
1. The purpose of the article
Techbast will guide you through using Sophos Central's Live Discover feature to create a query that checks whether any admin accounts have recently been created on the server.
2. Diagram

Details:
- The internet connection is on port 2 of the Sophos Firewall device, with IP 10.150.30.106.
- The LAN subnet is configured on port 1 of the Sophos XG Firewall device, with IP 172.16.16.16/24, and a DHCP Server allocates IPs to connected devices.
- In the LAN we have the WIN-V3N9Q4OC2GG server, with IP 172.16.16.19/24 and Sophos Endpoint installed.

3. Scenario
We will create a new admin account on the WIN-V3N9Q4OC2GG server, then use Sophos Central's Live Discover feature to create a query and check whether the newly created admin account is detected.
4. What to do
- Create an admin account on the WIN-V3N9Q4OC2GG server.
- Create query.
5. Configuration
5.1. Create an admin account on the WIN-V3N9Q4OC2GG server
To create a new admin account on the server we need to open Server Manager.
Then click Tools > Active Directory Users and Computers.

Then click Users > New > User.

Fill in the information for the user to be created as follows:
- First name: admin1.
- User logon name: admin1
- Click Next.

Next set a password for the account and click Next.

Click Finish to complete the account creation.

For this account to become an admin account, we need to add it to the Administrators group.
To do so, right-click the admin1 account > Add to group.

The Select Groups dialog appears; in the Enter the object name to select box, type admin and click Check Names.
The Administrators group now appears; click OK.

A message appears confirming that the admin1 account has been added to the Administrators group.
We have now created the new admin account admin1.

5.2. Create query
To create a query, go to Threat Analysis Center > Live Discover.
First, turn on Designer Mode.
Then click Create new query.

The query creation form appears; enter the following information:
- Query Name: Identify New Admin Account.
- Category: select Device.
- Source: select Live Endpoint and then Windows (note that with this option the computer or server must have an internet connection for the query to run).

- In the SQL box, enter the query below. It joins the local Administrators group (gid 544) to the users table and keeps only members whose Windows Security event 4720 ("A user account was created") falls within the last $$Days$$ days.

```sql
-- Event ID 4720 = "A user account was created"; 544 = RID of the Administrators group.
SELECT u.username,
       (SELECT datetime FROM sophos_windows_events
         WHERE eventid = '4720'
           AND json_extract(json_extract(data, '$.EventData'), '$.TargetSid') = u.uuid) Creation_Date,
       u.description, u.directory, u.shell, u.uuid, u.type, ug.uid
FROM user_groups ug
JOIN users u ON u.uid = ug.uid
WHERE ug.gid = 544
  -- $$Days$$ is the variable defined in the Variable editor below.
  AND (SELECT time FROM sophos_windows_events
        WHERE eventid = '4720'
          AND json_extract(json_extract(data, '$.EventData'), '$.TargetSid') = u.uuid)
      > strftime('%s', 'NOW', '-$$Days$$ days');
```

- In the Variable editor, click Add variable to add the Days variable used in the query, as shown below.
- In the Enter value to use when query run box, enter the number of days to look back. For example, to check whether a new admin account has been created in the 10 days before the query runs, enter 10.

- In the Device selector, select the WIN-V3N9Q4OC2GG server (which has Sophos Endpoint installed) and click Query.

After a few seconds, the query result shows the admin1 account we just created, together with its creation time.
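To see how the query's logic behaves before running it against a live endpoint, here is an added example (not from the article or from Sophos) that runs the same SQL under plain SQLite over constructed sample data. The three tables are built to match only the columns the query reads; their real Live Discover schema is assumed, and $$Days$$ is replaced by a bound parameter.

```python
import json
import sqlite3
import time

ADMIN_GID = 544  # RID of the built-in Administrators group (user_groups.gid)

# The article's Live Discover query; $$Days$$ becomes a bound parameter so it
# runs unchanged under plain SQLite. Columns not needed here are omitted.
QUERY = """
SELECT u.username,
       (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720'
          AND json_extract(json_extract(data, '$.EventData'), '$.TargetSid') = u.uuid) AS Creation_Date,
       u.uuid, ug.gid
FROM user_groups ug JOIN users u ON u.uid = ug.uid
WHERE ug.gid = :gid
  AND (SELECT time FROM sophos_windows_events WHERE eventid = '4720'
          AND json_extract(json_extract(data, '$.EventData'), '$.TargetSid') = u.uuid)
      > strftime('%s', 'NOW', :window)
"""

def build_sample_db(now=None):
    """Constructed in-memory tables shaped like the ones the query reads (assumed schema)."""
    now = int(time.time()) if now is None else now
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER, username TEXT, uuid TEXT);
        CREATE TABLE user_groups (uid INTEGER, gid INTEGER);
        CREATE TABLE sophos_windows_events (eventid TEXT, time INTEGER, datetime TEXT, data TEXT);
    """)
    # Sample accounts: admin1 is a fresh admin, svc_old an old admin, bob a fresh non-admin.
    users = [(1001, "admin1", "S-1-5-21-1-2-3-1001"),
             (1002, "svc_old", "S-1-5-21-1-2-3-1002"),
             (1003, "bob", "S-1-5-21-1-2-3-1003")]
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", users)
    db.executemany("INSERT INTO user_groups VALUES (?, ?)",
                   [(1001, ADMIN_GID), (1002, ADMIN_GID), (1003, 545)])  # 545 = Users
    # One constructed Event ID 4720 (user account created) per account, aged in days.
    for (_, name, sid), age in zip(users, (2, 30, 1)):
        ts = now - age * 86400
        data = json.dumps({"EventData": {"TargetUserName": name, "TargetSid": sid}})
        db.execute("INSERT INTO sophos_windows_events VALUES ('4720', ?, ?, ?)",
                   (ts, time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)), data))
    return db

def new_admin_accounts(db, days):
    """Members of Administrators whose 4720 event falls within the last `days` days."""
    rows = db.execute(QUERY, {"gid": ADMIN_GID, "window": f"-{days} days"}).fetchall()
    return sorted(rows)  # sorted by username; with days=10 only admin1 is returned
```

Note that an admin whose 4720 event is no longer in the Security log (or was created before logging began) yields a NULL subquery result and is silently dropped by the time comparison, so this query finds recently logged creations, not every admin member.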

With the Live Discover feature and this query, we can check whether a new admin account has been created on the server.
From there, we can identify the risk of attackers silently taking over the server.