LUCY

User Tools

Site Tools

Trace:
create_a_phishing_campaign_with_a_word_macro

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revisionBoth sides next revision
create_a_phishing_campaign_with_a_word_macro [2019/08/07 11:37] lucycreate_a_phishing_campaign_with_a_word_macro [2019/08/07 13:03] lucy
Line 21: Line 21:
 {{ 14.jpg?direct&600 }}\\ {{ 14.jpg?direct&600 }}\\
 \\ \\
 +
 +We recommend using the Setup Wizard when used for the first time.
  
 ===== STEP 2 - Select or Create a Client ===== ===== STEP 2 - Select or Create a Client =====
  
-Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.+Create a client or choose the built in the client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.
  
  
 {{ 16.jpg?direct&600 }} {{ 16.jpg?direct&600 }}
  
-New clients can be created under "clients". In LUCY v. 2.5 and higher this is created under settings/clients.\\+New clients can be created under settings>clients.\\
  
 {{ 17.jpg?direct&600 }} {{ 17.jpg?direct&600 }}
Line 36: Line 38:
 ===== STEP 3 - Choose Your Configuration Mode ===== ===== STEP 3 - Choose Your Configuration Mode =====
  
-You may either continue with the **Expert Setup**, the **Setup Wizard** or a **Start with predefined campaign Template ** (called sample campaign in LUCY < 3.0) configuration. We recommend using the Setup Wizard when used for the first time. Another optional is to set a [[benchmark|Benchmark]] for a campaign. \\+You may either continue with the **Expert Setup** or a **Start with predefined campaign Template ** configuration. \\
  
 {{ 15.jpg?direct&600 }}\\ {{ 15.jpg?direct&600 }}\\
  
-Sometimes a remote Firewall, Spam filter or Virus Filter might automatically scan all the URL's within a link. As a result you end up with false positives and LUCY will show all link clicked (success). To avoid such automatic link requests by some 3rd party application you can enable the antivirus/firewall protection and LUCY will ignore all GET requests for the first 30 or 60 seconds:+Sometimes a remote Firewall, Spam filter or Virus Filter might automatically scan all the URL's within a link. As a resultyou end up with false positives and LUCY will show all link clicked (success). To avoid such automatic link requests by some 3rd party application you can enable the antivirus/firewall protection and LUCY will ignore all GET requests for the first 30 or 60 seconds:
  
 {{ ignorefw1.png?600 }} {{ ignorefw1.png?600 }}
Line 48: Line 50:
 ===== STEP 4 - Select a Phishing Template that supports Macro's ===== ===== STEP 4 - Select a Phishing Template that supports Macro's =====
  
-Now you need to select one or multiple phishing scenarios that supports Macro's (make sure you have [[download_templates|downloaded all the latest scenarios]] first). Please check out what [[scenario_types|different scenario types are available]]. A Macro attack is a file based attack simulation. Therefore, you can only use the following template types:+Now you need to select one or multiple phishing scenarios that support Macro's (make sure you have [[download_templates|downloaded all the latest scenarios]] first). Please check out what [[scenario_types|different scenario types are available]]. A Macro attack is a file-based attack simulation. Therefore, you can only use the following template types:
  
   * File Based Templates   * File Based Templates
Line 58: Line 60:
 {{ macro_mail.png?600 }} {{ macro_mail.png?600 }}
  
-This is an email only template that will send the users an email with a Word document file attachment that contains a macro. The macro has the ability to execute a list of harmless commands (e.g. "whoami") and send the output back to LUCY using the built in browser (HTTP). The commands can be configured with the email settings. You may also leave a copy of the output on the Desktop of the user (a text file called lucy_results.txt). If you don't wish to leave any traces, you can select "Delete Temporary File" in the Macro options. **Please note:** at the bottom drop down menu you can still switch between the different file templates and have the ability to pick a different Macro simulation (e.g. "POST ONLY", which most likely will generate less alerts on a possible AV solution).+This is an email only template that will send the users an email with a Word document file attachment that contains a macro. The macro has the ability to execute a list of harmless commands (e.g. "whoami") and send the output back to LUCY using the built in browser (HTTP). The commands can be configured with the email settings. You may also leave a copy of the output on the Desktop of the user (a text file called lucy_results.txt). If you don't wish to leave any traces, you can select "Delete Temporary File" in the Macro options. **Please note:** at the bottom drop-down menu you can still switch between the different file templates and have the ability to pick a different Macro simulation (e.g. "POST ONLY", which most likely will generate less alerts on a possible AV solution).
  
 {{ 65754.png?600 }} {{ 65754.png?600 }}
Line 68: Line 70:
 {{ macro_mixed.png?600 }}\\ {{ macro_mixed.png?600 }}\\
  
-**Note:** If you attach Office file to an email there is a much higher chance it will get filtered opposite to campaigns, where the Office File has to be downloaded from a web page. The "POST ONLY" Macro has the highest chance of not getting filtered as it is not accessing the local file system from the tested target. +**Note:** If you attach an Office file to an email there is a much higher chance it will get filtered opposite to campaigns, where the Office File has to be downloaded from a web page. The "POST ONLY" Macro has the highest chance of not getting filtered as it is not accessing the local file system from the tested target. 
  
 \\ \\
 ===== STEP 6 - Configure the Base Settings of Your Campaign ===== ===== STEP 6 - Configure the Base Settings of Your Campaign =====
  
-Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. First give your campaign a name and then choose how your recipients will be able to access LUCY by defining the [[domain_configuration|Domain]]. Finding the appropriate domain name is a very important step for the success and it depends very much on your campaign scenario. If you plan to create a fake web mail login you might try to reserve a domain like "webmail-server365.com" and point it to LUCY.\\+Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. Firstgive your campaign a name and then choose how your recipients will be able to access LUCY by defining the [[domain_configuration|Domain]]. Finding the appropriate domain name is a very important step for the success and it depends very much on your campaign scenario. If you plan to create a fake web mail login you might try to reserve a domain like "webmail-server365.com" and point it to LUCY.\\
  
 {{ 24.jpg?direct&600 }}\\ {{ 24.jpg?direct&600 }}\\
Line 87: Line 89:
   * **Use SSL**: If you decide to use SSL for the campaign (either generate a certificate or import a trusted certificate) you can do this via the [[ssl_configuration|SSL Wizard]].   * **Use SSL**: If you decide to use SSL for the campaign (either generate a certificate or import a trusted certificate) you can do this via the [[ssl_configuration|SSL Wizard]].
   * **Anonymous Mode**: Use this mode to hide all "Victim" data (IP address, login details, etc.) from statistics and reports.   * **Anonymous Mode**: Use this mode to hide all "Victim" data (IP address, login details, etc.) from statistics and reports.
-  * **Success Action**: Defines what LUCY considers as an successful attack. There are [[success_actions|four options]]. +  * **Success Action**: Defines what LUCY considers as successful attack. There are [[success_actions|four options]]. 
-  * **Track Opened Emails**: Inserts an invisible image into outgoing emails to track if users opened the message. Use this feature carefully as some email servers may put such emails into the Spam Folder. Also some email clients (like Outlook) block the automatic downloading of images in the Preview window. +  * **Track Opened Emails**: Inserts an invisible image into outgoing emails to track if users opened the message. Use this feature carefully as some email servers may put such emails into the Spam Folder. Alsosome email clients (like Outlook) block the automatic downloading of images in the Preview window. 
-  * **Send Link to Awareness Website Automatically**: Send a link to the [[awareness_e-learning_settings|Awareness Website]] after user has been successfully attacked. Please note that the Awareness Website should be published for this feature to work.+  * **Send Link to Awareness Website Automatically**: Send a link to the [[awareness_e-learning_settings|Awareness Website]] after the user has been successfully attacked. Please note that the Awareness Website should be published for this feature to work.
   * **BeEF Information Gathering** : Check this option to enable information gathering using BeEF.(http://beefproject.com/). BeEF is a penetration testing tool that focuses on the web browser - it helps LUCY collect advanced information about your users. More background info can be found [[beef_integration|here]].   * **BeEF Information Gathering** : Check this option to enable information gathering using BeEF.(http://beefproject.com/). BeEF is a penetration testing tool that focuses on the web browser - it helps LUCY collect advanced information about your users. More background info can be found [[beef_integration|here]].
   * **Collect Data**: Choose "Full" if you want to record all entered logins and passwords, "Partial" to record only the first 3 letters (remaining letters will be masked with asterisks) or "No" to skip user data collection.   * **Collect Data**: Choose "Full" if you want to record all entered logins and passwords, "Partial" to record only the first 3 letters (remaining letters will be masked with asterisks) or "No" to skip user data collection.
-  * **Double Barrel Attack**: When using Double Barrel Attack, the system first sends a "Lure" email containing some teaser text. After that the system waits for a while (you can configure that time in settings below) and sends an actual phishing email. The "Lure" delay defines, in seconds, the time frame between the Lure and the attack emails for a Double-Barrel Attack.+  * **Double Barrel Attack**: When using Double Barrel Attack, the system first sends a "Lure" email containing some teaser text. After thatthe system waits for a while (you can configure that time in settings below) and sends an actual phishing email. The "Lure" delay defines, in seconds, the time frame between the Lure and the attack emails for a Double-Barrel Attack.
   * **Login Regexp**: Another option is to define some login filters to only catch valid logins (you could define the Domain Name in the User Name field or say that the Password has to be at least 8 characters to be accepted from LUCY). Example: This filter here ^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9].{8,}$ would only allow logins with minimum 1 alphabetic character, minimum 1 digit & minimum length 8.    * **Login Regexp**: Another option is to define some login filters to only catch valid logins (you could define the Domain Name in the User Name field or say that the Password has to be at least 8 characters to be accepted from LUCY). Example: This filter here ^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9].{8,}$ would only allow logins with minimum 1 alphabetic character, minimum 1 digit & minimum length 8. 
   * **Redirect URL**: This is used for [[create_a_phishing_campaign_with_only_a_hyperlink_in_mail_no_landing_page|hyperlink based scenarios]] or within a landing page to redirect to an awareness page.   * **Redirect URL**: This is used for [[create_a_phishing_campaign_with_only_a_hyperlink_in_mail_no_landing_page|hyperlink based scenarios]] or within a landing page to redirect to an awareness page.
-  * **Compress Executable**: This setting is irrelevant for a Macro Based Campaign as a word file is not an executable.+  * **Compress Executable**: This setting is irrelevant for a Macro Based Campaign as a word file is not executable.
  
  
 ===== STEP 8 - Edit your Landing Web Page within Your Campaign ===== ===== STEP 8 - Edit your Landing Web Page within Your Campaign =====
  
-After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First select the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. +After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. Firstselect the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. 
  
-As we want to include a download to a Macro we need to make sure the Macro is selected at the bottom of the configuration page. This drop down menu will tell LUCY what malware simulation should be attached to the download bottom on this page:+As we want to include a download to a Macro we need to make sure the Macro is selected at the bottom of the configuration page. This drop-down menu will tell LUCY what malware simulation should be attached to the download bottom on this page:
  
 {{ macro_mixed2.png?600 }} {{ macro_mixed2.png?600 }}
Line 137: Line 139:
 ===== Step 12 - Add E-learning Content to Your Campaign ===== ===== Step 12 - Add E-learning Content to Your Campaign =====
  
-There is the option to have LUCY automatically send some e-learning content to all users or only users who have failed the phishing test. This configuration setting is part of an [[Awareness_E-learning_Settings|Separate Chapter (E-learning).]] If you want the users to get an e-mail with a link to the awareness content, you need make sure that in "STEP 7 - Configure Basic Settings" the checkbox "Send Link to Awareness Website Automatically" is selected and you configured an awareness template (mail and optional landing page). It is also important that you define what you consider as an [[success_actions|successful attack]] because only those who have been successfully tested will receive the mail. If you don't want the e-learning content to be delivered via mail you can also [[redirecting_users|redirect the user directly to a landing page with the awareness content]]. +There is the option to have LUCY automatically send some e-learning content to all users or only users who have failed the phishing test. This configuration setting is part of an [[Awareness_E-learning_Settings|Separate Chapter (E-learning).]] If you want the users to get an e-mail with a link to the awareness content, you need to make sure that in "STEP 7 - Configure Basic Settings" the checkbox "Send Link to Awareness Website Automatically" is selected and you configured an awareness template (mail and optional landing page). It is also important that you define what you consider as an [[success_actions|successful attack]] because only those who have been successfully tested will receive the mail. If you don't want the e-learning content to be delivered via mail you can also [[redirecting_users|redirect the user directly to a landing page with the awareness content]]. 
  
  
Line 153: Line 155:
 {{ 63.jpg?600 }} {{ 63.jpg?600 }}
  
-You will be able to track if the macro has been activated if you enabled the [[success_actions|success action]] as "file data receive". The actual output of the macro'can be found within the campaign under statistics/collected data.+You will be able to track if the macro has been activated if you enabled the [[success_actions|success action]] as "file data receive". The actual output of the macros can be found within the campaign under statistics/collected data.
  
 ===== Step 15 - Create Reports ===== ===== Step 15 - Create Reports =====
Line 170: Line 172:
  
 **Example: create a copy of an existing template** **Example: create a copy of an existing template**
-Lets say you want to create a new macro template based on the existing template "info.doc" (POST only) called mydocument.doc, you need to go through the following steps:+Let'say you want to create a new macro template based on the existing template "info.doc" (POST only) called mydocument.doc, you need to go through the following steps:
   * Step 1: Select the template "Macros (POST only)   * Step 1: Select the template "Macros (POST only)
   * Step 2: Press the copy button   * Step 2: Press the copy button
Line 180: Line 182:
  
 **Example: create a new template from scratch** **Example: create a new template from scratch**
-You can create your own file based macro templates using any MS office file (ppt, doc, xls...):+You can create your own file-based macro templates using any MS office file (ppt, doc, xls...):
  
-  * 1) create a VB macro with main function named AutoOpen+  * 1) create a VB macro with the main function named AutoOpen
   * 2) use all variables you will pass from lucy in this form - "%my_variable%###################" - don't forget to pad the value with "#" symbols, so the string is long enough to hold all possible values (Lucy replaces #s with actual data when running a campaign)   * 2) use all variables you will pass from lucy in this form - "%my_variable%###################" - don't forget to pad the value with "#" symbols, so the string is long enough to hold all possible values (Lucy replaces #s with actual data when running a campaign)
   * 3) use %lucy_url% as Lucy URL   * 3) use %lucy_url% as Lucy URL
   * 4) use variables in macro only after you process them with "Clean" function (see attached bas file) - it cleans excess # in the end before using the actual data passed from Lucy   * 4) use variables in macro only after you process them with "Clean" function (see attached bas file) - it cleans excess # in the end before using the actual data passed from Lucy
-  * 5) open word, excel or powerpoint document, go to developer tab and hit "Edit Macro"+  * 5) open word, excel or powerpoint document, go to the developer tab and hit "Edit Macro"
   * 6) there choose "AutoOpen" function or create it and press "Edit"   * 6) there choose "AutoOpen" function or create it and press "Edit"
   * 7) paste your macro code, save the document and quit   * 7) paste your macro code, save the document and quit
Line 196: Line 198:
 ===== Macro Template for Mac ===== ===== Macro Template for Mac =====
  
-Existing Macro Templates are more focused on Windows systems. If you want to attack Mac OS system, please use {{ :macos-sample.zip |this file}}.+Existing Macro Templates are more focused on Windows systems. If you want to attack the Mac OS system, please use {{ :macos-sample.zip |this file}}.
  
  
create_a_phishing_campaign_with_a_word_macro.txt · Last modified: 2020/08/19 16:31 by lucy