Approved

Query for Applications that Auto Start

SELECT
name as 'Key Name',
source as 'Start Up Source',
path as 'Path',
args as 'Arguments',
username as 'Owner',
status as 'Status'
FROM startup_items
ORDER BY status;

This may be used to identify persistence mechanisms or unrecognised startup items.

  • Danish,

    There is a query known as "Authentication Attempts" to find a specific IP address. You can also use something short, like my colleague Ravi created in another forum:

    SELECT
    datetime(time,'unixepoch','localtime') as 'Time',
    eventid,
    task_message,
    json_extract(data,'$.EventData.FailureReason') as FailureReason,
    json_extract(data,'$.EventData.TargetUserName') as UserName
    FROM sophos_windows_events
    -- '%s' gives the unix epoch and '-24 hours' looks back one day; the original
    -- STRFTIME('%H','NOW','24 hours') returned only the current hour of day, so
    -- the comparison against the epoch 'time' column never matched.
    WHERE eventid='4625' AND UserName <> '' AND time > CAST(STRFTIME('%s','now','-24 hours') AS INTEGER);

    Thanks!
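    As an added example (not from the original thread or from Sophos), the same 4625 query turned into a summary that counts repeated failures per account and source over the last 24 hours, which is what you want when hunting for password guessing rather than reading events one by one. It assumes the same sophos_windows_events table and JSON data column as above; IpAddress, WorkstationName, LogonType and SubStatus are standard EventData fields of Windows event 4625, and the threshold of 5 failures is an assumption to tune.

```sql
-- Added example: repeated failed logons (event 4625) in the last 24 hours,
-- grouped by target account and source, with first/last seen timestamps.
-- Assumes the sophos_windows_events table with a JSON 'data' column as in
-- the thread. SubStatus explains the failure (e.g. 0xC000006A bad password,
-- 0xC0000064 unknown user name), which separates typos from guessing.
SELECT
  json_extract(data, '$.EventData.TargetUserName')  AS UserName,
  json_extract(data, '$.EventData.IpAddress')       AS SourceIp,
  json_extract(data, '$.EventData.WorkstationName') AS Workstation,
  json_extract(data, '$.EventData.LogonType')       AS LogonType,
  json_extract(data, '$.EventData.SubStatus')       AS SubStatus,
  COUNT(*)                                          AS Failures,
  datetime(MIN(time), 'unixepoch', 'localtime')     AS FirstSeen,
  datetime(MAX(time), 'unixepoch', 'localtime')     AS LastSeen
FROM sophos_windows_events
WHERE eventid = '4625'
  AND UserName <> ''
  AND time > CAST(STRFTIME('%s', 'now', '-24 hours') AS INTEGER)
GROUP BY UserName, SourceIp, Workstation, LogonType, SubStatus
HAVING Failures >= 5   -- assumed threshold; lower it for sensitive accounts
ORDER BY Failures DESC, LastSeen DESC;
```

    Many failures for one account from many sources points to a spray against that account; many accounts from one source points to a guessing host, so sort on either column as needed.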

  • Hello Jeramy, do you know the query for Failed Login Attempts for Windows? Sophos got the query but only for Linux. Can you help me with that? Thanks