all.app name:powershell.exe AND TTP:CODE_DROP TTP:SUSPICIOUS_BEHAVIOR OR TTP:PACKED_CALL

Table 3: Emotet Defense queries

Detection - ThreatHunter

The following images highlight some approaches to hunting for Emotet samples that are part of this larger family. These techniques may need to be tweaked, or specific processes negated from the results, depending on the environment in which they are used.

Figure 12: ThreatHunter detections

Some of the most effective searches for ThreatHunter are listed in the table below.

crossproc_name:explorer.exe filemod_name:*.exe filemod_count:[2 TO *]
process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED modload_name:cryptbase.dll
process_name:powershell.exe netconn_count:[1 TO *] filemod_name:*.exe
(process_name:system32\\* OR process_name:appdata\local\**\*) filemod_name:*.exe netconn_count:[1 TO *] childproc_count:[1 TO *] process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED

Table 4: Emotet ThreatHunter queries

Detection - Response

Additionally, the corresponding queries for Response are listed in the table below.
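As an added example (not code from the original report), the Python below re-expresses the four Table 4 ThreatHunter hunts as predicates and runs them over constructed process summaries, so the same logic can be applied offline to exported process data. The field names come from the queries; the record shape, the ids and every path and count in EVENTS are assumptions made up for the example.

```python
import fnmatch
UNSIGNED = "FILE_SIGNATURE_STATE_NOT_SIGNED"
# Constructed process summaries shaped like ThreatHunter process documents; every
# path, count and id below is made up for this example.
EVENTS = [
    {"id": "p1", "process_name": r"c:\windows\explorer.exe", "publisher_state": "FILE_SIGNATURE_STATE_SIGNED",
     "crossproc_names": [], "filemods": [r"c:\users\bob\desktop\notes.txt"], "modloads": ["shell32.dll"],
     "netconn_count": 0, "childproc_count": 2},
    {"id": "p2", "process_name": r"c:\users\bob\appdata\local\temp\inst.exe", "publisher_state": UNSIGNED,
     "crossproc_names": ["explorer.exe"], "modloads": ["cryptbase.dll", "wininet.dll"], "netconn_count": 3,
     "filemods": [r"c:\users\bob\appdata\local\svc1.exe", r"c:\users\bob\appdata\local\svc2.exe"], "childproc_count": 1},
    {"id": "p3", "process_name": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
     "publisher_state": "FILE_SIGNATURE_STATE_SIGNED", "crossproc_names": [], "modloads": ["clr.dll"],
     "filemods": [r"c:\users\bob\appdata\local\temp\x.exe"], "netconn_count": 1, "childproc_count": 0},
]

def any_glob(names, pattern):
    # Case-insensitive wildcard match, like a filemod_name:*.exe or modload_name term.
    return any(fnmatch.fnmatchcase(n.lower(), pattern.lower()) for n in names)

def explorer_drops_exe(ev):
    # crossproc_name:explorer.exe filemod_name:*.exe filemod_count:[2 TO *]
    return ("explorer.exe" in ev["crossproc_names"] and any_glob(ev["filemods"], "*.exe")
            and len(ev["filemods"]) >= 2)
def unsigned_loads_cryptbase(ev):
    # process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED modload_name:cryptbase.dll
    return ev["publisher_state"] == UNSIGNED and any_glob(ev["modloads"], "cryptbase.dll")
def powershell_writes_exe(ev):
    # process_name:powershell.exe netconn_count:[1 TO *] filemod_name:*.exe
    return (ev["process_name"].lower().endswith("\\powershell.exe") and ev["netconn_count"] >= 1
            and any_glob(ev["filemods"], "*.exe"))
def unsigned_dropper_in_system32_or_appdata(ev):
    # (process_name:system32\\* OR process_name:appdata\local\**\*) filemod_name:*.exe
    # netconn_count:[1 TO *] childproc_count:[1 TO *] process_publisher_state:..._NOT_SIGNED
    p = ev["process_name"].lower()
    return (("\\system32\\" in p or "\\appdata\\local\\" in p) and any_glob(ev["filemods"], "*.exe")
            and ev["netconn_count"] >= 1 and ev["childproc_count"] >= 1 and ev["publisher_state"] == UNSIGNED)

RULES = [explorer_drops_exe, unsigned_loads_cryptbase, powershell_writes_exe,
         unsigned_dropper_in_system32_or_appdata]

def hunt(events):
    """Map each process id to the names of the Table 4 hunts it matches; clean processes are omitted."""
    hits = {}
    for ev in events:
        matched = [rule.__name__ for rule in RULES if rule(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits
```

Processes that match several hunts at once (p2 above) are the ones worth triaging first; a hit on a single broad rule such as the powershell.exe one is where environment-specific negations are usually needed.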