create_a_phishing_campaign_with_malware_simulations
Differences
This shows you the differences between two versions of the page.
create_a_phishing_campaign_with_malware_simulations [2016/12/05 19:04] – lucy (previous revision) | create_a_phishing_campaign_with_malware_simulations [2021/12/15 13:20] (current) – lucy
Line 6: | Line 6: | ||
* STEP 1 Getting the backdoor in the network (delivery) | * STEP 1 Getting the backdoor in the network (delivery) | ||
- | * STEP 2 Excuting | + | * STEP 2 Executing |
* STEP 3 Sending the data out (output delivery) | * STEP 3 Sending the data out (output delivery) | ||
===== LUCY's approach ===== | ===== LUCY's approach ===== | ||
- | With LUCY's file based attack you are able to perform the following steps: | + | With LUCY's file-based attack you are able to perform the following steps: |
* **STEP 0 Trojan compilation**: | * **STEP 0 Trojan compilation**: | ||
- | *** STEP 1 Delivery**: The trojan simulation can be integrated | + | *** STEP 1 Delivery**: The trojan simulation can be integrated |
* **STEP 2 Execution**: | * **STEP 2 Execution**: | ||
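Review bot: the STEP 1 bullet still reads `*** STEP 1 Delivery**:` on both sides of this hunk, so its bold markup is unbalanced compared with the neighbouring `* **STEP 0 Trojan compilation**:` and `* **STEP 2 Execution**:` items; change it to `* **STEP 1 Delivery**:` so the list item renders like the others.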
Line 22: | Line 22: | ||
- | **Note:** The files are non-intrusive, | + | **Note:** The files are non-intrusive, |
===== File based attack simulation templates ===== | ===== File based attack simulation templates ===== | ||
- | LUCY can compile different custom Malware Simulations: | + | List of all **file-based attack templates**, with **Success actions** and **Preferable delivery methods** can be found [[file_based_attack_simulation_templates|here]]. |
- | + | ||
- | {{ filetempl.png? | + | |
- | + | ||
- | Each file type [[set_a_password_for_the_archive_in_file_based_attacks_or_change_the_file_name|can be modified]] (layout, filetype, name) before using it in a campaign. Currently LUCY comes with the following file types: | + | |
- | + | ||
- | * **Consolepost**: | + | |
- | | + | |
- | * **ConsoleOutlook**: | + | |
- | * **Keylogger**: | + | |
- | | + | |
- | | + | |
- | | + | |
- | * **ConsoleInteractive**: | + | |
- | + | ||
- | {{ 81.jpg?600 }} | + | |
- | + | ||
- | {{ 82.jpg?600 }} | + | |
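Review bot: this hunk removes the sentence that linked each file type to [[set_a_password_for_the_archive_in_file_based_attacks_or_change_the_file_name|can be modified]] (layout, filetype, name) together with the inline list of file types (Consolepost, ConsoleOutlook, Keylogger, ConsoleInteractive), and the replacement only points at file_based_attack_simulation_templates for the template list; either keep the modification link in this section or make sure the linked page carries it, otherwise the archive password and file name how-to is no longer reachable from here. The headings "File based attack simulation templates" and "File based attack simulation configuration" also keep the unhyphenated spelling that this revision changes to "file-based" in the body text.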
Line 51: | Line 34: | ||
===== File based attack simulation configuration ===== | ===== File based attack simulation configuration ===== | ||
- | **STEP 1 - Create a New Campaign** After the login, you can create your first Phishing Campaign by pressing the button “**New**”.\\ | + | **STEP 1 - Create a New Campaign:** After the login, you can create your first Phishing Campaign by pressing the button “**New |
\\ | \\ | ||
- | {{ 14.jpg?direct&600 }}\\ | + | {{ file-1.png?600 }}\\ |
\\ | \\ | ||
- | + | **STEP 2 - Choose Attack Type:** In order to configure file-based campaign choose **File Attack** type.\\ | |
- | **STEP 2 - Select or Create a Client:** Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\ | + | |
\\ | \\ | ||
- | {{ 16.jpg?direct&600 }}\\ | + | {{ file-2.png?600 }}\\ |
\\ | \\ | ||
- | New clients | + | **STEP 3 - Select or Create a Client:** Create a client or choose the built-in client (a client |
\\ | \\ | ||
- | {{ 17.jpg?direct&600 }} | + | {{ file-3.png?600 }}\\ |
- | + | \\ | |
- | **STEP 3 - Choose Your Configuration Mode:** You may either continue with the **Expert Setup** or the **Setup Wizard**. We recommend using the Setup Wizard when used for the first time. | + | New clients are created under **Settings |
\\ | \\ | ||
- | {{ 15.jpg?direct&600 }}\\ | + | {{ file-4.png?600 }}\\ |
\\ | \\ | ||
- | **STEP 4 - Select your Phishing Scenario:** Now you need to select one or multiple phishing scenarios. Since you are going to do a file based attack you need to pick a scenario either from the "file based templates" | + | **STEP 4 - Select your Phishing Scenario:** Now you need to select one or multiple phishing scenarios. Since you are going to do a file-based attack you need to pick a scenario either from the "file-based templates" |
\\ | \\ | ||
- | {{ template_s_f.png?600 }} | + | {{ file-5.png?600 }}\\ |
\\ | \\ | ||
You are able to preview every template before selecting it. In the **[[links_in_preview_mode|Preview Mode]]** you can test the site using all the features (just enter some random login to get to the next page). \\ | You are able to preview every template before selecting it. In the **[[links_in_preview_mode|Preview Mode]]** you can test the site using all the features (just enter some random login to get to the next page). \\ | ||
\\ | \\ | ||
- | {{ 22.jpg?direct&600 }}\\ | + | {{ file-6.png?600 }}\\ |
\\ | \\ | ||
**Note**: **You can allocate multiple scenarios within one campaign** and they can all be started simultaneously! Example: A company might want to split the employees into 2 or 3 groups. One group could get a phishing mail with a landing page that contains many obvious errors and should be easily detectable while the other scenario is almost perfect. This way the client can identify the variables that drive the awareness in one single campaign.\\ | **Note**: **You can allocate multiple scenarios within one campaign** and they can all be started simultaneously! Example: A company might want to split the employees into 2 or 3 groups. One group could get a phishing mail with a landing page that contains many obvious errors and should be easily detectable while the other scenario is almost perfect. This way the client can identify the variables that drive the awareness in one single campaign.\\ | ||
\\ | \\ | ||
- | **STEP 5:** For this tutorial, as an example, we select the “cloud encryption | + | **STEP 5:** For this tutorial, as an example, we select the **SRA Cloud Encryption 1.1** template, where the user will be asked to download |
\\ | \\ | ||
- | {{ template_file_cloud.png?600 }} | + | {{ file-7.png?600 }}\\ |
\\ | \\ | ||
- | **STEP 6 - Configure | + | **STEP 6 - Configure |
- | {{ 24.jpg?direct&600 }}\\ | + | {{ file-8.png?600 }}\\ |
\\ | \\ | ||
- | **STEP 7 - Fine Tune the Basic Settings (each scenario has its own base settings): ** There a few **Optional Settings** that you can apply within the Base Settings. For the file based scenario you can adjust those settings within the " | + | **STEP 7 - Configure Your File:** There are several types of the file available in a file-based campaign: |
+ | | ||
+ | | ||
+ | | ||
+ | | ||
- | * Attachments - Compress Executable Attachments: | + | In this particular case, we choose the Archive type of the file with .RAR extension. Instead |
- | * Custom file name: you can give the archive a custom name (e.g. " | + | \\ |
- | * Compress | + | {{ file-9.png? |
- | + | \\ | |
- | {{ file_name.png?600 }} | + | **Custom file name**: you can give the archive a custom name (e.g. " |
- | + | **Archive | |
- | + | **Password**: | |
- | **STEP 8 - Edit your Landing Web Page within Your Campaign:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First select the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. When you choose a file based attack scenario you will see some additional configuration options appearing at the bottom of the page. Those settings define what file is provided within the download button for the recipient and what the executable should do upon opening. We recommend starting with a " | + | **Delivery Method** checkbox: |
+ | \\ | ||
+ | {{ file-10.png?600 }}\\ | ||
+ | \\ | ||
+ | Then add Recipients to the campaign and watch through the **Review** of the campaign. | ||
+ | \\ | ||
+ | {{ file-11.png? | ||
+ | \\ | ||
+ | The campaign can be started from that point by pushing the **Start** button. Otherwise, push **Go to the Campaign** button in order to set up the campaign further. | ||
+ | \\ | ||
+ | \\ | ||
+ | All the further configuration is performed through **Base Settings**. | ||
+ | \\ | ||
+ | {{ file-12.png? | ||
+ | \\ | ||
+ | **STEP 8 - Edit your Landing Web Page within Your Campaign:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First, select the drop-down menu at the top of the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. When you choose a file-based attack scenario you will see some additional configuration options appearing at the bottom of the page. Those settings define what file is provided within the download button for the recipient and what the executable should do upon opening. We recommend starting with a " | ||
* Decide if the user should see [[file_based_gui_options|some fake GUI]] upon execution or not | * Decide if the user should see [[file_based_gui_options|some fake GUI]] upon execution or not | ||
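Review bot: STEP 8 still opens with "After saving the Base Settings", but in the reworked flow the wizard ends at the Review screen with either **Start** or **Go to the Campaign**, and "All the further configuration is performed through Base Settings" only introduces them; state explicitly that STEP 8 is reached by choosing **Go to the Campaign** and opening Base Settings, otherwise a reader who pressed **Start** looks for a step that was skipped. In the same hunk, "There are several types of the file available" reads better as "Several file types are available", and "watch through the Review of the campaign" as "look through the Review of the campaign". The **Password** option should also say how the password reaches the recipient (in the mail body or on the landing page), since without that the download cannot be opened on the user's side.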
Line 109: | Line 110: | ||
- | **STEP 9 - Configure Message Settings (Email): | + | **STEP 9 - Configure Message Settings (Email): |
{{ 42.jpg? | {{ 42.jpg? | ||
- | When choosing a file based scenario LUCY will offer you additionally to send the Trojan simulation via mail. If you already have chosen a landing page where the Trojan simulation can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose " | + | When choosing a file-based scenario LUCY will offer you additionally to send the Trojan simulation via mail. If you already have chosen a landing page where the Trojan simulation can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose " |
{{ mail_file.png? | {{ mail_file.png? | ||
Line 122: | Line 123: | ||
{{ 47.jpg? | {{ 47.jpg? | ||
- | This is the list of users that will get the phishing emails. You can add them manually, import a file with all your recipients or even search them on the internet. Once you have created that group, you can select it in your campaign and map them to a specific scenario. You can also define if they should be used only for the Landing Page link, the [[Awareness_E-learning_settings|Awareness site link (e-learning)]] or both. | + | This is the list of users that will get the phishing emails. You can add them manually, import a file with all your recipients or even search them on the internet. Once you have created that group, you can select it in your campaign and map it to a specific scenario. You can also define if they should be used only for the Landing Page link, the [[Awareness_E-learning_settings|Awareness site link (e-learning)]], or both. |
{{ 49.jpg? | {{ 49.jpg? | ||
Line 152: | Line 153: | ||
- | ===== File based templates ===== | + | ===== Edit File based templates ===== |
All attachments can be edited within LUCY. The Attachments Settings can be stored as Default templates under Settings/ | All attachments can be edited within LUCY. The Attachments Settings can be stored as Default templates under Settings/ | ||
Line 159: | Line 160: | ||
{{ 84.jpg?600 }} | {{ 84.jpg?600 }} | ||
+ | |||
+ | You can rename the file templates from file.exe to any filename. In LUCY < 3.2 you can do that by downloading the file.exe, renaming it & then uploading it back to the generic file template. | ||
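Review bot: the added paragraph only describes the workaround for LUCY < 3.2 (download file.exe, rename it, upload it back to the generic file template); say how renaming is done in 3.2 and later (the new STEP 7 above exposes a **Custom file name** field for archives, if that is the intended path) so readers of current versions are not sent to the manual procedure. Write "and" rather than "&" in running text.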
Line 164: | Line 167: | ||
===== Technical Details about the data delivery ===== | ===== Technical Details about the data delivery ===== | ||
- | Upon execution, this tool will execute the predefined commands or access documents. It will open the built in Internet Explorer or other default browser (in hidden mode) or access Outlook and send out the collected data to LUCY via HTTP or HTTPS or via SMPT (it will automatically choose HTTPS if you run your campaign via SSL). This tool will also work in environments where the Internet is accessed with Proxy servers - only allowing access for authorized Windows users. The file can then be downloaded as a plain exe or as a zipped archive. | + | Upon execution, this tool will execute the predefined commands or access documents. It will open the built-in Internet Explorer or another |
**Note**: The current edition of LUCY will include tools that access files on shares and upload them to the campaign or access the email client via MAPI. These features have restricted configuration options in the community edition (like maximum number of files that can be uploaded, etc.) the same goes for the number of screenshots or length of videos. Only the Commercial Editions have no limitations. You can upload your own custom payload. But keep in mind that reverse channels to LUCY won’t work; only attachments from LUCY are compiled in Real Time with certain settings (IP, Domain Name, URL etc.). | **Note**: The current edition of LUCY will include tools that access files on shares and upload them to the campaign or access the email client via MAPI. These features have restricted configuration options in the community edition (like maximum number of files that can be uploaded, etc.) the same goes for the number of screenshots or length of videos. Only the Commercial Editions have no limitations. You can upload your own custom payload. But keep in mind that reverse channels to LUCY won’t work; only attachments from LUCY are compiled in Real Time with certain settings (IP, Domain Name, URL etc.). | ||
- | **File Downloads | + | ===== Delivery Challenges ===== |
+ | |||
+ | Executable files usually cannot be delivered to a user via e-mail attachment. These are blocked by most email programs. | ||
+ | |||
+ | In order to deliver a malware simulation to the user, the attachment should not be provided via email, but via download on a website. There you have the possibility to download the file: | ||
+ | |||
+ | | ||
+ | | ||
+ | * [[pdf_attacks|Inside a PDF]] | ||
+ | * [[create_a_phishing_campaign_with_a_java_dropper_applet|Tunneled through an aplet]] | ||
+ | * Download as a plain exe | ||
+ | |||
+ | Those settings can be applied within the scenario settings of the specific template. Choose archive (1), Tunnel (2) or PDF (3) for the according method: | ||
+ | |||
+ | {{ sc_et_fil.png? | ||
+ | |||
+ | |||
+ | ===== Q&A ===== | ||
+ | |||
+ | **Q: Do the files need to be installed? | ||
+ | A: No, the files are non-intrusive, run only in the memory and have no effect on the System (no changes are made). | ||
+ | |||
+ | **Q: Do the files need to be run with elevated permissions? | ||
+ | A: No. The files can run with limited, standard windows user rights. | ||
+ | |||
+ | **Q: Our filters block file types like .exe- How can I still use the files?** \\ | ||
+ | A: Use a different file format within the scenario settings (e.g. place the exe in an archive like a zip file or place it within a PDF as an attachment). | ||
+ | |||
+ | |||
+ | **Q: Can I run the files on MAC or Linux?** \\ | ||
+ | A: No. In the current edition, the executable runs only on Windows (Windows 7/ | ||
- | Yes - We have a tool which allows you to compile any executable into an Word document and convert it into a Macro. Depending on Security Settings, the user might get a security warning when opening of the Word document. The tool is only available for Commercial Clients on request. | ||
- | {{ 118.jpg?600 }} | + | **Q: Windows Defender blocks the files - can this be prevented?** \\ |
+ | A: Yes, It can be prevented using " |
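Review bot: the Q&A answers "run only in the memory and have no effect on the System (no changes are made)" and "can run with limited, standard windows user rights", while the Technical Details paragraph above says the tool opens a hidden browser or Outlook, reads files on shares and sends the collected data (screenshots, videos, files) to LUCY over HTTP, HTTPS or mail; add a sentence to the first answer saying what data leaves the endpoint and where it is stored on the LUCY server, because a client reading only the Q&A would otherwise assume nothing is collected. Typos in the new text: "aplet" in the link label "Tunneled through an aplet", ".exe- How" (space before the dash) and "Yes, It can" (lower-case "it"); the left-hand text also has "SMPT" for SMTP, so make sure the new revision spells it SMTP.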
create_a_phishing_campaign_with_malware_simulations.1480961057.txt.gz · Last modified: 2019/07/25 12:50 (external edit)