Emotet Defensive Triage Notes
Loader notes for educational and defensive malware triage.
Executive Summary
Emotet has been reported as a loader and initial access facilitator. Defensive triage focuses on phishing delivery, script execution, persistence, and follow-on payload risk.
Malware Type
Loader
Common Behavior
- Often associated with malicious email delivery and script or document execution chains.
- May download follow-on payloads and establish persistence.
- Can support broader intrusion activity after initial execution.
MITRE ATT&CK Mapping
- T1566 Phishing
- T1204 User Execution
- T1105 Ingress Tool Transfer
IOCs Placeholder
IOCs vary by campaign and should be validated before use. Add confirmed hashes, domains, URLs, IPs, registry paths, file paths, or mutexes from authorized investigations only.
Detection Opportunities
- Hunt for suspicious parent-child process relationships, such as Office applications spawning script hosts or command interpreters.
- Review proxy and DNS telemetry for newly contacted infrastructure after email interaction.
- Correlate endpoint detections with mailbox and attachment telemetry.
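The following is an added example, not part of the original triage notes, showing how the first two hunts above can be combined into a single pass over endpoint telemetry. It flags process-creation events where an Office parent spawns a script host or command interpreter, then enriches each hit with DNS names the same host queried shortly afterwards that are absent from a known-good baseline (proxy logs can be substituted for DNS with the same logic). All hosts, timestamps, paths and domains are constructed sample data; the process image lists and the ten-minute window are assumptions to tune for the environment.

```python
# Added example (not from the original notes): detect Office -> interpreter
# process lineage and correlate each hit with newly contacted DNS names.
# Every event, host and domain below is constructed sample data.
from datetime import datetime, timedelta

# Assumed image lists; extend to match the environment's tooling.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETER_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed process-creation events (Sysmon Event ID 1 style fields).
PROCESS_EVENTS = [
    {"timestamp": "2024-01-15T09:02:40", "host": "WS-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"timestamp": "2024-01-15T09:05:12", "host": "WS-01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"timestamp": "2024-01-15T09:07:00", "host": "WS-01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ping.exe"},
    {"timestamp": "2024-01-15T09:20:05", "host": "WS-02",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Constructed DNS telemetry; ".invalid" names are placeholders.
DNS_EVENTS = [
    {"timestamp": "2024-01-15T08:50:00", "host": "WS-01", "query": "old-lookup.invalid"},
    {"timestamp": "2024-01-15T09:05:30", "host": "WS-01", "query": "update.microsoft.com"},
    {"timestamp": "2024-01-15T09:06:02", "host": "WS-01", "query": "cdn-example.invalid"},
    {"timestamp": "2024-01-15T09:21:00", "host": "WS-02", "query": "outlook.office.com"},
]

# Constructed baseline of domains the environment is known to contact.
BASELINE_DOMAINS = {"update.microsoft.com", "outlook.office.com"}


def basename(path):
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_lineage(events):
    """Return process events where an Office parent spawned an interpreter."""
    return [
        e for e in events
        if basename(e["parent_image"]) in OFFICE_PARENTS
        and basename(e["image"]) in INTERPRETER_CHILDREN
    ]


def new_domains_after(hit, dns_events, baseline, window=timedelta(minutes=10)):
    """DNS names the hit's host queried within `window` after the hit that are
    not in the baseline. Lookups before the hit are ignored on purpose."""
    start = datetime.fromisoformat(hit["timestamp"])
    end = start + window
    found = []
    for d in dns_events:
        if d["host"] != hit["host"]:
            continue
        t = datetime.fromisoformat(d["timestamp"])
        if start <= t <= end and d["query"].lower() not in baseline:
            found.append(d["query"].lower())
    return found


def triage(process_events, dns_events, baseline):
    """One alert per suspicious lineage hit, enriched with newly contacted
    domains so an analyst can prioritise which host to contain first."""
    alerts = []
    for hit in find_suspicious_lineage(process_events):
        alerts.append({
            "host": hit["host"],
            "time": hit["timestamp"],
            "parent": basename(hit["parent_image"]),
            "child": basename(hit["image"]),
            "new_domains": new_domains_after(hit, dns_events, baseline),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(PROCESS_EVENTS, DNS_EVENTS, BASELINE_DOMAINS):
        print(alert)
```

Run against the sample data, the pass yields two alerts: the WS-01 hit carries one previously unseen domain queried a minute after the spawn (the earlier lookup at 08:50 falls outside the window and is ignored), while the WS-02 hit carries none and can be triaged at lower priority. The baseline set is what keeps the correlation useful; without it every lookup after a hit would be reported.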
Defensive Recommendations
- Contain affected hosts and collect email artifacts tied to delivery.
- Identify and remove follow-on payloads or persistence.
- Review mail filtering, attachment controls, and user reporting workflows.
Disclaimer
Educational and defensive use only. These notes support authorized analysis and detection engineering. They are not attribution claims and should not be treated as a complete malware verdict by themselves.