Live Discover & Response Query Forum
Live Discover Query - UAC check and no need to re-invent the wheel
REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies...
18 Apr 2020 11:48 AM
Vulnerability Scanner in a query
This query will perform a very basic vulnerability scan. What it does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...
25 Sep 2020 11:07 AM
Live Response - Suspicious Process - Create a dump for offline analysis
REVIEWED by Sophos Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper. Well, how about the following workflow: Initiate a Live...
1 May 2020 11:24 PM
Live Discover Query - Artifacts of infection - Registry and other strings
REVIEWED by Sophos Given that malicious software is designed to evade detection and thwart the ability to remediate, there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...
28 Apr 2020 8:08 PM
Live Discover Query - Show the % free disk space
REVIEWED by Sophos Often when a user complains about a device being slow or having problems the first thing to check is how much free disk space does the device have. You can use this to monitor the devices under management to determine if you should...
1 May 2020 3:34 PM
Live Discover Query - SDBot Malware - RAT
REVIEWED by Sophos Here is a specific query identifying SDBot Malware used by the TA505 hacking group: SELECT DISTINCT srj.time AS event_timestamp, srj.keyName, srj.value, srj.eventType, srj.sophosPID, srj.valueName, 'REG_BINARY' AS valueType, 'SDBbot...
6 May 2020 12:47 PM
Identify all portable executables deployed or modified by a process name over time
REVIEWED by Sophos For this query we want to identify all portable executables that have been written to the device. We have some variables, so if you want you can look for the Portable Executables created by a specific process %powershell% or all...
7 Jul 2020 6:08 PM
Check version of Firefox installed vs latest available
REVIEWED by Sophos A quick and dirty query leveraging curl to get the latest version of Firefox from Mozilla.org and compare to the installed version. Uses curl a bit too much, but I'm having trouble using "with" clauses and parsing that result,...
15 Jul 2020 11:47 AM
Stories from the Front Line - Finding files modified by ransomware
REVIEWED by Sophos The Sophos Incident Response team is often very busy, today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
12 Aug 2020 3:09 PM
Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability
REVIEWED by Sophos Windows has a zero-day that won't be patched for weeks. Well, another day, another zero-day vulnerability. Today I am looking at how to best create a vulnerability check given information in a CVE and a Microsoft Notification. In...
22 Apr 2020 7:27 PM