Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
The eSentire Threat Intelligence team has observed an increase in successful Emotet infections coupled with lateral movement after the initial infection. eSentire Threat Intelligence assesses with medium confidence that the prevalence of infections will continue to rise given the current success of lateral movement and ease of delivery.
The initial infection vector is Microsoft Word documents downloaded from an embedded link inside fake invoice emails (Image 1). The trojan can spread through windows SMB file shares and is capable of downloading additional payloads from command & control servers. Samples observed employed randomly generated file names by victim asset and altered its file composition on disk at regular intervals to evade detection based on file hash.
Performing the mitigating actions listed below will significantly reduce the potential of Emotet infection and minimize the likelihood of successful lateral movement.
Emotet has been active since 2014 and has incorporated various techniques to steal information from victims.
In the most recent Emotet campaigns, the threat actor(s) were found to be hosting documents on compromised domains. When the macro is executed a PowerShell command is used to retrieve an Emotet payload from another compromised domain. Lateral movement is then achieved by using the default $admin SMB file share across Windows machines. Depending on the infected user’s permission level, the threat actor(s) may configure persistence through registry run keys or a service.
*Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.
Local Admin Access: Creates Service Description: Duplicates description from an existing service Directory of executable: c:\windows\syswow64\[Random Name].exe OR c:\windows\[Random Name].exe Normal User: Registry Run Key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\[Random Name]