Phishing Email Attack - Run Book and Playbook

Updated: Jan 27, 2024

For my university cyber-security course I was asked to produce a Run Book and Play Book documenting a phishing email attack in which the attacker tries to trick a user into clicking a malicious link that leads to a carefully crafted Google login screen, which captures their login credentials.


The Run Book lists all the steps necessary to conduct a phishing campaign, a fake Google account login page and the control server that captures the user's username and password. IF YOU ARE READING THIS - DO NOT BREAK THE LAW - THIS IS FOR INFORMATION PURPOSES ONLY.


To begin with you will need an Azure lab with a Windows 10 machine and a Kali Linux install. You could also set up a separate Windows 10 machine for the victim, but it was not a requirement for my assignment so I am using Kali as both the attacker and victim machine.

RUNBOOK 1 Phishing Email Attack to Steal Login Credentials


DOCUMENT DESCRIPTION

The RD1 Phishing Email-Stealing Credentials Runbook is a guide designed to simulate a real-world phishing attack on Oz Casual. The objective of this Runbook is to assess the effectiveness of both the technical and human side of Oz Casual's (a fictitious company) cyber defensive strategy when it comes to phishing email attacks. Through this simulated exercise Oz Casual can better understand its vulnerabilities to phishing email attempts. This Runbook is tailored to replicate the tactics, techniques, and procedures (TTPs) deployed by malicious actors.


We have provided two email addresses to use in this exercise and all actions will be performed on the Kali attacker machine using an Azure lab.


STEP 1

Log in to the Kali machine, open a terminal and update the system:


sudo apt update -y

sudo apt upgrade -y


STEP 2

Run ip addr in the terminal (the Linux equivalent of Windows' ipconfig):


ip -4 addr show


Make a note of your IP address (you will need this for later).


STEP 3

Once updated, close the terminal, navigate to the Kali tools menu and search for “setool”; the first search result should be Social Engineering Toolkit. Open the app and enter the super user password when prompted.


STEP 4

Once the Social Engineering Toolkit is open, follow these menu options to craft a fake Google login page and start a listener.


From the menus select these options:

1 (social engineering)

2 (website attack vectors)

3 (credential harvester)

From the menu select 1 (web template)

Type your IP address and press Enter

Now select 2 (Google)



STEP 5

Open the Firefox browser and log in to the attacker's email:


Mail.com

Password: < use your own fake email >


From the menu click on email

Now select the Compose New Email button on the left

Address a new email to the victim: victim_machine1999@proton.me


In the subject line type: Please reset your Google password


In the body of the message type:

Good afternoon, your Google account has been compromised, please click here to login.


Sign the email “Google Security Team”


Now highlight the words ‘click here’ in your message and from the toolbar select More.


Now select the link icon (looks like a chain). Enter the IP address of the attacker machine, for example: http://192.168.0.2 (yours will be different from this!)



STEP 6

Select OK and send the email.


If the victim falls for the social engineering trap their login credentials will appear in the Social Engineering Tool Kit terminal window.



STEP 7 (Now you're the victim)

Now acting as the victim open a new tab in Firefox.


Navigate to www.mail.proton.me


Password: < Use your own second fake email >


Click on the message from “Google” and click on the link embedded in the email.

SPECIAL NOTE

Obviously in a real-world phishing attack a malicious actor would use a custom domain with an email address that more closely matches the pretext of the email, perhaps something like support@google-password-engine.com. In this example I am just using two free email accounts for the purposes of demonstrating the attack.


STEP 8

Once the victim is tricked into clicking on the link the following Google login page is displayed:

To the untrained eye this Google form looks legitimate and, in a real-world attack, would sit on a fake domain name that resembles the attack subject. The victim enters their Google username and password into the form and they have been hacked!


Navigating back to the terminal you will see that the attacker has captured the user's login credentials.




PLAYBOOK

RD1P is a written playbook guide to assist the blue team at Oz Casual in defending the organisation's IT infrastructure against phishing email attacks. The playbook describes a scenario in which an Oz Casual staff member is targeted with a phishing email that contains a malicious link. The malicious email requests the employee to reset their Google account password. Upon filling in and submitting the form, the red team will receive a response on their machine with the user's Google account credentials.


STEP 1 - PREPARATION

1. If a phishing email has been detected and a user has clicked on a link, contact DAVID GILMORE, Incident Response Manager, and complete the necessary online form with details of the incident.


2. Instigate the Incident Response plan using Oz Casual's pre-defined incident response plan.


3. Provide regular cyber security training so that all Blue Team members are trained to defend Oz Casual from this type of attack.


4. Ensure Oz Casual's Endpoint Detection software is installed and updated.


5. Ensure Splunk is installed and ingesting logs.


6. Conduct regular cyber security audits to discover misconfigurations and vulnerabilities.


7. Ensure regular staff awareness training on the dangers of phishing emails.


8. Instigate regular phishing test emails to be sent to all employees to test their phishing awareness. Such a program consists of the Red Team crafting their own phishing emails that will identify any employees who click on the link and that will open a conversation with that employee to strengthen their awareness. This is seen as an opportunity for learning and training not punishment.



STEP 2 - DETECTION AND ANALYSIS

Tools to utilize:

+ Wireshark.

+ Splunk.

+ Endpoint Protection software.


Indicators of Compromise:

+ Suspicious email attributes.

+ Endpoint anomalies.

+ Unusual login attempts outside of normal behavior.

+ Unexpected email attachments or links.

+ Account behavior anomalies.

+ Communication with known malicious domains/IPs.


Data Analysis:

+ Collection of logs from Splunk for analysis.

+ Analysis of the email and any hyperlinks or attachments.
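As a first automated pass over the email's attributes and hyperlinks, here is an added example (not part of the original runbook or playbook) that triages a raw message for the indicators listed above: a sender whose display name claims Google but whose domain does not, urgency wording, and links that are plain HTTP, point at a bare IP address, or lead somewhere other than the claimed brand. The message it inspects is a constructed sample modelled on the runbook's lure; the sender address and IP address are placeholders.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the runbook's lure; sender and IP are placeholders.
SAMPLE_EMAIL = b"""\
From: Google Security Team <attacker_account@mail.com>
Subject: Please reset your Google password
Content-Type: text/html; charset=utf-8

<p>Good afternoon, your Google account has been compromised,
please <a href="http://192.168.0.2">click here</a> to login.</p>
<p>Google Security Team</p>
"""
URGENCY_WORDS = ("compromised", "reset your", "verify your", "suspended")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(raw):
    """Return the indicators found in a raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    domain = addrs[0].domain.lower() if addrs else ""
    shown = addrs[0].display_name.lower() if addrs else ""
    found = []
    # Display name invokes Google but the sending domain is not Google's.
    if "google" in shown and not domain.endswith("google.com"):
        found.append(f"sender-brand-mismatch:{domain}")
    body = msg.get_body(("html", "plain")).get_content()
    if any(w in f"{msg['Subject']} {body}".lower() for w in URGENCY_WORDS):
        found.append("urgency-language")
    for href in HREF_RE.findall(body):  # simple pattern; enough for triage
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme == "http":
            found.append(f"plain-http-link:{href}")
        if _is_ip(host):
            found.append(f"bare-ip-link:{host}")
        elif "google" in shown and not host.endswith("google.com"):
            found.append(f"off-brand-link:{host}")
    return found
```

Running triage(SAMPLE_EMAIL) flags the sender mismatch, the urgency wording and the plain-HTTP bare-IP link, which is exactly the combination the runbook's email produces; a genuine internal message yields an empty list.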


STEP 3 - CONTAINMENT, ERADICATION AND RECOVERY

Containment:

+ Any affected user should have their account username and password changed immediately.

+ The new password must be substantially different from the revealed password.


Eradication:

+ All affected systems should be disconnected from the network immediately.

+ Block the attacker's IP/domain using Endpoint Protection software or the Windows Firewall / Defender.


Recovery:

+ Once evidence has been preserved the affected systems should be reimaged from a safe backup point.

+ Once reimaged the affected system should be analyzed for vulnerabilities using a vulnerability scanner.

+ Block the attacker's IP/domain using Endpoint Protection software or the Windows Firewall / Defender.

+ Install email security software such as Barracuda email gateway or Mimecast secure email gateway.

+ Ensure Endpoint Protection software is installed and up to date.


STEP 4 - POST INCIDENT ACTIVITY

+ Complete the incident response report.

+ Provide analysis of the link clicked and the account compromised.

+ Provide a summary report to the Executive team.

+ Evaluate the effectiveness of the response.

+ Instigate employee training module on phishing email awareness.

+ Request that employees regularly change their passwords.

