Spearphishing

Initial Access > Phishing > Spearphishing Attachment

The Basics

You are likely familiar with phishing messages that try to convince users to engage with their content and reveal personal information. The adversary might persuade a user to click a malicious link or to reply to a message with personal information such as bank account details. In a spearphishing attachment attack (T1566.001), adversaries create malicious attachments and send them to users via email in an effort to gain access to a specific victim's system. In most cases, spearphishing relies on the targeted end user interacting in some way with the malicious attachment before the payload fully executes.

Spearphishing attachments can be Office files, executables, or even PDFs. Most attempts try to get the targeted end user to interact with some element within the file, which makes this a social engineering attack.

The Risks

The overall risk of falling for a message with a spearphishing attachment is severe. With just the click of a button, you could provide an attacker with full access to your system or any system that you may have access to.

Command and Scripting Interpreter: PowerShell

The Basics

PowerShell is a powerful Windows command-line shell and scripting language that systems administrators legitimately use for management purposes. As an ATT&CK sub-technique, PowerShell (T1059.001) is used to create scripts that run on local or remote systems. Such scripts can be written to elevate current privileges and gain persistence on a system.

The Risks

While there are benefits to using PowerShell, you should also be aware of some serious risks associated with leaving PowerShell enabled on a system where it is not being used. An attacker can abuse PowerShell on a system to gain access to an enormous toolset that can be used to gather information and data, or to continue to elevate privileges across the network.

Detection Configuration Recommendations

In order to effectively detect the attack simulation laid out in this course, the following configuration is recommended.

  • Have some sort of SIEM solution in place

  • Collect Windows event logs

  • Collect Sysmon logs

  • Devise a way to gather and observe email transactions (email DLP)

  • Ensure that PowerShell logging is also activated through the Windows logs
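As an added example (not part of this course's material), the following Python script puts the Sysmon and PowerShell-logging recommendations above to work: it scans a constructed newline-delimited JSON export of Sysmon process-creation events (Event ID 1) and flags PowerShell started by an Office application or PDF reader, the process chain a malicious attachment produces. The export layout, the field names carried over from Sysmon (Image, ParentImage, CommandLine, User, Computer) and the sample events are assumptions for illustration.

```python
import json
from typing import Iterable

# Parent processes a user opens a spearphishing attachment with (Office apps and the
# Adobe PDF reader). Sysmon records full paths, so we compare lowercased file names.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Return the lowercased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_office_spawned_powershell(event: dict) -> bool:
    """True when a Sysmon Event ID 1 (process creation) record shows PowerShell
    started by a document-handling parent: the chain a malicious attachment produces."""
    if event.get("EventID") != 1:
        return False
    return (image_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and image_name(event.get("Image", "")) in POWERSHELL_IMAGES)


def detect(json_lines: Iterable[str]) -> list[dict]:
    """Scan newline-delimited JSON events; return one finding per suspicious chain."""
    findings = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than stop the scan
        if is_office_spawned_powershell(event):
            findings.append({"host": event.get("Computer"), "user": event.get("User"),
                             "parent": event.get("ParentImage"),
                             "command": event.get("CommandLine")})
    return findings


# Constructed sample export (not real telemetry): a benign admin PowerShell launch
# from Explorer, a PowerShell launch from Word, and a network event to be ignored.
SAMPLE_EXPORT = r"""
{"EventID": 1, "Computer": "WS01", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"}
{"EventID": 1, "Computer": "WS02", "User": "CORP\\bob", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\update.ps1"}
{"EventID": 3, "Computer": "WS02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "192.0.2.10"}
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_EXPORT.splitlines()):
        print(finding)
```

In a SIEM the same logic becomes a correlation rule on ParentImage and Image; the PowerShell script block logs (Event ID 4104) then show what the flagged process actually ran.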

Now, that's just the setup. In order to effectively detect both the spearphishing and the subsequent PowerShell execution from a malicious email, you must implement the following steps.

Spearphishing

In our simulation, we determined that there was no email gateway in place to help monitor email transactions. But if you do have a way to provide email- or file-level DLP, you would want to ensure that email filtering (DKIM plus SPF) as well as header analysis are enabled.

If you really want to get fancy, you could implement DMARC to establish a more zero-trust style of sending and receiving email. With DMARC, you can narrow the scope of what can be sent or received depending on factors such as source, domain, content, etc.
