Emotet Domain IOC Feed
TI Feed 2022 Talos Emotet Domain
Query
let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl in~ (EmotetDomain)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountNameAbout this query
Emotet Domain IOC Feed
Query Information
Description
Emotet Domain IOC Feed Source: Talos Intelligence Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/ Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_domains.txt
Defender XDR
Sentinel
let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl in~ (EmotetDomain)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
Explanation
This query is designed to detect network events related to the Emotet malware by checking if any network activity on devices matches a list of known malicious domains associated with Emotet. Here's a simple breakdown of what the query does:
-
Data Source: It uses an external data source, specifically a text file hosted on GitHub by Cisco Talos, which contains a list of domains known to be contacted by the Emotet malware.
-
Loading Data: The query loads this list of domains into a variable called
EmotetDomain. -
Filtering Events: It then examines network events from devices (captured in
DeviceNetworkEvents) to see if any of the remote URLs accessed match the domains in theEmotetDomainlist. -
Output: If a match is found, it projects (or selects) specific details about the event, such as the timestamp, the URL and IP address contacted, the device name, and information about the process that initiated the network connection (like the command line, file name, and account details).
-
Purpose: The goal is to identify potential Emotet infections by flagging devices that have communicated with known Emotet domains, allowing for further investigation or remediation.
The query is written in KQL (Kusto Query Language) and is intended to be used in security tools like Microsoft Defender XDR and Azure Sentinel to enhance threat detection capabilities.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators