Spearphishing is a common technique to infiltrate and gain initial access to an environment. Much of the data attackers use to make an email seem legitimate is available online – and even posted by companies themselves. Public information such as employees, current projects, organizational charts, and so forth can be used to make a message appear legitimate to even discerning employees.
1. Run the Attack
A phishing email is included in this lab. Let’s launch the message, taking the place of a well-meaning employee who has assumed the email’s legitimacy.
- Open the spearphishing email on the Desktop: "Please review ASAP.msg"
2. Use Outlook without Email Account
Note: If the 'Welcome to Outlook' message appears, click 'Next'. Then select 'No' when prompted to set up Outlook with an email account. Finally, tick the checkbox next to 'Use Outlook without an email account' and click 'Finish'.
3. Double-click the malicious attachment
The attachment contains known malicious signatures.
- Double-click the .docm attachment to open it
Note: If prompted to run in safe mode, select 'No'
Notice that prevention is applied, as shown by the popup in the lower right-hand corner of the screen. Carbon Black administrators can choose to show popup messages when prevention is applied on the endpoint and can even customize the message the popup contains.
4. Investigate
We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu.
It is recommended to filter by endpoint to view alerts associated with the attacks run in your lab. Click the Carbon Black Malware Chrome shortcut on the Desktop to automatically be navigated to the Alerts page filtered by the appropriate tags.
You can find your device name by going to Windows Start -> Settings -> System -> About.
- Click to expand the Device tag on the left
- Click the device name associated with your VDI instance
In the spearphishing alert, Carbon Black applied prevention based on the reputation of the file.
- Click the chevron to view alert details
- Click the tree icon to go to the alert triage
5. Alert Triage
Any node with a red shield icon indicates that prevention was applied. Prevention actions are Deny (the process is not killed, but the behavior is blocked from executing) or Terminate (the process is killed). Prevention actions can be configured in the policies.
- Click the trickbot.docm node
The prevention occurred due to reputation – Carbon Black Cloud assigns reputation based on known bad signatures, company-assigned reputation, and cloud analytics. Note that trickbot.docm has the reputation Known Malware, and prevention was applied because of it.
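Reputation-based prevention, as shown above, depends on the file already being known bad. As an added defender-side example (not part of this lab and not Carbon Black code), the script below performs a complementary, signature-free static check on an Office attachment such as the lab's .docm: it opens the OOXML package and reports whether a VBA project is present and whether the declared content types say the file is macro-enabled. The sample packages it inspects are constructed in the script itself, not taken from the lab file.

```python
import io
import zipfile

def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package standing in for a .docm (or .docx)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_macro:
        types += ('<Override PartName="/word/vbaProject.bin" '
                  'ContentType="application/vnd.ms-office.vbaProject"/>')
    parts = {"[Content_Types].xml": types + "</Types>", "word/document.xml": "<w:document/>"}
    if with_macro:
        # Placeholder bytes only; a real vbaProject.bin is an OLE compound file.
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0placeholder"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

def triage_attachment(filename: str, data: bytes) -> dict:
    """Signature-free static check: does this Office attachment carry a VBA project?"""
    result = {"file": filename, "verdict": "not-ooxml", "vba_project": False,
              "declares_macro_enabled": False, "extension_mismatch": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE .doc or arbitrary bytes: needs a different parser
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        ct_name = next((n for n in names if n.lower() == "[content_types].xml"), None)
        if ct_name is None:
            return result  # a zip, but not an OOXML package
        content_types = zf.read(ct_name).decode("utf-8", "replace").lower()
        result["declares_macro_enabled"] = "macroenabled" in content_types
        result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    # A VBA project inside a file named .docx is a stronger signal than an honest .docm.
    ext = filename.rsplit(".", 1)[-1].lower()
    result["extension_mismatch"] = result["vba_project"] and ext not in ("docm", "dotm", "xlsm", "pptm")
    if result["vba_project"] or result["declares_macro_enabled"]:
        result["verdict"] = "macro-enabled"
    else:
        result["verdict"] = "no-vba"
    return result

if __name__ == "__main__":
    for name, data in [("Please review ASAP.docm", build_sample_docm(True)),
                       ("quarterly.docx", build_sample_docm(False))]:
        print(triage_attachment(name, data))
```

The check flags a file as macro-enabled before any user double-clicks it, regardless of whether its hash has a reputation yet; a mail gateway or sandbox can quarantine on that verdict and let the EDR's reputation and behavioral prevention act as the second layer.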