{
  "description": "Enterprise techniques used by Emotet, ATT&CK software S0367 (v1.7)",
  "name": "Emotet (S0367)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1134", "showSubtechniques": true},
    {"techniqueID": "T1134.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has the ability to duplicate the user\u2019s token.(Citation: Binary Defense Emotes Wi-Fi Spreader) [Emotet](https://attack.mitre.org/software/S0367) has also used a variant of Google\u2019s ProtoBuf to send messages that specify how code will be executed.(Citation: emotet_hc3_nov2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.003", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)(Citation: IBM IcedID November 2017)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used HTTP for command and control.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed adding the downloaded payload to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key to maintain persistence.(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Picus Emotet Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110", "showSubtechniques": true},
    {"techniqueID": "T1110.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed using a hard-coded list of passwords to brute force user accounts.(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: CIS Emotet Dec 2018)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used PowerShell to retrieve the malicious payload and download additional resources like [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Symantec Emotet Jul 2018)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Red Canary Emotet Feb 2019)(Citation: Carbon Black Emotet Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used cmd.exe to run a PowerShell script.(Citation: Picus Emotet Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.(Citation: Symantec Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed creating new services to maintain persistence.(Citation: US-CERT Emotet Jul 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed dropping browser password grabber modules.(Citation: Trend Micro Emotet Jan 2019)(Citation: IBM IcedID November 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used Google\u2019s Protobufs to serialize data sent to and from the C2 server.(Citation: Binary Defense Emotes Wi-Fi Spreader) Additionally, [Emotet](https://attack.mitre.org/software/S0367) has used Base64 to encode data before sending to the C2 server.(Citation: Fortinet Emotet May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1114", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)(Citation: IBM IcedID November 2017)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1114.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that scrapes email data from Outlook.(Citation: CIS Emotet Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has encrypted data before sending to the C2 server.(Citation: Fortinet Emotet May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) is known to use RSA keys for encrypting C2 traffic.(Citation: Trend Micro Emotet Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has exfiltrated data over its C2 channel.(Citation: Trend Micro Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1210", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been seen exploiting SMB via EternalBlue (MS17-010) to achieve lateral movement and propagation.(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Secureworks Emotet Nov 2018)(Citation: Red Canary Emotet Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Emotet](https://attack.mitre.org/software/S0367) can download follow-on payloads and items via malicious `url` parameters in obfuscated PowerShell code.(Citation: Pincus Emotet 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has copied itself to remote systems using the `service.exe` filename.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has installed itself as a new service with the service name `Windows Defender System Service` and display name `WinDefService`.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has enumerated non-hidden network shares using `WNetEnumResourceW`.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1040", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed to hook network APIs to monitor network traffic.(Citation: Trend Micro Banking Malware Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.(Citation: Talos Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) inflates malicious files and malware as an evasion technique.(Citation: emotet_trendmicro_mar2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used custom packers to protect its payloads.(Citation: Trend Micro Emotet Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.009", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has dropped an embedded executable at `%Temp%\\setup.exe`.(Citation: Binary Defense Emotes Wi-Fi Spreader) Additionally, [Emotet](https://attack.mitre.org/software/S0367) may embed entire code into other files.(Citation: emotet_hc3_nov2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: ESET Emotet Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Emotet](https://attack.mitre.org/software/S0367) uses obfuscated URLs to download a ZIP file.(Citation: emotet_trendmicro_mar2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed dropping and executing password grabber modules including [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: Trend Micro Emotet Jan 2019)(Citation: emotet_hc3_nov2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been delivered by phishing emails containing attachments.(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)(Citation: IBM IcedID November 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been delivered by phishing emails containing links.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Kaspersky Emotet Jan 2019)(Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed enumerating local processes.(Citation: ASEC Emotet 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed injecting into Explorer.exe and other processes.(Citation: Picus Emotet Dec 2018)(Citation: Trend Micro Banking Malware Jan 2019)(Citation: US-CERT Emotet Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[Emotet](https://attack.mitre.org/software/S0367) uses a copy of `certutil.exe` stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code.(Citation: emotet_trendmicro_mar2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1620", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has reflectively loaded payloads into memory.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has leveraged the Admin$, C$, and IPC$ shares for lateral movement.(Citation: Malwarebytes Emotet Dec 2017)(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has maintained persistence through a scheduled task, e.g. through a .dll file referenced in the Registry.(Citation: US-CERT Emotet Jul 2018)(Citation: emotet_hc3_nov2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.010", "comment": "[Emotet](https://attack.mitre.org/software/S0367) uses RegSvr32 to execute the DLL payload.(Citation: emotet_trendmicro_mar2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "showSubtechniques": true},
    {"techniqueID": "T1016.002", "comment": "[Emotet](https://attack.mitre.org/software/S0367) can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks.(Citation: Binary Defense Emotes Wi-Fi Spreader)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1033", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has enumerated all users connected to network shares.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.(Citation: US-CERT Emotet Jul 2018)(Citation: CIS Emotet Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious link delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)(Citation: IBM IcedID November 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078", "showSubtechniques": true},
    {"techniqueID": "T1078.003", "comment": "[Emotet](https://attack.mitre.org/software/S0367) can brute force a local admin password, then use it to facilitate lateral movement.(Citation: Malwarebytes Emotet Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[Emotet](https://attack.mitre.org/software/S0367) has used WMI to execute powershell.exe.(Citation: Carbon Black Emotet Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Emotet", "color": "#66b1ff"}]
}
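The layer above is data meant for the ATT&CK Navigator, but a defender usually wants it as a hunt checklist and wants to know whether the file is internally consistent before loading it. The following is an added example, not part of the layer and not ATT&CK or Navigator code: it parses a Navigator layer, flags sub-techniques whose parent entry is missing, scored techniques with no citation, and comments that cite the same key twice, and strips the markdown links and citation tags so each comment reads as a checklist item. `SAMPLE_LAYER` is a constructed excerpt of the Emotet layer with T1036 deliberately omitted and a duplicated Talos citation kept on T1566.002, so every check has something to report; the function names are this example's own.

```python
"""Parse an ATT&CK Navigator layer, sanity-check it, and emit a hunt checklist.

Added example; not code from the layer, ATT&CK, or the Navigator project.
SAMPLE_LAYER is a constructed excerpt of the Emotet layer: a few entries copied
verbatim, with the parent T1036 left out and the duplicate Talos citation on
T1566.002 kept, so each audit check below has a hit to demonstrate.
"""
import json
import re
from collections import Counter

SAMPLE_LAYER = json.dumps({
    "name": "Emotet (S0367)",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "techniques": [
        {"techniqueID": "T1547", "showSubtechniques": True},
        {"techniqueID": "T1547.001", "score": 1, "comment":
         "[Emotet](https://attack.mitre.org/software/S0367) has been observed adding the downloaded payload "
         "to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key to maintain "
         "persistence.(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)"},
        {"techniqueID": "T1036.004", "score": 1, "comment":            # parent T1036 intentionally absent
         "[Emotet](https://attack.mitre.org/software/S0367) has installed itself as a new service with the "
         "service name `Windows Defender System Service` and display name `WinDefService`."
         "(Citation: Binary Defense Emotes Wi-Fi Spreader)"},
        {"techniqueID": "T1566", "showSubtechniques": True},
        {"techniqueID": "T1566.002", "score": 1, "comment":            # same key cited twice
         "[Emotet](https://attack.mitre.org/software/S0367) has been delivered by phishing emails containing "
         "links. (Citation: Talos Emotet Jan 2019)(Citation: Talos Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)"},
        {"techniqueID": "T1033", "score": 1, "comment":                # no citation at all
         "[Emotet](https://attack.mitre.org/software/S0367) has enumerated all users connected to network shares."},
    ],
})

CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")
LINK_RE = re.compile(r"\[([^\]]+)\]\([^)]+\)")   # markdown [text](url) -> text


def parse_layer(text):
    """json.loads plus the minimal shape check a layer needs to be usable."""
    layer = json.loads(text)
    for key in ("name", "domain", "techniques"):
        if key not in layer:
            raise ValueError(f"layer is missing required key {key!r}")
    if not isinstance(layer["techniques"], list):
        raise ValueError("'techniques' must be a list")
    return layer


def citations(comment):
    """Citation keys in order of appearance, duplicates included."""
    return CITATION_RE.findall(comment or "")


def duplicate_citations(comment):
    """Keys cited more than once in one comment (usually a copy-paste slip)."""
    return sorted(k for k, n in Counter(citations(comment)).items() if n > 1)


def missing_parents(layer):
    """Sub-technique IDs whose parent technique has no entry of its own.

    Navigator still colours the sub-technique cell, but the parent row has
    nothing to expand without an entry carrying showSubtechniques.
    """
    ids = {t["techniqueID"] for t in layer["techniques"]}
    return sorted(t["techniqueID"] for t in layer["techniques"]
                  if "." in t["techniqueID"] and t["techniqueID"].split(".")[0] not in ids)


def uncited(layer):
    """Scored techniques whose comment carries no citation tag."""
    return sorted(t["techniqueID"] for t in layer["techniques"]
                  if t.get("score", 0) > 0 and not citations(t.get("comment")))


def audit(layer):
    """All consistency findings in one dict, keyed by check name."""
    dups = {t["techniqueID"]: duplicate_citations(t.get("comment"))
            for t in layer["techniques"] if duplicate_citations(t.get("comment"))}
    return {"missing_parents": missing_parents(layer),
            "uncited": uncited(layer),
            "duplicate_citations": dups}


def plain_text(comment):
    """Drop markdown links and citation tags; collapse the leftover whitespace."""
    text = LINK_RE.sub(r"\1", comment or "")
    return " ".join(CITATION_RE.sub("", text).split())


def checklist(layer):
    """(techniqueID, plain comment) for every scored technique, sorted by ID."""
    return sorted((t["techniqueID"], plain_text(t.get("comment")))
                  for t in layer["techniques"] if t.get("score", 0) > 0)


if __name__ == "__main__":
    layer = parse_layer(SAMPLE_LAYER)
    print("audit:", audit(layer))
    for tid, text in checklist(layer):
        print(f"{tid:10} {text}")
```

Run against the full layer (`parse_layer(open("emotet.json").read())`) the same `audit` call reports the duplicated Talos citation on T1566.002 and the uncited T1033 comment; `missing_parents` comes back empty because the full layer carries a parent entry for every sub-technique.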
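Several comments in the layer name a concrete artifact rather than a behaviour class: the `HKCU\...\CurrentVersion\Run` value (T1547.001), a service called `Windows Defender System Service` / `WinDefService` (T1036.004, T1543.003), `%Temp%\setup.exe` (T1027.009), `service.exe` copied to `ADMIN$`/`C$`/`IPC$` (T1570, T1021.002), a `certutil.exe` copy launched from a temp directory (T1055.012), plain HTTP on ports 20, 22, 443, 7080 or 50000 (T1571, T1071.001) and WMI-spawned `powershell.exe` (T1047). The block below is an added example, not code from the layer or from any vendor, that turns those artifacts into matching rules over endpoint events and labels each hit with the layer's technique ID. The event records are constructed; their field names (`EventType`, `Image`, `TargetObject`, `DestinationPort`, ...) imitate Sysmon-style telemetry but are an assumption of this example, as is the choice to treat any `ServiceInstalled` event as a T1543.003 candidate.

```python
"""Match endpoint events to the Emotet techniques scored in the layer above.

Added example; not code from the layer, ATT&CK, or a vendor product. EVENTS is
a constructed sample whose field names imitate Sysmon-style telemetry. Each
rule keys off an artifact a layer comment names, so a hit is tagged with that
technique ID. Note that 443 only fires when the Protocol field says plain http.
"""
import re
from collections import Counter

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"          # T1547.001
ODD_HTTP_PORTS = {20, 22, 443, 7080, 50000}                               # T1571
SERVICE_NAMES = {"Windows Defender System Service", "WinDefService"}    # T1036.004
TEMP_DIR_RE = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN\$|C\$|IPC\$)\\", re.IGNORECASE)

# Constructed sample events (not a real log export).
EVENTS = [
    {"EventType": "RegistryValueSet", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"EventType": "ServiceInstalled", "ServiceName": "Windows Defender System Service", "DisplayName": "WinDefService",
     "ImagePath": "C:\\Windows\\System32\\service.exe"},
    {"EventType": "FileCreate", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"EventType": "FileCreate", "TargetFilename": "\\\\FS01\\ADMIN$\\service.exe"},
    {"EventType": "NetworkConnect", "Protocol": "http", "DestinationIp": "203.0.113.10", "DestinationPort": 7080},
    {"EventType": "NetworkConnect", "Protocol": "http", "DestinationIp": "203.0.113.11", "DestinationPort": 80},
    {"EventType": "ProcessCreate", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\certutil.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "CommandLine": "certutil.exe"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell -enc AAAA"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventType": "ServiceInstalled", "ServiceName": "MySQL", "DisplayName": "MySQL Server",
     "ImagePath": "C:\\Program Files\\MySQL\\bin\\mysqld.exe"},
]


def match_event(ev):
    """Return the set of technique IDs whose named artifact this event shows."""
    hits = set()
    kind = ev.get("EventType")

    if kind == "RegistryValueSet":
        target = ev.get("TargetObject", "")
        user_hive = target.upper().startswith(("HKCU\\", "HKU\\"))
        if user_hive and RUN_KEY in target.lower():
            hits.add("T1547.001")                      # user Run key persistence

    elif kind == "ServiceInstalled":
        hits.add("T1543.003")                          # every new service is a candidate
        if ev.get("ServiceName") in SERVICE_NAMES or ev.get("DisplayName") in SERVICE_NAMES:
            hits.add("T1036.004")                      # posing as Windows Defender

    elif kind == "FileCreate":
        path = ev.get("TargetFilename", "")
        if TEMP_DIR_RE.search(path) and path.lower().endswith("\\setup.exe"):
            hits.add("T1027.009")                      # embedded payload dropped to %Temp%\setup.exe
        if ADMIN_SHARE_RE.match(path) and path.lower().endswith("\\service.exe"):
            hits.update({"T1570", "T1021.002"})        # self-copy to a remote admin share

    elif kind == "NetworkConnect":
        if ev.get("Protocol", "").lower() == "http" and ev.get("DestinationPort") in ODD_HTTP_PORTS:
            hits.update({"T1571", "T1071.001"})        # plain HTTP on a non-standard port

    elif kind == "ProcessCreate":
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if image.endswith("\\certutil.exe") and TEMP_DIR_RE.search(image):
            hits.add("T1055.012")                      # certutil copy in temp as hollowing host
        if image.endswith("\\powershell.exe") and parent.endswith("\\wmiprvse.exe"):
            hits.add("T1047")                          # WMI-launched PowerShell
    return hits


def triage(events):
    """(event index, sorted technique IDs) for every event that matched."""
    return [(i, sorted(match_event(ev))) for i, ev in enumerate(events) if match_event(ev)]


def technique_summary(events):
    """How many events touched each technique; handy for scoring a layer."""
    counts = Counter()
    for ev in events:
        counts.update(match_event(ev))
    return dict(counts)


if __name__ == "__main__":
    for idx, ids in triage(EVENTS):
        print(f"event {idx}: {', '.join(ids)}  <- {EVENTS[idx]['EventType']}")
    print(technique_summary(EVENTS))
```

`technique_summary` is shaped so its counts can be written straight back into a layer as `score` values, which is the usual way to overlay observed activity on an ATT&CK software layer for comparison.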