Live Discover & Response Query Forum
Vulnerability Scanner in a query
Karl_Ackerman
Approved
Live Discover
0 Comments
This query will perform a very basic vulnerability scan. What it does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...
25 Sep 2020 11:07 AM
Asset Discovery Query
Paul Lawrence
Approved
Live Discover
0 Comments
The below query will use the arp_cache table from the devices specified, take the MAC Address information from the results and send that via CURL to an API ( https://macvendors.com/api ) to pull in vendor information for the MAC addresses as another...
16 Nov 2020 9:51 PM
Detecting RED TEAM Activity
Karl_Ackerman
Approved
Live Discover
0 Comments
I suspect for most of us reading these posts, we have had the experience of a RedTeam test. This is where you as a business hire an outside party to perform a penetration test of your organization. They can use lots of different tactics from phishing...
31 Dec 2020 2:11 PM
Live Response - Suspicious Process - Create a dump for offline analysis
jak
Approved
Live Response
1 Comment
REVIEWED by Sophos: Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper. Well, how about the following workflow: Initiate a Live...
1 May 2020 11:24 PM
Device Activity (Multiple queries in one)
Karl_Ackerman
Approved
Live Discover
0 Comments
As a threat hunter it is critical to get oriented quickly. When you have a device that has suspect activity on it and the threat hunter is still exploring what is happening they want a lot of different information about the device. This information is...
1 Nov 2020 9:28 PM
Live Discover Query - UAC check and no need to re-invent the wheel
jak
Under Review
Live Discover
1 Comment
REVIEWED by Sophos: While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies...
18 Apr 2020 11:48 AM
IOC Hunt for Solarwinds
CraigJones
Under Review
Live Discover
1 Comment
We've released a small hunt query/iocs for the reported solarwinds attacks - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://github.com/sophos-cybersecurity...
14 Dec 2020 1:54 PM
Find Local Administrative Accounts
RustbeltSE
Under Review
Live Discover
0 Comments
It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users...
16 Nov 2020 9:51 PM
Decode encoded powershell
Karl_Ackerman
Approved
Live Discover
2 Comments
With the common use of powershell by cobalt strike and every other threat actor, I thought it would be nice to have a query that detects and decodes encoded powershell commands. The first query will simply decode base 64 encoded data (As you would see...
18 Nov 2020 4:17 PM
List software installed between two dates
MichaelCurtis
Under Review
Live Discover
0 Comments
REVIEWED by Sophos: This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
16 Jul 2020 2:20 PM