Live Discover & Response Query Forum
List software installed between two dates
REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date, so that is returned just in case it helps. SELECT...
16 Jul 2020 2:20 PM
Live Discovery Query: How to bulk process a CSV List of SHA256 data
REVIEWED by Sophos When hunting for indicators of compromise it is not uncommon to find a list of things you should be checking. In the example below I will show how to use variables to select some csv data that is under 5KB in size and then convert...
27 May 2020 12:07 PM
Query for emerging threat - Check your Pulse
REVIEWED by Sophos Yesterday I got one of those alerts that I suspect many of you also receive, another security advisory. This one was for folks who have the Pulse Secure VPN and mentioned that even after applying the patch the adversary could be...
17 Apr 2020 2:30 PM
Live Discover Query - Software version check
REVIEWED by Sophos One thing I have found helpful with osquery is the flexibility it provides for what sometimes seems an obvious task such as the version of a piece of software. Take for example the client software of Zoom given it's pretty popular...
18 Apr 2020 11:31 PM
Live Response - Force an update from the command line and checking status
Given that Live Response is now live, this might be a useful command to initiate an "update now" from the command line: powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1) You can monitor the progress by...
30 Apr 2020 4:45 PM
Detecting Kingminer IOCs
REVIEWED by Sophos See the story from Sophos Labs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/ The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks...
10 Jun 2020 2:41 PM
Another Story from the Front Line: Has CobaltStrike or PowerShellEmpire been installing services on the device
REVIEWED by Sophos Like the earlier post, we are often helping an account after they have been breached and are needing to deploy InterceptX with EDR on devices that were breached. In these situations we can't depend on the Sophos Journals for...
12 Aug 2020 3:45 PM
Find Domain Controllers
REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To find machines with...
24 Jul 2020 11:17 AM
Live Discovery Query: Identify new admin accounts
REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
10 Jun 2020 1:48 PM
Live Discover Query: ALL system activity for N seconds from a date/time
REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...
26 May 2020 5:38 PM