Defending Against Phishing Frameworks with Splunk Enterprise Security Content Updates

Phishing is one of the most effective attack vectors. Unfortunately, it is also one of the most difficult to defend against, because its success relies on the weakest link in the defense chain—human beings. Many enterprises have developed and deployed multiple layers of security in their environments, only to find out that it is the employees themselves who, one way or another, have inadvertently opened the door and let the bad guys in.

It is by this act alone that some of the world's most secure corporations have been compromised. Worse, malicious actors continue to develop new and progressively more effective TTPs, adding to the complexity of the situation. The combination of these sophisticated techniques with exploitation kits and obfuscated post-exploitation payloads makes phishing a serious problem for any security organization.

In Enterprise Security Content Updates (ESCU 1.0.37), Splunk's Security Research Team decided to approach phishing by looking at it within the Lockheed Martin Kill Chain, using the Mitre ATT&CK framework as a reference to address phishing attack-chain elements in granular fashion. In this blog post, we will take a look at popular phishing frameworks and how we addressed them from a tactical defense perspective.

Social-Engineering Toolkit

The social-engineering toolkit by TrustedSec is another popular phishing framework that includes features such as cloning targeted sites, creation of payloads for USBs, and sending emails and SMS messages with payloads. It is more comprehensive than EvilGinx2, because it has several other types of phishing vectors and can clone almost any site. Additionally, it is not limited by the number of sites it can clone. It can integrate custom payloads, as well as the metasploit framework that allows attackers to integrate post-exploitation payloads.

One of the most effective ways of serving payloads in this framework is to clone a targeted site and, once the victim browses to it, the framework will then serve a malicious payload disguised as an update or a required application. The screenshots below show SET serving a site with upgrade message that is disguising a malicious payload.

Once the victim bypasses control mechanisms and executes malicious payloads, the next phase is comprised of a series of post-exploitation behaviors, where attackers will seek to maintain persistence and navigate through compromised organizations, looking for valuable information to exfiltrate.

Beef

The Beef browser exploitation framework is not a phishing framework per sé, but it can be used as one. Beef uses JavaScript to target browser functionality in the background using JavaScript hooks. Beef can also target mobile browsers and allow attackers to redirect browsers or pop up misleading alerts that may seem to come from legitimate sites, but actually serve malicious payloads. Beef can be a very effective tool for phishing attacks. The screenshot below shows Beef's control panel and alert pushing against the victim's browser.

As seen in the screenshots below, Beef can be very effective and can bypass many security controls and target fully hardened/patched operating systems.

EvilGinx2

EvilGinx2 is a phishing toolkit that enables Man In The Middle (MiTM) attacks by setting up a transparent proxy between the targeted site and the user. This allows the attacker not only to obtain items such as passwords, but two-factor authentication tokens, as well. This framework uses a proxy template called "phishlets" that allows a registered domain to impersonate targeted sites such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and so on.  

This tool goes beyond older phishing frameworks that would download/clone the targeted site and set up a transparent proxy between the phishing site and the targeted site. Even worse, the tool will register SSL certificates via Let’s Encrypt or allow the operator to import its own certificates. A registered site with a legitimate SSL certificate, camouflaged via URL shortener or puny code, can be very difficult to spot—even for the trained eye.

The following screenshots show a website registered by the Security Research Team and how the extraction of credentials and tokens happens in the background.

The above attack method, ATT&CK ID T1192, will succeed even if the victim uses multifactor authentication methods, such as SMS verifications or Time Based One Time Passwords (TOTP) as the transparent proxy. The proxy captures the victim's input as the MFA prompts are served. EvilGinx2 is definitely one of the most advanced phishing tools available at the moment.

The above selected phishing frameworks work differently and have different functions. Most of them cover the necessary elements to deliver malicious payloads via website or email. We decided to focus on EvilGinx2 as it is the most recent and effective phishing framework. We have also searches that can help detect other phishing attack  frameworks and tools such as the use of self signed certificates, recent domain registrations, or phantom playbooks that can address rogue proxies and cloned sites.

Tactical SIEM: How to Detect, Investigate, and Defend

In our research for our ESCU Analytic Story on detecting sites generated by phishing kits, we approached these attack vectors from a tactical perspective. We looked at the data sources and selected those items that give the operator the best path to detect and defend against the different indicators related to the above attack frameworks.

Phishing delivery framework data-source breakdown:

The above documented sources of data and corresponding Splunk tactical resources can be very effective in detecting, investigating, and defending against phishing frameworks. In the following graphs we showcase how to detect and defend against phishing frameworks under the guidelines above.

New ESCU Analytic Stories

As part of ESCU 1.0.37, Enterprise Security Content Updates (ESCU) included two Analytic Stories that focus on phishing. One, "Common Phishing Frameworks," is designed to detect EvilGinx2 registered domains. The other, "Phishing Payloads," includes searches that look for signs of unexpected behavior—such as outlook.exe writing a .zip file or suspicious .lnk files launching processes—that may indicate that a malicious payload has been injected into your environment.

Splunk Enterprise searches:

The above search syntax can detect EvilGinx2 transparent proxy phishing connections (HTTP, DNS). We can see below how Splunk core can be used to detect EvilGinx2 default URI structure for the Amazon phishlet.

Phantom Playbook: Let’s Encrypt Domain Investigate

If the detection searches mentioned above return any results, Splunk Phantom can be used to gather additional information about the domain names and URLs used by the phishlet. The Phantom playbook called “Let’s Encrypt Domain Investigate” uses Censys, PassiveTotal, Screenshot Machine, and urlscan.io to gather essential information about the TLS certificates, website behavior, and domain registration of the website in question. The results are displayed in Mission Control and can be used to populate a ticket, update the notable event, or connect directly to a response action in another Phantom playbook. The screenshot below shows the Phantom playbook investigating websites using Let’s Encrypt certificates.

The Splunk Security Research Team hopes that our Analytic Stories on phishing help you develop a formidable defense against this attack vector. We welcome your feedback, as well. Feel free to leave comments below and/or click on the Feedback Center tab in ESCU and let us know how to improve! (Of course, we love compliments, too.)

Now go out there and catch some phish!