Live Discover Query - identify devices where Tamper Protection is disabled

REVIEWED by Sophos

As a simple query highlighting the power of Live Query for ad-hoc reporting, we can easily get the tamper protection state for the computers selected:

select data,path from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' AND name='SEDEnabled' AND data=0;

Regards,

Jak

jak

Top Comments

AK over 3 years ago +3

/cfs-file/__key/commentfiles/fb5d84b10a5745448a7a45dafc1faa43-a278b39e-c981-4508-92a2-147f9cca12a9/pastedimage1593430621802v1.png REVIEWED by Sophos no logic changes, just slightly nicer output: …

Parents

AK over 3 years ago

/cfs-file/__key/commentfiles/fb5d84b10a5745448a7a45dafc1faa43-a278b39e-c981-4508-92a2-147f9cca12a9/pastedimage1593430621802v1.png REVIEWED by Sophos no logic changes, just slightly nicer output: SELECT CASE WHEN data LIKE '0' THEN 'DISABLED' end Tamper_Protection FROM registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' AND name='SEDEnabled' AND data=0;
- Cancel
- Vote Up +3 Vote Down
- More
- Cancel

Comment

AK over 3 years ago

/cfs-file/__key/commentfiles/fb5d84b10a5745448a7a45dafc1faa43-a278b39e-c981-4508-92a2-147f9cca12a9/pastedimage1593430621802v1.png REVIEWED by Sophos no logic changes, just slightly nicer output: SELECT CASE WHEN data LIKE '0' THEN 'DISABLED' end Tamper_Protection FROM registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' AND name='SEDEnabled' AND data=0;
- Cancel
- Vote Up +3 Vote Down
- More
- Cancel

Children

No Data

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Live Discover Query - identify devices where Tamper Protection is disabled

Top Comments