create_a_purely_technical_test_with_the_malware_testing_suite

Differences

This shows you the differences between two versions of the page.

Previous revision: create_a_purely_technical_test_with_the_malware_testing_suite [2017/02/11 17:01] lucy
Next revision: create_a_purely_technical_test_with_the_malware_testing_suite [2019/02/08 15:40] lucy
Line 3: Line 3:
 {{ 85.jpg?600 }} {{ 85.jpg?600 }}
  
-==== The idea behind LHCF: testing your defenses ====+==== The idea behind LHFC: testing your defences ====
  
-You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility. This is where LUCY'LHCF comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:+You have invested time, effort, and money in defences. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility. This is where LUCY'LHFC comes in place. There are multiple products that may help detect a malware activity. While it can be detected at the host level, you have another chance detecting it at the network level. These devices include, but are not limited to:
  
   * **Firewalls** (unfortunately, the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)   * **Firewalls** (unfortunately, the larger the network, the more difficult it can be to track down a host and determine the functionality of the host. Knowing the functionality can be instrumental in determining if the traffic is normal or suspicious)
   * **Web Proxies**   * **Web Proxies**
-  * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered defense, but the traffic will usually have to be something that is previously known and understood in order for a rule to hit. If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability)+  * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered defence, but the traffic will usually have to be something that is previously known and understood in order for a rule to hit. If the IDS has additional intelligence such as traffic thresholds or trending, then there is a low chance it could be detected from this capability)
   * **Malware/anomalous traffic detection appliances** (Malware detection appliances go a step beyond traditional IDS by integrating multiple detection mechanisms into one device. Some for example, use an layered detection mechanism with Antivirus definitions, Network signatures, File Reputation, IP reputation & Static file analysis.   * **Malware/anomalous traffic detection appliances** (Malware detection appliances go a step beyond traditional IDS by integrating multiple detection mechanisms into one device. Some for example, use an layered detection mechanism with Antivirus definitions, Network signatures, File Reputation, IP reputation & Static file analysis.
   * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally, some advanced SIEMs can do trending to detect and understand what is normal and then set thresholds to alert on unusual traffic).   * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally, some advanced SIEMs can do trending to detect and understand what is normal and then set thresholds to alert on unusual traffic).
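Review bot: the acronym correction in the heading is applied inconsistently within this hunk: the first paragraph now reads "LUCY'LHFC comes in place", which keeps the stray apostrophe and should be "LUCY's LHFC comes into play". The spelling change defenses→defences also mixes British and American conventions on the same page ("organization" and "behavior" remain American further down); pick one convention and apply it throughout. Two pre-existing defects in the untouched list items are worth fixing while the section is open: the "Malware/anomalous traffic detection appliances" item opens a parenthesis that is never closed and reads "use an layered detection mechanism" (should be "a layered"), and "help detect a malware activity" / "the presence of a malware" should drop the article ("malware activity", "the presence of malware").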
Line 20: Line 20:
 Those who deal in APTs have the following in common: Those who deal in APTs have the following in common:
  
-  * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defenses, explore your network, and steal determined types of high-value data.+  * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defences, explore your network, and steal determined types of high-value data.
   * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector.   * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector.
-  * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defenses. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network.+  * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defences. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network.
  
-Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defenses (AV, hardening, monitoring etc.). +Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defences (AV, hardening, monitoring etc.). 
  
 So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. APTs often add stolen data to internal collection points before moving it outside over different channels. So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. APTs often add stolen data to internal collection points before moving it outside over different channels.
Line 45: Line 45:
 ===== LHFC SETUP ===== ===== LHFC SETUP =====
  
-**STEP 1 - Create a New Campaign** After the login, you can create your first Phishing Campaign by pressing the button “**New**”.\\+**STEP 1 - Create a New Campaign** After the login, you can create your first Phishing Campaign by pressing the button “**New**”.Choose Your Configuration Mode: You may either continue with the Campaign or the Campaign Wizard. We recommend using the Setup Wizard when used for the first time. \\
 \\ \\
-{{ 14.jpg?direct&600 }}\\+{{ lhfs_cr_1.png?direct&600 }}\\
 \\ \\
  
 **STEP 2 - Select or Create a Client:** Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\ **STEP 2 - Select or Create a Client:** Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\
 \\ \\
-{{ 16.jpg?direct&600 }}\\+{{ lhfs_cr_2.png?direct&600 }}\\
 \\ \\
-New clients can be created under "clients". In LUCY v. 2.5 and higher this is created under settings/clients.\\+New clients can be created under "clients". In LUCY this is created under settings/clients.\\
 \\ \\
-{{ 17.jpg?direct&600 }} +{{ lhfs_cr_3.png?direct&600 }}
- +
-**STEP 3 - Choose Your Configuration Mode:** You may either continue with the **Expert Setup** or the **Setup Wizard**. We recommend using the Setup Wizard when used for the first time.  +
-\\ +
-{{ 15.jpg?direct&600 }}\\+
 \\ \\
-**STEP - Select your Phishing Scenario:** Now you need to select one or multiple phishing scenarios. Since you are going to do a technical testing you need to pick the technical malware testing template:+**STEP - Select your Phishing Scenario:** Now you need to select one or multiple phishing scenarios. Since you are going to do a technical testing you need to pick the technical malware testing template:
  
 \\ \\
-{{ 86.jpg?600 }}+{{ lhfs_cr_4.png?600 }}
 \\ \\
 ^ ^
 \\ \\
-**STEP - Configure the Base Settings of Your Campaign** Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. First give your campaign a name and then choose how your admin will be able to access LUCY by defining the [[domain_configuration|Domain]]. As this is a technical scenario it will work with an IP address as well.+**STEP - Configure the Base Settings of Your Campaign** Once you have selected the scenario, you need to configure the **Base Settings** of the campaign. First give your campaign a name and then choose how your admin will be able to access LUCY by defining the [[domain_configuration|Domain]]. As this is a technical scenario it will work with an IP address as well.
 \\ \\
 \\ \\
-**STEP - Fine Tune the Basic Settings (each scenario has its own base settings): ** There a few **Optional Settings** that you can apply within the Base Settings. For the technical testing you can adjust those settings within the "scenario settings":+**STEP - Fine Tune the Basic Settings (each scenario has its own base settings): ** There a few **Optional Settings** that you can apply within the Base Settings. For the technical testing you can adjust those settings within the "scenario settings":
  
-  * Attachments - Compress Executable Attachmentsinstead of sending the attachment as a plain file (e.g. file.exe) or providing it as an executable file to download you can set the compression option (this is recommended)Using this option will create an archived version of the file (e.g. file.zip).+  * File Type: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need an additional client software)
   * Custom file name: you can give the archive a custom name (e.g. "LHFC.zip")   * Custom file name: you can give the archive a custom name (e.g. "LHFC.zip")
   * Password: Most common filters (HTTP,SMTP etc.) will block the download of an executable or the sending of an email attachment. Setting a password might help you to get the executable on the desired target host.   * Password: Most common filters (HTTP,SMTP etc.) will block the download of an executable or the sending of an email attachment. Setting a password might help you to get the executable on the desired target host.
-  * Compress Type: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need an additional client software) 
  
-{{ file_name.png?600 }}+ 
 +{{ lhfs_cr_10.png?600 }}
  
  
-**STEP - Edit the LHFC download page:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]]. On this page, you can configure the settings of the tool. When downloaded via email or the Web, the tool will be pre-configured with those settings. +**STEP - Edit the LHFC download page:** After saving the Base Settings, you can now [[Edit_Landing_Page|Edit the Landing Page]]. On this page, you can configure the settings of the tool. When downloaded via email or the Web, the tool will be pre-configured with those settings. 
  
-{{ 87.jpg?600 }}+{{ lhfs_cr_7.png?600 }}
  
 All LHFC settings can be saved as general templates as well for future use: All LHFC settings can be saved as general templates as well for future use:
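Review bot: removing the old Step 3 has left the step numbering broken rather than renumbered: Steps 1 and 2 keep their numbers, but every later heading in this hunk now reads "STEP - …" with no number, so a reader cannot tell where they are in the wizard or refer to a step by number. Renumber sequentially (Step 3 - Select your Phishing Scenario, Step 4 - Configure the Base Settings, and so on) instead of blanking the numbers. In the merged Step 1 text, "“New”.Choose Your Configuration Mode" is missing a space after the period, and the choice is described as "the Campaign or the Campaign Wizard" while the next sentence recommends "the Setup Wizard"; use one name per mode. "New clients can be created under "clients". In LUCY this is created under settings/clients." now gives two locations for the same action with the version qualifier removed; keep only the current path. In the scenario-settings list, dropping the "Compress Executable Attachments" bullet leaves "Custom file name: you can give the archive a custom name" and the Password option referring to an archive that is no longer introduced; reinstate one sentence saying the executable is delivered inside a compressed archive before listing the file type, name and password options, and state that the password applies to the archive, since that is what lets the file pass the mail and proxy filters mentioned. Finally, "There a few Optional Settings" is missing "are".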
Line 96: Line 92:
  
  
-**STEP - Configure Message Settings (Email):**  It’s time to setup email communication. Choose your sender's name, email address and subject. The reason why you need a mail recipient is because within the mail you will find a custom download link to LHFC (keep in mind that LHFC is compiled on the fly within the campaign. That's why you cannot just download the tool from the file based templates). +**STEP - Configure Message Settings (Email):**  It’s time to setup email communication. Choose your sender's name, email address and subject. The reason why you need a mail recipient is because within the mail you will find a custom download link to LHFC (keep in mind that LHFC is compiled on the fly within the campaign. That's why you cannot just download the tool from the file based templates). 
  
 When choosing the LHFC scenario, LUCY will offer you additionally to send the tool via mail. If you already have chosen a landing page where LHFC can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose "NA" within the malware simulation template dropdown menu. When choosing the LHFC scenario, LUCY will offer you additionally to send the tool via mail. If you already have chosen a landing page where LHFC can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose "NA" within the malware simulation template dropdown menu.
  
  
-**STEP 10 - Add Recipients to Your Campaign**: You need to create the Recipients List in the Menu item "Recipients". In this case it would be the account of an admin, who will execute the file on the target host.+**STEP - Add Recipients to Your Campaign**: You need to create the Recipients List in the Menu item "Recipients". In this case it would be the account of an admin, who will execute the file on the target host.
  
-{{ 47.jpg?direct&600 }}+{{ lhfs_cr_8.png?direct&600 }}
  
 Please read the [[Add_Mail_Recipients|Recipients Settings Chapter]] for more configuration options.  Please read the [[Add_Mail_Recipients|Recipients Settings Chapter]] for more configuration options. 
  
  
-**Step 11 - Start Your Campaign:** Now you are ready to start. If you want to skip the checks, press "Skip Checks". Your first recipients should receive the emails within seconds. Please read the [[Start_a_Campaign_Campaign_Checks|Start Campaign Settings Page]] for more configuration options. If you experience any problems with starting/running your campaign, please [[Troubleshooting_Known_Issues|Consult the Troubleshoot Section]] first.+**Step - Start Your Campaign:** Now you are ready to start. If you want to skip the checks, press "Skip Checks". Your first recipients should receive the emails within seconds. Please read the [[Start_a_Campaign_Campaign_Checks|Start Campaign Settings Page]] for more configuration options. If you experience any problems with starting/running your campaign, please [[Troubleshooting_Known_Issues|Consult the Troubleshoot Section]] first.
  
-{{ 59.jpg?direct&600 }}+{{ lhfs_cr_9.png?direct&600 }}
  
  
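Review bot: the numbering regression continues here: "STEP 10" and "Step 11" have been replaced with "STEP -" and "Step -", so the recipient and start steps are now unnumbered and the capitalization differs between "STEP" and "Step". Restore sequential numbers in a single style. In the message-settings step, "setup email communication" should be "set up"; and the explanation of why a recipient is needed would be clearer as two sentences: the mail carries a campaign-specific download link, and LHFC is compiled per campaign, so it cannot be taken from the file-based templates.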
Line 183: Line 179:
 ===== Malware Testing Templates ===== ===== Malware Testing Templates =====
  
-Beside single checks LHCF is also able to perform tests based on a template (please note that it is not possible to run single checks and a template at the same time). Currently there are two templates implemented which are described in detail.+Beside single checks LHFC is also able to perform tests based on a template (please note that it is not possible to run single checks and a template at the same time). Currently there are two templates implemented which are described in detail.
  
 {{ templateslhcf.png?400 }} {{ templateslhcf.png?400 }}
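Review bot: "Beside single checks" should be "Besides single checks", and the constraint that single checks and a template cannot run at the same time deserves its own sentence rather than a parenthesis, since it is a restriction users will hit. The LHCF→LHFC correction is applied to the prose but the image file is still named templateslhcf.png; that is fine as a file name provided the file itself was not renamed in this revision.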
Line 209: Line 205:
   * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if "Delete data" is unchecked. (it should not delete any data when it works with real data). This setting is necessary because the ransomware creates many files with relatively big sizes. By default it creates 1000 files with 512 kb size each, so it will be 0.5 Gb overall.   * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if "Delete data" is unchecked. (it should not delete any data when it works with real data). This setting is necessary because the ransomware creates many files with relatively big sizes. By default it creates 1000 files with 512 kb size each, so it will be 0.5 Gb overall.
  
-When started the tool will create a separate executable (example: C:\Users\Test\Desktop\2afbaff8-f048-445c-bcf3-05b7d8d33133\rnsmw.exe) which will try to discover local and remote share drives (as an anonymous and an authenticated user). LHCF will then make read/write tests on the discovered dives. If the setting "work with real data" is selected LHCF will search recent docs to get a file list as well. If a write right on a share drives exist, LHCF will place a folder "LUCY RANSOMWARE SIMULATION" there. If no write right exists, LHCF will create a folder locally based on the path specified in the settings. In real data mode LHCF will make a COPY of files which were previously enumerated (the original files will not be touched by tge tool) and then encrypt the COPY and place in that new folder. If you selected "leave data" you can look at the harvested information using the SimpleXorEncrypter.exe. All harvested files can be decypted with the tool. So in order to unencrypt a file you should use this {{:simplexorencrypter.zip|unencrypter}}. It is a command line tool. For example, command "SimpleXorEncrypter.exe -u avdata.txt avdata_unencrypted.txt" will unencrypt the file avdata.txt. +When started the tool will create a separate executable (example: C:\Users\Test\Desktop\2afbaff8-f048-445c-bcf3-05b7d8d33133\rnsmw.exe) which will try to discover local and remote share drives (as an anonymous and an authenticated user). LHFC will then make read/write tests on the discovered dives. If the setting "work with real data" is selected LHFC will search recent docs to get a file list as well. If a write right on a share drives exist, LHFC will place a folder "LUCY RANSOMWARE SIMULATION" there. If no write right exists, LHFC will create a folder locally based on the path specified in the settings. 
In real data mode LHFC will make a COPY of files which were previously enumerated (the original files will not be touched by tge tool) and then encrypt the COPY and place in that new folder. If you selected "leave data" you can look at the harvested information using the SimpleXorEncrypter.exe. All harvested files can be decypted with the tool. So in order to unencrypt a file you should use this {{:simplexorencrypter.zip|unencrypter}}. It is a command line tool. For example, command "SimpleXorEncrypter.exe -u avdata.txt avdata_unencrypted.txt" will unencrypt the file avdata.txt. 
  
 {{ xor.png?600 }} {{ xor.png?600 }}
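Review bot: the paragraph split is the only change here, and the typos on the touched line survive: "discovered dives" should be "drives", "a write right on a share drives exist" should be "write access to a share exists", "tge tool" should be "the tool", "decypted" should be "decrypted", and "unencrypt" should be "decrypt" in the prose (keep the quoted "-u" command line exactly as the tool expects it). The sentence about placing a folder on any writable share is the operationally important one for anyone pointing this at production file servers; state up front that the tool writes its own "LUCY RANSOMWARE SIMULATION" folder to every share it finds writable and only ever encrypts copies, so readers do not have to infer that from the later "real data mode" sentence. In the bullet above, "512 kb" and "0.5 Gb" should be "512 KB" and "0.5 GB" (1000 × 512 KB is 500 MB), and the note that dummy data is deleted regardless of the "Delete data" setting reads as contradicting the option; spell out explicitly what the option does in each of the two modes.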
create_a_purely_technical_test_with_the_malware_testing_suite.txt · Last modified: 2019/07/25 12:49 by 127.0.0.1