forked from splunk/security_content

common_phishing_frameworks.yml
category:
- Adversary Tactics
channel: ESCU
creation_date: '2019-04-29'
description: 'Detect DNS and web requests to fake websites generated by the EvilGinx2
  toolkit. These websites are designed to fool unwitting users who have clicked on
  a malicious link in a phishing email.'
detections:
- detection_id: 24dd17b1-e2fb-4c31-878c-d4f226595bfa
  name: Detect DNS requests to Phishing Sites leveraging EvilGinx2
  type: splunk
id: 9a64ab44-9214-4639-8163-7eaa2621bd61
maintainers:
- company: Splunk
  email: research@splunk.com
  name: Splunk Research Team
modification_date: '2019-04-29'
name: Common Phishing Frameworks
narrative: 'As most people know, phishing emails use fraudulent domains, [email scraping](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/),
  familiar contact names inserted as senders, and other tactics to lure targets into
  clicking a malicious link, opening an attachment with a [nefarious payload](https://www.cyberscoop.com/emotet-trojan-phishing-scraping-templates-cofense-geodo/),
  or entering sensitive personal information that the perpetrators can intercept. This
  attack technique requires a relatively low level of skill and allows adversaries
  to easily cast a wide net. Because phishing relies on human psychology, you will
  never be able to eliminate this vulnerability 100%, but you can use automated
  detection to significantly reduce the risk.

  This Analytic Story focuses on detecting signs of MiTM attacks enabled by [EvilGinx2](https://github.com/kgretzky/evilginx2),
  a toolkit that sets up a transparent proxy between the targeted site and the user.
  In this way, the attacker is able to intercept credentials and two-factor authentication
  tokens. It employs a proxy template to allow a registered domain to impersonate
  targeted sites, such as LinkedIn, Amazon, Okta, GitHub, Twitter, Instagram, Reddit,
  Office 365, and others. It can even register SSL certificates and camouflage them
  via a URL shortener, making them difficult to detect. Searches in this story look
  for signs of MiTM attacks enabled by EvilGinx2.'
original_authors:
- company: Splunk
  email: research@splunk.com
  name: Splunk Research Team
references:
- https://github.com/kgretzky/evilginx2
- https://attack.mitre.org/techniques/T1192/
- https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'