Finding infection with emotet

Posted: Thursday, November 14, 2019 12:42:58 PM(UTC)
PapaBaetz (Member, Original Poster, Posts: 2)
So, I'm in heavy fear about Emotet at the moment.

I'm wondering if it would be possible to find already infected systems via reports in Lansweeper.
I learned that Emotet often activates services in Windows that have only numbers as their name.

Description of this here:
https://community.sophos.com/kb/en-us/127218

Or has someone already created such a report? Because I searched and didn't find anything.

Best regards,

Ralph
#1 RKCar (Member, Posts: 82)
posted: 11/14/2019 5:36:23 PM(UTC)
If your requirement is simply to look for a service that is all numbers, the following should work. The reason for the double negative on the number check is because I read somewhere that IS_NUMERIC doesn't always work as intended.

This is a modification of the automatic services not started on client report. In addition to checking to make sure the service is just a combination of numbers, a few fields have been removed, it was opened up to both client and server, and it no longer cares about the service state.

This report by no means should be used as a foolproof method to determine if Emotet exists on a system in your environment, but it can be used to supplement per what you requested. Also worth noting I have no services that are purely numbers in my environment so a verification wasn't performed to what I would typically like to do.

Code:
Select Top 1000000 tsysOS.Image As icon,
  tblServicesUni.Name,
  tblAssets.AssetName,
  tblAssets.AssetID,
  tblServicesUni.Caption,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Description,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblServices
  Inner Join tblAssets On tblServices.AssetID = tblAssets.AssetID
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServicesUni On tblServices.ServiceuniqueID =
    tblServicesUni.ServiceuniqueID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Join tsysIPLocations On tsysIPLocations.StartIP <= tblAssets.IPNumeric
    And tsysIPLocations.EndIP >= tblAssets.IPNumeric
Where tblServicesUni.Name Not Like '%[^0-9]%'
Order By tblAssets.AssetName
#2 PapaBaetz (Member, Original Poster, Posts: 2)
posted: 11/15/2019 12:25:37 PM(UTC)
Originally Posted by: RKCar

Hello RKCar,

Thank you very much for your effort here!
So, I tried the SQL statement and it finds ALL running services that do not have numbers in the name.
I'm not very firm in SQL, but I understood that the "Where tblServicesUni.Name Not Like '%[^0-9]%'" means that this SHOULD show only the numbers, or not?
#3 RKCar (Member, Posts: 82)
posted: 11/15/2019 1:51:06 PM(UTC)
This means it should show only numbers, but it's done via a double negative. The "Not Like" is the first negative, and the ^ in [^0-9] is another negative. I only did this because I read that IS_NUMERIC, which is supposed to give results that are only numeric, isn't 100% reliable.
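The double-negative pattern from post #1 and its explanation in post #3 can be checked outside the database. The following Python is an added example, not code from the thread or from Lansweeper: it emulates `Name NOT LIKE '%[^0-9]%'` over a constructed list of asset/service-name rows, and sets it beside an approximation of the looser acceptance of T-SQL `ISNUMERIC()` (lone signs, currency symbols, decimals and exponents), which is the reason RKCar avoided it. The host names and service names are invented, and the `ISNUMERIC()` emulation is an approximation of that function's behaviour, not a faithful reimplementation. One caveat it also handles: the SQL pattern alone is satisfied by an empty service name, so the digit check below requires at least one character.

```python
import re

# Constructed sample rows (AssetName, service Name); hypothetical, not real inventory data.
SAMPLE_ROWS = [
    ("WKS-001", "wuauserv"),   # ordinary Windows service name
    ("WKS-001", "W32Time"),    # letters and digits mixed: not digits-only
    ("WKS-002", "8473921"),    # digits only: the pattern the thread looks for
    ("SRV-010", "1e5"),        # exponent form: a loose numeric check accepts it
    ("SRV-010", "$"),          # lone currency symbol: a loose numeric check accepts it
    ("SRV-011", ""),           # empty name: NOT LIKE '%[^0-9]%' alone would match this too
    ("SRV-011", "12.5"),       # decimal: numeric, but not digits-only
]

# One or more ASCII digits and nothing else.
DIGITS_ONLY = re.compile(r"[0-9]+")

# Approximation of what T-SQL ISNUMERIC() treats as convertible to a numeric type:
# optional sign or currency symbol, digits with thousands separators, optional
# decimal point, optional exponent. Deliberately permissive, like the real function.
LOOSE_NUMERIC = re.compile(r"[+\-$]?[0-9,]*\.?[0-9]*(?:[eE][+\-]?[0-9]+)?")


def digits_only(name: str) -> bool:
    """Emulates `Name NOT LIKE '%[^0-9]%'` from the report.

    The LIKE pattern matches any name containing a non-digit character, and the
    NOT keeps only names with no such character. Requiring at least one digit is
    the one tightening over the SQL: an empty name has no non-digit characters
    either, so the SQL predicate alone would also return it.
    """
    return DIGITS_ONLY.fullmatch(name) is not None


def loose_numeric(name: str) -> bool:
    """Approximates ISNUMERIC(): true for anything that looks convertible to a number."""
    return len(name) > 0 and LOOSE_NUMERIC.fullmatch(name) is not None


def flag_services(rows, check=digits_only):
    """Return the (asset, service) pairs whose service name passes `check`."""
    return [(asset, name) for asset, name in rows if check(name)]


if __name__ == "__main__":
    print("digits-only service names (the report's predicate):")
    for asset, name in flag_services(SAMPLE_ROWS):
        print(f"  {asset}: {name!r}")
    print("names a loose ISNUMERIC-style check would also return:")
    for asset, name in flag_services(SAMPLE_ROWS, loose_numeric):
        print(f"  {asset}: {name!r}")
```

Run it as a script to see the two result sets side by side: the digit-only check returns just the `8473921` service on WKS-002, while the loose check additionally returns `1e5`, `$` and `12.5`, which is exactly the kind of false positive the double-negative pattern avoids. When triaging hits from the real report, treat a digits-only service name as a lead to verify on the host (service binary path, signer, creation time) rather than as proof of infection, as post #1 already notes.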
