Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Vulnerability Scanner in a query

    • Approved on
    • 3 Comments
    This query will perform a very basic vulnerability scan. What is does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...
  • Detecting RED TEAM Activity

    • Approved on
    • 1 Comment
    I suspect for most of us reading these posts, we have had the experience of a RedTeam test. This is where you as a business hire an outside party to perform a penetration test of your organization. They can use lots of different tactics from phishing...
  • EDR Query - Kaseya ransomware IOC's

    • Approved on
    • 0 Comments
    SophosLabs has published the IOC for Kaseya ransomware. Below is the query that fetches the IOC published on GitHub and check for matching Indicators present in the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $$StartTime...
  • List top threat indicators for Windows

    • Approved on
    • 1 Comment
    This query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment. Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date$...
  • Query for "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"

    • Approved on
    • 0 Comments
    Cisco Security has recently updated (21 May 2021) the information about this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK The query performs the checks if the endpoint is affected...
  • SeriousSam/HiveNightmare Hunting Query (Live Endpoint)

    • Approved on
    • 2 Comments
    Hunting Query we've used for detecting suspicious processes exploiting the SeriousSAM Vulnerability. Depending on your environment you might see plenty false positives. A good idea might be to add valid processes to the query based on the sha256 value...
  • Hafnium check

    • Approved on
    • 1 Comment
    WE have a number of queries for hafnium and additional news articles. Check out the news https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/ See the video on how to take the query from the article and run it...
  • IOC Hunt for Solarwinds

    • Approved on
    • 1 Comment
    We've released a small hunt query/iocs for the reported solarwinds attacks - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://github.com/sophos-cybersecurity...
  • Query for PetitPotam Events

    • Under Review on
    • 4 Comments
    Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...
  • HAFNIUM targeting Exchange Servers with 0-day exploits

    • Under Review on
    • 0 Comments
    This query will perform a scan to check the WebShall present in the machine, One of the IOC technique released by Microsoft. WITH HOST_IOC AS ( WITH IOC_LIST (IOC_Type, Indicator) AS ( VALUES ('filepath','C:\inetpub\wwwroot\aspnet_client\%.aspx...
  • Dell vulnerability - CVE-2021-21551.

    • Approved on
    • 0 Comments
    EDR query can identify the endpoints if they are affected by dell vulnerability CVE-2021-21551. https://nakedsecurity.sophos.com/2021/05/05/dell-fixes-exploitable-holes-its-own-firmware-update-driver-patch-now/ -- Check if the dbutil_2_3.sys file...
  • PrintNightMare Hotfix Check

    • Approved on
    • 0 Comments
    -- PrintNightMare Hotfix/Patch Check SELECT DISTINCT services.display_name AS Service, services.status, 'List PrintNightMare Hotfix' TEST, CAST(GROUP_CONCAT(hotfix_id, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN hotfix_id = 'KB5004953' THEN 'Windows...
  • HiveNightmare aka SeriousSAM vulnerability query

    • Under Review on
    • 1 Comment
    The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
  • Query for PetitPotam Conditions

    • Under Review on
    • 0 Comments
    This query will search if your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...
  • Check IP Journal against File Properties & Processes

    • Approved on
    • 0 Comments
    It may be useful to see what specific PID, program, syntax, etc and its threat scoring that has interacted with a specific IP. This is the final query from the Getting Started Recommended Read shared recently. ## DEFINE $$IPaddress$$ as IPaddress ...
  • Query EXEs in Suspicious Location & Compare Scoring

    • Approved on
    • 0 Comments
    This will use the Sophos File Journal to compare ML, PUA, Local and Global Scoring in suspicious locations SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime...
  • Checking For Print Spooler Vulnerabilities

    • Approved on
    • 0 Comments
    This query will search your endpoints for the following CVEs and their currently released patches: 2021-1675, 2021-34527, and 2021-34481. As of writing this, CVE-2021-34481 is considered still vulnerable and the recommended fix is to disable the print...
  • Query for missing default shares

    • Approved on
    • 0 Comments
    This query for create a virtual table from a URL file with defined CSVs. For this, we're going to look for missing default shares in Windows. As Microsoft indicates here, it can lead to various problems in the environment and in recent reports, it is...
  • Query for MD5 hashes

    • Under Review on
    • 3 Comments
    Hello, I would like suggestions regarding how to put together a query to find MD5 hashes. There is a built-in query called Processes matching SHA-256 hashes in the last 30 days (below), but I would like to search for MD5 hashes not SHA-256, since...
  • Query if CVE-2021-40444 MSHTML Mitigations Are Applied

    • Under Review on
    • 0 Comments
    The current vulnerability CVE-2021-40444 MSHTML is a zero-day and is awaiting a patch. You should consider the Microsoft guidance in their Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 This query will...