create_a_phishing_campaign_with_malware_simulations

Differences

This shows you the differences between two versions of the page.

create_a_phishing_campaign_with_malware_simulations [2019/07/25 12:49] – external edit 127.0.0.1
create_a_phishing_campaign_with_malware_simulations [2021/12/15 13:20] (current) lucy
Line 22: Line 22:
  
  
-**Note:** The files are non-intrusive, run only in the memory and have no effect on the System (no changes are made). In the current edition, the executable runs only on Windows (Windows 7/8).+**Note:** The files are non-intrusive, run only in the memory and have no effect on the System (no changes are made). In the current edition, the executable runs only on Windows (Windows 7/8/10).
  
  
 ===== File based attack simulation templates ===== ===== File based attack simulation templates =====
  
-LUCY can compile different custom Malware Simulations: +List of all **file-based attack templates**, with **Success actions** and **Preferable delivery methods** can be found [[file_based_attack_simulation_templates|here]].
- +
-{{ filetempl.png?600 }} +
- +
-Each file type [[set_a_password_for_the_archive_in_file_based_attacks_or_change_the_file_name|can be modified]] (layout, filetype, name) before using it in a campaign. Currently, LUCY comes with the following file types: +
- +
-  * **Consolepost**: Execute your commands within the Windows shell and send back the output to LUCY. This tool allows you to use a limited set of commands. Some commands in Windows are not executable. They are built into the command line (Example of command with executable: whoami).  If you need to use a command which is a built-in command line, then you should call cmd directly (example for requesting the directory content: "cmd /c dir"). Here a [[commands_that_can_be_executed_in_file_based_malware_simulations|list of possible commands]]. +
-  * **Recentdocs**: Send back a predefined number of documents listed in the recent doc cache to LUCY. +
-  * **ConsoleOutlook**: Execute commands and send the output back via Outlook (access Outlook hidden via MAPI) to a predefined email address. It also has the ability as a PoC to send back the subject line from last received email in Outlook. +
-  * **Keylogger**: Record keys pressed on a keyboard for a short time period. Display GUI option may have a value of 0 to 4: 0 no GUI, 1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window. +
-    **Microphone**: Get audio recording from a microphone for a short period. Display GUI option may have a value of 0 to 4: 0 - no GUI1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window. +
-  * **WebRecorder**: Records screenshots and tries to access the webcam to record a few seconds as a PoC. +
-  * **Ransomware Screenlocker**: Will lock the PC screen and ask the user to enter a password that can be set in the backend. The idea is to have the user call some helpdesk to ask for the password to have a better learning effect. +
-  * **ConsoleInteractive**: This tool allows you to establish a reverse HTTP/HTTPS channel to LUCY. Once the file has been executed, you can see the session in “Sessions”. The tool only runs in the memory (called “file” in Process View). After the termination, the session can no longer be established. You can click on the IP and start executing commands within the Windows shell. The output should appear after a few seconds automatically. This Tool only works with Windows 7/8 in combination with IE and Firefox. More background info can be found [[interactive_reverse_http_s_sessions|here]]. +
- +
-{{ 81.jpg?600 }} +
- +
-{{ 82.jpg?600 }}+
  
  
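Review bot: the replacement line only links out to file_based_attack_simulation_templates, so the per-tool caveats that leave this page together with the removed list (the ConsoleInteractive sentence "This Tool only works with Windows 7/8 in combination with IE and Firefox", and the Display GUI values "0 no GUI, 1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window" for Keylogger and Microphone) need to be present on the linked page; otherwise the "Windows 7/8/10" statement in the Note above becomes the only compatibility claim left. If the list is moved rather than rewritten, carry over the fixes the old version needed: the Microphone entry lacks its "* " bullet marker and "0 - no GUI1 - Progress Bar" is missing a separator between the first two values.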
Line 51: Line 34:
 ===== File based attack simulation configuration ===== ===== File based attack simulation configuration =====
  
-**STEP 1 - Create a New Campaign** After the login, you can create your first Phishing Campaign by pressing the button “**New**”.\\+**STEP 1 - Create a New Campaign:** After the login, you can create your first Phishing Campaign by pressing the button “**New Campaign**”. Then choose **Attack Simulation** campaign type. \\
 \\ \\
-{{ 14.jpg?direct&600 }}\\+{{ file-1.png?600 }}\\
 \\ \\
- +**STEP 2 - Choose Attack Type:** In order to configure file-based campaign choose **File Attack** type.\\
-**STEP 2 - Select or Create a Client:** Create a client or choose the built-in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\+
 \\ \\
-{{ 16.jpg?direct&600 }}\\+{{ file-2.png?600 }}\\
 \\ \\
-New clients can be created under "clients"In LUCY v. 2.5 and higher this is created under settings/clients.\\+**STEP 3 - Select or Create a Client:** Create a client or choose the built-in client (a client can be your own organization or the company that asked you to perform a phishing test)This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\
 \\ \\
-{{ 17.jpg?direct&600 }} +{{ file-3.png?600 }}\\ 
- +\\ 
-**STEP 3 Choose Your Configuration Mode:** You may either continue with the **Expert Setup** or the **Setup Wizard**. We recommend using the Setup Wizard when used for the first time+New clients are created under **Settings -> Clients -> New Client**.\\
 \\ \\
-{{ 15.jpg?direct&600 }}\\+{{ file-4.png?600 }}\\
 \\ \\
-**STEP 4 - Select your Phishing Scenario:** Now you need to select one or multiple phishing scenarios. Since you are going to do a file based attack you need to pick a scenario either from the "file based templates" or the "mixed templates"\\+**STEP 4 - Select your Phishing Scenario:** Now you need to select one or multiple phishing scenarios. Since you are going to do a file-based attack you need to pick a scenario either from the "file-based templates" or the "mixed templates"\\
 \\ \\
-{{ template_s_f.png?600 }}+{{ file-5.png?600 }}\\
 \\ \\
 You are able to preview every template before selecting it. In the **[[links_in_preview_mode|Preview Mode]]** you can test the site using all the features (just enter some random login to get to the next page). \\ You are able to preview every template before selecting it. In the **[[links_in_preview_mode|Preview Mode]]** you can test the site using all the features (just enter some random login to get to the next page). \\
 \\ \\
-{{ 22.jpg?direct&600 }}\\+{{ file-6.png?600 }}\\
 \\ \\
 **Note**: **You can allocate multiple scenarios within one campaign** and they can all be started simultaneously! Example: A company might want to split the employees into 2 or 3 groups. One group could get a phishing mail with a landing page that contains many obvious errors and should be easily detectable while the other scenario is almost perfect. This way the client can identify the variables that drive the awareness in one single campaign.\\ **Note**: **You can allocate multiple scenarios within one campaign** and they can all be started simultaneously! Example: A company might want to split the employees into 2 or 3 groups. One group could get a phishing mail with a landing page that contains many obvious errors and should be easily detectable while the other scenario is almost perfect. This way the client can identify the variables that drive the awareness in one single campaign.\\
 \\ \\
  
-**STEP 5:** For this tutorial, as an example, we select the “cloud encryption template, where the user will be asked to download some encrypted file.\\+**STEP 5:** For this tutorial, as an example, we select the **SRA Cloud Encryption 1.1** template, where the user will be asked to download an encrypted file. To select the template for the campaign click the **Select Language** button and choose the preferred language from the drop-down menu.\\
 \\ \\
  
-{{ template_file_cloud.png?600 }}+{{ file-7.png?600 }}\\
  
 \\ \\
-**STEP 6 - Configure the Base Settings of Your Campaign** Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. First, give your campaign a name and then choose how your recipients will be able to access LUCY by defining the [[domain_configuration|Domain]]. Finding the appropriate domain name is a very important step for the success and it depends very much on your campaign scenario. If you plan to create a fake web mail login you might try to reserve a domain like "webmail-server365.com" and point it to LUCY.\\+**STEP 6 - Configure basic attack settings of Your Campaign** Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. First, give your campaign a name and then choose how your recipients will be able to access LUCY by defining the [[domain_configuration|Domain]]. Finding the appropriate domain name is a very important step for success and it depends very much on your campaign scenario. If you plan to create a fake webmail login you might try to reserve a domain like "webmail-server365.com" and point it to LUCY.\\
  
-{{ 24.jpg?direct&600 }}\\+{{ file-8.png?600 }}\\
 \\ \\
  
  
-**STEP 7 - Fine Tune the Basic Settings (each scenario has its own base settings): ** There a few **Optional Settings** that you can apply within the Base Settings. For the file based scenario you can adjust those settings within the "scenario settings":+**STEP 7 - Configure Your File:** There are several types of the file available in file-based campaign: 
 +  Archive 
 +  Tunnel Executable 
 +  Java Applet 
 +  PDF document
  
-  * Attachments - Compress Executable Attachments: instead of sending the attachment as a plain file (e.g. file.exe) or providing it as an executable file to download you can set the compression option (this is recommended). Like this the file will be archived. +In this particular case, we choose the Archive type of the file with .RAR extension. Instead of sending the attachment as a plain file (e.g. file.exe) or providing it as an executable file to downloadyou can set the compression option (this is recommended). Like thisthe file will be archived. 
-  * Custom file name: you can give the archive a custom name (e.g. "encrypteddoc.zip"+\\ 
-  Compress Type: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need additional client software) +{{ file-9.png?600 }}\\ 
- +\\ 
-{{ file_name.png?600 }} +**Custom file name**: you can give the archive a custom name (e.g. "encrypteddoc.zip")\\ 
- +**Archive Type**: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need additional client software)\\ 
- +**Password**: You can set up a password for your archive and insert it into the message to make the simulation more realistic. 
-**STEP 8 - Edit your Landing Web Page within Your Campaign:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First, select the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. When you choose a file based attack scenario you will see some additional configuration options appearing at the bottom of the page. Those settings define what file is provided within the download button for the recipient and what the executable should do upon opening. We recommend starting with a "harmless", non-intrusive trojan simulation that doesn't violate the recipients data privacy. A harmless simulation is, for example, the ConsolePost" Trojan, which will stealthily execute a few pre-defined commands (like "whoami") in the users shell and send the output back to LUCY. You have a few additional options:+**Delivery Method** checkbox:  
 +\\ 
 +{{ file-10.png?600 }}\\ 
 +\\ 
 +Then add Recipients to the campaign and watch through the **Review** of the campaign.  
 +\\ 
 +{{ file-11.png?600 }}\\ 
 +\\  
 +The campaign can be started from that point by pushing the **Start** button. Otherwise, push **Go to the Campaign** button in order to set up the campaign further. 
 +\\ 
 +\\ 
 +All the further configuration is performed through **Base Settings**.  
 +\\ 
 +{{ file-12.png?600 }}\\ 
 +\\ 
 +**STEP 8 - Edit your Landing Web Page within Your Campaign:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First, select the drop-down menu at the top of the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. When you choose a file-based attack scenario you will see some additional configuration options appearing at the bottom of the page. Those settings define what file is provided within the download button for the recipient and what the executable should do upon opening. We recommend starting with a "harmless", non-intrusive trojan simulation that doesn't violate the recipientsdata privacy. A harmless simulation is, for example, the ConsolePost" Trojan, which will stealthily execute a few pre-defined commands (like "whoami") in the user'shell and send the output back to LUCY. You have a few additional options:
  
   * Decide if the user should see [[file_based_gui_options|some fake GUI]] upon execution or not   * Decide if the user should see [[file_based_gui_options|some fake GUI]] upon execution or not
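Review bot: the new STEP 7 ends with "**Delivery Method** checkbox:" followed only by a screenshot, so the reader is never told what the checkbox controls; either describe it in one sentence or drop the colon and the dangling label. Several run-together words in the added lines should also be fixed before publishing: "downloadyou can", "Like thisthe file", "recipientsdata privacy", "user'shell", and the unbalanced quote in "the ConsolePost" Trojan". Minor wording: "several types of the file available in file-based campaign" reads better as "several file types available in a file-based campaign", and "watch through the **Review** of the campaign" as "check the **Review** page of the campaign".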
Line 109: Line 110:
  
  
-**STEP 9 - Configure Message Settings (Email):**  It’s time to setup email communication (if you want you can also use [[smishing|SMS]] as an alternative). Choose your sender's name, email address, and subject. Please also choose the language for each group. If you configured an English landing page, then select English also within that recipient group. If you have different groups with different languages within your company you can simply create a group and select a language for each recipient. LUCY then will direct each user to an individual landing page that [[dealing_with_multiple_languages_in_your_recipient_group|matches that language]]. Please read the [[Mail_Settings|Mail Settings Chapter]] for more configuration options.+**STEP 9 - Configure Message Settings (Email):**  It’s time to set up email communication (if you want you can also use [[smishing|SMS]] as an alternative). Choose your sender's name, email address, and subject. Please also choose the language for each group. If you configured an English landing page, then select English also within that recipient group. If you have different groups with different languages within your company you can simply create a group and select a language for each recipient. LUCY then will direct each user to an individual landing page that [[dealing_with_multiple_languages_in_your_recipient_group|matches that language]]. Please read the [[Mail_Settings|Mail Settings Chapter]] for more configuration options.
  
 {{ 42.jpg?direct&600 }} {{ 42.jpg?direct&600 }}
  
-When choosing a file based scenario LUCY will offer you additionally to send the Trojan simulation via mail. If you already have chosen a landing page where the Trojan simulation can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose "NA" within the malware simulation template dropdown menu:+When choosing a file-based scenario LUCY will offer you additionally to send the Trojan simulation via mail. If you already have chosen a landing page where the Trojan simulation can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose "NA" within the malware simulation template dropdown menu:
  
 {{ mail_file.png?600 }} {{ mail_file.png?600 }}
Line 122: Line 123:
 {{ 47.jpg?direct&600 }} {{ 47.jpg?direct&600 }}
  
-This is the list of users that will get the phishing emails. You can add them manually, import a file with all your recipients or even search them on the internet. Once you have created that group, you can select it in your campaign and map them to a specific scenario. You can also define if they should be used only for the Landing Page link, the [[Awareness_E-learning_settings|Awareness site link (e-learning)]] or both.  +This is the list of users that will get the phishing emails. You can add them manually, import a file with all your recipients or even search them on the internet. Once you have created that group, you can select it in your campaign and map it to a specific scenario. You can also define if they should be used only for the Landing Page link, the [[Awareness_E-learning_settings|Awareness site link (e-learning)]]or both.  
  
 {{ 49.jpg?direct&600 }} {{ 49.jpg?direct&600 }}
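Review bot: the corrected line loses the space before "or both": "(e-learning)]]or both" should read "(e-learning)]] or both"; the pronoun fix "map it to a specific scenario" is right.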
Line 170: Line 171:
 **Note**: The current edition of LUCY will include tools that access files on shares and upload them to the campaign or access the email client via MAPI. These features have restricted configuration options in the community edition (like maximum number of files that can be uploaded, etc.) the same goes for the number of screenshots or length of videos. Only the Commercial Editions have no limitations. You can upload your own custom payload. But keep in mind that reverse channels to LUCY won’t work; only attachments from LUCY are compiled in Real Time with certain settings (IP, Domain Name, URL etc.). **Note**: The current edition of LUCY will include tools that access files on shares and upload them to the campaign or access the email client via MAPI. These features have restricted configuration options in the community edition (like maximum number of files that can be uploaded, etc.) the same goes for the number of screenshots or length of videos. Only the Commercial Editions have no limitations. You can upload your own custom payload. But keep in mind that reverse channels to LUCY won’t work; only attachments from LUCY are compiled in Real Time with certain settings (IP, Domain Name, URL etc.).
  
 +
 +===== Delivery Challenges =====
 +
 +Executable files usually cannot be delivered to a user via e-mail attachment. These are blocked by most email programs. 
 +
 +In order to deliver a malware simulation to the user, the attachment should not be provided via email, but via download on a website. There you have the possibility to download the file:
 +
 +  * Inside an archve (zip, jar, rar etc.)
 +  * Inside an encrypted file (e.g. zip with a password)
 +  * [[pdf_attacks|Inside a PDF]]
 +  * [[create_a_phishing_campaign_with_a_java_dropper_applet|Tunneled through an aplet]]
 +  * Download as a plain exe
 +
 +Those settings can be applied within the scenario settings of the specific template. Choose archive (1), Tunnel (2) or PDF (3) for the according method:
 +
 +{{ sc_et_fil.png?600 }}
 +
 +
 +===== Q&A =====
 +
 +**Q: Do the files need to be installed?** \\
 +A: No, the files are non-intrusive, run only in the memory and have no effect on the System (no changes are made). 
 +
 +**Q: Do the files need to be run with elevated permissions?** \\
 +A: No. The files can run with limited, standard windows user rights.
 +
 +**Q: Our filters block file types like .exe- How can I still use the files?** \\
 +A: Use a different file format within the scenario settings (e.g. place the exe in an archive like a zip file or place it within a PDF as an attachment).
 +
 +
 +**Q: Can I run the files on MAC or Linux?** \\
 +A: No. In the current edition, the executable runs only on Windows (Windows 7/8/10). 
 +
 +
 +**Q: Windows Defender blocks the files - can this be prevented?** \\
 +A: Yes, It can be prevented using "whitelisting" inside the Windows Defender Security Center. But it is normal that the defender blocks the code as the defender will block any unknown code which is not officially signed. The files unfortunately cannot be signed, as the hash value is different for each user (the files get compiled on the fly individually for every single user)
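Review bot: the Delivery Challenges list names five delivery options (archive, encrypted file, PDF, applet, plain exe) but the sentence under it maps only three, "Choose archive (1), Tunnel (2) or PDF (3)"; state which setting the applet tunnel and the plain-exe download correspond to, consistent with the four types listed in STEP 7 (Archive, Tunnel Executable, Java Applet, PDF document). Two typos: "archve" and "aplet". The Q&A answer "no effect on the System (no changes are made)" sits a few lines below a Note saying the tools "access files on shares and upload them to the campaign or access the email client via MAPI"; reading and uploading data is an effect even if nothing is modified, so "make no persistent changes to the system" is the accurate phrasing. The Windows Defender answer should make clear that the "whitelisting" is an exclusion the organisation adds in its own Windows Defender Security Center for the duration of the simulation, and that the block itself is expected behaviour for unsigned, per-user compiled files, as the answer already explains. Also ".exe- How" needs a full stop or a space after the dash.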
create_a_phishing_campaign_with_malware_simulations.1564051796.txt.gz · Last modified: 2019/07/25 12:49 by 127.0.0.1