
Minimizing your attack surface against EMOTET

Anton Wadström

Introduction

On 2022-11-02, BleepingComputer reported that the Emotet malware operation came back to life after an almost four-month “vacation”.

In this blog post I’d like to suggest a few configuration changes you could implement in your organization to minimize your chances of being affected by the malware, as well as a few hunting queries for Microsoft Sentinel that could help you find Emotet exploitation attempts.

As seen in the BleepingComputer article, the macro-enabled XLS file contains instructions for the user on how to run the file.

Source: BleepingComputer

Prevention

These instructions rely on a feature in Office called “Trusted locations”. Content, code, and add-ins are allowed to load from trusted locations with a minimal amount of security, without prompting the users for permission. If a dangerous file is opened from a trusted location, it will not be subject to standard security measures and could harm users’ computers or data.

To prevent these instructions from working if a user follows them, we can disable trusted locations altogether, or alter them to our desired configuration.

To see your own current configuration:

  1. Open Excel
  2. Go to File – Options
  3. Go to Trust center – Trust center settings
  4. Go to Trusted locations

Here you’ll see all of your currently configured trusted locations. Note that there is a check box called “Disable all Trusted Locations”.

Excel trust center trusted locations

This check box is something we easily can configure with Group Policy, Configuration Manager, or Microsoft Intune. In this example we’ll use a configuration profile in Microsoft Intune to disable all trusted locations in all Office applications that support the option.

Create a configuration profile in Intune

  1. Navigate to the Microsoft Endpoint Manager admin center: https://endpoint.microsoft.com/
  2. Click on ‘Devices’
  3. Click on ‘Configuration profiles’
  4. Click on ‘Create profile’
  5. Choose ‘Platform: Windows 10 and later’, ‘Profile type: Templates’ and ‘Template name: Administrative templates’
  6. Click on ‘Create’
  7. Choose a name and description for the profile
  8. In ‘Configuration settings’ section, choose ‘All settings’ and search for ‘Disable all trusted locations’
  9. Click on each setting and change it to ‘Enabled’

Optional: To add additional protection, you could remove the ability for users to enable content in macro-enabled Office files, completely blocking macros from executing in files downloaded from the internet.

In the same configuration profile, search for ‘Block macros from running’ and enable each setting. Note that this might disrupt users that often work with macro enabled files that are shared from third parties.


Once you’re happy with the configuration, assign the profile to the desired groups of users or devices and save it.

After a few minutes, once the profile has synced to the target device(s), opening Trust center in Excel once more shows that the settings have been applied:
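Clicking through Trust center on one machine does not scale, so here is an added PowerShell audit script (not part of the original post) that checks whether the two policy settings have actually landed on a device. It assumes Office 2016/Microsoft 365 Apps (policy key version 16.0), that the profile was applied in user scope so the values sit under HKCU\Software\Policies, and that the registry value names below are the ones the "Disable all trusted locations" and "Block macros from running in Office files from the Internet" templates write.

```powershell
# Added example, not from the original post: audit the Office policy registry
# values that the Intune administrative-template settings described above
# write, and report per application whether they are in effect.
# Assumptions: Office 16.0 policy hive, user-scope policy (HKCU), and that
# these five applications are the ones exposing the two settings.
$officeApps = @('Excel', 'Word', 'PowerPoint', 'Access', 'Visio')
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-OfficePolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing, i.e. the policy
    # has not been applied for that application.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($app in $officeApps) {
    $securityKey = Join-Path $policyRoot "$app\Security"

    # "Disable all trusted locations" -> Security\Trusted Locations\AllLocationsDisabled = 1
    $allLocationsDisabled = Get-OfficePolicyValue -Path (Join-Path $securityKey 'Trusted Locations') `
                                                  -Name 'AllLocationsDisabled'
    # "Block macros from running in Office files from the Internet"
    #   -> Security\blockcontentexecutionfrominternet = 1
    $internetMacrosBlocked = Get-OfficePolicyValue -Path $securityKey `
                                                   -Name 'blockcontentexecutionfrominternet'

    [pscustomobject]@{
        Application              = $app
        TrustedLocationsDisabled = ($allLocationsDisabled -eq 1)
        InternetMacrosBlocked    = ($internetMacrosBlocked -eq 1)
    }
}

$report | Format-Table -AutoSize

# Exit non-zero if any application still allows trusted locations, so the
# script can double as a detection script in an Intune remediation package.
if ($report | Where-Object { -not $_.TrustedLocationsDisabled }) { exit 1 }
exit 0
```

Run it in the context of the signed-in user the profile was assigned to; a device-scoped assignment would need the HKLM policy hive checked instead.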

With a configuration policy like this, your organization is better secured against any attack that relies on macro-enabled Office documents in its modus operandi, not just Emotet.

Hunting

The queries below are provided as-is, with no guarantee that they will detect Emotet activity.

DLL created in %localappdata% and executed by Regsvr32.exe

When the macro runs, it will download a randomly named DLL file to a randomly named folder under %localappdata% (C:\Users\{username}\AppData\Local) and execute it with Regsvr32.exe.

This behavior can in theory be detected with the following KQL query in Microsoft Sentinel (requires Defender for Endpoint raw log ingestion), or in Defender for Endpoint Advanced Hunting. The query looks for events 7 days back but can be adjusted to your liking.

// Sentinel column names; in Defender Advanced Hunting use Timestamp instead of TimeGenerated.
let lookback = 7d;
DeviceFileEvents
| where TimeGenerated >= ago(lookback)
// DLL dropped anywhere under C:\Users\{username}\AppData\Local
| where ActionType == "FileCreated" and FolderPath contains @"\AppData\Local\"
| extend extension = tostring(split(FileName, ".")[-1])
| where extension =~ "dll"
// kind=inner keeps every matching process event (the default innerunique would drop duplicates on DeviceId)
| join kind=inner (
    DeviceProcessEvents
    | where TimeGenerated >= ago(lookback)
    // the regsvr32.exe launch itself, or anything regsvr32.exe spawns afterwards
    | where FileName =~ "regsvr32.exe" or InitiatingProcessFileName =~ "regsvr32.exe"
) on DeviceId
// after the join, the DLL name is FileName and the right-side columns are suffixed with 1
| where ProcessCommandLine has FileName or InitiatingProcessCommandLine1 has FileName
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine1

Known malicious XLS file names in email attachment

We can also use a list of known XLS file names (for example from Emotet samples uploaded to VirusTotal) and hunt for those in email attachments.

The following KQL query requires that Defender for Office raw logs are ingested to Sentinel.

let suspiciousFileNames = dynamic([
    "Fattura 2022 - IT 00291.xls",
    "QW68872431443085HVH.xls",
    "DK26716065008226688J.xls",
    "Linevgroup.xls",
    "Purchases 2022 02-11-2022_1232.xls",
    "2022-11-02_1814.xls",
    "2022-11-02_1822.xls",
    "2022-11-02_1807.xls",
    "2022-11-02_1843.xls",
    "D945631138997156GQ.xls",
    "2022-11-02_1730.xls",
    "DETALLES-02112022.xls",
    "Fattura numero 1644 del 02.11.2022.xls",
    "Nuovo documento 2022.11.02.xls",
    "48760267972793303423.xls",
    "Bradesco.com_I0005212895999B.xls",
    "Hotmail.xls",
    "gescanntes-Dokument.xls",
    "Address Changed.xls",
    "ef2ce641a4e9f270eea626e8e4800b0b97b4a436c40e7af30aeb6f02566b809c.xls",
    "Rech 2022.02.11_1013.xls",
    "2022-11-02_1447.xls",
    "form.xls",
    "Purchases 2022 02-11-2022_1222.xls",
    "Rechnungskorrektur 2022.02.11_1355.xls",
    "Form.xls",
    "Fattura n. 9421999 del 02.11.2022.xls",
    "Chambre des Notaires de Paris.xls",
    "ZJ08718262708920406KZA.xls",
    "Fattura 561966.xls",
    "G67693032887418061NRS.xls",
    "Fattura 78671.xls",
    "VH45860876277636153IYJ.xls",
    "Fattura 2022 - IT 00499.xls",
    "B8801878004904300HYQ.xls",
    "Rechnungszahlung.xls",
    "Rech 2022.02.11_1356.xls",
    "Formular 2022.02.11_1614.xls",
    "Fattura 2022 - IT 00227.xls",
    "Electronic form.xls",
    "Rechnung 2022.02.11_1523.xls",
    "Form - 02 Nov, 2022.xls",
    "Latest payment.xls",
    "Report.xls",
    "Rech.xls",
    "Scan 2022.02.11_1154.xls",
    "Rechnungs-Details 2022.02.11_1615.xls",
    "RechnungsDetails 2022.02.11_1053.xls",
    "Q95097909266YY.xls",
    "Invoice Number 269299 02-11-2022_1356.xls",
    "Rechnungskorrektur.xls",
    "Invoices Overdue.xls",
    "WBE-011122 YYNN-021122.xls",
    "10095526485508587240716.xls",
    "4489.xls",
    "Rechnung 2022.02.11_1145.xls",
    "Fattura 1717.xls",
    "payments 2022-11-02_1137, USA.xls",
    "GON088160074RL.xls",
    "SLIM CD INC.xls",
    "fattura novembre.xls",
    "Scan.xls",
    "payments 2022-11-02_1011, USA.xls",
    "Invoice Copies 2022-11-02_1008, USA.xls",
    "INVOICE00032762.xls",
    "Migsich gescanntes-Dokument 2022.02.11_1124.xls",
    "Rech 2022.02.11_1333.xls",
    "KQL-011122 BKFP-021122.xls",
    "KK2765229177BZ.xls",
    "2022-11-02_1835.xls",
    "2284_68@2284",
    "Fakturierung.xls",
    "1004327921702759545.xls",
    "Recent money transfer details.xls",
    "RechnungsDetails 2022.02.11_1231.xls",
    "Scan 2022.02.11_0928.xls",
    "EF2650172670885KV.xls",
    "Fattura 5382.xls",
    "Copia Fattura.xls",
    "SCAN594_00088.xls",
    "INVOICE0000004678.xls",
    "Dokumente-vom-Notar 02.11.2022.xls",
    "Details 2022.02.11_1008.xls",
    "Hkcon.co_2022-02-11_1636.xls",
    "DETALLES-0211.xls",
    "Rechnung 2022.02.11_0921.xls",
    "2022-11-02_1208.xls",
    "Details.xls",
    "Fakturierung 2022.02.11_1102.xls",
    "Rechnungszahlung 2022.02.11_1142.xls",
    "Rechnungs-Details.xls",
    "Bill address change.xls",
    "gescanntes-Dokument 2022.02.11_1028.xls",
    "Fattura numero 86585 del 02.11.2022.xls",
    "Fattura 42734.xls",
    "INV 02-11-2022_0824.xls",
    "Scan 2022.02.11_1035.xls",
    "2022-11-02_1809.xls",
    "Hkcon.co_2022-02-11_1727.xls",
    "PLJ373704016BZ.xl"
]);
let lookback = 7d;
EmailAttachmentInfo
| where TimeGenerated >= ago(lookback)
| where FileName in (suspiciousFileNames)

By taking the NetworkMessageId from any results returned by the above query, we can look up the original email using the EmailEvents table:

EmailEvents
| where NetworkMessageId == "{NetworkMessageId retrieved from before}"

Conclusion

This was a shorter blog post with examples of how you can prevent and hunt for Emotet and similar malware strains. As always, there are plenty of additional actions you could take to better secure your organization against threats like these, and a thousand different detection mechanisms you could deploy.

It’s hard to fathom that we, in 2022, are still being affected by Office macros… Disable macro execution where you can and be done with it!
