Finding infection with Emotet

Posted: Thursday, November 14, 2019 12:42:58 PM(UTC)
PapaBaetz (Member, Original Poster, Posts: 2)
So, I'm in heavy fear about Emotet at the moment.

I'm wondering if it would be possible to find already infected systems via reports in Lansweeper.
I learned that Emotet often activates services in Windows that have only numbers as their name.

Description of this here:
https://community.sophos.com/kb/en-us/127218

Or has someone already created such a report? Because I searched and didn't find anything.

Best regards,

Ralph
#1 RKCar (Member, Posts: 55)
posted: 11/14/2019 5:36:23 PM(UTC)
If your requirement is simply to look for a service whose name is all numbers, the following should work. The reason for the double negative on the number check is that I read somewhere that IS_NUMERIC doesn't always work as intended.

This is a modification of the "automatic services not started on client" report. In addition to checking that the service name is just a combination of numbers, a few fields have been removed, it was opened up to both clients and servers, and it no longer cares about the service state.

This report should by no means be used as a foolproof method to determine whether Emotet exists on a system in your environment, but it can be used as a supplement, per what you requested. Also worth noting: I have no services that are purely numbers in my environment, so the verification I would typically like to do wasn't performed.

Code:
Select Top 1000000 tsysOS.Image As icon,
  tblServicesUni.Name,
  tblAssets.AssetName,
  tblAssets.AssetID,
  tblServicesUni.Caption,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Description,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblServices
  Inner Join tblAssets On tblServices.AssetID = tblAssets.AssetID
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServicesUni On tblServices.ServiceuniqueID =
    tblServicesUni.ServiceuniqueID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Join tsysIPLocations On tsysIPLocations.StartIP <= tblAssets.IPNumeric
    And tsysIPLocations.EndIP >= tblAssets.IPNumeric
Where tblServicesUni.Name Not Like '%[^0-9]%' -- keep names in which no character outside 0-9 occurs
Order By tblAssets.AssetName
#2 PapaBaetz (Member, Original Poster, Posts: 2)
posted: 11/15/2019 12:25:37 PM(UTC)
Originally Posted by: RKCar (post #1, quoted in full above)

Hello RKCar,

thank you very much for your effort here!
So, I tried the SQL statement, and it finds ALL running services that do not have numbers in the name.
I'm not very firm in SQL, but I understood that "Where tblServicesUni.Name Not Like '%[^0-9]%'" means that this SHOULD show only the numbers, or not?
#3 RKCar (Member, Posts: 55)
posted: 11/15/2019 1:51:06 PM(UTC)
This means it should show only numbers, but it's done via a double negative. The "Not Like" is the first negative, and the ^ in [^0-9] is another negative. I only did this because I read that IS_NUMERIC, which is supposed to return only numeric results, isn't 100% reliable.
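As an added example (not from either poster), the following T-SQL puts the predicate from RKCar's report in post #1 and the double-negative explanation in post #3 next to a few constructed service names, so you can see which names Name Not Like '%[^0-9]%' keeps, which names the single negative keeps, and what ISNUMERIC() says about the same strings. The service names are made up for the demonstration; the script uses a table variable, so it runs on any SQL Server / LocalDB instance without touching the Lansweeper tables. Bracket wildcards such as [^0-9] are SQL Server LIKE syntax; whether your Lansweeper database engine interprets them the same way is an assumption worth checking if the report behaves unexpectedly.

```sql
-- Added example (not from the original thread). Constructed service names,
-- not real Lansweeper data; @svc stands in for tblServicesUni.Name.
Declare @svc Table (Name nvarchar(256));
Insert Into @svc (Name) Values
  (N'wuauserv'),     -- ordinary Windows service
  (N'SysMain'),
  (N'173450221'),    -- all digits: the kind of name the thread is after
  (N'9'),
  (N'Svc42'),        -- mixed letters and digits: must NOT match
  (N'1e5'),          -- ISNUMERIC() treats this as a float literal
  (N'$'),            -- ISNUMERIC() treats a currency symbol as numeric
  (N'12 34'),        -- contains a space: must NOT match
  (N'');             -- empty: contains no non-digit, so it passes the Not Like test

Select Name,
  -- 1 when no character outside 0-9 occurs anywhere in the name
  Case When Name Not Like N'%[^0-9]%' Then 1 Else 0 End As AllDigits,
  -- the single negative: 1 when at least one non-digit occurs
  Case When Name Like N'%[^0-9]%' Then 1 Else 0 End As HasNonDigit,
  -- what ISNUMERIC() says about the same strings
  IsNumeric(Name) As IsNumericSays
From @svc
Order By Name;

-- The predicate a report should actually use: digits only, and not empty.
Select Name
From @svc
Where Name Not Like N'%[^0-9]%'
  And Len(Name) > 0;
```

In the first result set AllDigits is 1 only for '173450221', '9' and the empty string, which is why the second query adds Len(Name) > 0; IsNumericSays is also 1 for '1e5' and '$', which is the unreliability RKCar refers to. If a report built on this predicate returns every service, the first thing to check is that the engine actually interprets [^0-9] as a character class rather than as literal characters, since a literal match never occurs and Not Like would then be true for every name.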
