PapaBaetz
Engaged Sweeper
So, I'm in heavy fear about Emotet at the moment.

I'm wondering if it would be possible to find already infected systems via a report in Lansweeper.
I learned that Emotet often activates services in Windows that have only numbers as a name.

Description of this here:
https://community.sophos.com/kb/en-us/127218

Or did someone already create such a report? Because I searched and didn't find anything.

Best regards,

Ralph
grimstar
Champion Sweeper II
This means it should show only numbers, but it's done via a double negative. The "Not Like" is the first negative, and the ^ in [^0-9] is another negative. I only did this because I read that IS_NUMERIC, which is supposed to give results that are only numeric, isn't 100% reliable.
grimstar
Champion Sweeper II
If your requirement is simply to look for a service that is all numbers, the following should work. The reason for the double negative on the number check is because I read somewhere that IS_NUMERIC doesn't always work as intended.

This is a modification of the automatic services not started on client report. In addition to checking to make sure the service is just a combination of numbers, a few fields have been removed, it was opened up to both client and server, and it no longer cares about the service state.

This report by no means should be used as a foolproof method to determine if Emotet exists on a system in your environment, but it can be used as a supplement, as you requested. Also worth noting: I have no services that are purely numbers in my environment, so verification wasn't performed to the extent I would typically like.

Select Top 1000000 tsysOS.Image As icon,
tblServicesUni.Name,
tblAssets.AssetName,
tblAssets.AssetID,
tblServicesUni.Caption,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Description,
tblAssets.Firstseen,
tblAssets.Lastseen
From tblServices
Inner Join tblAssets On tblServices.AssetID = tblAssets.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Inner Join tblServicesUni On tblServices.ServiceuniqueID =
tblServicesUni.ServiceuniqueID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
Left Join tsysIPLocations On tsysIPLocations.StartIP <= tblAssets.IPNumeric
And tsysIPLocations.EndIP >= tblAssets.IPNumeric
Where tblServicesUni.Name Not Like '%[^0-9]%'
Order By tblAssets.AssetName
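To make the double negative in the Where clause concrete, here is an added scratch example (not part of the thread or of Lansweeper's own reports) that runs the report's pattern and ISNUMERIC() side by side over a constructed set of service names. It assumes a SQL Server (T-SQL) back end, where [ ] inside LIKE is a character class; the temporary table name #svc is an assumption.

```sql
-- Added example (not from the thread): constructed service names showing why
-- ISNUMERIC() is a poor "all digits" test and what NOT LIKE '%[^0-9]%' does,
-- including the empty-string edge case. Assumes SQL Server (T-SQL).
CREATE TABLE #svc (Name nvarchar(100) NULL);
INSERT INTO #svc (Name) VALUES
    (N'12345'),      -- all digits: the case the report is after
    (N'1e3'),        -- float notation: ISNUMERIC returns 1, not all digits
    (N'$'),          -- currency symbol: ISNUMERIC returns 1
    (N'.'),          -- lone decimal point: ISNUMERIC returns 1
    (N'-7'),         -- signed value: ISNUMERIC returns 1
    (N'Spooler'),    -- ordinary service name
    (N'svc42'),      -- contains digits but not only digits
    (N''),           -- empty string: NOT LIKE '%[^0-9]%' is TRUE here
    (NULL);          -- NULL: ISNUMERIC returns 0, LIKE yields NULL (row dropped)

-- Side by side: ISNUMERIC versus the pattern used in the report.
-- no_non_digit is 1 for '12345' and for '' only.
SELECT Name,
       ISNUMERIC(Name) AS is_numeric,
       CASE WHEN Name NOT LIKE N'%[^0-9]%' THEN 1 ELSE 0 END AS no_non_digit
FROM #svc;

-- The report's filter alone: returns '12345' and also the empty string,
-- because a string with no characters has no non-digit character either.
SELECT Name FROM #svc WHERE Name NOT LIKE N'%[^0-9]%';

-- Tightened filter: additionally require the name to start with a digit,
-- so the empty string drops out. Only '12345' comes back.
SELECT Name
FROM #svc
WHERE Name NOT LIKE N'%[^0-9]%'
  AND Name LIKE N'[0-9]%';

DROP TABLE #svc;
```

The same tightening carries over to the report above by adding And tblServicesUni.Name Like '[0-9]%' to its Where clause.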
RKCar wrote:
If your requirement is simply to look for a service that is all numbers, the following should work. The reason for the double negative on the number check is because I read somewhere that IS_NUMERIC doesn't always work as intended.

This is a modification of the automatic services not started on client report. In addition to checking to make sure the service is just a combination of numbers, a few fields have been removed, it was opened up to both client and server, and it no longer cares about the service state.

This report by no means should be used as a foolproof method to determine if Emotet exists on a system in your environment, but it can be used as a supplement, as you requested. Also worth noting: I have no services that are purely numbers in my environment, so verification wasn't performed to the extent I would typically like.

Select Top 1000000 tsysOS.Image As icon,
tblServicesUni.Name,
tblAssets.AssetName,
tblAssets.AssetID,
tblServicesUni.Caption,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Description,
tblAssets.Firstseen,
tblAssets.Lastseen
From tblServices
Inner Join tblAssets On tblServices.AssetID = tblAssets.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Inner Join tblServicesUni On tblServices.ServiceuniqueID =
tblServicesUni.ServiceuniqueID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
Left Join tsysIPLocations On tsysIPLocations.StartIP <= tblAssets.IPNumeric
And tsysIPLocations.EndIP >= tblAssets.IPNumeric
Where tblServicesUni.Name Not Like '%[^0-9]%'
Order By tblAssets.AssetName


Hello RKCar,

thank you very much for your effort here!
So, I tried the SQL statement and it finds ALL running services that do not have numbers in the name.
I'm not very firm in SQL, but I understood that the "Where tblServicesUni.Name Not Like '%[^0-9]%'" means that this SHOULD show only the numbers, or not?
