  • Live Discover Query - UAC check and no need to re-invent the wheel

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies...
    • 18 Apr 2020 11:48 AM
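    The check in that post can be widened from one value to the three policy values that together decide whether an elevation prompt actually appears. The query below is an added example for Live Discover's osquery-style `registry` table; it is not code from the post. It assumes the documented policy key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and the documented meanings of `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop`.

```sql
-- Added example (not from the original post). Decodes the UAC policy values
-- under the assumed standard policy key so that weak settings stand out.
-- Registry DWORDs are returned by the registry table as decimal strings.
SELECT
  name,
  data,
  CASE
    WHEN name = 'EnableLUA' AND data = '0'
      THEN 'WEAK: UAC disabled, no elevation prompts at all'
    WHEN name = 'ConsentPromptBehaviorAdmin' AND data = '0'
      THEN 'WEAK: administrators elevate silently'
    WHEN name = 'PromptOnSecureDesktop' AND data = '0'
      THEN 'WEAK: prompt shown on the normal desktop (spoofable)'
    WHEN name = 'EnableLUA' AND data = '1'
      THEN 'ok: UAC enabled'
    WHEN name = 'ConsentPromptBehaviorAdmin' AND data = '5'
      THEN 'ok: prompt for consent for non-Windows binaries (default)'
    WHEN name = 'ConsentPromptBehaviorAdmin' AND data IN ('1', '2', '3', '4')
      THEN 'ok: prompt for consent or credentials'
    WHEN name = 'PromptOnSecureDesktop' AND data = '1'
      THEN 'ok: prompt on the secure desktop'
    ELSE 'unexpected value, review'
  END AS assessment
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
  AND name IN ('EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop')
-- a value of 0 is the weak setting for all three, so list those first
ORDER BY CASE WHEN data = '0' THEN 0 ELSE 1 END, name;
```

    A missing row is not a finding: when a value is absent the Windows default applies (UAC on, secure desktop on, consent prompt for non-Windows binaries), so only rows assessed as WEAK need follow-up.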
  • Live Discovery Query - Netsh - is something or someone allowing access?

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...
    • 23 May 2020 2:07 PM
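    Whatever tool adds the rule (netsh, the GUI or the COM API), the firewall service persists it to one registry key as a pipe-delimited string, so the rule set can be reviewed after the fact even when the netsh process itself has long gone. The query below is an added example, not code from the post. It assumes the rule store key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules` and the `Field=value|` layout of each rule string; the exclusions for programs under the Windows directory are a starting point to tune, not a verdict.

```sql
-- Added example (not from the original post). Active inbound allow rules that
-- are bound to a specific program, read from the persistent firewall rule
-- store. Each value holds one rule as a pipe-delimited string, for instance
--   v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=4444|App=C:\Users\x\a.exe|Name=Updater|
-- (a constructed illustration of the format, not a real rule).
SELECT
  name AS rule_id,
  -- pull single fields out of the rule string with substr/instr
  substr(substr(data, instr(data, '|Name=') + 6), 1,
         instr(substr(data, instr(data, '|Name=') + 6), '|') - 1) AS rule_name,
  substr(substr(data, instr(data, '|App=') + 5), 1,
         instr(substr(data, instr(data, '|App=') + 5), '|') - 1) AS program,
  CASE WHEN instr(data, '|LPort=') > 0
       THEN substr(substr(data, instr(data, '|LPort=') + 7), 1,
                   instr(substr(data, instr(data, '|LPort=') + 7), '|') - 1)
       ELSE 'any' END AS local_port,
  CASE WHEN instr(data, '|Protocol=6|')  > 0 THEN 'TCP'
       WHEN instr(data, '|Protocol=17|') > 0 THEN 'UDP'
       ELSE 'any/other' END AS protocol,
  mtime AS key_modified,
  data  AS raw_rule
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
  AND type != 'subkey'
  AND data LIKE '%|Action=Allow|%'
  AND data LIKE '%|Active=TRUE|%'
  AND data LIKE '%|Dir=In|%'
  AND data LIKE '%|App=%'
  -- drop rules for programs under the Windows directory; adjust to your estate
  AND data NOT LIKE '%|App=C:\Windows\%'
  AND data NOT LIKE '%|App=%SystemRoot%\%'
ORDER BY key_modified DESC;
```

    Rules whose program sits under a user profile, a temp directory or an unusual port are the ones worth pairing with the process history for that endpoint. The key's modification time is for the whole key, so it tells you when the rule set last changed, not when a particular rule was added.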
  • Live Response read text files; change configuration files etc.

    • Under Review
    • Live Response
    • 2 Comments
    Hello, 99% of my time I use the GUI, so when it comes to using the CMD prompt I feel a little uncomfortable. I am trying to use Live Response; in the KB and other documentation it is stated that with Live Response on Windows you can: Reboot a device...
    • 19 Jul 2020 2:26 PM
  • Live Discover Query - BitLocker

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...
    • 23 Apr 2020 3:46 PM
  • Live Response - Investigating other devices

    • Under Review
    • Live Response
    • 0 Comments
    Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed. Finding...
    • 8 May 2020 4:45 PM
  • Live Discover Query - Abusing netsh

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially good ol' netsh can be used to load a malicious module, and that offers persistence. The tool does document this...
    • 25 May 2020 10:48 PM
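    The helper DLLs that netsh loads are registered in the registry, so the technique in that post leaves an artefact that Live Discover can read directly. The query below is an added example, not code from the post. It assumes that helper registrations are values under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh` (and its `WOW6432Node` counterpart) with the helper name as the value name and the DLL as the data, that built-in helpers are registered by bare file name and resolved from System32, and that `netsh add helper <path>` stores the path it was given; the `C:\Windows\System32\` prefix is likewise an assumption about the system root.

```sql
-- Added example (not from the original post). Lists every registered netsh
-- helper DLL and flags entries that do not look like the built-in helpers.
-- Assumption: built-in helpers are bare DLL names (e.g. a value whose data is
-- 'ifmon.dll'), while a helper added with an explicit path keeps that path.
SELECT
  key,
  name  AS helper,
  data  AS dll,
  mtime AS key_modified,
  CASE
    WHEN data LIKE '%\%'
      THEN 'REVIEW: helper registered with an explicit path'
    WHEN data NOT LIKE '%.dll'
      THEN 'REVIEW: value is not a DLL name'
    ELSE 'bare DLL name, resolved from System32 (confirm it exists there)'
  END AS assessment,
  -- the path the loader is expected to use for this entry (assumed system root)
  CASE WHEN data LIKE '%\%' THEN data
       ELSE 'C:\Windows\System32\' || data END AS expected_path
FROM registry
WHERE key IN ('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh',
              'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh')
  AND type != 'subkey'
-- entries with an explicit path first, then the rest grouped by key
ORDER BY CASE WHEN data LIKE '%\%' THEN 0 ELSE 1 END, key, name;
```

    A second query can feed `expected_path` into the `hash` table to get a SHA-256 for each DLL and compare it against a known-good list; a bare name that does not resolve to a signed Microsoft binary in System32 is just as interesting as an explicit path.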
  • Live Discover Query - General IT queries

    • Under Review
    • Live Discover
    • 3 Comments
    Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine...
    • 20 May 2020 12:10 PM
  • Live Discover Query - identify devices where Tamper Protection is disabled

    • Under Review
    • Live Discover
    • 2 Comments
    REVIEWED by Sophos As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected: select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet...
    • 18 Apr 2020 9:01 AM
  • Live Discover Query - Living off the land BITS

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...
    • 30 May 2020 8:43 PM
  • Live Discover Query - CPU Usage (Weighted)

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos Hi guys, I've been playing with Live Discover, which seems to be all I'm doing at the moment; it's a little addictive! Anyway, I wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...
    • 18 Jun 2020 3:51 PM