Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

  • Vulnerability Scanner in a query
    • Approved on
    • 3 Comments
    This query will perform a very basic vulnerability scan. What it does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...
  • Detecting RED TEAM Activity
    • Approved on
    • 1 Comment
    I suspect for most of us reading these posts, we have had the experience of a RedTeam test. This is where you as a business hire an outside party to perform a penetration test of your organization. They can use lots of different tactics from phishing...
  • List top threat indicators for Windows
    • Approved on
    • 1 Comment
    This query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment. Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date...
  • Query for "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"
    • Under Review on
    • 0 Comments
    Cisco Security has recently updated (21 May 2021) the information about this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK The query checks whether the endpoint is...
  • EDR Query - Kaseya ransomware IOCs
    • Approved on
    • 0 Comments
    SophosLabs has published the IOCs for the Kaseya ransomware. Below is the query that fetches the IOCs published on GitHub and checks for matching indicators present on the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $...
  • SeriousSam/HiveNightmare Hunting Query (Live Endpoint)
    • Under Review on
    • 2 Comments
    Hunting query we've used for detecting suspicious processes exploiting the SeriousSAM vulnerability. Depending on your environment you might see plenty of false positives. A good idea might be to add valid processes to the query based on the sha256 value...
  • Hafnium check
    • Under Review on
    • 1 Comment
    We have a number of queries for Hafnium and additional news articles. Check out the news https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/ See the video on how to take the query from the article and run it...
  • Query for PetitPotam Events
    • Under Review on
    • 4 Comments
    Consider the following information regarding ADCS attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...
  • Dell vulnerability - CVE-2021-21551
    • Approved on
    • 0 Comments
    This EDR query can identify whether endpoints are affected by the Dell vulnerability CVE-2021-21551. https://nakedsecurity.sophos.com/2021/05/05/dell-fixes-exploitable-holes-its-own-firmware-update-driver-patch-now/ -- Check if the dbutil_2_3.sys file...
  • IOC Hunt for SolarWinds
    • Under Review on
    • 1 Comment
    We've released a small hunt query/IOCs for the reported SolarWinds attacks - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://github.com/sophos-cybersecurity...
  • HAFNIUM targeting Exchange Servers with 0-day exploits
    • Under Review on
    • 0 Comments
    This query will perform a scan to check for web shells present on the machine, one of the IOC techniques released by Microsoft. WITH HOST_IOC AS ( WITH IOC_LIST (IOC_Type, Indicator) AS ( VALUES ('filepath','C:\inetpub\wwwroot\aspnet_client\%...
  • Check IP Journal against File Properties & Processes
    • Approved on
    • 0 Comments
    It may be useful to see which specific PID, program, syntax, etc. (and its threat scoring) has interacted with a specific IP. This is the final query from the Getting Started Recommended Read shared recently. ## DEFINE $$IPaddress$$ as IPaddress ...
  • Query EXEs in Suspicious Location & Compare Scoring
    • Under Review on
    • 0 Comments
    This will use the Sophos File Journal to compare ML, PUA, Local and Global Scoring in suspicious locations SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime...
  • HiveNightmare aka SeriousSAM vulnerability query
    • Under Review on
    • 1 Comment
    The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
  • Query for PetitPotam Conditions
    • Under Review on
    • 0 Comments
    This query will check whether your environment has the conditions that expose it to the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...
  • PrintNightMare Hotfix Check
    • Approved on
    • 0 Comments
    -- PrintNightMare Hotfix/Patch Check SELECT DISTINCT services.display_name AS Service, services.status, 'List PrintNightMare Hotfix' TEST, CAST(GROUP_CONCAT(hotfix_id, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN hotfix_id = 'KB5004953' THEN 'Windows...
  • Query for missing default shares
    • Approved on
    • 0 Comments
    This query creates a virtual table from a URL file with defined CSVs. For this, we're going to look for missing default shares in Windows. As Microsoft indicates here, it can lead to various problems in the environment and in recent reports, it...
  • Printnightmare Hunting Query (Data Lake)
    • Under Review on
    • 9 Comments
    We've created a hunting query for possibly infected CVE-2021-1675 hosts, based on this Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml The input variable "C:\Windows\System32\spool...
  • Adobe Vulnerability - CVE-2021-28550
    • Under Review on
    • 1 Comment
    EDR query to identify the endpoints affected by the Adobe vulnerability CVE-2021-28550. Adobe Security Bulletin: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html Windows: SELECT CASE WHEN ( (SELECT 1 FROM programs WHERE name LIKE...
  • PrintNightMare Spooler Service Check
    • Approved on
    • 0 Comments
    -- FIND SYSTEMS WITH PRINT SPOOLER RUNNING SELECT name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare ' WHEN status = 'STOPPED' THEN ' NOT exposed to unpatched...