• List software installed between two dates

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date, so that is returned just in case it helps. SELECT...
    • 16 Jul 2020 2:20 PM
  • Live Discovery Query: How to bulk process a CSV List of SHA256 data

    • Under Review
    • Live Discover
    • 2 Comments
    REVIEWED by Sophos When hunting for indicators of compromise it is not uncommon to find a list of things you should be checking. In the example below I will show how to use variables to select some csv data that is under 5KB in size and then convert...
    • 27 May 2020 12:07 PM
  • Query for emerging threat - Check your Pulse

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos Yesterday I got one of those alerts that I suspect many of you also receive, another security advisory. This one was for folks who have the Pulse Secure VPN and mentioned that even after applying the patch the adversary could be...
    • 17 Apr 2020 2:30 PM
  • Live Discover Query - Software version check

    • Under Review
    • Live Discover
    • 2 Comments
    REVIEWED by Sophos One thing I have found helpful with osquery is the flexibility it provides for what sometimes seems an obvious task such as the version of a piece of software. Take for example the client software of Zoom given it's pretty popular...
    • 18 Apr 2020 11:31 PM
  • Live Response - Force an update from the command line and checking status

    • Under Review
    • Live Discover
    • 0 Comments
    Given that Live Response is now live, this might be a useful command to initiate an "update now" from the command line: powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1) You can monitor the progress by...
    • 30 Apr 2020 4:45 PM
  • Detecting Kingminer IOCs

    • Under Review
    • Live Discover
    • 2 Comments
    REVIEWED by Sophos See the story from Sophos Labs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/ The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks...
    • 10 Jun 2020 2:41 PM
  • Another Story from the Front Line: Has CobaltStrike or PowerShellEmpire been installing services on the device

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos Like the earlier post, we are often helping an account after they have been breached and are needing to deploy Intercept X with EDR on devices that were breached. In these situations we can't depend on the Sophos Journals for...
    • 12 Aug 2020 3:45 PM
  • Find Domain Controllers

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To find machines with...
    • 24 Jul 2020 11:17 AM
  • Live Discovery Query: Identify new admin accounts

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
    • 10 Jun 2020 1:48 PM
  • Live Discover Query: ALL system activity for N seconds from a date/time

    • Under Review
    • Live Discover
    • 2 Comments
    REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...
    • 26 May 2020 5:38 PM