• PaperCut Activity Hunt

    JeramyKopacko
    This is sourced directly from Sophos MDR: Increased exploitation of PaperCut drawing blood around the Internet – Sophos News PaperCut IoC List: IoCs/papercut-nday-indicators-of-compromise.csv at master · sophoslabs/IoCs · GitHub SELECT date_format…
    • over 1 year ago
    • Sophos Endpoint
    • Data Lake
  • [QueryCorner][March2023] Deep Diving into OneNote Attacks

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Index Purpose Prerequisites Query #1 - Live Discover - Check…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][September2022] Data Lake - IOC Hunting

    JeramyKopacko
    Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose The Great Karl_Ackerman put this query together to provide…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Outbound SMB Traffic

    Albert Straniti
    I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445…
    • over 2 years ago
    • Sophos Endpoint
    • Network
  • Query for MD5 hashes

    Abdullah Lababidi
    Hello, I would like suggestions regarding how to put together a query to find MD5 hashes. There is a built-in query called Processes matching SHA-256 hashes in the last 30 days (below), but I would like to search for MD5 hashes not SHA-256, since…
    • over 2 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query for missing default shares

    JeramyKopacko
    This query creates a virtual table from a URL file with defined CSVs. For this, we're going to look for missing default shares in Windows. As Microsoft indicates here, it can lead to various problems in the environment and in recent reports, it is…
    • over 2 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Discover Google Chrome Browsers with Latest Zero Day

    JeramyKopacko
    SELECT meta_hostname AS Endpoint, MAX(CASE WHEN name = 'Google Chrome' THEN version END) AS Chrome FROM xdr_data WHERE query_name = 'windows_programs' and version != '96.0.4664.110' GROUP BY meta_hostname Google's full release of the CVE…
    • over 2 years ago
    • Sophos Endpoint
    • Data Lake
  • Basic search to find Log4J running on hosts from the DataLake

    CraigJones
    Basic search which lists processes that include log4j in the cmdline on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate. SELECT meta_hostname AS ep_name, name, cmdline, path…
    • over 2 years ago
    • Sophos Endpoint
    • Compliance
  • Identify vulnerable Log4j Apache components

    Qoosh
    Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query. This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J…
    • over 2 years ago
    • Sophos Endpoint
    • Compliance
  • Compare IP activity to Remote List of IOC IP addresses

    Spencer_Brown
    Utilizing a post from Karl_Ackerman and the precanned queries in Sophos Central, here is a query that can pull down a remote csv table, and join it to the sophos_ip_journal. It takes one variable: URL -- String -- $$URL$$ In this use case, I took…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • FORCEDENTRY Big Sur 11.6 Version Check

    Jainidhya Rajpal
    SELECT CASE WHEN minor >= 6 THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = 11 -- compare the integer minor column rather than version = '11.6', so 11.6.x point releases are not reported as vulnerable
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
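    An added example, not code from the post above or from Sophos: a string-equality check such as `version = '11.6'` reports every later point release (11.6.1 and up) as vulnerable, while comparing the integer `minor` column that osquery's `os_version` table exposes beside `version` does not. The Python below stands in for a Data Lake by loading constructed `os_version` rows into an in-memory SQLite database (osquery is SQLite underneath) and runs both forms of the check side by side; the `host` column and the sample rows are assumptions added so that several endpoints fit in one table.

```python
import sqlite3

# Constructed sample rows (not real Sophos telemetry). osquery's os_version
# table exposes major/minor/patch as integers beside the version string; the
# host column is an assumption so that several endpoints fit in one table.
SAMPLE_OS_ROWS = [
    ("mac-01", "11.5.2", 11, 5, 2),   # pre-11.6 Big Sur: vulnerable
    ("mac-02", "11.6",   11, 6, 0),   # the fixed release
    ("mac-03", "11.6.1", 11, 6, 1),   # later point release, also fixed
    ("mac-04", "12.0.1", 12, 0, 1),   # Monterey: outside the major = 11 scope
]

# String equality only recognises one exact release string.
STRING_CHECK = """
SELECT host,
       CASE WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY'
            ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck
FROM os_version
WHERE major = 11
"""

# Integer comparison on the minor column accepts 11.6 and every 11.6.x after it.
NUMERIC_CHECK = """
SELECT host,
       CASE WHEN minor >= 6 THEN 'Not Vulnerable to FORCEDENTRY'
            ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck
FROM os_version
WHERE major = 11
"""


def build_os_version_db():
    """Create an in-memory SQLite database shaped like osquery's os_version."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE os_version ("
        "host TEXT, version TEXT, major INTEGER, minor INTEGER, patch INTEGER)"
    )
    con.executemany("INSERT INTO os_version VALUES (?, ?, ?, ?, ?)", SAMPLE_OS_ROWS)
    return con


def run_check(sql):
    """Run a check query and return {host: verdict} for the rows it selects."""
    con = build_os_version_db()
    try:
        return dict(con.execute(sql).fetchall())
    finally:
        con.close()


def vulnerable_hosts(sql):
    """Hosts the given check reports as vulnerable, sorted for stable comparison."""
    return sorted(h for h, verdict in run_check(sql).items()
                  if verdict.startswith("Vulnerable"))


if __name__ == "__main__":
    for label, sql in (("string equality", STRING_CHECK), ("numeric minor", NUMERIC_CHECK)):
        print(f"{label}: vulnerable = {vulnerable_hosts(sql)}")
```

    The CASE expression is what goes into Live Discover; the SQLite harness is only there so the two verdicts can be compared offline. The string form lists mac-03 (11.6.1) as vulnerable, the numeric form lists only mac-01, and the major = 11 scope keeps mac-04 out of both.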
  • CVE-2021-40444 MSHTML and other potential malicious processes originating from MS products (Data Lake)

    reg1nleifr
    Query we've used for looking for possible MSHTML related activity. You can add additional programs to the where clause and filter out false positives using the having clause. The rule is mainly based on the idea of this sigma rule: https://github.com…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query for CVE-2021-40444 MSHTML Process Event

    JeramyKopacko
    This query will look for a process event that has been associated with this attack. WinWord.exe has launched a child process called "control.exe" and has been seen in the wild with this vulnerability. This does NOT guarantee you've been breached but…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query if CVE-2021-40444 MSHTML Mitigations Are Applied

    JeramyKopacko
    The current vulnerability CVE-2021-40444 MSHTML is a zero-day and is awaiting a patch. You should consider the Microsoft guidance in their Security Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 This query will…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query - IOCs From GitHub list

    Rafael Moura
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • T1078 - CVE-2020-1472 - Netlogon

    JeramyKopacko
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search for and detect the Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query for PetitPotam Events

    JeramyKopacko
    Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Query for PetitPotam Conditions

    JeramyKopacko
    This query will search if your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • HiveNightmare aka SeriousSAM vulnerability query

    SecBug
    The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Checking For Print Spooler Vulnerabilities

    JeramyKopacko
    This query will search your endpoints for the following CVEs and their currently released patches: 2021-1675, 2021-34527, and 2021-34481. As of writing this, CVE-2021-34481 is considered still vulnerable and the recommended fix is to disable the print…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • SeriousSam/HiveNightmare Hunting Query (Live Endpoint)

    reg1nleifr
    Hunting Query we've used for detecting suspicious processes exploiting the SeriousSAM Vulnerability. Depending on your environment you might see plenty of false positives. A good idea might be to add valid processes to the query based on the sha256 value…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
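    An added example, not code from either SeriousSAM post above or from Sophos: the detection both posts describe, written in Python over constructed file-access records rather than the Sophos File Journal (whose schema is not shown on this page; the pid, process, sha256 and path fields are assumptions). It matches the shadow-copy device path spellings a HiveNightmare read produces (`\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...` and the bare `\Device\...` form), keys on the SAM, SECURITY and SYSTEM hive names, and takes an optional SHA-256 allowlist so known-good tooling can be excluded by hash rather than by path, as the second post suggests.

```python
import re

# Shadow-copy device paths show up in more than one spelling depending on
# the API the reader used; every spelling names a HarddiskVolumeShadowCopy<N>
# device followed by the hive path under \Windows\System32\config.
SHADOW_HIVE_RE = re.compile(
    r"(?:\\\\[?.]\\GLOBALROOT)?\\Device\\HarddiskVolumeShadowCopy\d+"
    r"\\Windows\\System32\\config\\(SAM|SECURITY|SYSTEM)\b",
    re.IGNORECASE,
)

# Constructed file-access records (not real File Journal output). The field
# names are an assumption; any source that yields the opening process, its
# hash and the opened path will do.
SAMPLE_EVENTS = [
    {"pid": 4120, "process": r"C:\Users\alice\Downloads\dump.exe", "sha256": "a" * 64,
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM"},
    {"pid": 4120, "process": r"C:\Users\alice\Downloads\dump.exe", "sha256": "a" * 64,
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM"},
    {"pid": 812, "process": r"C:\Program Files\Backup\agent.exe", "sha256": "b" * 64,
     "path": r"\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SECURITY"},
    {"pid": 4, "process": "System", "sha256": "",
     "path": r"C:\Windows\System32\config\SAM"},          # live hive, not a snapshot
    {"pid": 2200, "process": r"C:\Windows\explorer.exe", "sha256": "c" * 64,
     "path": r"\Device\HarddiskVolumeShadowCopy3\Users\alice\Documents\notes.txt"},
]


def find_shadow_hive_access(events, allow_sha256=frozenset()):
    """Return one (pid, process, hive) tuple per hive a process read from a shadow copy.

    allow_sha256 excludes known-good tooling (a backup agent, for instance) by
    file hash rather than by path, since a path is trivial for an attacker to copy.
    """
    hits = []
    for ev in events:
        if ev["sha256"] and ev["sha256"] in allow_sha256:
            continue
        m = SHADOW_HIVE_RE.search(ev["path"])
        if m:
            hits.append((ev["pid"], ev["process"], m.group(1).upper()))
    return hits


def processes_with_full_set(hits):
    """PIDs that pulled all three hives: SAM alone is useless without SYSTEM's boot key."""
    hives_by_pid = {}
    for pid, _process, hive in hits:
        hives_by_pid.setdefault(pid, set()).add(hive)
    return sorted(pid for pid, hives in hives_by_pid.items()
                  if hives >= {"SAM", "SECURITY", "SYSTEM"})


if __name__ == "__main__":
    for hit in find_shadow_hive_access(SAMPLE_EVENTS):
        print("shadow-copy hive read:", hit)
    print("full SAM+SECURITY+SYSTEM set:", processes_with_full_set(find_shadow_hive_access(SAMPLE_EVENTS)))
```

    On the sample records the live-hive open and the document read in the snapshot are ignored; the two reads by dump.exe and the one by the backup agent are reported, and passing the agent's hash in `allow_sha256` drops its row while leaving dump.exe's in place. The second helper ranks the hits: a process that took SAM, SECURITY and SYSTEM together has everything needed to decrypt the stored hashes offline.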
  • Ability to view URLs (warn, block) using EDR

    RaviSoni
    This query will parse the Web Intelligence log files and display the URLs that users have visited or have attempted to visit, the category of the URL, the action taken, etc. This gives a rough idea of what users have visited on a specific date. Declare…
    • over 3 years ago
    • Sophos Endpoint
    • Compliance
  • Check IP Journal against File Properties & Processes

    JeramyKopacko
    It may be useful to see what specific PID, program, syntax, etc and its threat scoring that has interacted with a specific IP. This is the final query from the Getting Started Recommended Read shared recently. ## DEFINE $$IPaddress$$ as IPaddress …
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • Printnightmare Hunting Query (Live Discovery/Windows)

    reg1nleifr
    Similar to the Data Lake Query (which seems to be having issues since it's not detecting all dll files in all folders) we've also created a Live-Discovery Query for Windows Systems on the Printnightmare Vulnerability. The Query could be scheduled via…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting
  • EDR Query - Kaseya ransomware IOCs

    RaviSoni
    SophosLabs has published the IOCs for Kaseya ransomware. Below is the query that fetches the IOCs published on GitHub and checks for matching indicators present on the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $$StartTime…
    • over 3 years ago
    • Sophos Endpoint
    • Threat Hunting