Sophos It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially good ol' netsh can be used to load a malicious module and that it offers persistence. The tool does document this...

Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine...

REVIEWED by Sophos As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected: select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet...

REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...

REVIEWED by Sophos Hi guys, Been playing with live discover, which seems to be all I'm doing at the moment, it's a little addictive! Anyway wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...