Phishing is one of the most effective attack vectors. What's more, it is also one of the most difficult to defend against, because its success relies on the weakest link in the defense chain—human beings. Many enterprises have developed and deployed multiple layers of security in their environments, only to find out that it is the employees themselves who, one way or another, have inadvertently opened the door and let the bad guys in.
It is by this act alone that some of the world's most secure corporations have been compromised. Worse, malicious actors continue to develop new and progressively more effective TTPs, adding to the complexity of the situation. The combination of these sophisticated techniques with exploitation kits and obfuscated post-exploitation payloads makes phishing a serious problem for any security organization.
In Enterprise Security Content Update (ESCU 1.0.37), Splunk's Security Research Team decided to approach phishing by looking at it within the Lockheed Martin Kill Chain, using the Mitre ATT&CK framework as a reference to address phishing attack-chain elements in granular fashion. In this blog post, we will take a look at popular phishing frameworks and how we addressed them from a tactical defense perspective.
The social-engineering toolkit by TrustedSec is a popular phishing framework that includes features such as cloning targeted sites, creation of payloads for USBs, and sending emails and SMS messages with payloads. It is more comprehensive than some other kits, such as EvilGinx2, because it has several other types of phishing vectors and can clone almost any site. Additionally, it is not limited by the number of sites it can clone. It can integrate custom payloads, as well as the metasploit framework that allows attackers to integrate post-exploitation payloads.
One of the most effective ways of serving payloads in this framework is to clone a targeted site and, once the victim browses to it, the framework will then serve a malicious payload disguised as an update or a required application. Once the victim bypasses control mechanisms and executes malicious payloads, the next phase is comprised of a series of post-exploitation behaviors, where attackers will seek to maintain persistence and navigate through compromised organizations, looking for valuable information to exfiltrate.
The Beef browser exploitation framework is not a phishing framework per sé, but it can be used as one. Beef uses JavaScript to target browser functionality in the background using JavaScript hooks. Beef can also target mobile browsers and allow attackers to redirect browsers or pop up misleading alerts that may seem to come from legitimate sites, but actually serve malicious payloads. Beef can be a very effective tool for phishing attacks.
As seen in the screenshot above, Beef can be very effective and can bypass many security controls and target fully hardened/patched operating systems.
EvilGinx2 is a phishing toolkit that enables Man In The Middle (MiTM) attacks by setting up a transparent proxy between the targeted site and the user. This allows the attacker not only to obtain items such as passwords, but two-factor authentication tokens, as well. This framework uses a proxy template called "phishlets" that allows a registered domain to impersonate targeted sites such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and so on.
This tool goes beyond older phishing frameworks that would download/clone the targeted site and set up a transparent proxy between the phishing site and the targeted site. Even worse, the tool will register SSL certificates via Let’s Encrypt or allow the operator to import its own certificates. A registered site with a legitimate SSL certificate, camouflaged via URL shortener or puny code, can be very difficult to spot—even for the trained eye.
The following figures show a website registered by the Security Research Team and how the extraction of credentials and tokens happens in the background.
The above attack method, ATT&CK ID T1192, will be successful even if the victim uses multifactor authentication methods, such as SMS verifications or Time Based One Time Passwords (TOTP) as the transparent proxy. The proxy captures the victim's input as the MFA prompts are served. EvilGinx2 is definitely one of the most advanced phishing tools available at the moment.
The above selected phishing frameworks work differently and have different functions. Most of them cover the necessary elements to deliver malicious payloads via website or email. We decided to focus on EvilGinx2 as it is the most recent and effective phishing framework. We have also searches that can help detect other phishing attack frameworks and tools such as the use of self signed certificates, recent domain registrations, or phantom playbooks that can address rogue proxies and cloned sites.
In our research for our ESCU Analytic Story on detecting sites generated by phishing kits, we approached these attack vectors from a tactical perspective. We looked at the data sources and selected those items that give the operator the best path to detect and defend against the different indicators related to the above attack frameworks.
Phishing Technique |
ATT&CK Technique ID |
Data Source |
Splunk Tactical Resource |
Cloned site |
T1192 |
Threat intelligence |
Phantom playbook: “User prompt and block domain” |
Proxy |
T1192 |
Threat intelligence |
Phantom playbook: “User prompt and block domain” |
Self-signed certificate |
T1192 |
Certificate registration |
Splunk Enterprise “Letsencrypt” “Self Signed” detection search. Phantom playbook: “Let’s Encrypt Domain Investigate” ESCU Search: "Attempt To Add Certificate To Untrusted Store" |
New registered domain |
T1192 |
Passive DNS |
Splunk ES investigation Phantom playbook: “User prompt and block domain” |
MIME type payload delivery |
T1192 |
Web proxy, Gateway logs |
UBA detection - Suspicious http redirects |
Malicious attachment |
T1193 |
Email data logs |
ESCU search: "Email Attachments With Lots Of Spaces" ESCU search: "Suspicious Email Attachment Extension"s |
DGA |
T1323 |
Proxy logs |
UBA DGA detection: "Suspicious Domain Name" |
Potential phishing email |
T1193 |
Email data logs |
ESCU search: "Monitor Email For Brand Abuse" |
Malicious payload delivered by email and executed |
T1204 |
Email data logs, Sysmon, AD |
ESCU search: "Email files written outside of the Outlook directory" |
The above documented sources of data and corresponding Splunk tactical resources can be very effective in detecting, investigating, and defending against phishing frameworks.
As part of ESCU 1.0.37, Enterprise Security Content Updates (ESCU) included two Analytic Stories that focus on phishing. One, "Common Phishing Frameworks," is designed to detect EvilGinx2 registered domains. The other, "Phishing Payloads," includes searches that look for signs of unexpected behavior—such as outlook.exe writing a .zip file or suspicious .lnk files launching processes—that may indicate that a malicious payload has been injected into your environment.
Find all queried domains from the Network_Resolution data model |
| tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from data model=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)` | rex field=query ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | stats count values(query) as query by domain dest src answer |
Match combination of subdomains that are associated with EvilGinx2 phishing sites via macros.conf in ESCU |
| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` |
Exclude all verified domains (amazon.com, github.com, office.com, and so on). This helps filter out false positives. |
| search NOT [ inputlookup evilginx_domains.csv | fields domain] |
Join the results with web data from the visited EvilGinx2 sites from the Web data model |
| join domain [| tstats count summariesonly=true allow_old_summaries=true values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url |
The above search syntax can detect EvilGinx2 transparent proxy phishing connections (HTTP, DNS). We can see below how Splunk core can be used to detect EvilGinx2 default URI structure for the Amazon phishlet.
If the detection searches mentioned above return any results, Splunk Phantom can be used to gather additional information about the domain names and URLs used by the phishlet. The Phantom playbook called “Let’s Encrypt Domain Investigate” uses Censys, PassiveTotal, Screenshot Machine, and urlscan.io to gather essential information about the TLS certificates, website behavior, and domain registration of the website in question. The results are displayed in Mission Control and can be used to populate a ticket, update the notable event, or connect directly to a response action in another Phantom playbook.
The Splunk Security Research Team hopes that our Analytic Stories on phishing help you develop a formidable defense against this attack vector. We welcome your feedback, as well. Feel free to leave comments below and/or click on the Feedback Center tab in ESCU and let us know how to improve! (Of course, we love compliments, too.)
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.