We know dealing with an Emotet and/or Trickbot infection can be a major pain. These banking Trojans are self-propagating and spread rapidly through a network over SMB, using harvested credentials and the administrative shares to install themselves on other hosts. On top of that, they typically install other malware and sometimes ransomware. Often it seems that as soon as you clean a host, it is re-infected.
Disable Administrative Shares
Disabling administrative shares is highly recommended. It will help prevent hosts from re-infecting one another, because the malware's lateral movement relies on copying itself to C$ or ADMIN$ and creating a service. The setting lives under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters as a DWORD value set to 0:
- On Windows workstations (7, 8.1, and 10), use the value name AutoShareWks
- On Windows servers (2008, 2012, and 2016), use the value name AutoShareServer
Our procedure was to run "net share" to view the administrative shares, create the AutoShareWks DWORD value (data 0), restart the Server service, and then run "net share" again to verify that the administrative shares (C$, D$, and ADMIN$) were no longer present. IPC$ remains after the change; that is expected, as this value does not control it.
Note: you must restart the Server service (or reboot) for the change to the admin shares to take effect, because the value is only read when the service starts.
Alternatives that have the same effect
Several of our partners have used these methods successfully:
- Stop and disable the LanmanServer (Server) service. If you only stop it, the service will auto-start when the system is rebooted.
- Use Group Policy to enable the Windows Firewall and block inbound TCP port 445 (SMB).
NOTE: Disabling administrative shares on servers (or disabling the Server service/blocking port 445) may prevent users from accessing shared resources, and on domain controllers it will break domain logons, since Group Policy and logon scripts are served from the SYSVOL and NETLOGON shares over SMB.
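The procedure above, as an added example in PowerShell (this is not Huntress's remediation script or the page's own code). It picks the value name from the OS product type, applies the registry change, restarts the Server service and verifies via WMI rather than "net share"; the alternatives from the list above are included as commented-out commands. The Get-AdminDiskShare helper name is our own. Run it from an elevated prompt; it only uses features available on Windows 7 / Server 2008 R2 and later.

```powershell
# Added example, not Huntress's own script: disable the automatic administrative
# shares (C$, D$, ADMIN$) as the article describes, restart the Server service,
# and verify. Run from an elevated PowerShell prompt.

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminDiskShare {
    # Win32_Share Type 0x80000000 = administrative disk share (C$, D$, ADMIN$).
    # IPC$ is type 0x80000003 and is not affected by AutoShareWks/AutoShareServer.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object -ExpandProperty Name
}

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$productType = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
$valueName   = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

if ($productType -eq 2) {
    # A DC serves SYSVOL and NETLOGON over SMB, so the article's warning applies in full here.
    Write-Warning 'Domain controller detected: removing admin shares or blocking 445 here breaks domain logons.'
}

Write-Host "Admin disk shares before: $((Get-AdminDiskShare) -join ', ')"

# DWORD 0 = do not recreate the administrative shares when the Server service starts.
New-ItemProperty -Path $lanmanParams -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# The value is only read at service start, so restart the Server service (or reboot).
Restart-Service -Name LanmanServer -Force

$remaining = @(Get-AdminDiskShare)
if ($remaining.Count -eq 0) {
    Write-Host 'Admin disk shares after: none (IPC$ remains, which is expected)'
} else {
    Write-Warning "Admin disk shares still present: $($remaining -join ', ')"
}

# --- Alternatives from the article: run INSTEAD of the registry change, not as well ---
# 1. Stop and disable the Server service so it does not auto-start after a reboot:
#    Stop-Service -Name LanmanServer -Force; Set-Service -Name LanmanServer -StartupType Disabled
# 2. Block inbound SMB with the host firewall (netsh works on Windows 7/2008 R2 as well):
#    netsh advfirewall set allprofiles state on
#    netsh advfirewall firewall add rule name="Block inbound SMB 445" dir=in action=block protocol=TCP localport=445
```

The warning on domain controllers is deliberate: the same change that stops Emotet/Trickbot from copying itself around also stops clients from reading SYSVOL, so on a DC prefer blocking 445 from non-server subnets at the network edge rather than on the host.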
Install MS17-010 Patch
MS17-010 (March 2017) fixes the SMBv1 flaws exploited by EternalBlue and EternalRomance. Trickbot's lateral-movement modules use these exploits to reach hosts where credentials alone would not work, so even with administrative shares disabled an unpatched host can still be taken over. Deploy the patch to every host on the network, including the ones that are normally powered off, and disable SMBv1 wherever nothing depends on it.
Deploy the Huntress Agent Throughout the Network
We often see hosts that are re-infected even after it appears that all the malicious files have been removed from the network. Typically we find there was an infected host that was powered off or did not have the Huntress Agent installed. If passwords were not changed and administrative shares were not disabled, as soon as this "offline" host was powered on it would start infecting other hosts again.
If the incident report lists new Emotet and/or Trickbot services, review the Security event log on that host for event ID 4697 (a service was installed in the system). The event's Subject fields show the account that created the service, and the logon session it came from, which may help to identify compromised accounts and the host the infection came from. Note that 4697 is only written when the audit subcategory "Audit Security System Extension" is enabled; if it is not, fall back to event ID 7045 in the System log (source: Service Control Manager), which is logged by default but records only the service name, image path and service account, not who created it.
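An added PowerShell example (not Huntress's script) that pulls both event types described above from the local host and tabulates them. The Get-EventField and Test-SuspiciousPath helper names are our own, and the "suspicious path" flag is a heuristic we added (a service image outside System32 or Program Files), not an indicator from the page. Requires PowerShell 3.0 or later and an elevated prompt to read the Security log.

```powershell
# Added example, not Huntress's remediation script: list service-installation
# events to find the account or host that created an Emotet/Trickbot service.
# Security 4697 names the creating account but only exists when the audit
# subcategory "Audit Security System Extension" is enabled; System 7045 is
# logged by default but records only the image path and service account.

param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

function Get-EventField {
    param($Event, [string]$Name)
    # Read one <Data Name="..."> element from the event's XML payload
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-SuspiciousPath {
    param([string]$Path)
    # Heuristic only (our addition): legitimate services nearly always live under
    # System32 or Program Files; dropped malware services usually do not.
    $trusted = @("$env:SystemRoot\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    $clean = $Path.Trim('"')
    -not ($trusted | Where-Object { $_ -and $clean.StartsWith($_, 'OrdinalIgnoreCase') })
}

$results = @()

# Security 4697: "A service was installed in the system", with Subject (creator) fields
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697; StartTime = $since } -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = Get-EventField $_ 'ServiceFileName'
    $results += [pscustomobject]@{
        Time        = $_.TimeCreated
        Source      = 'Security/4697'
        ServiceName = Get-EventField $_ 'ServiceName'
        ImagePath   = $path
        CreatedBy   = "$(Get-EventField $_ 'SubjectDomainName')\$(Get-EventField $_ 'SubjectUserName')"
        RunsAs      = Get-EventField $_ 'ServiceAccount'
        Suspicious  = Test-SuspiciousPath $path
    }
}

# System 7045 (Service Control Manager): no creator field, but logged without extra audit policy
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = Get-EventField $_ 'ImagePath'
    $results += [pscustomobject]@{
        Time        = $_.TimeCreated
        Source      = 'System/7045'
        ServiceName = Get-EventField $_ 'ServiceName'
        ImagePath   = $path
        CreatedBy   = '(not recorded)'
        RunsAs      = Get-EventField $_ 'AccountName'
        Suspicious  = Test-SuspiciousPath $path
    }
}

if ($results.Count -eq 0) {
    Write-Warning 'No service-installation events in range. If 4697 is absent, enable "Audit Security System Extension".'
}

$results | Sort-Object Time -Descending |
    Format-Table Time, Source, ServiceName, CreatedBy, RunsAs, Suspicious, ImagePath -AutoSize
```

A 4697 row whose CreatedBy is a domain account that should never log on to that workstation, or whose Subject Logon ID traces back to a network logon (event 4624, logon type 3) from another host, is the lead to chase: that account's password needs changing and that source host needs the agent and cleanup before anything else is reimaged.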
What to Expect from Huntress
Depending on the extent of the infection, we may temporarily disable incident reports. If hosts are continually getting re-infected, a new report would otherwise be generated every time. We've seen networks with hundreds of infected hosts that were constantly re-infecting one another, and our goal is not to flood your ticket queue with reports for hosts that have already been reported.
We provide you with a list of all infected hosts.
Should you choose to remediate, Huntress offers a feature called Assisted Remediation that attempts to remediate an incident automatically. Huntress also provides a PowerShell script** that may help; the PS1 can be customized based on the details in the incident reports.
Once the re-infection rate has slowed, we will start sending incident reports again.
If you have any questions, please do not hesitate to contact Huntress support using the button below or by email at firstname.lastname@example.org.
**The script is unsupported and provided as-is.