Team: Huntress EDR
Product: Emotet, Trickbot
Environment: Huntress EDR
Summary: Banking Trojans rapidly spread and self-propagate. In order to help prevent the spread of Emotet and Trickbot malware, Huntress recommends disabling administrative shares, changing passwords, and installing the MS17-010 patch for better protection.
We know dealing with an Emotet and/or Trickbot infection can be a major pain. These banking Trojans are self-propagating and can spread rapidly through a network. On top of that, they typically install other malware and sometimes ransomware. Often it seems as soon as you clean a host, it is re-infected.
Disable Administrative Shares
Disabling Administrative Shares is highly recommended. It will help prevent hosts from re-infecting one another.
- On Windows workstations (7, 8.1, and 10), use the value name AutoShareWks
- On Windows servers (2008, 2012, and 2016), use the value name AutoShareServer
In the image below, we used "net share" to view the administrative shares, then created the AutoShareWks DWORD value, restarted the server service, and then used "net share" again to verify the administrative shares (C$, D$, and ADMIN$) were no longer present.
Note: you must restart the server service (or reboot) for the changes to the admin share to take effect.
Alternatives that have the same effect
Several of our partners have used these methods successfully:
- Stop and disable the LanmanServer (Server) service. If you only stop it, when the system is rebooted, the service will auto-start.
- Use a Group Policy to enable the Windows Firewall, block access to port 445 (SMB).
NOTE Disabling administrative shares on servers (or disabling the Server service/blocking port 445) may prevent user's from accessing shared resources and will also prevent Windows domain authentication.
Install MS17-010 Patch
Deploy the Huntress Agent Throughout the Network
We often see hosts that are re-infected even after it appears that all the malicious files have been removed from the network. Typically we find there was an infected host that was powered off or did not have the Huntress Agent installed. If passwords were not changed and administrative shares were not disabled, as soon as this "offline" host was powered on it would start infecting other hosts.
If you have new Emotet and/or Trickbot services, review the event log from the host specifically looking for event id 4697. This is the service creation event. The log should show what account/computer created the service, which may help to identify compromised accounts and other hosts.
What to Expect from Huntress
Depending on the extent of the infection we may temporarily disable incident reports. If hosts are constantly getting re-infected, new incident reports will be generated each time. We've seen networks with hundreds of infected hosts that were constantly re-infecting one another. Our goal is not to flood your ticket queue with new reports for hosts that have already been reported.
Should you choose to remediate, you have the option of using Assisted Remediation which will attempt to remediate an incident automatically. Huntress also provides a PowerShell script that may help. The script can be customized based on the details included in the incident reports. Note the script is provided as-is and we are unable to support it.
Once the re-infection rate has slowed, we will resume sending incident reports.
If you have any questions, please do not hesitate to contact Huntress support using the button below or by email at firstname.lastname@example.org.