S0367: Emotet
Analyst context for executives and security teams
Emotet matters because ATT&CK describes it as modular Windows malware primarily used as a downloader for other malware, with relationships spanning credential access, discovery, execution, persistence, lateral movement, command and control, exfiltration, and evasion behaviors. For leaders, the key issue is not one malware name; it is whether the organization can quickly contain a Windows intrusion that may become a platform for follow-on tooling such as TrickBot or IcedID.
Executive priority
Treat Emotet-style behavior as a resilience and incident-readiness test for Windows environments. Priority questions: do we have evidence for credential theft attempts, SMB/admin-share movement, PowerShell/WMI execution, scheduled task persistence, and web-based C2; can we isolate affected hosts quickly; and can we prove control coverage for audit and incident review? Because ATT&CK provides no official detection text for this object, leadership should ask for validated telemetry and tested response procedures rather than relying on malware-name alerts alone.
Technical view
SOC and IR teams should validate coverage against the related ATT&CK techniques rather than only static indicators. Emotet is linked to LSASS memory access, Wi-Fi and user/process/email account discovery, SMB/Windows Admin Shares, WMI, scheduled tasks, PowerShell, Windows Command Shell, Visual Basic, DLL injection, process hollowing, packed/embedded/encoded/obfuscated payloads, web-protocol C2, and exfiltration over C2. Detection engineering should correlate suspicious Windows execution chains, credential-access signals, lateral SMB activity, persistence artifacts, and unusual outbound web traffic from hosts showing discovery or injection behavior.
Likely telemetry
- Windows process creation events with command-line detail for PowerShell, cmd, Visual Basic/script hosts, WMI, and scheduled task execution
- Windows security and endpoint telemetry for LSASS access, credential dumping indicators, process injection, DLL injection, and process hollowing
- Scheduled task creation, modification, and execution records
- Service/task naming and masquerading evidence
- SMB/admin share access, remote logons, local account use, and lateral authentication patterns
Detection direction
- Do not depend on Emotet signatures alone; ATT&CK relationships show behaviors that can change through obfuscation, packing, embedded payloads, and command obfuscation.
- Tune detections around behavior chains: suspicious script or shell execution followed by discovery, LSASS access, scheduled task creation, SMB movement, and outbound web traffic.
- Validate visibility for Windows administrative features that are commonly noisy, especially WMI, PowerShell, scheduled tasks, and SMB admin shares; separate normal administration from unusual parent processes, hosts, users, timing, and destinations.
- Review false positives from legitimate IT automation, software deployment, backup activity, helpdesk tools, and administrative scripts before escalating broad detections.
- Use relationship context carefully: ATT&CK links Emotet to Wizard Spider and multiple techniques, but local telemetry is required to determine whether any specific incident involves this malware or actor.
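As an added illustration of the behavior-chain tuning described above (not code from ATT&CK, Glexia, or any Emotet report), the following Python correlates Sysmon-style process, network, and SMB events per host and raises an alert only when several distinct Emotet-linked stages from this page's technique table (script execution, Regsvr32 DLL load, scheduled task creation, HTTP over a non-standard port, admin-share access) occur on one host inside a time window. The event schema, field names, hostnames, and events are constructed assumptions.

```python
"""Behavior-chain correlation keyed to the Emotet ATT&CK relationships on this page.
All events below are constructed samples with an assumed Sysmon-like schema."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed: one suspicious chain on WS01, benign admin activity on WS07
    {"ts": "2024-03-01T09:00:01", "host": "WS01", "type": "proc", "parent": "winword.exe",
     "image": "cmd.exe", "cmdline": "cmd /c powershell -enc aGVsbG8="},
    {"ts": "2024-03-01T09:00:03", "host": "WS01", "type": "proc", "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell -enc aGVsbG8="},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "type": "proc", "parent": "powershell.exe",
     "image": "regsvr32.exe", "cmdline": "regsvr32 /s C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll"},
    {"ts": "2024-03-01T09:00:20", "host": "WS01", "type": "proc", "parent": "svchost.exe",
     "image": "schtasks.exe", "cmdline": "schtasks /create /tn Upd /tr rundll32"},
    {"ts": "2024-03-01T09:01:00", "host": "WS01", "type": "net", "image": "regsvr32.exe",
     "dport": 7080, "proto": "http"},
    {"ts": "2024-03-01T09:02:00", "host": "WS01", "type": "smb", "share": "ADMIN$", "dest": "WS02"},
    {"ts": "2024-03-01T10:00:00", "host": "WS07", "type": "proc", "parent": "deploytool.exe",
     "image": "schtasks.exe", "cmdline": "schtasks /create /tn Patch /tr msiexec"},
    {"ts": "2024-03-01T10:00:30", "host": "WS07", "type": "smb", "share": "ADMIN$", "dest": "WS08"},
]

NONSTANDARD_HTTP_PORTS = {20, 22, 7080, 50000}  # ports cited in the T1571 row above
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}          # shares cited in the T1021.002 row above


def stage(ev):
    """Map one event to a behavior stage from the page's technique list, or None."""
    img = ev.get("image", "").lower()
    par = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "proc":
        if img == "powershell.exe" and par in {"cmd.exe", "wmiprvse.exe", "winword.exe"}:
            return "script_exec"    # T1059.001 launched via cmd (T1059.003), WMI (T1047) or Office
        if img == "regsvr32.exe" and "\\appdata\\" in cmd and ".dll" in cmd:
            return "regsvr32_dll"   # T1218.010: DLL payload under a user-writable path
        if img == "schtasks.exe" and "/create" in cmd:
            return "sched_task"     # T1053.005 persistence
    elif ev["type"] == "lsass":
        return "lsass_access"       # T1003.001 (no sample event above; shown for completeness)
    elif ev["type"] == "net" and ev.get("proto") == "http" and ev.get("dport") in NONSTANDARD_HTTP_PORTS:
        return "nonstd_http"        # T1071.001 over T1571 non-standard ports
    elif ev["type"] == "smb" and ev.get("share", "").upper() in ADMIN_SHARES:
        return "admin_share"        # T1021.002 lateral movement
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: sorted stages} for hosts with >= min_stages distinct stages in one window.
    A single stage (e.g. a scheduled task from a deployment tool) never alerts on its own."""
    per_host = defaultdict(list)
    for ev in events:
        s = stage(ev)
        if s:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))  # only WS01 meets the chain threshold
```

The `min_stages` and `window` parameters are the tuning knobs the Detection direction bullets refer to: raising the threshold suppresses isolated administrative noise, lowering it trades precision for earlier warning.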
Mitigation priorities
- Prioritize Windows endpoint hardening and monitoring around script execution, WMI, scheduled tasks, and command shells.
- Reduce credential exposure by hardening LSASS access, limiting local administrator rights, and addressing local account/password reuse risk.
- Constrain SMB/admin-share access and monitor remote administrative activity between workstations and servers.
- Strengthen egress monitoring and filtering for unusual web-protocol traffic from endpoints, especially when paired with discovery or persistence signals.
- Maintain incident response playbooks for rapid host isolation, credential reset decisions, lateral movement scoping, and follow-on malware investigation.
Analyst notes and limits
The most useful defensive framing is Emotet as a downloader and intrusion-enablement risk on Windows. Its ATT&CK relationships make it relevant to managed detection, IR readiness, identity protection, endpoint hardening, network monitoring, and compliance evidence for logging and response controls. The supplied object has no ATT&CK tactic list and no official detection guidance, so this take is driven by the official description, external references, and related techniques.
This summary uses only the supplied ATT&CK fields and relationships. It does not assert current activity, customer exposure, successful detection coverage, or actor attribution beyond the stated ATT&CK relationship that Wizard Spider uses this object. Platform claims are limited to the supplied Windows platform for Emotet, while related techniques may list broader platforms.
Emotet
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | Emotet has enumerated all users connected to network shares. |
| Enterprise | T1570 | Lateral Tool Transfer | Emotet has copied itself to remote systems using the `service.exe` filename. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Emotet is known to use RSA keys for encrypting C2 traffic. (Citation: Trend Micro Emotet Jan 2019) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. (Citation: US-CERT Emotet Jul 2018) (Citation: CIS Emotet Dec 2018) |
| Enterprise | T1110.001 | Password Guessing Sub-technique | Emotet has been observed using a hard-coded list of passwords to brute force user accounts. (Citation: Malwarebytes Emotet Dec 2017) (Citation: Symantec Emotet Jul 2018) (Citation: US-CERT Emotet Jul 2018) (Citation: Secureworks Emotet Nov 2018) (Citation: CIS Emotet Dec 2018) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1047 | Windows Management Instrumentation | Emotet has used WMI to execute powershell.exe. (Citation: Carbon Black Emotet Apr 2019) |
| Enterprise | T1571 | Non-Standard Port | Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S. (Citation: Talos Emotet Jan 2019) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Emotet inflates malicious files and malware as an evasion technique. (Citation: emotet_trendmicro_mar2023) |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Emotet uses RegSvr32 to execute the DLL payload. (Citation: emotet_trendmicro_mar2023) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement. (Citation: Malwarebytes Emotet Dec 2017) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing. (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Carbon Black Emotet Apr 2019) (Citation: IBM IcedID November 2017) |
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | |
| Enterprise | T1078.003 | Local Accounts Sub-technique | Emotet can brute force a local admin password, then use it to facilitate lateral movement. (Citation: Malwarebytes Emotet Dec 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Emotet has been observed adding the downloaded payload to the |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Emotet has been delivered by phishing emails containing links. (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Kaspersky Emotet Jan 2019) (Citation: CIS Emotet Apr 2017) (Citation: Malwarebytes Emotet Dec 2017) (Citation: Symantec Emotet Jul 2018) (Citation: US-CERT Emotet Jul 2018) (Citation: Talos Emotet Jan 2019) (Citation: Picus Emotet Dec 2018) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1135 | Network Share Discovery | Emotet has enumerated non-hidden network shares using `WNetEnumResourceW`. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Emotet has used HTTP for command and control. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Emotet has exfiltrated data over its C2 channel. (Citation: Trend Micro Emotet Jan 2019) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | Emotet can download follow-on payloads and items via malicious `url` parameters in obfuscated PowerShell code. (Citation: Pincus Emotet 2020) |
| Enterprise | T1210 | Exploitation of Remote Services | Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation. (Citation: Symantec Emotet Jul 2018) (Citation: US-CERT Emotet Jul 2018) (Citation: Secureworks Emotet Nov 2018) (Citation: Red Canary Emotet Feb 2019) |
| Enterprise | T1114 | Email Collection | Emotet has been observed leveraging a module that can scrape email addresses from Outlook. (Citation: CIS Emotet Dec 2018) (Citation: IBM IcedID November 2017) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Emotet has maintained persistence through a scheduled task, e.g. through a .dll file in the Registry. (Citation: US-CERT Emotet Jul 2018) (Citation: emotet_hc3_nov2023) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Emotet has been observed dropping browser password grabber modules. (Citation: Trend Micro Emotet Jan 2019) (Citation: IBM IcedID November 2017) |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. (Citation: Symantec Emotet Jul 2018) (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: Picus Emotet Dec 2018) (Citation: Carbon Black Emotet Apr 2019) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Emotet has relied upon users clicking on a malicious link delivered through spearphishing. (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Carbon Black Emotet Apr 2019) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Emotet has installed itself as a new service with the service name `Windows Defender System Service` and display name `WinDefService`. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: Picus Emotet Dec 2018) (Citation: ESET Emotet Dec 2018) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1040 | Network Sniffing | Emotet has been observed to hook network APIs to monitor network traffic. (Citation: Trend Micro Banking Malware Jan 2019) |
| Enterprise | T1620 | Reflective Code Loading | Emotet has reflectively loaded payloads into memory. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Emotet uses obfuscated URLs to download a ZIP file. (Citation: emotet_trendmicro_mar2023) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Emotet has used cmd.exe to run a PowerShell script. (Citation: Picus Emotet Dec 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Emotet has been delivered by phishing emails containing attachments. (Citation: CIS Emotet Apr 2017) (Citation: Malwarebytes Emotet Dec 2017) (Citation: Symantec Emotet Jul 2018) (Citation: US-CERT Emotet Jul 2018) (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: Picus Emotet Dec 2018) (Citation: Carbon Black Emotet Apr 2019) (Citation: IBM IcedID November 2017) |
| Enterprise | T1087.003 | Email Account Sub-technique | Emotet has been observed leveraging a module that can scrape email addresses from Outlook. (Citation: CIS Emotet Dec 2018) (Citation: IBM IcedID November 2017) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Emotet has used custom packers to protect its payloads. (Citation: Trend Micro Emotet Jan 2019) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Emotet uses a copy of `certutil.exe` stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code. (Citation: emotet_trendmicro_mar2023) |
| Enterprise | T1057 | Process Discovery | Emotet has been observed enumerating local processes. (Citation: ASEC Emotet 2017) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Emotet has been observed injecting into Explorer.exe and other processes. (Citation: Picus Emotet Dec 2018) (Citation: Trend Micro Banking Malware Jan 2019) (Citation: US-CERT Emotet Jul 2018) |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | Emotet has been observed leveraging a module that scrapes email data from Outlook. (Citation: CIS Emotet Dec 2018) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Emotet has been observed creating new services to maintain persistence. (Citation: US-CERT Emotet Jul 2018) (Citation: Secureworks Emotet Nov 2018) (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1573 | Encrypted Channel | Emotet has encrypted data before sending to the C2 server. (Citation: Fortinet Emotet May 2017) |
| Enterprise | T1106 | Native API | Emotet has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
| Enterprise | T1016.002 | Wi-Fi Discovery Sub-technique | Emotet can extract names of all locally reachable Wi-Fi networks and then perform a brute-force attack to spread to new networks. (Citation: Binary Defense Emotes Wi-Fi Spreader) |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.7 | | Current bundle | 7a8b5571d5e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Banking Malware Jan 2019: Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
- [2] CIS Emotet Apr 2017: CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.
- [3] CIS Emotet Dec 2018: CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
- [4] ESET Emotet Nov 2018: ESET. (2018, November 9). Emotet launches major new spam campaign. Retrieved March 25, 2019.
- [5] Emotet: (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Kaspersky Emotet Jan 2019) (Citation: CIS Emotet Apr 2017) (Citation: Malwarebytes Emotet Dec 2017) (Citation: Symantec Emotet Jul 2018) (Citation: US-CERT Emotet Jul 2018) (Citation: ESET Emotet Nov 2018) (Citation: Secureworks Emotet Nov 2018) (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: CIS Emotet Dec 2018) (Citation: Picus Emotet Dec 2018) (Citation: Red Canary Emotet Feb 2019)
- [6] Geodo: (Citation: Trend Micro Emotet Jan 2019)
- [7] Kaspersky Emotet Jan 2019: Shulmin, A. (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.
- [8] Malwarebytes Emotet Dec 2017: Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
- [9] Picus Emotet Dec 2018: Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
- [10] Red Canary Emotet Feb 2019: Donohue, B. (2019, February 13). https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/. Retrieved March 25, 2019.
- [11] Secureworks Emotet Nov 2018: Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
- [12] Symantec Emotet Jul 2018: Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
- [13] Talos Emotet Jan 2019: Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
- [14] Trend Micro Emotet Jan 2019: Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
- [15] US-CERT Emotet Jul 2018: US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
- [16] mitre-attack S0367
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.