Emotet Threat Analysis in 2024.

Emotet is a stealer trojan that has requalified into dropper malware at some point.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, Trojan Scanner and Online Virus Scanner.

Emotet Trojan Analysis | Gridinsoft

What is Emotet Malware?

October 19, 2023

Requalification is a pretty rare case in the malware world. Originally a banking stealer, Emotet trojan gained the ability to deliver other malware, which then became its main purpose. Despite such a transformation, it retained its key functionality – stealing banking information.

Emotet is a trojan-dropper, appearing in 2014. By design, this malware was a banking stealer – a pretty prolific one. Since the start it has combined advanced spreading and launching techniques, along with a specific approach towards grabbing credentials. After several large updates (referred to as v2/v3/v4) it received a dropper functionality, which made its modern image such as we know it. Together with heavy anti-detection and anti-analysis techniques, this malware poses a serious cybersecurity threat to any kind of users. Another distinctive feature of Emotet is its periodic activity: instead of steady uptime, malware rather has sporadic bursts of spreading.

Received Emotet samples

The extensive malware delivery network formed by hackers that stand behind Emotet is worth separate attention. Both its scale, uptime and malware that is spread via such a network have beaten any of its contemporaries. IcedID, QakBot, UmbreCrypt, Conti and TrickBot – all these malware names had a long cooperation with Emotet threat actors. Such a success is an obvious reason for the interest from law enforcement. In 2021, two of Emotet high-ranked participants (ones who were responsible for maintaining network infrastructure) were captured in Ukraine. That did not stop malware from running though, but its activity became even more unpredictable than it ever was.

For Windows users, Emotet may be familiar under the nickname of Sabsik. Obviously, Microsoft usually assigns a specific detection name for large malware families – and some Emotet samples receive the eponymous detection. However, as malware exploits deep packing and other detection evasion methods, it is quite easy to find a sample with family signatures smudged. In such cases, Microsoft Defender will display a pop-up with Trojan:Win32/Sabsik detection.

Emotet history

We have already mentioned some important milestones in the history of Emotet malware. It appeared in June 2014 under the name of Heodo/Geodo, and received its first major update (v2) at the end of the same year. These versions were generally aiming at Central European countries with developed economies – in particular Germany, Switzerland and Austria, so-called DACH. Key activity was circulating around banking data stealing. Through the following 1.5 years the activity of a newcomer was not noteworthy, although malware received another update (v3) and the ability to act as malware loader – the thing that became definitive for the future of Emotet.

Emotet timeline

At the end of 2016, a cybercrime group called Mealybug (a.k.a TA542) formed up and started its malicious activity using Emotet. Their activity in 2017 was titled with a spike in activity – mainstream banking information stealing and the deployment of a wide range of malware. The dropper campaign included TrickBot, IcedID stealer and a couple of ransomware samples. Year of 2018 was significant because of the start of full-scale attacks upon companies and governments. The loudest victim in that year was the computer system of the city of Allentown. The attack cost over $1 million to fix.

Following years brought even more ill fame to Emotet. Throughout 2019 and 2020, they attacked hundreds of companies and even infrastructure of large cities, like Frankfurt, Lake and Quebec. This, apparently, triggered some serious attention from law enforcement agencies, primarily the FBI. Together with their colleagues from Europe, the US law enforcement launched an operation called Ladybird, that ended up with capturing some of the Emotet top management members. Two men responsible for managing network infrastructure of Emotet malware were arrested in the capital of Ukraine – Kyiv. That case eventually led to a temporal shutdown of all operations.

Nonetheless, fear related to these arrests did not last long. Less than 6 months after these events, malware relaunched its activity, with pretty much the same scale. However, the active periods became way shorter than they used to be. Instead of up to a year-long uptime, they show up for a month, or even a couple of weeks – and go offline. Homogeneity of this gang and absence of any realistic media activity does not allow us to make any conclusions about the reasons for such a change, excluding extremal carefulness, of course.

Unfortunate Times

Throughout the long time, since around 2018, Emotet relied heavily on spreading through MS Office macros. This method has proven itself exceptionally reliable and simple to implement. Just deliver the infected Office file – via email spam or through any other method – and wait. The number of users who were aware about malignant use of macros remains low even these days, leave alone early days of Emotet. And the amount of exploitation opportunities were tremendous and allowed for pretty much any action needed in malware injection process. This was about to change, sooner or later.

In February 2023 Microsoft announced implementation of Mark-of-the-Web, a specific mechanism in MS Office that marks the documents downloaded from the Internet. One marked in such a way gets its active content blocked upon launching, both macros or links. It can still be disabled – but with much more effort compared to a simple click on the button “Allow macros”. And while other malware managed to find a replacement for macros, Emotet did not.

MotW MS Office
The only way to disable Mark-of-the-Web - by editing the properties of the file

After the MotW implementation, Emotet activity started decreasing with tremendous speed. Actually, the attempts of its masters may have been significant, but the result was not. In less than 2 months afterwards, Emotet basically lost any botnet expansion potential. As of September 2023, hackers do not even try to change anything – our analysts detect less than 10 samples a day at peaks, and 2-3 samples per day on average. This is just pathetic compared to Emotet’s prime-time with thousands of victims each day.

Is this the end of Emotet? We don’t think so. It is not unusual for Emotet to stay low for a long time, though over half a year of lull is still extraordinary. Possibly, the team has lost their leaders during the early 2021 events, and the rest just cannot keep up and find new approaches. Possibly, they are getting ready for something bigger – which is possible, especially due to the introduction of Python applets support in Microsoft Office. The time will show, but 2023 is definitely quite a depressing year for this malware.

Botnet Structure

Botnets led by Emotet are large enough to be noteworthy, especially considering their unusual structure. Since both malware and its network infrastructure are updating constantly, the difference between networks of infected computers over time increased dramatically. Such changes brought a lot of problems to analysts that tried to predict and prevent the threat, but simultaneously gave them a great classification tool. These days, analysts define 5 different botnet infrastructures, named epochs. They may be distinguished by the public encryption keys that are held within C2 configuration, present in each malware sample. The developer did not share their malware samples with clients, as a lot of other malware developers do. Instead, they hire and study the hackers, which then act correspondingly to strictly-marked rules. That’s why it is quite easy to divide all the botnets into compact groups.

Epoch 1, 2, and 3 were actively used since 2017 – when TA542 formed as a separate cybercrime group. They bore upon earlier versions of Emotet, which carried a public RSA key hard-coded into each sample. During the C2 communication, malware applied that key to cipher an AES key, which, in turn, served to cipher the data going in and out. All three epochs were active until January 2021, when a major part of network infrastructure was seized along with members’ arrests.

Epochs 4 and 5, however, were developing independently of the first three, which gave the gang a second chance after the events at the beginning of 2021. These botnets used newer versions of Emotet, which featured two ECC public keys, that were used to encrypt data and to validate data packages correspondingly. These days, these two botnets form a backbone of Emotet malware; according to the research, over 60% of the Emotet network belongs to Epoch 4, while the rest (under 40%) is Epoch 5.

Emotet Distribution Ways

Main ways of Emotet malware spreading both in past and present is email spam. By most parameters, it repeats some common spam you may have witnessed in any other malware spreading campaign. A message mimics some urgent or important notice that should be reviewed by the receiver. Common topics are “Overdue invoice” or “Delivery notification” with the attached MS Excel file. Malware installation script is hidden inside of a macro application. Once this file is opened, the document shows you an offer to enable macros as “part of the content is missing”. Executing the script embedded in the macro makes your PC connected to a compromised website (generally a WordPress-based page) that emits a payload.

Emotet delivery

Changes Due To Policy Updates

At the beginning of 2023, Microsoft decided to cut down the ever-loved tactic with malicious macros. After over 2 decades of flawless operations as a malware delivery way, it became almost completely blocked by disabling executable content for MS Office files that arrived from the Internet. Such files are marked specifically, and after the launch, Microsoft Office will flatten such a file, similarly to how CDR systems do.

Move MS Office file Emotet
Request to move a lure file to the MS Office root directory

However, Microsoft would not be itself if it had not left a huge breach in this mechanism. Any MS Office file may be run “as usual” if it is launched from the MS Office directory. The system recognizes any file from that place as trustworthy, and thus no executable content will be excised. Cybercriminals who spread Emotet add specific instructions to move the file in the message or right inside the text of this file.

Self-propagation

Emotet stealer capabilities turn out to be useful not only for collecting important credentials. This malware is capable of accessing MS Outlook address book, and using it to commence mass-mailing. This, however, is possible only with the use of specific add-ons for Emotet. As you can guess, messages sent in such a manner contain the same thing as Emotet used to arrive at the initial system. But now, it also gains a disguise - the personality of the attacked PC user. That approach allowed Emotet to have an almost exponential gain of victims in certain campaigns.

Some analysts also say that Emotet is capable of self-spreading using Windows networking vulnerabilities, such as EternalBlue. This, however, is not particularly true — Emotet participated in deploying TrickBot malware to the system, which then used the mentioned breach to propagate itself to other systems in the network.

The most recent versions of this malware, released at the edge of 2022, feature their own way of spreading within the network. It impersonates the user account from the machine it is running on, and tries to connect to other machines in the local network using SMB. Same as in the case of mass-mailing, this trick requires the operator to install the corresponding malware plugin. To log into these machines, it uses a hardcoded list of usernames and passwords to perform a simple brute force. WnetOpenEnumW and WnetEnumResourceW – basic WinAPI calls – help malware with enumerating the machines and other network elements present and available.

Infection chain

As we mentioned above, the main way of Emotet delivery to the target system is malicious macro in the Office document. However, samples have major differences in the method of loading after the mentioned macro was launched. These alterations appear not only between samples of different activity periods, but also during a single attack. That is probably the result of the affiliate's job – each team of ones create their own loading scripts, which makes them unique in each case.

Emotet arrives as a 64-bit .dll file, with a randomly generated name given by the server that is used to emit the payload. Macro script saves it to the Temp folder. Same macro then applies regsvr32.exe to run the payload. In order to evade early detection and confuse signature-based anti-malware engines, Emotet practises the tricks typical for different other advanced malware. Most of them are related to code packing, obfuscation and code encryption.

Loader

The aforementioned DLL gets to the target system in the encrypted form, and is unpacked using the shellcode embedded in the loader. The latter is the specific add-on that goes stuck to that library. VirtualAlloc function serves to allocate RAM area to inject decrypted malware code and make it run during several stages. First, the loader allocates the memory and protects it with PAGE_EXECUTE_READWRITE property. Further, it deciphers the part of the DLL into this memory, using a decryption key added at the stage of sample packing. After that, the execution is passed to this memory area.

Emotet loader execution procedure
Emotet loader execution procedure

Second stage supposes the use of another piece of code. An ASM blob, designed to decrypt, load, and run the specific part of the Emotet’s DLL, is a final stage before seeing the actual execution of this malware. Similar to previous stages, it allocates memory and sets a PAGE_EXECUTE_READWRITE protection, and dumps the decrypted contents of the DLL. But to run it, this code calls VirtualAlloc once again, in order to remap the sections to a different memory location. Only then, the code is getting executed.

Decrypted Emotet strings
Decrypted Emotet strings

Gaining persistence

Newly-launched sample of Emotet will establish persistence in the system. For this purpose, it creates a registry key that guides Windows to launch the loader at system start. The key is attached to the current user account, and is located in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive. This key leads to a randomly-named copy of the loader we described in previous paragraphs, placed in the Temp folder. After being launched via this key, it does the described above loading procedure once again.

Registry entries created by Emotet malware
Registry entries created by Emotet malware

The peculiarity of all this procedure is that it constantly changes, even within a single Emotet version. Samples of this malware caught in the wild around spring 2022 and in November of the same year have a different way of handling the code strings. Instead of keeping them decrypted within a certain section of its PE, latest versions keep them encrypted, and decipher on demand. That is somewhat similar to the manner SmokeLoader backdoor handles this – and it makes it difficult both to detect and analyse. Still, some tricks allow us to extract most of this data. And only developers know how that will happen in future Emotet releases.

C2 communication

An obvious step that comes shortly after gaining persistence in the attacked environment is contacting the command and control server. Emotet performs it as usual and non-typical simultaneously. Commonly-used HTTP POST/GET requests feature an elliptic-curve cryptography (ECC) encryption, which has proven itself as an exceptionally tough nut. A pretty salient feature, however, is the use of 8080 port in a vast majority of its connections. Other ones in use are 80, 443 and 7080. List of IP addresses of command servers, as it happens commonly, is embedded into the malware code at a stage of compilation. However, as numerous researches show, the addresses that appear amidst malware strings are not related to exact C&C servers. In order to mask the traffic, Emotet operators use compromised servers as proxy simply to disable the ability to reveal the botnet infrastructure IPs that easily. Both Epoch 4 and Epoch 5 botnets feature several pools of C2 addresses that show up in different malware samples.

Encoded C2 addresses among the code sections of Emotet
Encoded C2 addresses among the code sections of Emotet

As we mentioned above, public ECC keys are hard-coded into the Emotet samples. They are needed to generate a private encryption key, that will secure the data, and to validate the data package. Such a double-check is not a paranoid reassurance, but a demanded security measure – that helps C&C to weed out fake traffic. Initial request, same as in other malware, contains some basic information about the infected machine, required for fingerprinting purposes. Overall, commands that Emotet can receive may be divided into 4 categories, and are marked with 1-9 digits.

Command name Description
Load a module Loads one of six modules available for installation. Each one has a corresponding variable in the command, although its header remains the same. Hides under the number of 2.
Sleep Forces malware to stop any actions and go idle. Same command to the already “sleeping” bot will wake it back up. Took the number of 5.
Update/remove Updates the Emotet binary on the machine. A specific variable will command the malware to perform self-destroying. Has a number of 1.
Download DLL/EXE Orders to download malware from a specified source (sometimes a different C2). Uses code 3 for a regular download & run, and 4 for downloading and running the additional payload via regsvr32.exe, i.e. using Emotet methods.

Modules

Modern samples of Emotet do not come packed with all possible functionality. In fact, by default it lacks even its stealing module, offering only remote access, i.e. behaving more like a backdoor. Aside from delivering additional payloads to a system and data stealing, Emotet also supports receiving an “upgrade” – additional modules that extend its functionality. There could be up to 6 different modules, which appeared steadily and are evolving constantly.

Stealer module

First and foremost, Emotet is a banking stealer, and only then a dropper malware. It did not lose its capabilities for digging out banking credentials even after seeing more often usage as a tool for botnet establishment. After launching and establishing persistence, malware starts listening to web browser activity. However, instead of a more classic approach with keystroke logging or cheating with web frames or redirects, Emotet applies monitoring traffic in order to detect a connection to the banking website. It receives a list of ones to spy on together with the module itself. If any activity related to one of these domains is detected, Emotet tries to eavesdrop the connection and extract passwords. With time, malware was taught a different way to steal credentials – by hacking the password storing mechanism used in most popular web browsers.

Hardware module

Despite aiming at banking credentials more than other things, Emotet can also collect detailed information about the system it is running in. Hardware module is what helps it with that task, but with a pretty unusual add-on. Aside from the functionality that helps malware to grab the info about the system, it adds another anti-spoofing layer, that checks genuinity of the bot messages. The packet that contains the hardware module contains a specific ID value, that is attributed specifically to that bot. Packet with the results of this module activity – gathered information – contains a specific value at the end, that is generated using the ID value contained within the module package. If the C2 server does not have a matching range of values for the one, it blocks packages from this bot, marking it as a fake one. The types of PC information gathered by Emotet are the following:

  • Username
  • Hostname
  • Session ID
  • Windows version
  • Windows build
  • Total system RAM
  • Used RAM
  • Name of Emotet's process

XMRig

An infamous coin miner trojan, that aims at exploiting hardware of the target PC to mine Monero cryptocurrency. Earlier, it was delivered by Emotet-based botnets as a separate malware. But during the last campaign that took place in November 2022, XMRig arrived at the systems infected with Emotet as its module. Such a transposition had happened in the past with other malware – particularly one Emotet developers considered as their “partner”. And such a coexistence sounds logical considering the number of infected machines under the rule of Emotet and the fact that coin miners are most effective in the long-term perspective.

Advanced email stealer

Emotet can steal email credentials it meets “by the way” while it breaks into the browser. Stand-alone mailing services, like Outlook and Thunderbird, remain untouched – and advanced email stealer module fixes that issue. Aside from the ability to use the accounts for self-spreading via spam, operators receive the information that eases spear phishing by orders of magnitude. In addition, this module allows you to get the contact book of the hijacked accounts. This, together with thread hijacking, makes this module pretty effective when it comes to bumping the attack efficiency.

Email spamming for self-propagation

Above, we mentioned that Emotet is capable of sending itself through the email message, repeating the manner it infected the initial machine. But as you may guess, it is not vastly effective when you don’t have access to email accounts or contact books. For that reason this module mainly appears as a complementary to the email stealer. Module uses a default pattern of message, set by the operator, and MS Office file that carries a malicious macro.

SMB lateral movement module

Server Message Block protocol, or SMB, is a brilliant solution not only for connecting computers and peripheral devices to a single local network, but also for malware spreading. Impersonating the user of an infected computer, Emotet is capable of connecting to other computers in the local network, and deploy itself there. As we mentioned above, it uses a list of typical passwords to perform brute force attacks, and enumerates computers present in the network with WnetOpenEnumW and WnetEnumResourceW commands. This module appeared pretty recent – around the beginning of 2022.

Traffic proxying a.k.a UPnP module

We already mentioned that TA542 uses numerous compromised servers around the world as proxy servers that redirect the traffic to a genuine Emotet C2. UPnP module is what helps malware operators to find new servers, or organise a temporary proxy layer for their connection. This module allows an infected computer to receive the traffic from other attacked systems, and redirect it to the actual C2 server.

Malware delivery by Emotet

Emotet is known for delivering a huge number of malware names. Among them are ransomware, spyware, other droppers, and even coin miners. Attacking both companies, single users and even government organisations, it never picks specific victims for specific malware. There is an order – and Emotet simply executes it. Let’s see the most known malware samples spread by Emotet trojan.

Malware name Description
IcedID A.k.a. BokBot. Banking trojan, similar to what Emotet was before turning into a dropper. Acts as a primary payload for Emotet, as being delivered to infected systems almost immediately after the initial C2 contact.
Conti Ransomware, a product of an eponymous Russian cybercriminal group. Was generally delivered to corporations. Group dissolved in April, 2022, after a leak of ransomware source code.
BlackCat Ransomware gang, which started their partnership with Emotet in summer 2022. Prolific gang that attacks mainly corporations and government organisations. Publishes victims' data in surface Web.
Ryuk Ransomware, was generally delivered as a final payload in the chain Emotet → TrickBot → Ruyk. Most often, it aims at corporations.
STOP/Djvu Ransomware that attacks single users and rarely companies. Used to be one of the most prolific ransomware gangs. Has a long-term partnership with Emotet, despite only dim information about that.
TrickBot Dropper malware/backdoor, yet another long-term partner of Emotet. Used to deliver various other malware – including Emotet itself after its resurgence after January 2021 events.
CobaltStrike Not a regular malware, but a complex tool for malware orchestration. Acts generally as a backdoor, with its Beacon module, that allows it to access the environment and deploy any kind of additional payloads.
XMRig Coin miner malware, one of the most widespread in its kind. Conjunction of effectiveness and flexibility makes it pretty prolific on its market. Began spreading as an Emotet module in 2022.

How to protect yourself from Emotet?

Throughout the long history of its evolution, Emotet developed numerous ways to avoid detection in the system it is running in. That’s why the best way to protect yourself from this malware is to prevent its appearance in your system. However, conducting these measures in corporations is less efficient, as there are dozens (or even hundreds) chain links that may break apart. Thus, it is better to apply both preventive and reactive measures.

Be familiar with the typical methods of Emotet spreading. Actually, there is only one – email spam with a malicious attachment. Knowing how to distinguish between genuine email and the fake one will save you from different other problems. Spam that contains a MS Office document with a malicious macro became a beloved spreading tool for all categories of cybercriminals. Always remember which emails you should receive, and stay aware even if your colleague texts you about something routine. Keep an eye out for strange email addresses – the one that contradicts with the email topic or a possible sender.

The most effective advice here is to avoid enabling macros execution under any circumstances. Whatever the document or email says, enabling macros is a bad idea. Their usage nowadays is pretty rare, as there are numerous other ways to provide interactivity and document updates with the same or even higher efficiency as macros do. Microsoft forbids execution of macros in the documents that arrived from the Web, but that still does not mean they are 100% safe.

Use advanced security solutions. This advice is both reactive and proactive, as such a program will help you with both detecting a malicious Office document, as well as stopping the already going infection. However, regular anti-malware software is barely able to deal with threats like Emotet. It should feature a behavioural detection system, or even AI-based scanning, to spot malware samples even when it is hidden behind numerous layers of obfuscation and packing.

Set up a network protection system. Emotet applies enhanced networking features that allow it to slip through the passive barriers like firewalls. The Network Detection and Response system (NDR), on the other hand, is able to detect suspicious traffic using the same advanced detection techniques as we described above. Even when it is not certain about detecting malicious traffic, NDR will notify the security team about suspicious behaviour. It touches both external and internal connections – don’t forget about SMB spreading methods.

Check your sent messages. That touches both individuals and employees of large corporations. Detecting messages you’ve never sent is already not a good sign. Seeing a typical malspam message sent from your name is a very bad omen. If such activity is detected, you should scan your device and contact the system administrator (if you have the one).

Emotet IoC

IP addresses

187.144.227.2 143.0.245.169 189.245.135.12
5.67.96.120 203.130.0.67 181.189.213.231
186.4.167.166 117.218.17.6 213.14.166.152
1.234.2.232 101.50.0.91 103.132.242.26
103.43.75.120 103.75.201.2 104.168.155.143
107.170.39.149 110.232.117.186 115.68.227.76
119.59.103.152 129.232.188.93 139.59.126.41
139.59.56.73 147.139.166.154 149.28.143.92
149.56.131.28 153.126.146.25 159.65.140.115
159.65.88.10 159.89.202.34 1.21.136.179

Hashes

MD5: cb9e1acaf2bc27d3d63ab65fda4c5186
MD5: d2d13fb9464c11719f9232c9fedb702e
MD5: 827dc167869b7e832d0bb302741cfdd1
MD5: f7f9d268e8553cd2631ce5cc36fdb8e3
MD5: 17d0249831849e69bd89f0777b8f7198
MD5: ad4dc5f1468aed6dc24457166b561171
MD5: d56787b2b92525ddb9da2604af77fb7d
MD5: 71499d67b748d742241df13e96c9bb04
MD5: bbf633e6434386e4bdb7503266fadb2f
MD5: 6b234087d3cb95e28d3e0caea780bf6b
SHA256: bb444759e8d9a1a91a3b94e55da2aa489bb181348805185f9b26f4287a55df36
SHA256: f6485aef4be4cb0ec50317b7f87694fb775f81733af64c9bc6050f6806504207
SHA256: 0000dad03392dd3c6e997bad4eed45afddcda5eb2b29402304cb6a463d8b6dbc
SHA256: 00012006226f4b68b40767430075321015626b2fcba8ad1dddf1dc6d0de68f4d
SHA256: 00021d6cba6faa8a7689ac0290549a3b0c999766fa5061cf3ee9b6cc943dc3d0
SHA256: 0002a0fb0ee6d81edd91287ea1e89ab30a3421dd9840b99ea46e69b9be191d64
SHA256: 0002afff4625bee9fb13b0d0c845e0c1b4381c16a65b72024b7759b18256f911
SHA256: 00037f2d52219a6672d6a583e887a809250c96f8f0eacf7d8503848c874dac6b
SHA256: 0002bfc448d1d6417b1cc74306fdf3979675f3b88778aee17463dee9fe3bf9d1
SHA256: 000495b2f119bfebf709c63e76d71923c45863242757698a7cb9bf1983036e99

URLs

0007.name 02feb02.com 1000paginas.com
10x45.com 123breathe.org 13cuero.com
12cunghoangdao.edu.vn 1conpo.ru 1566xueshe.com
1skt.com 1roof.ltd.uk arthaloca.com
grupokeithmar.com marseilleseriesstories.com 23brickstreet.com
web-hosting.es posadamision.com 2idiotsandnobusinessplan.com
282wiwwuoqeorurowi.com 3635optical.ga 3dstudioa.com.br
3kiloafvallen.nl 50-50aravidis.gr a-cf.org

MITRE ATT&CK signatures

Indicator Description Indicator Description
T1552.001 Credentials In Files T1110.001 Password Guessing
T1573.002 Asymmetric Cryptography T1047 Windows Management Instrumentation
T1552.001 Credentials In Files T1041 Exfiltration Over C2 Channel
T1043 Commonly Used Port T1040 Network Sniffing
T1021.002 SMB/Windows Admin Shares T1555.003 Credentials from Web Browsers
T1547.001 Registry Run Keys / Startup Folder T1065 Uncommonly Used Port
T1114.001 Local Email Collection T1560 Archive Collected Data
T1210 Exploitation of Remote Services T1003.001 LSASS Memory
T1059.001 PowerShell T1087.003 Email Account
T1566.002 Spearphishing Link T1566.001 Spearphishing Attachment
T1059.005 Visual Basic T1204.001 Malicious Link
T1078.003 Local Accounts T1204.002 Malicious File
T1057 Process Discovery T1027 Obfuscated Files or Information
T1059.003 Windows Command Shell T1571 Non-Standard Port
T1094 Custom Command and Control Protocol T1027.002 Software Packing
T1055.001 Dynamic-link Library Injection T1053.005 Scheduled Task