We know dealing with an Emotet and/or Trickbot infection can be a major pain. These banking trojans are self propagating and can spread rapidly through a network. On top of that, they typically install other malware and sometimes ransomware. Often times it seems as soon as you clean a host, it is re-infected.
Disable Administrative Shares
This is highly recommended. It will help prevent hosts from reinfecting one another.
- On Windows workstations (7, 8.1, and 10), use the value name AutoShareWks
- On Windows servers (2008, 2012, and 2016), use the value name AutoShareServer
In the image below, we used "net share" to view the administrative shares, then created the AutoShareWks DWORD value, restarted the server service, and then used "net share" again to verify the administrative shares (C$, D$, and ADMIN$) were no longer present.
Alternatives that have the same effect. Several of our partners have used these method successfully.
- Stop and disable the LanmanServer (Server) service. If you only stop it, when the system is rebooted the service will auto-start.
- Use a Group Policy to enable the Windows Firewall, block access to port 445 (SMB).
NOTE Disabling administrative shares on servers (or disabling the Server service/blocking port 445) may prevent user's from accessing shared resources and will also prevent Windows domain authentication.
Install MS17-010 Patch
Deploy the Huntress Agent Throughout the Network
We often see hosts that are re-infected even after it appears that all the malicious files have been removed from the network. Typically we find there was an infected host that was powered off or did not have the Huntress Agent installed. If passwords were not changed and administrative shares were not disabled, as soon as this "offline" host was powered on it would start infecting other hosts.
If you have new Emotet and/or Trickbot services, review the event log from the host specifically looking for event id 4697. This is the service creation event. The log should show what account/computer created the service which may help to identify compromised accounts and other hosts.
What to Expect from Huntress
Depending on the extent of the infection we may temporarily disable incident reports. If hosts are constantly getting re-infected, new incident reports will be generated each time. (We've seen networks with hundreds of infected hosts that were constantly re-infecting one another.) We do not want to inundate your ticket queue for hosts that have already been reported.
We will send a list of all the infected hosts as well as instructions to customize this remediation script for the particular infection. (Trickbot periodically changes the service names it uses. We will provide the commands required to remove Trickbot based on the service names we are seeing on your network.)
Once the re-infection rate has slowed, we will start sending incident reports again.
If you have any questions, please do not hesitate to contact Huntress support at support<@>huntress.io.