SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for the attacks described in US-CERT Alert TA18-201A, which centers on the advanced banking Trojan Emotet.

Additionally, thanks to the depth of the Hacker's Playbook™, a portion of this multi-stage attack campaign had already been simulated, so customers could already validate their security controls against parts of this attack. As always, SafeBreach Labs will continue to monitor the situation and develop new simulations as necessary.

The alert focuses on Emotet, a modular Trojan that primarily functions as a dropper for additional malware. Beyond that, Emotet causes harm by attempting to steal and exfiltrate sensitive information, and by disrupting systems or destroying data.

These attacks have targeted multiple industries, both public and private. SafeBreach recommends that all industries and businesses simulate this attack to identify whether or not they are protected against this campaign. To assess security control effectiveness against the techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Existing Playbook methods related to TA18-201A

Playbook #172 - SMB Brute Force

  • Network Controls - Are security controls in place to prevent brute-forcing of credentials that allow subsequent attacks used in this campaign?

Playbook #1269 - Creating Windows Scheduled Tasks

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent the creation or execution of malicious scheduled tasks?
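Of the two existing methods, the scheduled-task question is the one most readily checked from host telemetry. The Python script below is an added illustration, not SafeBreach's or the Playbook's own code: it runs a few generic heuristics over Windows Security event ID 4698 ("A scheduled task was created") records. The event records are constructed inline, the heuristics (a task that executes from a user-writable directory, or that launches an encoded PowerShell command line) are generic assumptions rather than anything the alert states about Emotet's persistence mechanism, and the script assumes that "Other Object Access Events" auditing is enabled so that 4698 is actually written to the Security log.

```python
"""
Flag suspicious scheduled-task creation events (Windows Security event ID 4698).

Added example, not SafeBreach's code and not a description of Emotet's own
persistence mechanism. Assumes 4698 auditing is enabled; the heuristics below
are generic and would need tuning against a real environment's baseline.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML in the TaskContent field of event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic (assumption): legitimate scheduled tasks rarely run binaries from here.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\)", re.IGNORECASE
)
# Heuristic (assumption): powershell with -e/-ec/-enc/-EncodedCommand on the task command line.
ENCODED_PS = re.compile(
    r"powershell(\.exe)?.*-(e|ec|enc|encodedcommand)\b", re.IGNORECASE
)


def parse_task_content(task_xml: str) -> dict:
    """Return the Exec command and arguments from a Task Scheduler XML document."""
    root = ET.fromstring(task_xml)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return {"command": cmd.strip(), "arguments": args.strip()}


def score_task(event: dict) -> list:
    """Return the heuristic reasons (possibly none) why a 4698 event looks suspicious."""
    task = parse_task_content(event["TaskContent"])
    full_cmdline = f'{task["command"]} {task["arguments"]}'
    reasons = []
    if USER_WRITABLE.search(task["command"]):
        reasons.append("executes from user-writable directory")
    if ENCODED_PS.search(full_cmdline):
        reasons.append("launches encoded PowerShell")
    return reasons


def triage(events: list) -> list:
    """Run the heuristics over event records and return the flagged tasks."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue  # only task-creation events are of interest here
        reasons = score_task(ev)
        if reasons:
            findings.append(
                {"task": ev["TaskName"], "user": ev["SubjectUserName"], "reasons": reasons}
            )
    return findings


def _task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal Task Scheduler XML body, as it appears in 4698's TaskContent."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events (not real log data). The encoded command is a benign
# "Write-Host hi" in UTF-16LE, which is how -EncodedCommand expects its input.
_BENIGN_ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")},
    {"EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": "\\Updater",
     "TaskContent": _task_xml("C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe")},
    {"EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": "\\Sync",
     "TaskContent": _task_xml(
         "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         f"-NoP -W Hidden -EncodedCommand {_BENIGN_ENCODED}")},
    {"EventID": 4624, "SubjectUserName": "jdoe", "TaskName": "", "TaskContent": ""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["task"]} (created by {f["user"]}): {", ".join(f["reasons"])}')
```

On a live host the same records would be pulled from the Security log (for example with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}`) and the TaskContent field passed to `parse_task_content`. If a simulation that creates a scheduled task produces no 4698 event at all, the gap is in auditing configuration rather than in the detection logic, which is itself a finding worth recording.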

New Playbook methods related to TA18-201A

Playbook #1609 - Transfer of Emotet DOC downloader over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the malicious .DOC file used for initial infection in this attack?

Playbook #1613 - Write to disk of Emotet DOC downloader

  • Endpoint Controls - Are security controls in place to prevent the malicious Microsoft Office Word document (.DOC) used for initial infection in this attack from being saved to disk?

Playbook #1608 - Transfer of Emotet payload over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the Emotet Trojan used in this attack?

Playbook #1612 - Write to disk of Emotet payload

  • Endpoint Controls - Are security controls in place to prevent the local deployment of the Emotet Trojan used in this attack?

Playbook #1610 - Transfer of password extraction tools over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the password extraction tools used in this attack?

Playbook #1611 - Write to disk of password extraction tools

  • Endpoint Controls - Are security controls in place to prevent the local installation of the password extraction tools used in this attack?

