create_a_phishing_campaign_with_malware_simulations

Differences

This shows you the differences between two versions of the page.

create_a_phishing_campaign_with_malware_simulations [2016/12/05 19:06]
lucy
create_a_phishing_campaign_with_malware_simulations [2019/07/25 12:49] (current)
Line 6: Line 6:
  
   * STEP 1 Getting the backdoor in the network (delivery)   * STEP 1 Getting the backdoor in the network (delivery)
-  * STEP 2 Excuting ​the backdoor by the user (execution)+  * STEP 2 Executing ​the backdoor by the user (execution)
   * STEP 3 Sending the data out (output delivery)   * STEP 3 Sending the data out (output delivery)
  
 ===== LUCY's approach ===== ===== LUCY's approach =====
  
-With LUCY's file based attack you are able to perform the following steps:+With LUCY's file-based attack you are able to perform the following steps:
  
   * **STEP 0 Trojan compilation**:​ Via the Web GUI you will be able to define the settings of the trojan simulation (e.g. what the file should look like & do upon execution). The trojan simulation can be either an executable (which gets compiled during the campaign), some payload which you upload to LUCY yourself or some [[create_a_phishing_campaign_with_a_word_macro|Office file that contains a Macro]].   * **STEP 0 Trojan compilation**:​ Via the Web GUI you will be able to define the settings of the trojan simulation (e.g. what the file should look like & do upon execution). The trojan simulation can be either an executable (which gets compiled during the campaign), some payload which you upload to LUCY yourself or some [[create_a_phishing_campaign_with_a_word_macro|Office file that contains a Macro]].
-  *** STEP 1 Delivery**: The trojan simulation can be integrated ​in a landing page on LUCY so it may be downloaded from the clients or it can be attached in the mail. +  *** STEP 1 Delivery**: The trojan simulation can be integrated ​into a landing page on LUCY so it may be downloaded from the clients or it can be attached in the mail. 
   * **STEP 2 Execution**:​ By using a phishing mail which can be edited on LUCY you can try to lure the recipient into opening the Trojan simulation. Once the Malware Simulation is executed on a Windows Client, you can see the file in the Task Manager as "​file.exe"​. LUCY has some command restrictions to prevent LUCY administrators from damaging the client'​s system, therefore not all shell commands are allowed.   * **STEP 2 Execution**:​ By using a phishing mail which can be edited on LUCY you can try to lure the recipient into opening the Trojan simulation. Once the Malware Simulation is executed on a Windows Client, you can see the file in the Task Manager as "​file.exe"​. LUCY has some command restrictions to prevent LUCY administrators from damaging the client'​s system, therefore not all shell commands are allowed.
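Review bot: In the STEP 1 Delivery item of this hunk, "so it may be downloaded from the clients" is ambiguous, because elsewhere on this page a "client" is the organisation being tested (see STEP 2 - Select or Create a Client); suggest "so it may be downloaded by the recipients". In the STEP 2 Execution item, the sentence "LUCY has some command restrictions ... therefore not all shell commands are allowed" tells the reader that a restriction exists but not where the allowed set is documented; the Consolepost item further down links to commands_that_can_be_executed_in_file_based_malware_simulations, and that link belongs here as well.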
  
Line 22: Line 22:
  
  
-**Note:** The files are non-intrusive,​ run only in the memory and have no effect on the System (no changes are made). In the current edition, the executable runs only on Windows (windows ​7/8).+**Note:** The files are non-intrusive,​ run only in the memory and have no effect on the System (no changes are made). In the current edition, the executable runs only on Windows (Windows ​7/8).
  
  
Line 31: Line 31:
 {{ filetempl.png?​600 }} {{ filetempl.png?​600 }}
  
-Each file type [[set_a_password_for_the_archive_in_file_based_attacks_or_change_the_file_name|can be modified]] (layout, filetype, name) before using it in a campaign. Currently LUCY comes with the following file types:+Each file type [[set_a_password_for_the_archive_in_file_based_attacks_or_change_the_file_name|can be modified]] (layout, filetype, name) before using it in a campaign. CurrentlyLUCY comes with the following file types:
  
-  * **Consolepost**:​ Execute your commands within the Windows shell and send back the output to LUCY. This tool allows you to use a limited set of commands. Some commands in Windows are not executable. They are built into the command line (Example of command with executable: whoami). ​ If you need to use a command which is a built in command line, then you should call cmd directly (example for requesting the directory content: "cmd /c dir"). Here a [[commands_that_can_be_executed_in_file_based_malware_simulations|list of possible commands]].+  * **Consolepost**:​ Execute your commands within the Windows shell and send back the output to LUCY. This tool allows you to use a limited set of commands. Some commands in Windows are not executable. They are built into the command line (Example of command with executable: whoami). ​ If you need to use a command which is a built-in command line, then you should call cmd directly (example for requesting the directory content: "cmd /c dir"). Here a [[commands_that_can_be_executed_in_file_based_malware_simulations|list of possible commands]].
   * **Recentdocs**:​ Send back a predefined number of documents listed in the recent doc cache to LUCY.   * **Recentdocs**:​ Send back a predefined number of documents listed in the recent doc cache to LUCY.
   * **ConsoleOutlook**:​ Execute commands and send the output back via Outlook (access Outlook hidden via MAPI) to a predefined email address. It also has the ability as a PoC to send back the subject line from last received email in Outlook.   * **ConsoleOutlook**:​ Execute commands and send the output back via Outlook (access Outlook hidden via MAPI) to a predefined email address. It also has the ability as a PoC to send back the subject line from last received email in Outlook.
-  * **Keylogger**:​ Record keys pressed on keyboard for a short time period. Display GUI option may have a value of 0 to 4: 0 - no GUI, 1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window. +  * **Keylogger**:​ Record keys pressed on keyboard for a short time period. Display GUI option may have a value of 0 to 4: 0 - no GUI, 1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window. 
-  *   ​**Microphone**:​ Get audio recording from microphone for a short period. Display GUI option may have a value of 0 to 4: 0 - no GUI, 1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window.+  *   ​**Microphone**:​ Get audio recording from microphone for a short period. Display GUI option may have a value of 0 to 4: 0 - no GUI, 1 - Progress Bar, 2 - Decryptor Window, 3 or 4 - Error Message Window.
   * **WebRecorder**:​ Records screenshots and tries to access the webcam to record a few seconds as a PoC.   * **WebRecorder**:​ Records screenshots and tries to access the webcam to record a few seconds as a PoC.
   * **Ransomware Screenlocker**:​ Will lock the PC screen and ask the user to enter a password that can be set in the backend. The idea is to have the user call some helpdesk to ask for the password to have a better learning effect.   * **Ransomware Screenlocker**:​ Will lock the PC screen and ask the user to enter a password that can be set in the backend. The idea is to have the user call some helpdesk to ask for the password to have a better learning effect.
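Review bot: The new revision of the first changed line reads "CurrentlyLUCY comes with the following file types", so the separator after "Currently" was lost in the edit; restore "Currently, LUCY". In the Consolepost item the explanation of built-in commands is hard to follow as written ("Some commands in Windows are not executable. They are built into the command line (Example of command with executable: whoami)"); the intended distinction is between commands that exist as separate executables (whoami) and commands that are built into cmd.exe and therefore must be invoked through it, which is what the following "cmd /c dir" example shows. Suggest wording it that way, and "Here a list of possible commands" should read "Here is a list of possible commands".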
Line 56: Line 56:
 \\ \\
  
-**STEP 2 - Select or Create a Client:** Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\+**STEP 2 - Select or Create a Client:** Create a client or choose the built-in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\
 \\ \\
 {{ 16.jpg?​direct&​600 }}\\ {{ 16.jpg?​direct&​600 }}\\
Line 85: Line 85:
  
 \\ \\
-**STEP 6 - Configure the Base Settings of Your Campaign** Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. First give your campaign a name and then choose how your recipients will be able to access LUCY by defining the [[domain_configuration|Domain]]. Finding the appropriate domain name is a very important step for the success and it depends very much on your campaign scenario. If you plan to create a fake web mail login you might try to reserve a domain like "​webmail-server365.com"​ and point it to LUCY.\\+**STEP 6 - Configure the Base Settings of Your Campaign** Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. Firstgive your campaign a name and then choose how your recipients will be able to access LUCY by defining the [[domain_configuration|Domain]]. Finding the appropriate domain name is a very important step for the success and it depends very much on your campaign scenario. If you plan to create a fake web mail login you might try to reserve a domain like "​webmail-server365.com"​ and point it to LUCY.\\
  
 {{ 24.jpg?​direct&​600 }}\\ {{ 24.jpg?​direct&​600 }}\\
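Review bot: The new revision of the STEP 6 paragraph reads "Firstgive your campaign a name", so the separator after "First" was lost in the edit; restore "First, give". The same paragraph also lacks a colon or line break after the bold "STEP 6 - Configure the Base Settings of Your Campaign" heading, unlike the other STEP headings on the page, which end with a colon.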
Line 95: Line 95:
   * Attachments - Compress Executable Attachments:​ instead of sending the attachment as a plain file (e.g. file.exe) or providing it as an executable file to download you can set the compression option (this is recommended). Like this the file will be archived.   * Attachments - Compress Executable Attachments:​ instead of sending the attachment as a plain file (e.g. file.exe) or providing it as an executable file to download you can set the compression option (this is recommended). Like this the file will be archived.
   * Custom file name: you can give the archive a custom name (e.g. "​encrypteddoc.zip"​)   * Custom file name: you can give the archive a custom name (e.g. "​encrypteddoc.zip"​)
-  * Compress Type: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need an additional client software)+  * Compress Type: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need additional client software)
  
 {{ file_name.png?​600 }} {{ file_name.png?​600 }}
  
  
-**STEP 8 - Edit your Landing Web Page within Your Campaign:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First select the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. When you choose a file based attack scenario you will see some additional configuration options appearing at the bottom of the page. Those settings define what file is provided within the download button for the recipient and what the executable should do upon opening. We recommend starting with a "​harmless",​ non-intrusive trojan simulation that doesn'​t violate the recipients data privacy. A harmless simulation is for example the ConsolePost"​ Trojan, which will stealthy ​execute a few pre-defined commands (like "​whoami"​) in the users shell and send the output back to LUCY. You have a few additional options:+**STEP 8 - Edit your Landing Web Page within Your Campaign:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]], [[Upload_Your_Web_Page|Upload Your Own Webpage]] or simply [[copy_web_page|copy any website on the internet]]. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. Firstselect the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you [[dealing_with_multiple_languages_in_your_recipient_group|edit the correct language]]. 
When you choose a file based attack scenario you will see some additional configuration options appearing at the bottom of the page. Those settings define what file is provided within the download button for the recipient and what the executable should do upon opening. We recommend starting with a "​harmless",​ non-intrusive trojan simulation that doesn'​t violate the recipients data privacy. A harmless simulation isfor examplethe ConsolePost"​ Trojan, which will stealthily ​execute a few pre-defined commands (like "​whoami"​) in the users shell and send the output back to LUCY. You have a few additional options:
  
   * Decide if the user should see [[file_based_gui_options|some fake GUI]] upon execution or not   * Decide if the user should see [[file_based_gui_options|some fake GUI]] upon execution or not
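Review bot: The new revision of the STEP 8 paragraph has lost separators in three places: "Firstselect the drop-down menu", "A harmless simulation isfor examplethe ConsolePost", which should read "First, select" and "is, for example, the ConsolePost". Also in both revisions: "at the top the page" is missing "of", the quotation mark after ConsolePost (ConsolePost"​ Trojan) has no opening partner, "the users shell" should be "the user's shell", "the recipients data privacy" should be "the recipients' data privacy", and "file based attack scenario" is inconsistent with the "file-based attack" spelling introduced in the Line 6 hunk of this same revision.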
Line 109: Line 109:
  
  
-**STEP 9 - Configure Message Settings (Email):​** ​ It’s time to setup email communication (if you want you can also use [[smishing|SMS]] as an alternative). Choose your sender'​s name, email address and subject. Please also choose the language for each group. If you configured an English landing page, then select English also within that recipient group. If you have different groups with different languages within your company you can simply create a group and select a language for each recipient. LUCY then will direct each user to an individual landing page that [[dealing_with_multiple_languages_in_your_recipient_group|matches that language]]. Please read the [[Mail_Settings|Mail Settings Chapter]] for more configuration options.+**STEP 9 - Configure Message Settings (Email):​** ​ It’s time to setup email communication (if you want you can also use [[smishing|SMS]] as an alternative). Choose your sender'​s name, email addressand subject. Please also choose the language for each group. If you configured an English landing page, then select English also within that recipient group. If you have different groups with different languages within your company you can simply create a group and select a language for each recipient. LUCY then will direct each user to an individual landing page that [[dealing_with_multiple_languages_in_your_recipient_group|matches that language]]. Please read the [[Mail_Settings|Mail Settings Chapter]] for more configuration options.
  
 {{ 42.jpg?​direct&​600 }} {{ 42.jpg?​direct&​600 }}
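Review bot: The new revision of the STEP 9 paragraph reads "email addressand subject", so the separator after "address" was lost in the edit; restore "email address, and subject". In both revisions "It's time to setup email communication" should use the verb form "set up", and "LUCY then will direct" reads more naturally as "LUCY will then direct".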
Line 160: Line 160:
 {{ 84.jpg?600 }} {{ 84.jpg?600 }}
  
-You can rename the file templates from file.exe to any filename. In LUCY < 3.2 you can do that by downloading the file.exe, renaming it & the uploading it back to the generic file template.+You can rename the file templates from file.exe to any filename. In LUCY < 3.2 you can do that by downloading the file.exe, renaming it & then uploading it back to the generic file template.
  
  
Line 166: Line 166:
 ===== Technical Details about the data delivery ===== ===== Technical Details about the data delivery =====
  
-Upon execution, this tool will execute the predefined commands or access documents. It will open the built in Internet Explorer or other default browser (in hidden mode) or access Outlook and send out the collected data to LUCY via HTTP or HTTPS or via SMPT (it will automatically choose HTTPS if you run your campaign via SSL). This tool will also work in environments where the Internet is accessed with Proxy servers - only allowing access for authorized Windows users. The file can then be downloaded as a plain exe or as a zipped archive.+Upon execution, this tool will execute the predefined commands or access documents. It will open the built-in Internet Explorer or another ​default browser (in hidden mode) or access Outlook and send out the collected data to LUCY via HTTP or HTTPS or via SMPT (it will automatically choose HTTPS if you run your campaign via SSL). This tool will also work in environments where the Internet is accessed with Proxy servers - only allowing access for authorized Windows users. The file can then be downloaded as a plain exe or as a zipped archive.
  
 **Note**: The current edition of LUCY will include tools that access files on shares and upload them to the campaign or access the email client via MAPI. These features have restricted configuration options in the community edition (like maximum number of files that can be uploaded, etc.) the same goes for the number of screenshots or length of videos. Only the Commercial Editions have no limitations. You can upload your own custom payload. But keep in mind that reverse channels to LUCY won’t work; only attachments from LUCY are compiled in Real Time with certain settings (IP, Domain Name, URL etc.). **Note**: The current edition of LUCY will include tools that access files on shares and upload them to the campaign or access the email client via MAPI. These features have restricted configuration options in the community edition (like maximum number of files that can be uploaded, etc.) the same goes for the number of screenshots or length of videos. Only the Commercial Editions have no limitations. You can upload your own custom payload. But keep in mind that reverse channels to LUCY won’t work; only attachments from LUCY are compiled in Real Time with certain settings (IP, Domain Name, URL etc.).
  
- 
-**File Downloads (mail/web) are Blocked - Is There a Workaround?​** 
- 
-Yes - We have a tool which allows you to compile any executable into an Word document and convert it into a Macro. Depending on Security Settings, the user might get a security warning when opening of the Word document. The tool is only available for Commercial Clients on request. 
- 
-{{ 118.jpg?600 }} 
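Review bot: "SMPT" in the first changed line is a typo for SMTP in both revisions, and this edit did not fix it; the sentence should read "via HTTP or HTTPS or via SMTP". The hunk also removes the "File Downloads (mail/web) are Blocked - Is There a Workaround?" question together with its answer and image 118.jpg; the Office-macro delivery option is still referenced in STEP 0 through the create_a_phishing_campaign_with_a_word_macro link, so if the paragraph was dropped as outdated rather than moved, a pointer to that page would keep the blocked-downloads question answered.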
create_a_phishing_campaign_with_malware_simulations.1480961189.txt.gz · Last modified: 2019/07/25 12:50 (external edit)