Query Details

Emotet Domain IOC Feed

TI Feed 2022 Talos Emotet Domain

Query

let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl in~ (EmotetDomain)
| project Timestamp, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

About this query

Emotet Domain IOC Feed

Query Information

Description

Emotet Domain IOC Feed Source: Talos Intelligence Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/ Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_domains.txt

Defender XDR

Sentinel

let EmotetDomain = externaldata(Domain: string)[@"https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceNetworkEvents
| where RemoteUrl in~ (EmotetDomain)
| project TimeGenerated, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Explanation

This query is designed to detect network events related to the Emotet malware by checking if any network activity on devices matches a list of known malicious domains associated with Emotet. Here's a simple breakdown of what the query does:

  1. Data Source: It uses an external data source, specifically a text file hosted on GitHub by Cisco Talos, which contains a list of domains known to be contacted by the Emotet malware.

  2. Loading Data: The query loads this list of domains into a variable called EmotetDomain.

  3. Filtering Events: It then examines network events from devices (captured in DeviceNetworkEvents) to see if any of the remote URLs accessed match the domains in the EmotetDomain list.

  4. Output: If a match is found, it projects (or selects) specific details about the event, such as the timestamp, the URL and IP address contacted, the device name, and information about the process that initiated the network connection (like the command line, file name, and account details).

  5. Purpose: The goal is to identify potential Emotet infections by flagging devices that have communicated with known Emotet domains, allowing for further investigation or remediation.

The query is written in KQL (Kusto Query Language) and is intended to be used in security tools like Microsoft Defender XDR and Azure Sentinel to enhance threat detection capabilities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

EmotetDomainIOCFeedTalosIntelligenceDeviceNetworkEventsRemoteUrlIPNameInitiatingProcessCommandLineFileAccountTimeGenerated

Operators

letexternaldatawithwherein~project

Actions

GitHub