Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • FORCEDENTRY Big Sur 11.6 Version Check

    • Under Review
    • 0 Comments
    /* compare the minor number rather than the exact version string, so 11.6.1 and later point releases are also reported as patched */ SELECT version, CASE WHEN minor >= 6 THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = 11
    • 14 Sep 2021 8:11 PM
  • FORCEDENTRY Safari Check (CATALINA & MOJAVE)

    • Under Review
    • 0 Comments
    SELECT CASE WHEN bundle_short_version = '14.1.2' THEN 'PATCHED' ELSE 'Vulnerable to FORCEDENTRY' END AS VulnCheck FROM apps WHERE name = 'Safari.app'
    • 14 Sep 2021 7:47 PM
  • CVE-2021-40444 MSHTML and other potential malicious processes originating from MS products (Data Lake)

    • Under Review
    • 0 Comments
    Query we've used for looking for possible MSHTML related activity. You can add additional programs to the where clause and filter out false positives using the having clause. The rule is mainly based on the idea of this sigma rule: https://github.com...
    • 9 Sep 2021 11:43 AM
  • Query for CVE-2021-40444 MSHTML Process Event

    • Under Review
    • 0 Comments
    This query will look for a process event that has been associated with this attack. WinWord.exe has launched a child process called "control.exe" and has been seen in the wild with this vulnerability. This does NOT guarantee you've been breached but...
    • 8 Sep 2021 8:57 PM
  • Query if CVE-2021-40444 MSHTML Mitigations Are Applied

    • Under Review
    • 0 Comments
    The current vulnerability CVE-2021-40444 MSHTML is a zero-day and is awaiting a patch. You should consider the Microsoft guidance in their Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 This query will...
    • 8 Sep 2021 6:54 PM
  • Query - IOCs From GitHub list

    • Under Review
    • 1 Comment
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From...
    • 24 Aug 2021 8:56 PM
  • T1078 - CVE-2020-1472 - Netlogon

    • Under Review
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search and detect Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...
    • 16 Aug 2021 9:36 PM
  • Receiving ACL for SAM file not working

    • Under Review
    • 0 Comments
    Hi, I created this query to check which of our systems are affected by the SeriousSAM vulnerability. When I run the query I do not receive any data back. Does someone know what I did wrong? SELECT * FROM ntfs_acl_permissions WHERE path like 'C:...
    • 30 Jul 2021 9:26 AM
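
Added example following the post above (editor's query, not the poster's and not Sophos code): the SeriousSAM / HiveNightmare condition (CVE-2021-36934) is an ACE for the local Users group on the SAM, SECURITY and SYSTEM hive files under C:\Windows\System32\config, which an unaffected system does not carry. The query below asks for those three files by exact path and flags any ACE whose principal is the Users group. It assumes osquery's `ntfs_acl_permissions` table as exposed by Live Discover, exact `path` constraints (an `IN` list is handled as several equality constraints), and that the table renders the group as `BUILTIN\Users`; check the `type` column so that only Allowed entries are counted.

```sql
-- Added example (editor's, not code from the post). Lists every ACE on the three
-- hive files that CVE-2021-36934 concerns and flags read access for BUILTIN\Users.
-- Assumptions: osquery 'ntfs_acl_permissions' table via Live Discover, exact path
-- constraints, and the principal rendered as 'BUILTIN\Users'.
SELECT
  path,
  type,                     -- Allowed / Denied
  principal,
  access,
  inherited_from,
  CASE
    WHEN principal = 'BUILTIN\Users' AND type = 'Allowed'
      THEN 'VULNERABLE: non-administrators hold an ACE on this hive file'
    ELSE 'ok'
  END AS verdict
FROM ntfs_acl_permissions
WHERE path IN (
  'C:\Windows\System32\config\SAM',
  'C:\Windows\System32\config\SECURITY',
  'C:\Windows\System32\config\SYSTEM'
)
ORDER BY path, principal;
```

A run that returns rows only for Administrators and SYSTEM is the expected, unaffected state; the presence of a `BUILTIN\Users` row is the condition to remediate. Note that fixing the ACL does not remove existing Volume Shadow Copies, which still carry the readable hive copies.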
  • Query for PetitPotam Events

    • Under Review
    • 4 Comments
    Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...
    • 30 Jul 2021 8:35 PM
  • Query for PetitPotam Conditions

    • Under Review
    • 0 Comments
    This query will search if your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...
    • 28 Jul 2021 1:57 PM
  • HiveNightmare aka SeriousSAM vulnerability query

    • Under Review
    • 1 Comment
    The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
    • 23 Jul 2021 11:03 AM
  • Checking For Print Spooler Vulnerabilities

    • Under Review
    • 0 Comments
    This query will search your endpoints for the following CVEs and their currently released patches: 2021-1675, 2021-34527, and 2021-34481. As of writing this, CVE-2021-34481 is considered still vulnerable and the recommended fix is to disable the print...
    • 22 Jul 2021 4:48 AM
  • SeriousSam/HiveNightmare Hunting Query (Live Endpoint)

    • Under Review
    • 2 Comments
    Hunting Query we've used for detecting suspicious processes exploiting the SeriousSAM Vulnerability. Depending on your environment you might see plenty false positives. A good idea might be to add valid processes to the query based on the sha256 value...
    • 21 Jul 2021 9:12 AM
  • Check IP Journal against File Properties & Processes

    • Under Review
    • 0 Comments
    It may be useful to see what specific PID, program, syntax, etc and its threat scoring that has interacted with a specific IP. This is the final query from the Getting Started Recommended Read shared recently. ## DEFINE $$IPaddress$$ as IPaddress ...
    • 14 Jul 2021 3:32 PM
  • Printnightmare Hunting Query (Live Discovery/Windows)

    • Under Review
    • 0 Comments
    Similar to the Data Lake Query (which seems to be having issues since it's not detecting all dll files in all folders) we've also created a Live-Discovery Query for Windows Systems on the Printnightmare Vulnerability. The Query could be scheduled via...
    • 13 Jul 2021 10:37 AM
  • PrintNightMare Spooler Service Check

    • Approved
    • 0 Comments
    -- FIND SYSTEMS WITH PRINT SPOOLER RUNNING SELECT name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare ' WHEN status = 'STOPPED' THEN ' NOT exposed to unpatched...
    • 8 Jul 2021 1:23 AM
  • PrintNightMare Registry Fix Check

    • Approved
    • 0 Comments
    -- Check Print Server Registry Fix SELECT DISTINCT 'Check Registry Fix' Test, CAST(GROUP_CONCAT(name, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN name = 'RestrictDriverInstallationToAdministrators' THEN 'Fix...
    • 7 Jul 2021 1:18 PM
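
Added example serving the two PrintNightMare posts above (the spooler service check and the registry fix check): one editor-written query, not code from either post or from Sophos, that reports the Print Spooler state next to the three Point and Print values named in Microsoft's CVE-2021-34527 guidance and derives a single verdict per endpoint. It assumes the standard osquery `services` and `registry` tables as exposed by Live Discover and that the policy key is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint; the verdict wording is this example's own.

```sql
-- Added example (editor's, not from either post). One row per endpoint:
-- spooler state plus the Point and Print registry mitigation for CVE-2021-34527.
-- Assumptions: osquery 'services' and 'registry' tables via Live Discover;
-- absent NoWarningNoElevationOnInstall / UpdatePromptSettings values are treated
-- as 0, which is the setting Microsoft's guidance requires.
SELECT
  s.name                                             AS service,
  s.status                                           AS service_status,
  s.start_type                                       AS service_start_type,
  MAX(CASE WHEN r.name = 'RestrictDriverInstallationToAdministrators'
           THEN r.data END)                          AS restrict_driver_install,
  MAX(CASE WHEN r.name = 'NoWarningNoElevationOnInstall'
           THEN r.data END)                          AS no_warning_no_elevation,
  MAX(CASE WHEN r.name = 'UpdatePromptSettings'
           THEN r.data END)                          AS update_prompt_settings,
  CASE
    -- A stopped spooler cannot be reached through the driver-install RPC path.
    WHEN s.status = 'STOPPED'
      THEN 'NOT exposed: spooler stopped'
    -- Spooler running, but driver installation is restricted to administrators
    -- and the warning/elevation prompts have not been disabled.
    WHEN MAX(CASE WHEN r.name = 'RestrictDriverInstallationToAdministrators'
                  THEN r.data END) = '1'
     AND COALESCE(MAX(CASE WHEN r.name = 'NoWarningNoElevationOnInstall'
                           THEN r.data END), '0') = '0'
     AND COALESCE(MAX(CASE WHEN r.name = 'UpdatePromptSettings'
                           THEN r.data END), '0') = '0'
      THEN 'Mitigated by registry: still install the July 2021 update'
    ELSE 'EXPOSED: spooler running and Point and Print mitigation incomplete'
  END                                                AS verdict
FROM services s
LEFT JOIN registry r
       ON r.key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
WHERE s.name = 'Spooler'
GROUP BY s.name, s.status, s.start_type;
```

The LEFT JOIN keeps the row when the policy key does not exist, so an endpoint with a running spooler and no registry values still shows as exposed rather than disappearing from the result. Pair it with a `patches` query for the relevant KB before treating a "Mitigated by registry" endpoint as done.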
  • PrintNightMare Hotfix Check

    • Approved
    • 0 Comments
    -- PrintNightMare Hotfix/Patch Check SELECT DISTINCT services.display_name AS Service, services.status, 'List PrintNightMare Hotfix' TEST, CAST(GROUP_CONCAT(hotfix_id, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN hotfix_id = 'KB5004953' THEN 'Windows...
    • 7 Jul 2021 4:32 PM
  • EDR Query - Kaseya ransomware IOCs

    • Approved
    • 0 Comments
    SophosLabs has published the IOC for Kaseya ransomware. Below is the query that fetches the IOC published on GitHub and check for matching Indicators present in the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $...
    • 7 Jul 2021 7:10 PM
  • IOC PrintNightmare CVE-2021-1675

    • Under Review
    • 4 Comments
    Hello, can somebody help me with creating a query for detecting whether the PrintNightmare vulnerability was abused? I want to build a query which checks if the folder C:\Windows\System32\spool\drivers\x64\3\old exists. Greets, Dennis
    • 5 Jul 2021 6:48 AM
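
Added example following the question above (editor's query, not the poster's and not Sophos code): the `old` folder the post names is created when the spooler replaces an existing driver, so the query below reports that folder, anything beneath it, and any DLL dropped directly into the x64\3 driver directory, with a SHA-256 for comparison against an IOC list. It assumes osquery's `file` and `hash` tables as exposed by Live Discover, where `%%` in a `path LIKE` pattern means recursive descent; the driver path is the one given in the post.

```sql
-- Added example (editor's, not from the post). Finds the spool 'old' directory,
-- its contents, and DLLs in the x64 driver folder, with a SHA-256 per file.
-- Assumptions: osquery 'file' and 'hash' tables via Live Discover; '%%' is the
-- recursive wildcard; directories hash to NULL, hence the LEFT JOIN.
SELECT
  f.path,
  f.type,                                            -- 'regular' or 'directory'
  f.size,
  datetime(f.mtime, 'unixepoch', 'localtime')        AS modified_local,
  h.sha256
FROM file f
LEFT JOIN hash h ON h.path = f.path
WHERE f.path LIKE 'C:\Windows\System32\spool\drivers\x64\3\%%'
  AND (
        f.path = 'C:\Windows\System32\spool\drivers\x64\3\old'   -- the folder itself
     OR f.path LIKE 'C:\Windows\System32\spool\drivers\x64\3\old\%'
     OR (f.directory = 'C:\Windows\System32\spool\drivers\x64\3'
         AND f.filename LIKE '%.dll')                            -- DLLs dropped in the driver dir
      )
ORDER BY f.mtime DESC;
```

An empty result means the `old` folder is absent and no DLL sits directly in the driver directory. A populated `old\<n>\` tree is expected after legitimate driver updates too, so review the modification times and hashes rather than treating existence alone as proof of exploitation.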