Emotet SHA256 IOC Feed
TI Feed 2022 Talos Emotet SHA256
Query
let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceFileEvents
| where SHA256 in (Emotetsha256)
| project Timestamp, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountNameAbout this query
Emotet SHA256 IOC Feed
Query Information
Description
Emotet SHA256 IOC Feed Source: Talos Intelligence Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/ Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_parents.txt
Defender XDR
Sentinel
let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=True);
DeviceFileEvents
| where SHA256 in (Emotetsha256)
| project TimeGenerated, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
Explanation
This query is designed to detect files associated with the Emotet malware on devices by checking their SHA256 hash values against a known list of Emotet-related hashes. Here's a simple breakdown of what the query does:
-
Data Source: The query uses an external data source, specifically a text file hosted on GitHub by Cisco Talos, which contains SHA256 hash values of files known to be associated with the Emotet malware.
-
Data Retrieval: The query retrieves these SHA256 hash values from the specified URL and stores them in a variable called
Emotetsha256. -
File Event Filtering: It then examines file events recorded in the
DeviceFileEventstable, looking for any events where the file's SHA256 hash matches one of the hashes in theEmotetsha256list. -
Data Projection: For any matching file events, the query extracts and displays specific details, including:
- The timestamp of the event (
TimestamporTimeGenerated). - The name of the file (
FileName). - The SHA256 hash of the file (
SHA256). - The name of the device where the event occurred (
DeviceName). - Information about the process that initiated the file event, such as the command line used (
InitiatingProcessCommandLine), the name of the initiating process file (InitiatingProcessFileName), and the account domain and name under which the process was running (InitiatingProcessAccountDomain,InitiatingProcessAccountName).
- The timestamp of the event (
This query is useful for security analysts who want to identify and investigate potential Emotet infections on their network by correlating file events with known malicious indicators.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators