Query Details

Emotet SHA256 IOC Feed

TI Feed 2022 Talos Emotet SHA256

Query

let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceFileEvents
| where SHA256 in (Emotetsha256)
| project Timestamp, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

About this query

Emotet SHA256 IOC Feed

Query Information

Description

Emotet SHA256 IOC Feed Source: Talos Intelligence Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/ Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_parents.txt

Defender XDR

Sentinel

let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceFileEvents
| where SHA256 in (Emotetsha256)
| project TimeGenerated, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Explanation

This query is designed to detect files associated with the Emotet malware on devices by checking their SHA256 hash values against a known list of Emotet-related hashes. Here's a simple breakdown of what the query does:

  1. Data Source: The query uses an external data source, specifically a text file hosted on GitHub by Cisco Talos, which contains SHA256 hash values of files known to be associated with the Emotet malware.

  2. Data Retrieval: The query retrieves these SHA256 hash values from the specified URL and stores them in a variable called Emotetsha256.

  3. File Event Filtering: It then examines file events recorded in the DeviceFileEvents table, looking for any events where the file's SHA256 hash matches one of the hashes in the Emotetsha256 list.

  4. Data Projection: For any matching file events, the query extracts and displays specific details, including:

    • The timestamp of the event (Timestamp or TimeGenerated).
    • The name of the file (FileName).
    • The SHA256 hash of the file (SHA256).
    • The name of the device where the event occurred (DeviceName).
    • Information about the process that initiated the file event, such as the command line used (InitiatingProcessCommandLine), the name of the initiating process file (InitiatingProcessFileName), and the account domain and name under which the process was running (InitiatingProcessAccountDomain, InitiatingProcessAccountName).

This query is useful for security analysts who want to identify and investigate potential Emotet infections on their network by correlating file events with known malicious indicators.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

EmotetSHA256IOCFeedDeviceFileEventsTimestampNameInitiatingProcessCommandLineAccountDomain

Operators

letexternaldatawithwhereinproject

Actions

GitHub