Similar to the Data Lake Query (which seems to be having issues since it's not detecting all dll files in all folders) we've also created a Live-Discovery Query for Windows Systems on the Printnightmare Vulnerability. The Query could be scheduled via…

-- FIND SYSTEMS WITH PRINT SPOOLER RUNNING SELECT name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare ' WHEN status = 'STOPPED' THEN ' NOT exposed to unpatched…

-- Check Print Server Registry Fix SELECT DISTINCT 'Check Registry Fix' Test, CAST(GROUP_CONCAT(name, ' '||CHAR(10)) AS TEXT) Result, CASE ​ WHEN name = 'RestrictDriverInstallationToAdministrators' THEN 'Fix Applied…

-- PrintNightMare Hotfix/Patch Check SELECT DISTINCT services.display_name AS Service, services.status, 'List PrintNightMare Hotfix' TEST, CAST(GROUP_CONCAT(hotfix_id, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN hotfix_id = 'KB5004953' THEN 'Windows…

SophosLabs has published the IOC for Kaseya ransomware. Below is the query that fetches the IOC published on GitHub and check for matching Indicators present in the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $$StartTime…

--PrintNightMare Print Spooler Service Check SELECT display_name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare' WHEN status ='STOPPED' THEN ' NOT exposed to unpatched…

This query will search for reg keys that indicate your Sophos agent requires a reboot to complete installation/updates and the date it was flagged to be rebooted WITH rebootRequired AS (SELECT CASE WHEN data LIKE '1' THEN 'Yes' ELSE 'No' END…

Hello Sophos Team, I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines. The purpose of this query is to verify and patch all programs…

It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. Here you can see the time stamps, PID, program and URL accessed. --Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE…

Many thanks to Karl_Ackerman for the assist on completing this query. It may be valuable to discover what rule sets are currently deployed to your snort (IPS) engine. WITH ips_rule_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos…

Hello all, Would like to know if it is possible to get results from scheduled queries directly per mail? I don't know if this feature exists but I wasn't able to find it out, hope this feature already exists, if not is there any roadmap or deadline…

Cisco Security has recently updated (21 May 2021) the information about this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK The query performs the checks if the endpoint is affected…

EDR query to identify the endpoints affected by the Adobe vulnerability CVE-2021-28550 Adobe Security Bullitin: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html Windows: SELECT CASE WHEN ( (SELECT 1 FROM programs WHERE name LIKE…

## Use descriptive name “filepath” as variableType “File Path” SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime') AS Last_Accessed, datetime(f…

This will use the Sophos File Journal to compare ML, PUA, Local and Global Scoring in suspicious locations SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime…

This will query and return your PS versions SELECT name, type, key, data, CASE WHEN data LIKE '1.%' THEN 'PS Version 1' WHEN data LIKE '2.%' THEN 'PS Version 2' WHEN data LIKE '3.%' THEN 'PS Version 3' WHEN data LIKE '4.%' THEN 'PS Version 4' WHEN data…

This will return all devices with SMB v1, 2, or 3 set SELECT name, type, key, data, CASE WHEN (name = 'SMB1' AND data = 1) THEN 'SMB Version 1' WHEN (name = 'SMB2' AND data = 1) THEN 'SMB Version 2' WHEN (name = 'SMB3' AND data = 1) THEN 'SMB Version…

EDR query can identify the endpoints if they are affected by dell vulnerability CVE-2021-21551. https://nakedsecurity.sophos.com/2021/05/05/dell-fixes-exploitable-holes-its-own-firmware-update-driver-patch-now/ -- Check if the dbutil_2_3.sys file…

Hi, I've been working on this for a few days. I know there are a few of these already on the forum, but thought I'd share in case anybody found this one useful. SELECT /*User section*/ logged_in_users.user User_Name, /*System Info*/ system_info.cpu_brand…