Live Discover & Response Query Forum
Live Discover Query - UAC check and no need to re-invent the wheel
[REVIEWED by Sophos] While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies...
18 Apr 2020 11:48 AM
Live Discovery Query - Netsh - is something or someone allowing access?
[REVIEWED by Sophos] I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...
23 May 2020 2:07 PM
Live Response read text files; change configuration files etc.
Hello. 99% of my time I use the GUI, so when it comes to using the CMD prompt I feel a little uncomfortable. I am trying to use Live Response; in the KB and other documentation it is stated that with Live Response on Windows you can: Reboot a device...
19 Jul 2020 2:26 PM
Live Discover Query - BitLocker
[REVIEWED by Sophos] The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...
23 Apr 2020 3:46 PM
Live Response - Investigating other devices
Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed. Finding...
8 May 2020 4:45 PM
Live Discover Query - Abusing netsh
[REVIEWED by Sophos] It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially, good ol' netsh can be used to load a malicious module, and it offers persistence. The tool does document this...
25 May 2020 10:48 PM
Live Discover Query - General IT queries
Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine...
20 May 2020 12:10 PM
Live Discover Query - identify devices where Tamper Protection is disabled
[REVIEWED by Sophos] As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected: select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet...
18 Apr 2020 9:01 AM
Live Discover Query - Living off the land BITS
[REVIEWED by Sophos] There are many libraries one can use for making web calls, be it PowerShell, WinHTTP or XML, but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...
30 May 2020 8:43 PM
Live Discover Query - CPU Usage (Weighted)
[REVIEWED by Sophos] Hi guys, I've been playing with Live Discover, which seems to be all I'm doing at the moment; it's a little addictive! Anyway, I wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...
18 Jun 2020 3:51 PM