Finding infection with emotet

Posted: Thursday, November 14, 2019 12:42:58 PM(UTC)
PapaBaetz (Member, Original Poster, Posts: 2)

So, I'm very worried about Emotet at the moment.

I'm wondering if it would be possible to find already infected systems via a report in Lansweeper.
I learned that Emotet often activates services in Windows whose names consist only of numbers.

Description of this here:
https://community.sophos.com/kb/en-us/127218

Or has someone already created such a report? I searched and didn't find anything.

Best regards,

Ralph
#1 RKCar (Member, Posts: 82)
posted: 11/14/2019 5:36:23 PM(UTC)
If your requirement is simply to look for a service whose name is all numbers, the following should work. The reason for the double negative on the number check is that I read somewhere that IS_NUMERIC doesn't always work as intended.

This is a modification of the "Automatic services not started on client" report. In addition to checking that the service name is just a combination of numbers, a few fields have been removed, it was opened up to both clients and servers, and it no longer cares about the service state.

This report should by no means be used as a foolproof method to determine whether Emotet exists on a system in your environment, but it can be used as a supplement, per your request. Also worth noting: I have no services that are purely numbers in my environment, so verification wasn't performed to the extent I would typically like.

Code:
-- Lansweeper report (T-SQL): every inventoried service whose name consists of digits only,
-- with the asset it was found on. Derived from the "Automatic services not started on client" report.
Select Top 1000000 tsysOS.Image As icon,
  tblServicesUni.Name,
  tblAssets.AssetName,
  tblAssets.AssetID,
  tblServicesUni.Caption,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Description,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblServices
  Inner Join tblAssets On tblServices.AssetID = tblAssets.AssetID
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServicesUni On tblServices.ServiceuniqueID =
    tblServicesUni.ServiceuniqueID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Join tsysIPLocations On tsysIPLocations.StartIP <= tblAssets.IPNumeric
    And tsysIPLocations.EndIP >= tblAssets.IPNumeric
-- Double negative: keep the row only if the name does NOT contain any character outside 0-9,
-- i.e. every character is a digit. No service-state filter, so stopped services are listed too.
Where tblServicesUni.Name Not Like '%[^0-9]%'
Order By tblAssets.AssetName
#2 PapaBaetz (Member, Original Poster, Posts: 2)
posted: 11/15/2019 12:25:37 PM(UTC)
Originally Posted by: RKCar
(quoting post #1 above)

Hello RKCar,

thank you very much for your effort here!
So, I tried the SQL statement, and it finds ALL running services that do not have numbers in the name.
I'm not very proficient in SQL, but I understood that the "Where tblServicesUni.Name Not Like '%[^0-9]%'" means that this SHOULD show only the numbers, or not?
#3 RKCar (Member, Posts: 82)
posted: 11/15/2019 1:51:06 PM(UTC)
This means it should show only numbers, but it's done via a double negative. The "Not Like" is the first negative, and the ^ in [^0-9] is another negative. I only did this because I read that IS_NUMERIC, which is supposed to give results that are only numeric, isn't 100% reliable.
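
As an added example (not code from this thread or from Lansweeper), the following stand-alone T-SQL exercises the predicate RKCar used in post #1 and explains in post #3, against a constructed table variable instead of the inventory tables, and puts the ISNUMERIC() built-in he avoided beside it so the difference is visible. The @svc table variable, its Name column and every sample name are assumptions made for this demonstration; it can be run in any SQL Server session without touching the Lansweeper database.

```sql
-- Added example (not from the original thread): a stand-alone T-SQL check of the
-- "digits only" predicate used in the Lansweeper report above, run against a
-- constructed table variable rather than tblServicesUni.
SET NOCOUNT ON;

DECLARE @svc TABLE (Name nvarchar(256) NOT NULL);

-- Constructed sample service names (not real inventory data): ordinary names,
-- digits-only names of the kind the thread wants to surface, and edge cases.
INSERT INTO @svc (Name) VALUES
    (N'wuauserv'),    -- ordinary Windows service
    (N'WinDefend'),   -- ordinary Windows service
    (N'12345678'),    -- digits only: should be flagged
    (N'9'),           -- single digit: should be flagged
    (N'1234abcd'),    -- mixed: must not be flagged
    (N'1e3'),         -- scientific notation: ISNUMERIC accepts it, but it is not digits only
    (N'$'),           -- currency symbol: ISNUMERIC accepts it
    (N'.'),           -- lone decimal point: ISNUMERIC accepts it
    (N' 1234'),       -- leading space: not digits only
    (N'');            -- empty string: contains no non-digit, so the bare NOT LIKE test passes it

-- Side-by-side comparison of the report's predicate and the ISNUMERIC() built-in.
-- NOT LIKE '%[^0-9]%' reads "does not contain any character outside 0-9";
-- the two negatives together mean "every character is a digit".
SELECT Name,
       CASE WHEN Name NOT LIKE '%[^0-9]%' THEN 1 ELSE 0 END AS DigitsOnly_NotLike,
       ISNUMERIC(Name)                                      AS IsNumeric_Builtin
FROM @svc
ORDER BY Name;

-- Tightened predicate for the report's Where clause: reject the empty string, and
-- pin the range to a binary collation so [0-9] means exactly the ASCII digits
-- rather than whatever the database collation happens to sort between '0' and '9'.
SELECT Name
FROM @svc
WHERE Name COLLATE Latin1_General_BIN NOT LIKE '%[^0-9]%'
  AND LEN(Name) > 0;
```

In the first result set only 12345678, 9 and the empty string get DigitsOnly_NotLike = 1, while ISNUMERIC also returns 1 for $, . and 1e3, which is the unreliability RKCar mentions. The second query returns just the two genuine digits-only names; to use it in Lansweeper, substitute that Where clause for the bare Not Like test in the report, keeping tblServicesUni.Name as the column.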
