REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...

REVIEWED by Sophos When hunting for indicators of compromise it is not uncommon to find a list of things you should be checking. In the example below I will show how to use variables to select some csv data that is under 5KB in size and then convert...

REVIEWED by Sophos Yesterday I got one of those alerts that I suspect many of you also receive, another security advisory. This one was for folks who have the Pulse Secure VPN and mentioned that even after applying the patch the adversary could be...

REVIEWED by Sophos One thing I have found helpful with osquery is the flexibility it provides for what sometimes seems an obvious task such as the version of a piece of software. Take for example the client software of Zoom given it's pretty popular...

Given that Live Response is now live! This might be a useful command to initiate an "update now" from the command line: powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1) You can monitor the progress by...

REVIEWED by Sophos See the story from Sophos Labs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/ The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks...

REVIEWED by Sophos Like the earlier post we are often helping an account after they have been breached and are needing to deploy InterceptX with EDR on devices that where breached. In these situations we can't depend on the Sophos Journals for...

REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To find machines with...

REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...

REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...