create_a_purely_technical_test_with_the_malware_testing_suite
Differences
This shows you the differences between two versions of the page.
create_a_purely_technical_test_with_the_malware_testing_suite [2017/02/11 17:01] – lucy | create_a_purely_technical_test_with_the_malware_testing_suite [2019/02/08 15:40] – lucy | ||
---|---|---|---|
Line 3: | Line 3: | ||
{{ 85.jpg?600 }} | {{ 85.jpg?600 }} | ||
- | ==== The idea behind | + | ==== The idea behind |
- | You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, | + | You have invested time, effort, and money in defences. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, |
* **Firewalls** (unfortunately, | * **Firewalls** (unfortunately, | ||
* **Web Proxies** | * **Web Proxies** | ||
- | * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered | + | * **IDS** (an intrusion detection system can potentially detect malware activity if a rule is triggered. This is useful as a layered |
* **Malware/ | * **Malware/ | ||
* **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally, | * **Security Information and Event Management (SIEM) solutions** (Security Information and Event Management solutions can also help detect the presence of a malware, but it is usually using logs from one or more of the devices mentioned above. The advantage here is greater visibility by using multiple different types of logs—from hosts to network gear. Additionally, | ||
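Review bot: The only change in this hunk is the spelling switch from "defenses" to "defences" in the "The idea behind" paragraph, which moves that sentence to British spelling while the unchanged SIEM bullet in the same hunk keeps wording that would benefit more from an edit ("the presence of a malware" should be "the presence of malware", and "it is usually using logs" reads better as "it usually uses logs"); if the intent is a spelling cleanup, apply one convention across the whole page rather than to this single word.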
Line 20: | Line 20: | ||
Those who deal in APTs have the following in common: | Those who deal in APTs have the following in common: | ||
- | * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defenses, explore your network, and steal determined types of high-value data. | + | * **Customized** – An attack on your network is a carefully planned heist. Attackers carry out extensive research and tailor the attack to evade your set defences, explore your network, and steal determined types of high-value data. |
* **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector. | * **Surgical** – Rather than being scattered to the wind, targeted attacks and APTs are carefully delivered to specific targets, often using highly convincing emails intended for a single individual within your organization as a penetration vector. | ||
- | * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defenses. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network. | + | * **Highly Sophisticated** – Today’s targeted attacks and Advanced Persistent Threats use complex techniques to conceal themselves from your defences. Once inside the network, they can alter their appearance, switch ports and protocols, and remain undetected for long periods of time as they move around the network to find and steal your data. Detecting these attacks requires a modern advanced solution that provides visibility into every corner of your network. |
- | Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defenses | + | Since there are millions of Malware types, and even more combinations of attack patterns: How would a IT security officer know if the network can prevent APT attacks? This question can now be answered with LUCY’s Malware Testing Module (initially called Low Hanging Fruit Collector). It simulates APT behavior without harming your infrastructure. It enables you to test your defences |
So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, | So What is the Typical APT Behavior? APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, | ||
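Review bot: Both sides of the "Since there are millions of Malware types" paragraph read "How would a IT security officer know"; this should be "an IT security officer", and "Malware" does not need a capital mid-sentence. The hunk again replaces "defenses" with "defences" in the Customized and Highly Sophisticated bullets but leaves "behavior" (same paragraph) and "organization" (Surgical bullet) in American spelling, so the revision ends up mixing the two conventions in one list.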
Line 45: | Line 45: | ||
===== LHFC SETUP ===== | ===== LHFC SETUP ===== | ||
- | **STEP 1 - Create a New Campaign** After the login, you can create your first Phishing Campaign by pressing the button “**New**”.\\ | + | **STEP 1 - Create a New Campaign** After the login, you can create your first Phishing Campaign by pressing the button “**New**”.Choose Your Configuration Mode: You may either continue with the Campaign or the Campaign Wizard. We recommend using the Setup Wizard when used for the first time. \\ |
\\ | \\ | ||
- | {{ 14.jpg? | + | {{ lhfs_cr_1.png? |
\\ | \\ | ||
**STEP 2 - Select or Create a Client:** Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\ | **STEP 2 - Select or Create a Client:** Create a client or choose the built in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create [[user_management|view only accounts]] which are associated with those clients.\\ | ||
\\ | \\ | ||
- | {{ 16.jpg? | + | {{ lhfs_cr_2.png? |
\\ | \\ | ||
- | New clients can be created under " | + | New clients can be created under " |
\\ | \\ | ||
- | {{ 17.jpg? | + | {{ lhfs_cr_3.png? |
- | + | ||
- | **STEP 3 - Choose Your Configuration Mode:** You may either continue with the **Expert Setup** or the **Setup Wizard**. We recommend using the Setup Wizard when used for the first time. | + | |
- | \\ | + | |
- | {{ 15.jpg? | + | |
\\ | \\ | ||
- | **STEP | + | **STEP |
\\ | \\ | ||
- | {{ 86.jpg?600 }} | + | {{ lhfs_cr_4.png?600 }} |
\\ | \\ | ||
^ | ^ | ||
\\ | \\ | ||
- | **STEP | + | **STEP |
\\ | \\ | ||
\\ | \\ | ||
- | **STEP | + | **STEP |
- | * Attachments - Compress Executable Attachments: instead of sending the attachment as a plain file (e.g. file.exe) or providing it as an executable file to download | + | * File Type: you can choose which compression |
* Custom file name: you can give the archive a custom name (e.g. " | * Custom file name: you can give the archive a custom name (e.g. " | ||
* Password: Most common filters (HTTP,SMTP etc.) will block the download of an executable or the sending of an email attachment. Setting a password might help you to get the executable on the desired target host. | * Password: Most common filters (HTTP,SMTP etc.) will block the download of an executable or the sending of an email attachment. Setting a password might help you to get the executable on the desired target host. | ||
- | * Compress Type: you can choose which compression type you want (the common type which is supported by all windows clients is .zip; other compression types will need an additional client software) | ||
- | {{ file_name.png?600 }} | + | |
+ | {{ lhfs_cr_10.png?600 }} | ||
- | **STEP | + | **STEP |
- | {{ 87.jpg?600 }} | + | {{ lhfs_cr_7.png?600 }} |
All LHFC settings can be saved as general templates as well for future use: | All LHFC settings can be saved as general templates as well for future use: | ||
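Review bot: In the new STEP 1 text the configuration-mode sentence that was merged in from the old STEP 3 is run together with the previous sentence: "“**New**”.Choose Your Configuration Mode:" needs a space (or the line break the old STEP 3 had) after the full stop. The same sentence now offers "the Campaign or the Campaign Wizard", yet the next sentence still recommends "the Setup Wizard", the name used on the old side; use one name for the wizard in both sentences. Also, the old side's removed "Compress Type" bullet ("the common type which is supported by all windows clients is .zip; other compression types will need an additional client software") was the only place stating which archive type works without extra client software; the replacement "File Type" bullet is cut off here, so confirm that this explanation survived the reorder.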
Line 96: | Line 92: | ||
- | **STEP | + | **STEP |
When choosing the LHFC scenario, LUCY will offer you additionally to send the tool via mail. If you already have chosen a landing page where LHFC can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose " | When choosing the LHFC scenario, LUCY will offer you additionally to send the tool via mail. If you already have chosen a landing page where LHFC can be downloaded it is not necessary to attach it via mail as well. Therefore if you don't want LUCY to send the file via mail choose " | ||
- | **STEP | + | **STEP |
- | {{ 47.jpg? | + | {{ lhfs_cr_8.png? |
Please read the [[Add_Mail_Recipients|Recipients Settings Chapter]] for more configuration options. | Please read the [[Add_Mail_Recipients|Recipients Settings Chapter]] for more configuration options. | ||
- | **Step | + | **Step |
- | {{ 59.jpg? | + | {{ lhfs_cr_9.png? |
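Review bot: Since this hunk touches only the step headings and the screenshot file names, the unchanged paragraph under the LHFC scenario step is worth tidying at the same time: "LUCY will offer you additionally to send the tool via mail" reads better as "LUCY will additionally offer to send the tool by mail", and the sentence beginning "Therefore if you don't want LUCY to send the file via mail choose" needs a comma after "Therefore".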
Line 183: | Line 179: | ||
===== Malware Testing Templates ===== | ===== Malware Testing Templates ===== | ||
- | Beside single checks | + | Beside single checks |
{{ templateslhcf.png? | {{ templateslhcf.png? | ||
Line 209: | Line 205: | ||
* Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if " | * Set an option to leave a copy of data on PC/Share or delete it after running. When the ransomware works with dummy data, it deletes the files right after the creation even if " | ||
- | When started the tool will create a separate executable (example: C: | + | When started the tool will create a separate executable (example: C: |
{{ xor.png?600 }} | {{ xor.png?600 }} |
create_a_purely_technical_test_with_the_malware_testing_suite.txt · Last modified: 2019/07/25 12:49 by 127.0.0.1