Lucy Awareness
File Attack Whitelisting

Last updated 7 months ago

Introduction

Lucy's file attacks deliver a payload (in the scenario below, an Excel workbook with a macro) that Microsoft Defender Antivirus would normally detect and quarantine before the user can open it. To run such a simulation on Defender-protected endpoints, configure an Active Directory (AD) Group Policy Object (GPO) that excludes the payload file from scanning. This guide provides step-by-step instructions for whitelisting files by path using GPOs.


Important Considerations

Whitelisting Lucy IP:

  • Ensure that Lucy's IP is whitelisted at the mail gateway level so that the campaign emails are delivered at all; the Defender exclusion only matters once the message and the download reach the user.

  • For detailed instructions, see the Microsoft O365 Whitelisting and Google Workspace Whitelisting guides listed under References.

Additional Security Measures:

  • This guide covers GPO settings for Microsoft Defender Antivirus in AD. If your organization uses additional endpoint protection (third-party antivirus or EDR), a web proxy that inspects downloads, or firewall protection, equivalent whitelisting must be configured in each of those products.

  • Treat the exclusion as campaign-specific: scope it to the exact file path and to the OU that holds the campaign recipients' computers, and remove it when the campaign ends, because an excluded path is not scanned for real malware either.

Macro-Related Attacks:

  • For macro-related attacks, users will still need to enable editing and macros in Office documents. Design the attack scenario to prompt users to perform these actions.


Scenario Example

Scenario:

  • Successful Attack = Data Submit / File Data Received

  • Attack Vector: Mixed Attack (Harvest credentials via user login on a web-hosted page + download and execute payload).

Idea:

  • The user receives an email from the CEO with a link to a list of top clients.

  • The user logs in to a landing page, completing phase 1 (credential harvesting).

  • The user downloads an Excel file, which is excluded from virus scanning.

  • Upon opening the file and enabling editing and macros, the script runs, completing phase 2 (data submission).


Below is the process for adding a file to the exclusion list on a single machine:

  1. Open Windows Security:

    • Go to Start -> Settings -> Update & Security -> Windows Security -> Virus & Threat Protection.

  2. Add Exclusion:

    • Under Virus & Threat Protection settings, select Manage Settings.

    • Scroll down to Exclusions and select Add or Remove Exclusions.

    • Click Add an Exclusion and choose File.

    • Select the file to be excluded.

This workflow demonstrates the process on a single machine, but for organizational-scale implementation the network administrator performs the equivalent steps via AD GPO so that the exclusion reaches every campaign computer.


Excluding a File Path in Active Directory via GPO:

Open Group Policy Management:

  • In Server Manager, go to Tools -> Group Policy Management.

Create or Edit a GPO:

  • Expand the domain that holds the end users' computers. Defender exclusions live under Computer Configuration, so the GPO must be linked to the OU that contains the target computers, not to a user OU.

  • Create a new GPO linked to that OU, or right-click an existing policy and select Edit.

Navigate to Microsoft Defender Antivirus Settings:

  • Go to Computer Configuration > Policies > Administrative Templates.

  • Click on Windows Components.

  • Scroll down to Microsoft Defender Antivirus.

  • Click on Exclusions.

Define Path Exclusion:

  • Double-click Path Exclusions.

  • Select Enabled and then click Show.

  • In the Value name column, enter the file path, e.g., C:\Users\local.user\Downloads\List of Top clients V2.xls. A per-user path like this only matches that one profile; Defender accepts wildcards in path exclusions, so C:\Users\*\Downloads\List of Top clients V2.xls covers the Downloads folder of every user on the machine.

  • Set the Value to 0.

  • Click OK and Apply.

Apply the Policy:

  • Make sure the GPO is linked to the OU and the link is enabled. Right-click the link and select Enforced only if a lower-level OU blocks inheritance; enforcement is not otherwise required.

  • Run gpupdate /target:computer /force on a client (or wait for the background refresh, which runs roughly every 90 minutes) and verify the exclusion with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath. The policy applies per computer, not per user.
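
The GPO procedure above, automated with the GroupPolicy module and verified on a client. This is an added example, not part of the Lucy documentation or product; the GPO name, OU distinguished name, excluded path and client hostname are placeholders, and the registry locations are the ones the "Path Exclusions" administrative template writes. It also includes the single-machine equivalent of the Windows Security steps (Add-MpPreference) and a cleanup function for the end of the campaign.

```powershell
# Added example (not Lucy's own tooling): create, link, verify and later remove a
# Defender path-exclusion GPO for a file-attack simulation. Run on a domain controller
# or a host with RSAT; the client check needs WinRM to the target machine.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$GpoName      = 'Lucy-FileAttack-DefenderExclusion'                # assumed name
$TargetOU     = 'OU=Workstations,DC=corp,DC=example'                # assumed OU holding the campaign computers
$ExcludedPath = 'C:\Users\*\Downloads\List of Top clients V2.xls'   # wildcard profile instead of one user
$ClientHost   = 'WS-001'                                             # assumed test client

# Registry key behind "Microsoft Defender Antivirus > Exclusions > Path Exclusions"
$ExclusionsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function New-DefenderExclusionGpo {
    param([string]$Name, [string]$Ou, [string]$Path)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Temporary: Lucy file-attack campaign. Remove after campaign end.'
    }

    # Equivalent of setting the "Path Exclusions" policy to Enabled ...
    Set-GPRegistryValue -Name $Name -Key $ExclusionsKey -ValueName 'Exclusions_Paths' `
        -Type DWord -Value 1 | Out-Null
    # ... and adding one row in the Show dialog: value name = path, value = 0
    Set-GPRegistryValue -Name $Name -Key "$ExclusionsKey\Paths" -ValueName $Path `
        -Type DWord -Value 0 | Out-Null

    # Link to the OU only once; "Enforced" is not needed unless inheritance is blocked below
    $linked = Get-GPInheritance -Target $Ou |
        Select-Object -ExpandProperty GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $Ou -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

function Test-DefenderExclusionApplied {
    param([string]$Computer, [string]$Path)

    # Refresh computer policy on the client and report whether the exclusion is in effect
    Invoke-Command -ComputerName $Computer -ArgumentList $Path -ScriptBlock {
        param($p)
        gpupdate /target:computer /force | Out-Null

        $policyPaths = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths' `
                                        -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            PolicyPresent = ($null -ne $policyPaths) -and ($policyPaths.PSObject.Properties.Name -contains $p)
            # Get-MpPreference shows the effective (policy plus local) exclusion list
            EffectiveOnAV = ((Get-MpPreference).ExclusionPath -contains $p)
        }
    }
}

function Remove-DefenderExclusionGpo {
    # Cleanup once the campaign is over: unlink from the OU, then delete the GPO
    param([string]$Name, [string]$Ou)
    Remove-GPLink -Name $Name -Target $Ou -ErrorAction SilentlyContinue | Out-Null
    Remove-GPO -Name $Name
}

function Add-LocalDefenderExclusion {
    # Single-machine equivalent of the Windows Security steps, for testing the payload locally
    param([string]$Path)
    Add-MpPreference -ExclusionPath $Path
    return ((Get-MpPreference).ExclusionPath -contains $Path)
}

New-DefenderExclusionGpo -Name $GpoName -Ou $TargetOU -Path $ExcludedPath
Test-DefenderExclusionApplied -Computer $ClientHost -Path $ExcludedPath
# After the campaign:
# Remove-DefenderExclusionGpo -Name $GpoName -Ou $TargetOU
```

The check returns two flags on purpose: PolicyPresent confirms the GPO reached the machine's registry, EffectiveOnAV confirms Defender actually honours it. If the first is true and the second is false, the Defender service has not yet picked up the policy or another management channel is overriding it, which is worth knowing before the campaign emails go out.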


Enabling Editing and Content in Excel:

Enable Editing:

  • When the file is opened, click Enable Editing to leave Protected View.

Enable Content:

  • Click Enable Content to allow macros to run.

The Defender exclusion only stops the file from being scanned or quarantined; it does not change Office's own macro security, so the user still has to take both steps and the attack email or landing page should be written to prompt them. Note that recent versions of Microsoft 365 Apps block macros outright in files that carry the Mark of the Web (i.e. downloaded from the internet), in which case no Enable Content button is offered: the user would first have to unblock the file (file Properties -> Unblock, or Unblock-File in PowerShell), or the organization would have to relax that policy for the campaign computers.

By following these steps, Defender will not block the file download or its execution, and the simulation can proceed as intended.

References

O365 Whitelisting
Google Workspace Whitelisting
Configure Extension File Exclusions in Microsoft Defender Antivirus