On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE. We share the emulation plan so the community can also emulate the Emotet campaign to test and improve people, process, and technology. Lastly, we discuss how to defend against Emotet, in this case, we cover training the end users by performing phishing simulations. We hope you enjoy it.

    Cyber Threat Intelligence

    This week, our Cyber Threat Intelligence comes from a company that is at the forefront of email security, ProofPoint. We interview Sherrod DeGrippo who wrote the article emotet returns after a 5 month hiatus to understand what Emotet is, how they operate, and how we can improve security. Here is this week’s interview:

    We found a number of additional resources related to the latest Emotet campaign to pull out the Cyber Threat Intelligence:

    An excellent resource to see replays of what occurs when someone falls for the phishing email and opens the emotet document is the site any.run. Here are a few for emotet:

    Emotet has been around for a number of years and is tracked by MITRE ATT&CK. We can see the TTPs via the ATT&CK Navigator Layer created from the JSON in the SCYTHE Community Github.

    Adversary Emulation Plan

    Emotet works by spamming targets with business-related emails containing malicious Office documents that are either attached to the email or with a link to download the malicious file. If someone falls for the phishing email, opens the document, and enables macros, the Emotet malware will execute.

    As usual, below is the adversary emulation profile for Emotet. The emulation plan can be downloaded from the SCYTHE Community Threats Github and imported to your SCYTHE instance.





    Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector.


    Banking Trojan - steal banking information and PII

    Initial Access

    T1566 - Phishing

    T1566.001 - Spearphishing Attachment

    T1566.002 - Spearphishing Link

    Command and Control

    T1573 - Encrypted Channel

    T1573.002 - Asymmetric Cryptography

    T1571 - Non-Standard Port


    T1059 - Command and Scripting Interpreter

    T1059.001 - PowerShell

    T1059.003 - Windows Command Shell

    T1059.005 - Visual Basic

    T1053 - Scheduled Task/Job

    T1053.005 - Scheduled Task

    T1204 - User Execution

    T1204.001 - Malicious Link

    T1204.002 - Malicious File

    T1047 - Windows Management Instrumentation

    Defense Evasion

    T1027 - Obfuscated Files or Information

    T1027.002 - Software Packing

    T1055 - Process Injection

    T1055.001 - Dynamic-link Library Injection

    T1078 - Valid Accounts

    T1078.003 - Local Accounts


    T1087 - Account Discovery

    T1087.003 - Email Account

    T1057 - Process Discovery

    Credential Access

    T1110 - Brute Force

    T1110.001 - Password Guessing

    T1555 - Credentials from Password Stores

    T1555.003 - Credentials from Web Browsers

    T1040 - Network Sniffing

    T1003 - OS Credential Dumping

    T1003.001 - LSASS Memory

    T1552 - Unsecured Credentials

    T1552.001 - Credentials In Files


    T1560 - Archive Collected Data

    T1114 - Email Collection

    T1114.001 - Local Email Collection


    T1547 - Boot or Logon Autostart Execution

    T1547.001 - Registry Run Keys / Startup Folder

    T1543 - Create or Modify System Process

    T1543.003 - Windows Service

    Lateral Movement

    T1210 - Exploitation of Remote Services

    T1021 - Remote Services

    T1021.002 - SMB/Windows Admin Shares


    T1041 - Exfiltration Over C2 Channel

    Defend against Emotet

    Defending against emotet and other phishing campaigns can be broken up by people, process, and technology. ProofPoint is an excellent technology solution to cut down and stop phishing and malicious emails from getting to users. 

    From a people and process perspective, user awareness training is one of the best defenses against phishing attacks like emotet campaigns. Creating a phishing simulation program involves coordination with a number of internal teams but at a high level:

    • Create an email template that is used against the target organization
    • Create a unique link per email address
    • Send the emails to the target addresses
    • Metrics: Clicked email (failed test); Reported email (passed test)
    • If someone clicks on the email, they should get a message immediately informing them this was a test and with best practices of what to do next time
    • People reporting the phishing email should have some sort of positive reinforcement


    Emotet campaigns are back and ProofPoint was quick to catch it. We had a chat with Sherrod DeGrippo from ProofPoint and discussed the new campaign, phishing as a whole, emulating emotet, and how to defend against it. We created an adversary emulation plan and shared it on our Github. Lastly, we covered how to defend against phishing attacks by focusing on people, process, and technology. We hope you enjoyed it.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.

    Jorge Orchilles
    Post by Jorge Orchilles
    July 30, 2020