• MITRE ATT&CK EXFILTRATION Tactic IOC Detection

    • Approved
    • Live Discover
    • 0 Comments
    Here is a query that looks at processes and cmdlines to map to IOCs in the Exfiltration tactic for MITRE -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...
    • 31 Dec 2020 6:53 PM
  • EDR Query to find all local admins (Windows)

    • Under Review
    • Live Discover
    • 8 Comments
    I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right...
    • 18 Feb 2021 8:19 PM
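An added example for the question above, not the poster's query or Sophos-supplied code: osquery SQL (the dialect Live Discover runs) that lists members of the built-in Administrators group. It joins the standard osquery `users`, `groups` and `user_groups` tables and matches the group on its well-known SID `S-1-5-32-544` rather than its display name, so a renamed or localised group is still found.

```sql
-- Added example: members of the local Administrators group on Windows.
-- Matching on the well-known SID S-1-5-32-544 instead of the name
-- 'Administrators' survives group renames and non-English installs.
SELECT
    u.username,
    u.uid,
    u.type,           -- osquery reports 'local' or 'roaming' on Windows
    u.description,
    g.groupname,
    g.group_sid
FROM user_groups AS ug
JOIN users  AS u ON u.uid = ug.uid
JOIN groups AS g ON g.gid = ug.gid
WHERE g.group_sid = 'S-1-5-32-544'
ORDER BY u.username;
```

Caveat: this join only reports principals that osquery's `users` table enumerates on the endpoint and does not expand a nested domain group, so a "Domain Admins" entry inside Administrators will not be broken out into individual accounts. Treat an unexpected `local` account in the result as the interesting finding.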
  • List software installed between two dates

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos. This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date, so that is returned just in case it helps. SELECT...
    • 16 Jul 2020 2:20 PM
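An added example of the same idea, written against the standard osquery `programs` table rather than copied from the post: on Windows `install_date` is reported as a `YYYYMMDD` string taken from the Uninstall registry keys, so the window is compared as strings in that format, and rows with no date are kept and flagged instead of silently dropped. The date window and the Sophos exclusion patterns are assumptions to adjust.

```sql
-- Added example: software installed inside a date window, Sophos excluded.
-- install_date is a YYYYMMDD string on Windows; compare it as text in that
-- format. Entries with no install_date are kept and labelled, because many
-- installers never write the value.
SELECT
    name,
    version,
    publisher,
    install_date,
    install_location,
    CASE WHEN COALESCE(install_date, '') = '' THEN 'no install_date recorded'
         ELSE '' END AS note
FROM programs
WHERE (install_date BETWEEN '20200701' AND '20200716'  -- inclusive window, YYYYMMDD (assumed)
       OR COALESCE(install_date, '') = '')
  AND COALESCE(publisher, '') NOT LIKE 'Sophos%'
  AND name NOT LIKE 'Sophos%'
ORDER BY install_date DESC, name;
```

Because `install_date` is text, a `BETWEEN` on two dates written in another format (for example `2020-07-01`) will silently match nothing; keep both bounds as eight digits.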
  • Live Discover Query - Artifacts of infection - Registry and other strings

    • Under Review
    • Live Discover
    • 1 Comment
    REVIEWED by Sophos. Given that malicious software is designed to evade detection and thwart the ability to remediate, there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...
    • 28 Apr 2020 8:08 PM
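An added example of one family of the registry artifacts the post refers to, not code from the post itself: the Run and RunOnce autostart values for the machine hive and for every loaded user hive, read through the standard osquery `registry` table. The `%` wildcard under `HKEY_USERS` expands to each loaded SID, and the key's `mtime` lets the most recently changed autostart sort first.

```sql
-- Added example: autostart (Run / RunOnce) values for HKLM and every
-- loaded user hive. The registry table needs a key constraint; '%' under
-- HKEY_USERS expands to each loaded SID. Sorting by mtime surfaces the
-- most recently modified key first, which is usually the one to look at.
SELECT
    key,
    name,
    data,
    datetime(mtime, 'unixepoch', 'localtime') AS key_modified
FROM registry
WHERE (key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
    OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    OR key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    OR key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce')
  AND name != '(Default)'          -- skip the empty default value of each key
ORDER BY mtime DESC;
```

Note that `mtime` is the modification time of the key, not of the individual value, so one recently added value makes every value under that key sort to the top; compare `data` against the expected installed software before treating an entry as an infection artifact.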
  • Stories from the Front Line - Finding files modified by ransomware

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos. The Sophos Incident Response team is often very busy; today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
    • 12 Aug 2020 3:09 PM
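An added example of how such a query can be shaped, not the one the post goes on to show: it uses the standard osquery `file` table, which requires a path constraint (`%%` makes the match recursive), restricts to regular files whose `mtime` falls inside a window, and then groups by file extension so a mass rename to a ransomware extension stands out as one row with a large count. The profile path, the one-day window (given in UTC) and the extension-splitting trick are assumptions for the example.

```sql
-- Added example: files under user Documents folders modified inside a window,
-- summarised by extension. The file table needs a path constraint; '%%' is
-- osquery's recursive wildcard. Times in strftime are interpreted as UTC.
WITH changed AS (
    SELECT
        directory,
        filename,
        size,
        mtime,
        -- extension = text after the last '.'; rtrim strips trailing non-dot
        -- characters, leaving 'name.' which is then removed from the filename
        CASE WHEN instr(filename, '.') = 0 THEN ''
             ELSE replace(filename, rtrim(filename, replace(filename, '.', '')), '')
        END AS extension
    FROM file
    WHERE path LIKE 'C:\Users\%\Documents\%%'   -- assumed scope; widen as needed
      AND type = 'regular'
      AND mtime BETWEEN CAST(strftime('%s', '2020-08-12 00:00:00') AS INTEGER)
                    AND CAST(strftime('%s', '2020-08-12 23:59:59') AS INTEGER)
)
SELECT
    extension,
    COUNT(*)                                        AS files,
    datetime(MIN(mtime), 'unixepoch', 'localtime')  AS first_modified,
    datetime(MAX(mtime), 'unixepoch', 'localtime')  AS last_modified,
    MIN(directory)                                  AS example_directory
FROM changed
GROUP BY extension
ORDER BY files DESC;
```

Drop the `GROUP BY` and select `directory, filename, modified` from `changed` once an extension of interest is known, to get the per-file list for the recovery team. Recursive `file` queries over large trees are slow on the endpoint, so start with a narrow path and a narrow window.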
  • Process HTTP Calls

    • Under Review
    • Live Discover
    • 0 Comments
    In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime')...
    • 25 Nov 2020 7:46 PM
  • Live Discovery Query: Identify new admin accounts

    • Under Review
    • Live Discover
    • 0 Comments
    REVIEWED by Sophos. This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
    • 10 Jun 2020 1:48 PM
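An added example that builds on the same event source, not the post's own query: instead of checking current group membership it correlates two Security events, account creation (4720) with a member being added to a security-enabled local group (4732), joined on the new account's SID, and keeps only additions to the built-in Administrators group. The `datetime`, `eventid` and `data` columns and the `$.EventData` JSON layout are taken from the post above; the `time` column used for the window, the 7-day lookback and the `EventData` field names (which follow the Windows Security event schema) are assumptions.

```sql
-- Added example: accounts created (4720) that were then added to the
-- built-in Administrators group (4732) within the lookback window.
-- Join key is the new account's SID: TargetSid on 4720, MemberSid on 4732.
-- Assumes sophos_windows_events exposes a unix-epoch 'time' column.
WITH created AS (
    SELECT
        datetime,
        json_extract(data, '$.EventData.TargetUserName')  AS new_user,
        json_extract(data, '$.EventData.TargetSid')       AS new_sid,
        json_extract(data, '$.EventData.SubjectUserName') AS created_by
    FROM sophos_windows_events
    WHERE eventid = '4720'
      AND time > strftime('%s', 'now', '-7 days')
),
added AS (
    SELECT
        datetime,
        json_extract(data, '$.EventData.MemberSid')       AS member_sid,
        json_extract(data, '$.EventData.TargetUserName')  AS group_name,
        json_extract(data, '$.EventData.TargetSid')       AS group_sid,
        json_extract(data, '$.EventData.SubjectUserName') AS added_by
    FROM sophos_windows_events
    WHERE eventid = '4732'
      AND time > strftime('%s', 'now', '-7 days')
)
SELECT
    c.datetime   AS created_at,
    c.new_user,
    c.created_by,
    a.datetime   AS added_at,
    a.group_name,
    a.added_by
FROM created AS c
JOIN added   AS a ON a.member_sid = c.new_sid
WHERE a.group_sid = 'S-1-5-32-544'   -- built-in Administrators, by well-known SID
ORDER BY c.datetime;
```

Both events only exist if the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled on the endpoint, so an empty result on a host with no audit policy is not evidence that nothing happened.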
  • Gather System Information

    • Under Review
    • Live Discover
    • 0 Comments
    This query can be used for general IT. Perhaps an organization is considering new software or wants to compare serial numbers for warranty. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, physical_memory, hardware_vendor, hardware_model FROM...
    • 16 Nov 2020 9:51 PM
  • MITRE ATT&CK IMPACT Tactic IOC Detection

    • Approved
    • Live Discover
    • 0 Comments
    Experimenting with a simple query to detect IOCs based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time Date -- Total Hours to search STRING -- Detect MITRE...
    • 31 Dec 2020 6:53 PM
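An added example covering both the Exfiltration and the Impact cmdline-IOC posts on this page, not code from either post: the pattern-to-technique mapping is kept in a `VALUES` CTE so it can be extended without touching the `SELECT`, and each matching command line comes back tagged with its ATT&CK tactic and technique ID. The posts search a time window; this version is a snapshot over the standard osquery `processes` table, so it only sees processes that are running at query time. The indicator patterns are illustrative living-off-the-land commands and need tuning per environment, since several are also used by legitimate administration.

```sql
-- Added example: command-line IOC match with ATT&CK tactic/technique tags.
-- Patterns are LIKE expressions over the lowercased command line and are
-- illustrative; backup agents and admins run some of these legitimately.
WITH ioc(tactic, technique, pattern) AS (
    VALUES
      ('Exfiltration', 'T1048 Exfiltration Over Alternative Protocol', '%curl%-t %'),
      ('Exfiltration', 'T1048 Exfiltration Over Alternative Protocol', '%curl%--upload-file%'),
      ('Exfiltration', 'T1048 Exfiltration Over Alternative Protocol', '%.uploadfile(%'),
      ('Exfiltration', 'T1048 Exfiltration Over Alternative Protocol', '%.uploadstring(%'),
      ('Exfiltration', 'T1567.002 Exfiltration to Cloud Storage',      '%rclone%copy%'),
      ('Exfiltration', 'T1567.002 Exfiltration to Cloud Storage',      '%rclone%sync%'),
      ('Impact',       'T1490 Inhibit System Recovery',                 '%vssadmin%delete%shadows%'),
      ('Impact',       'T1490 Inhibit System Recovery',                 '%wmic%shadowcopy%delete%'),
      ('Impact',       'T1490 Inhibit System Recovery',                 '%wbadmin%delete%catalog%'),
      ('Impact',       'T1490 Inhibit System Recovery',                 '%bcdedit%recoveryenabled%no%'),
      ('Impact',       'T1485 Data Destruction',                        '%cipher%/w:%')
)
SELECT
    p.pid,
    p.parent,
    p.name,
    p.path,
    p.cmdline,
    ioc.tactic,
    ioc.technique
FROM processes AS p
JOIN ioc ON LOWER(p.cmdline) LIKE ioc.pattern
ORDER BY ioc.tactic, p.pid;
```

Because the join is many-to-many, a command line that matches two patterns returns twice, once per technique; that is intentional, so that a single `vssadmin` invocation is not hidden behind the first pattern that happened to match.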
  • Query - Are any Sophos services not running?

    • Under Review
    • Live Discover
    • 3 Comments
    REVIEWED by Sophos. Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the Live Discover services are up and running you can find devices that do not have all the needed Sophos services...
    • 12 Aug 2020 3:36 PM
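An added example in the same spirit, not the post's own query: it reads the standard osquery `services` table and returns every Sophos service that is present but not in the RUNNING state, together with its start type and exit codes, which is what separates a service disabled by an adversary (`start_type` = DISABLED, or a STOPPED auto-start service with a zero exit code) from one that died during an update (a non-zero exit code). The name and path patterns used to identify Sophos services are assumptions.

```sql
-- Added example: Sophos services present on the endpoint but not running.
-- start_type and the exit codes distinguish "disabled on purpose" from
-- "crashed or mid-update". Name/path patterns are assumed; adjust them.
SELECT
    name,
    display_name,
    status,            -- RUNNING, STOPPED, START_PENDING, ...
    start_type,        -- AUTO_START, DEMAND_START, DISABLED, ...
    win32_exit_code,
    service_exit_code,
    user_account,
    path
FROM services
WHERE (LOWER(display_name) LIKE 'sophos%'
    OR LOWER(path) LIKE '%\sophos\%')
  AND status != 'RUNNING'
ORDER BY start_type, name;
```

As the post notes, this can only report from endpoints where the Live Discover agent itself still answers; a device that returns no rows because it is entirely offline has to be caught from the management console's last-seen time, not from this query.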