{
	"id": "8356a56f-9ec9-4d90-9e36-9fbacc586690",
	"created_at": "2026-04-06T00:21:34.837183Z",
	"updated_at": "2026-04-10T13:11:52.024534Z",
	"deleted_at": null,
	"sha1_hash": "d5576267c274913a515a85ad3264de9afc19594d",
	"title": "Stopping Emotet Before it Moves Laterally | Red Canary",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42241,
	"plain_text": "Stopping Emotet Before it Moves Laterally | Red Canary\r\nBy Zach Lewis\r\nArchived: 2026-04-05 18:51:22 UTC\r\nWe’ve written a lot about lateral movement on this blog, and we took a long look at the tactic with some of our\r\nfriends from MITRE and Carbon Black in an on-demand webinar. However, if you’re dealing with lateral\r\nmovement, it’s likely something has already gone wrong in your environment.\r\nAs a precursor to our lateral movement webinar, we’re going to examine how our Cyber Incident Response Team\r\n(CIRT) can detect adversaries attempting to execute Emotet—and, by extension, other email-borne threats—\r\nbefore it compromises a customer environment. You can use the information here to help develop a strategy for\r\ndetecting Emotet (and other trojans) before a compromise occurs, and then you can use our lateral movement\r\nwebinar to create strategies for dealing with Emotet and other laterally moving malware or adversaries in cases\r\nwhere a breach has already occurred.\r\nWe chose to highlight Emotet here and in the webinar because it is one of the most prolific (and headache-inducing) lateral movers. Also, as Jessica Payne from Microsoft explained in a recent Twitter thread, strategies for\r\ndetecting Emotet are applicable to a wide variety of other adversary behaviors in both malware and hands-on\r\ntechniques.\r\nIt All Starts with a Malicious Document\r\nAs is so often the case, our detection—and the potential infection it alerted our customer about—started with a\r\nmalicious Microsoft Word document. 
The document was delivered as an email attachment and contained a macro that launched an encoded command line.\r\nhttps://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/\r\nPage 1 of 5\n\nAfter executing, the Word document spawned cmd.exe with an obfuscated command line.\r\nThe cmd.exe process, in turn, launched another obfuscated command line:\r\nMicrosoft Word Launches PowerShell… Eventually\r\nThis chain of obfuscated commands ultimately led to PowerShell, which is where things started to get interesting.\r\nIn the detection timeline, PowerShell made an outbound network connection to a compromised website and\r\ndownloaded an executable binary. Our internal threat intelligence (and VirusTotal) revealed that the hash of the\r\ndownloaded binary was associated with the Emotet trojan.\r\nPowerShell eventually executed that binary, which, in turn, wrote a new binary and deleted itself.\r\nWhat Next?\r\nIn an uninhibited Emotet infection, it’s likely the malware would have then attempted to move laterally to other\r\nmachines in the environment. There are numerous means for lateral movement, but Emotet has been known to\r\nmove from machine to machine by leveraging a server message block (SMB) vulnerability exploit like\r\nETERNALBLUE or by brute-forcing credentials for access to Windows Administrative Shares. 
Malwarebytes has\r\nsome good analyses of Emotet if you’re looking for further reading.\r\nDetecting Emotet\r\nOf course, many security tools or services can detect and block an attempted Emotet infection when the MD5 hash\r\nof the binary is known to be malicious and when the site hosting that binary is known to have been compromised.\r\nHowever, the malicious binary and the compromised website, while certainly helpful in this particular detection\r\nscenario, are not required for detection. In fact, we have at least five distinct opportunities here—each of which\r\ntriggered an event in our backend—for the Red Canary CIRT to have detected this activity in the absence of a\r\nknown bad hash or compromised website:\r\n1. Microsoft Word spawned a command line\r\n2. A command line contained obfuscated environment variables\r\n3. A PowerShell command leveraged the Invoke-Item cmdlet\r\n4. A PowerShell command contained a URL\r\n5. PowerShell downloaded a file\r\nAny one of these elements would have raised a flag for our CIRT, which would have then investigated the\r\nsurrounding context and informed the customer of this confirmed threat accordingly. Looking for similar activity\r\nin your environment can yield similar results, once you tune out authorized activity such as that from client\r\nmanagement tools.\r\nConclusion\r\nWe hope this article proves useful for anyone seeking out strategies for detecting Emotet and many other email-borne malware that use PowerShell to load malicious binaries—known or otherwise—from external hosts. 
As\r\nmentioned at the outset, this threat detection blog is a predecessor to an on-demand webinar on lateral movement.\r\nOur intention is to first offer strategies so you can detect and ultimately prevent Emotet and other malware\r\ninfections with this blog, and then to offer additional guidance in the webinar so you can apply lateral movement\r\ndetection strategies to root out traces of higher-level adversaries in your environment.\r\nWith the right combination of visibility and context, you can own your network and stop adversaries in their\r\ntracks!\r\nSource: https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/"
	],
	"report_names": [
		"stopping-emotet-before-it-moves-laterally"
	],
	"threat_actors": [],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5576267c274913a515a85ad3264de9afc19594d.pdf",
		"text": "https://archive.orkl.eu/d5576267c274913a515a85ad3264de9afc19594d.txt",
		"img": "https://archive.orkl.eu/d5576267c274913a515a85ad3264de9afc19594d.jpg"
	}
}