Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation. Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Vulnerability Scanner in a query
Karl_Ackerman
Approved on 14 Oct 2020 (3 Comments)
This query will perform a very basic vulnerability scan. What it does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...
25 Sep 2020 10:45 AM
Detecting RED TEAM Activity
Karl_Ackerman
Approved on 4 Jan 2021 (1 Comment)
I suspect for most of us reading these posts, we have had the experience of a RedTeam test. This is where you as a business hire an outside party to perform a penetration test of your organization. They can use lots of different tactics from phishing...
31 Dec 2020 2:11 PM
List top threat indicators for Windows
Karl_Ackerman
Approved on 16 Jun 2022 (1 Comment)
This query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment. Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date$...
15 Mar 2021 9:22 PM
Query for "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"
RaviSoni
Approved on 14 Jul 2022 (0 Comments)
Cisco Security has recently updated (21 May 2021) the information about this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK The query checks if the endpoint is affected...
21 May 2021 10:33 PM
EDR Query - Kaseya ransomware IOCs
RaviSoni
Approved on 7 Jul 2021 (0 Comments)
SophosLabs has published the IOCs for Kaseya ransomware. Below is the query that fetches the IOCs published on GitHub and checks for matching indicators present on the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $$StartTime...
7 Jul 2021 7:35 AM
SeriousSam/HiveNightmare Hunting Query (Live Endpoint)
reg1nleifr
Approved on 14 Jul 2022 (2 Comments)
Hunting query we've used for detecting suspicious processes exploiting the SeriousSAM vulnerability. Depending on your environment you might see plenty of false positives. A good idea might be to add valid processes to the query based on the sha256 value...
21 Jul 2021 9:12 AM
Query for PetitPotam Events
JeramyKopacko
Under Review on 28 Jul 2021 (4 Comments)
Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...
28 Jul 2021 1:56 PM
Hafnium check
Karl_Ackerman
Approved on 14 Jul 2022 (1 Comment)
We have a number of queries for Hafnium and additional news articles. Check out the news https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/ See the video on how to take the query from the article and run it...
26 Mar 2021 12:41 PM
Dell vulnerability - CVE-2021-21551.
RaviSoni
Approved on 6 May 2021 (0 Comments)
This EDR query can identify endpoints that are affected by the Dell vulnerability CVE-2021-21551. https://nakedsecurity.sophos.com/2021/05/05/dell-fixes-exploitable-holes-its-own-firmware-update-driver-patch-now/ -- Check if the dbutil_2_3.sys file...
5 May 2021 11:50 PM
IOC Hunt for Solarwinds
CraigJones
Approved on 14 Jul 2022 (1 Comment)
We've released a small hunt query/IOCs for the reported SolarWinds attacks - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://github.com/sophos-cybersecurity...
14 Dec 2020 1:39 PM
HAFNIUM targeting Exchange Servers with 0-day exploits
RaviSoni
Under Review on 6 Mar 2021 (0 Comments)
This query will perform a scan to check for web shells present on the machine, one of the IOC techniques released by Microsoft. WITH HOST_IOC AS ( WITH IOC_LIST (IOC_Type, Indicator) AS ( VALUES ('filepath','C:\inetpub\wwwroot\aspnet_client\%.aspx...
6 Mar 2021 9:50 AM
Check IP Journal against File Properties & Processes
JeramyKopacko
Approved on 30 Nov 2021 (0 Comments)
It may be useful to see which specific PID, program, syntax, etc., has interacted with a specific IP, along with its threat scoring. This is the final query from the Getting Started Recommended Read shared recently. ## DEFINE $$IPaddress$$ as IPaddress ...
14 Jul 2021 3:32 PM
Query EXEs in Suspicious Location & Compare Scoring
JeramyKopacko
Approved on 14 Jul 2022 (0 Comments)
This will use the Sophos File Journal to compare ML, PUA, Local and Global Scoring in suspicious locations SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime...
6 May 2021 9:33 PM
HiveNightmare aka SeriousSAM vulnerability query
SecBug
Under Review on 22 Jul 2021 (1 Comment)
The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
22 Jul 2021 11:43 AM
Query for PetitPotam Conditions
JeramyKopacko
Under Review on 27 Jul 2021 (0 Comments)
This query will check whether your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...
27 Jul 2021 7:47 AM
PrintNightMare Hotfix Check
Jainidh Rajpal
Approved on 7 Jul 2021 (0 Comments)
-- PrintNightMare Hotfix/Patch Check SELECT DISTINCT services.display_name AS Service, services.status, 'List PrintNightMare Hotfix' TEST, CAST(GROUP_CONCAT(hotfix_id, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN hotfix_id = 'KB5004953' THEN 'Windows...
7 Jul 2021 1:16 PM
Query for missing default shares
JeramyKopacko
Approved on 23 Dec 2021 (0 Comments)
This query creates a virtual table from a URL file with defined CSVs. For this, we're going to look for missing default shares in Windows. As Microsoft indicates here, it can lead to various problems in the environment and in recent reports, it is...
23 Dec 2021 5:09 PM
PrintNightMare Registry Fix Check
Jainidh Rajpal
Approved on 7 Jul 2021 (0 Comments)
-- Check Print Server Registry Fix SELECT DISTINCT 'Check Registry Fix' Test, CAST(GROUP_CONCAT(name, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN name = 'RestrictDriverInstallationToAdministrators' THEN 'Fix Applied...
7 Jul 2021 1:18 PM
Printnightmare Hunting Query (Data Lake)
reg1nleifr
Under Review on 1 Jul 2021 (9 Comments)
We've created a hunting query for possibly infected CVE-2021-1675 hosts, based on this Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml The input variable "C:\Windows\System32\spool...
1 Jul 2021 11:28 AM
Adobe Vulnerability - CVE-2021-28550
Patrick Moubarak
Under Review on 12 May 2021 (1 Comment)
EDR query to identify the endpoints affected by the Adobe vulnerability CVE-2021-28550. Adobe Security Bulletin: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html Windows: SELECT CASE WHEN ( (SELECT 1 FROM programs WHERE name LIKE...
12 May 2021 7:39 PM