
01-Phishing-Simulation: Setup-Guide

  • Writer: TrilloSec
  • Feb 3
  • 5 min read

Updated: Feb 3




1️⃣ Lab Overview

Purpose

This experiment evaluates the ability to detect, analyze, and respond to a simulated phishing attack inspired by StrelaStealer, a real-world credential-stealing malware. This experiment demonstrates hands-on cybersecurity skills in a home lab, focusing on professional-grade reporting (Red Team, Blue Team, Purple Team) while navigating real-world technical constraints.


Red Team Overview: This experiment will simulate a real-world phishing campaign inspired by StrelaStealer, which originally targeted businesses via phishing emails with malicious attachments. Instead of using the actual malware payload, a safer alternative will be deployed—an executable file that, when clicked, redirects the user to a simulated C2 website playing a 'Rick Roll' video as proof of concept. This will test phishing engagement and provide insights into user susceptibility within a controlled environment.


Blue Team Overview: Detection rules will be developed using Sysmon and Splunk to identify malicious payload execution and outbound C2 traffic. This setup aims to enhance a hypothetical SOC’s phishing response capabilities within the constraints of a home-lab environment. The experiment will primarily focus on post-delivery malware detection, while tracking email delivery success rates to assess phishing risk exposure. Although Postfix filtering rules will not be deployed in this phase, future testing will explore their impact on reducing phishing email delivery.


Purple Team Overview: The Purple Team will integrate findings from the Red and Blue Team efforts to assess security effectiveness and refine defensive strategies. Key objectives include quantifying phishing success rates, measuring detection rule efficiency, and identifying security gaps that require further mitigation. The results will be documented in a structured format tailored for CISO-level decision-making, ensuring actionable insights while considering the practical constraints of a home lab environment.


  • Objective: Simulate a phishing attack inspired by the StrelaStealer malware campaign.

  • Tools Used:

    • 🟥 Red Team: Gophish, Postfix, msfvenom (payload)

    • 🔵 Blue Team: Sysmon, Splunk, Windows Defender

    • 🟣 Purple Team: Cyber Kill Chain analysis, business impact assessment


2️⃣ Lab Environment Setup

2.1 Virtual Machines

| VM Name | OS | Purpose | Tools Installed |
|---|---|---|---|
| Red-Kali | Kali Linux | Phishing & payload generation | Gophish, msfvenom |
| PRP-Server | Ubuntu 22.04 | Email relay & SIEM server | Postfix, Dovecot, Splunk Enterprise |
| Blue_Bob_Win10 | Windows 10 | Target machine (victim) | Sysmon, Firebird, Splunk Forwarder |





3️⃣ Red Team Setup

3.1 Install & Configure Gophish

# On Red-Kali. The Kali package puts gophish on the PATH; if you use the GitHub release instead, run ./gophish from the unpacked directory.
sudo apt update && sudo apt install gophish -y
# The phishing listener binds to port 80 by default, so start it with sudo; the admin UI is at https://127.0.0.1:3333.
sudo gophish

GoPhish Sending Profile Configuration

| Field | Value |
|---|---|
| Name | IT Support (or any descriptive name) |
| Interface Type | SMTP (default, cannot be changed) |
| SMTP From | Fake IT Support <it-support@lab.trillosec.com> (spoofed sender address) |
| Host | 10.11.12.13 (your PRP mail server IP) |
| Username | (Leave blank; the lab relay requires no authentication) |
| Password | (Leave blank; no authentication required) |
| Ignore Certificate Errors | Checked (the lab relay uses no SSL/TLS, so there is no certificate to validate anyway) |
| Email Headers (Optional) | Leave blank for now. |

Because the profile authenticates with nothing, the Postfix instance on PRP-Server must accept relaying from Red-Kali's address only (Postfix relays for the hosts listed in mynetworks); a broader mynetworks turns the lab relay into an open relay for anything that can reach it.

  • Email Spoofing Techniques:

    Send 3-5 test emails with slight variations in the subject line, sender name, and content:

    • Test 1: Plain text email, no links or attachments

    • Test 2: Email with a hyperlink (https://trillosec.com/r2)

    • Test 3: Email with the .exe attachment (r2_payload.exe)

    • Test 4: Email with a HTML attachment instead of .exe

    • Test 5: Slightly modified sender display name or subject


3.2 Generate & Deploy Payload

# On Red-Kali. windows/exec runs CMD (via WinExec) when the .exe is launched; cmd's "start" builtin hands the URL to the default browser.
# The default msfvenom template is widely signatured, which is why Defender is disabled for the test in 4.4.
msfvenom -p windows/exec CMD="cmd /c start https://trillosec.com/r2" -f exe -o r2_payload.exe

# Append a marker string to the PE overlay so the sample carries a searchable IOC; it does not affect execution.
echo "strela" >> r2_payload.exe

4️⃣ Blue Team Setup

  • Install Sysmon and load SwiftOnSecurity's Sysmon config, saved as C:\SysmonConfig\sysmonconfig.xml.

  • For the detection phase, extend that config with the rule group below (shown as a minimal standalone filter section for readability). Sysmon accepts only one ProcessCreate include filter per configuration, so in practice these rules go inside the existing <ProcessCreate onmatch="include"> block of the SwiftOnSecurity file rather than as a second block. Direct children of that block are OR'ed; a <Rule groupRelation="and"> expresses a compound condition.

<EventFiltering>

<RuleGroup name="01-Phishing-Simulation" groupRelation="or">

    <!-- All process-creation rules share one include filter: Sysmon rejects a second
         ProcessCreate include block. Children of the block are OR'ed. -->
    <ProcessCreate onmatch="include">

        <!-- Detect execution of r2_payload.exe (Event ID 1) -->
        <Image condition="contains">r2_payload.exe</Image>

        <!-- Browser processes whose direct parent is r2_payload.exe. Note that
             windows/exec runs "cmd /c start <url>", so the browser's parent is
             cmd.exe; the event that actually carries the URL is the browser's
             ParentCommandLine, which section 4.2 searches on. -->
        <Rule groupRelation="and">
            <ParentImage condition="contains">r2_payload.exe</ParentImage>
            <Image condition="contains">chrome.exe</Image>
        </Rule>

        <Rule groupRelation="and">
            <ParentImage condition="contains">r2_payload.exe</ParentImage>
            <Image condition="contains">msedge.exe</Image>
        </Rule>

        <Rule groupRelation="and">
            <ParentImage condition="contains">r2_payload.exe</ParentImage>
            <Image condition="contains">firefox.exe</Image>
        </Rule>

    </ProcessCreate>

</RuleGroup>

</EventFiltering>

  • Then load the updated configuration and restart the forwarder so Splunk picks up the new events:

# PowerShell, run as Administrator on Blue_Bob_Win10
C:\Users\nt\Downloads\Sysmon\Sysmon64.exe -c C:\SysmonConfig\sysmonconfig.xml
Restart-Service SplunkForwarder

4.2 Set Up Splunk Detection Rules

Create Splunk searches over the forwarded Sysmon events (index sysmon_logs; EventID 1 is process creation, and the field names are those of the Sysmon event XML).

  • Detect Process Execution:

index=sysmon_logs EventID=1 Image="*r2_payload.exe"

  • Detect Parent-Child Process Execution (for this payload the child is cmd.exe, started with "cmd /c start https://trillosec.com/r2"):

index=sysmon_logs EventID=1 ParentImage="*r2_payload.exe"

  • Detect the C2 URL in the parent command line (fires on the browser that cmd.exe's start builtin launches):

index=sysmon_logs EventID=1 ParentCommandLine="*trillosec.com/r2*"

Note: Unable to successfully implement Event ID 3 (network connection) to flag C2 connections in the lab environment; the query above is used as a workaround. Two things make Event ID 3 awkward here: Sysmon only records it for processes covered by the config's NetworkConnect include filter, and the connection is made by the browser (or handed to an already-running browser instance whose parent is explorer.exe), never by r2_payload.exe, so a NetworkConnect rule keyed on the payload or its parent would not see it either.
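The following added example (not TrilloSec's code) replays the Sysmon parent/child rule from 4.1 and the three Splunk searches from 4.2 over constructed Sysmon Event ID 1 records that model the process tree this payload produces: r2_payload.exe spawns cmd.exe, and cmd.exe's start builtin spawns the browser. The events, PIDs, paths and user name are constructed, and wildcard matching stands in for Splunk's field search.

```python
"""Replay the lab's process-creation detections over constructed Sysmon
Event ID 1 records.  Added example, not TrilloSec's code.  The events model
what the windows/exec payload does on the victim: r2_payload.exe runs
"cmd /c start https://trillosec.com/r2" and cmd.exe's start builtin hands the
URL to the default browser.  PIDs, paths and the user name are constructed."""
from fnmatch import fnmatchcase

PAYLOAD = r"C:\Users\bob\AppData\Local\Temp\r2_payload.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed Event ID 1 records using Sysmon's field names (only the fields
# the detections use are kept).  No Event ID 3 is present: the lab could not
# collect network-connection events.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 1500, "Image": PAYLOAD,
     "CommandLine": f'"{PAYLOAD}"', "ParentImage": EXPLORER, "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120, "Image": CMD,
     "CommandLine": "cmd /c start https://trillosec.com/r2",
     "ParentImage": PAYLOAD, "ParentCommandLine": f'"{PAYLOAD}"'},
    {"EventID": 1, "ProcessId": 4230, "ParentProcessId": 4188, "Image": EDGE,
     "CommandLine": f'"{EDGE}" --single-argument https://trillosec.com/r2',
     "ParentImage": CMD, "ParentCommandLine": "cmd /c start https://trillosec.com/r2"},
    # Benign noise: Bob opening Edge from the taskbar.
    {"EventID": 1, "ProcessId": 5002, "ParentProcessId": 1500, "Image": EDGE,
     "CommandLine": f'"{EDGE}"', "ParentImage": EXPLORER, "ParentCommandLine": "explorer.exe"},
]

# The three Splunk searches from 4.2 and the browser parent/child rule from the
# Sysmon config in 4.1, written as field -> wildcard pattern (Splunk's "*").
RULES = {
    "payload_execution":        {"EventID": "1", "Image": "*r2_payload.exe"},
    "payload_child_process":    {"EventID": "1", "ParentImage": "*r2_payload.exe"},
    "c2_url_in_parent_cmdline": {"EventID": "1", "ParentCommandLine": "*trillosec.com/r2*"},
    "browser_child_of_payload": {"EventID": "1", "ParentImage": "*r2_payload.exe", "Image": "*msedge.exe"},
}


def matches(event, criteria):
    """Splunk-style match: every field must glob-match, case-insensitively."""
    return all(fnmatchcase(str(event.get(field, "")).lower(), pattern.lower())
               for field, pattern in criteria.items())


def run_detections(events, rules=RULES):
    """Map each rule name to the ProcessIds it fires on ([] if it never fires)."""
    return {name: [e["ProcessId"] for e in events if matches(e, crit)]
            for name, crit in rules.items()}


def process_chain(events, pid):
    """Follow ParentProcessId links back to the earliest recorded ancestor and
    return the chain root-first; this is the tree an analyst pivots through."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pids in run_detections(EVENTS).items():
        print(f"{rule:26} -> {pids or 'no match'}")
    print("chain for the browser launch:", process_chain(EVENTS, 4230))
```

Run against these events, the browser parent/child rule never fires (the browser's parent is cmd.exe, not r2_payload.exe), while the ParentCommandLine search isolates exactly the browser launch carrying the C2 URL, which is what makes it a usable stand-in for the missing Event ID 3. Walking ParentProcessId from that hit back to r2_payload.exe gives the three-event chain a Blue Team report should present.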


4.3 Set Up Postfix Filters to log .exe attachments

  • Step 1: Enable header and body inspection

# On PRP-Server. Edit the Postfix configuration file (/etc/postfix/main.cf):
sudo nano /etc/postfix/main.cf

# Add these lines at the bottom. mime_header_checks defaults to $header_checks,
# so the Content-Disposition header inside the attachment part is inspected too.
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

  • Step 2: Create Rules

# Create the header check rule file, if needed
sudo nano /etc/postfix/header_checks

# Add the following rule to log any email carrying a .exe attachment (regexp table patterns are case-insensitive by default):
/-Disposition:.*filename=.*\.exe/ WARN Attachment: .exe file detected

# Create the body check rule file, if needed
sudo nano /etc/postfix/body_checks

# Add this rule to log a warning for Base64-encoded .exe content. The marker is the base64 of the
# usual 16-byte DOS header (MZ 90 00 03 00 00 00 04 00 00 00 FF FF 00 00). The two "/" characters
# must be escaped: unescaped, the second one would end the /pattern/ delimiter and Postfix would
# reject the rule. A PE whose DOS header differs from these bytes will not match.
/TVqQAAMAAAAEAAAA\/\/8A/ WARN Possible .exe attachment detected

  • Step 3: Apply the Changes

# regexp: tables are read directly, so no postmap rebuild is needed. Query them instead to confirm
# the rules parse and match (each prints the WARN action when it matches):
sudo postmap -q 'Content-Disposition: attachment; filename="r2_payload.exe"' regexp:/etc/postfix/header_checks
sudo postmap -q 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA' regexp:/etc/postfix/body_checks
# To test every line of a saved message instead:
sudo postmap -q - regexp:/etc/postfix/body_checks < /path/to/saved-message.eml

# Reload Postfix so main.cf is re-read:
sudo systemctl reload postfix

# Watch for detections. Postfix logs WARN actions as lowercase "warning: <queue id>: header ..." lines,
# so a case-sensitive grep for WARN would miss them:
sudo tail -f /var/log/mail.log | grep -i 'warning:'
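To check the two rules before touching the mail server, the following added example (not TrilloSec's code, and not Postfix itself) builds a constructed phishing message with a fake .exe attachment and applies the same patterns the way Postfix does: header patterns against each logical header line of every MIME part (mime_header_checks defaults to $header_checks), body patterns against each transfer-encoded body line. It also exercises two limits a practitioner should know about: renaming the attachment defeats the header rule but not the body rule, and a PE whose DOS header differs from the common 16 bytes slips past the full-length base64 marker, so a broader and noisier prefix rule is included for comparison. The message text, the attachment bytes and that broader rule are constructed for the example.

```python
"""Dry-run of the Postfix header_checks / body_checks rules from section 4.3
against a constructed message.  Added example, not TrilloSec's code or Postfix
itself: it re-implements the matching in Python (Postfix regexp tables are
case-insensitive regexes applied to one logical header line or one body line
at a time), so it validates the patterns, not the Postfix deployment."""
import base64
import email
import re
from email.message import EmailMessage
from email.policy import default

# The page's rules.  The body pattern escapes the two "/" characters that
# would otherwise terminate Postfix's /pattern/ delimiter.
HEADER_RULES = [(r"-Disposition:.*filename=.*\.exe", "Attachment: .exe file detected")]
BODY_RULES = [(r"TVqQAAMAAAAEAAAA\/\/8A", "Possible .exe attachment detected")]
# Broader, noisier alternative (constructed for this example): any base64 line
# that starts with an "MZ" signature, whatever the rest of the DOS header holds.
# "MZ\x90" encodes as TVqQ and "MZ\x00" as TVoA; the third char is o..r.
BROAD_BODY_RULES = [(r"^TV[o-r]", "Base64 line starts with MZ signature")]

# First 16 bytes of the DOS header emitted by most Windows linkers; base64 of
# these is exactly the marker in the body rule.
PE_DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
# Constructed stand-ins for attachments (not real executables).
FAKE_EXE = PE_DOS_HEADER + b"\xb8\x00\x00\x00" + b"\x00" * 44 + b"This program cannot be run in DOS mode."
ODD_EXE = b"MZ\x00\x00\x01\x00\x00\x00" + b"\x00" * 56  # MZ signature, unusual e_cblp/e_cp


def base64_marker(header=PE_DOS_HEADER):
    """What the first base64 body line of an attachment with this header starts with."""
    return base64.b64encode(header).decode()


def build_message(attachment_name, attachment_bytes):
    """Constructed phishing email in the shape Gophish's SMTP profile would send."""
    msg = EmailMessage()
    msg["From"] = "Fake IT Support <it-support@lab.trillosec.com>"
    msg["To"] = "bob@lab.trillosec.com"
    msg["Subject"] = "Action required: complete your password reset"
    msg.set_content("Run the attached tool to finish your reset.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def postfix_checks(raw, body_rules=BODY_RULES):
    """Apply the rules the way Postfix does: header rules to every header of
    every part (mime_header_checks defaults to $header_checks, so MIME part
    headers are covered), body rules to each line of each non-multipart body.
    Returns the WARN texts that would reach mail.log, in order."""
    hits = []
    msg = email.message_from_bytes(raw, policy=default)
    for part in msg.walk():
        for name, value in part.items():              # value is the unfolded header
            line = f"{name}: {value}"
            hits += [text for pat, text in HEADER_RULES if re.search(pat, line, re.I)]
        if part.is_multipart():
            continue
        for line in part.get_payload().splitlines():  # transfer-encoded, as Postfix sees it
            hits += [text for pat, text in body_rules if re.search(pat, line, re.I)]
    return hits


if __name__ == "__main__":
    print("marker:", base64_marker())
    for name, blob in (("r2_payload.exe", FAKE_EXE), ("r2_payload.txt", FAKE_EXE), ("tool.exe", ODD_EXE)):
        raw = build_message(name, blob)
        print(name, postfix_checks(raw), postfix_checks(raw, BROAD_BODY_RULES))
```

The renamed .txt case is why the body rule is worth keeping alongside the header rule, and the ODD_EXE case is why the full 20-character marker should be read as a signature for one common header layout rather than a general executable detector; the broader prefix rule catches both samples at the cost of occasional false positives on unrelated base64 lines, which is acceptable for a WARN-only logging rule but not for a REJECT.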

4.4 Disable Windows Security for Testing

  • Disable Windows Defender real-time protection on Blue_Bob_Win10

  • Disable app and URL protection (SmartScreen, under App & browser control) so the attachment is not blocked before Sysmon can observe it

  • Real-time protection re-enables itself after a reboot, so disable it again after every restart


5️⃣ Testing the Attack

  1. Stage 1: Launch attack against default system settings (Pre-Test)

  2. Stage 2: Deploy detection & alerting configurations

  3. Stage 3: Launch attack again and measure improvements (Post-Test)


6️⃣ Expected Deliverables

  • Red Team Report: Phishing execution, MITRE ATT&CK mapping

  • Blue Team Report: Detection logs, Splunk queries, IOCs

  • Purple Team Report: Business impact analysis, security improvements


7️⃣ Cleanup & Reset

# Red-Kali
rm -f r2_payload.exe
sudo service gophish stop   # if Gophish was started as a service; otherwise Ctrl-C the foreground process
# PRP-Server
sudo /opt/splunk/bin/splunk stop
  • Restore Blue_Bob_Win10 to snapshot

  • Archive logs for reporting


📌 Future Experiments Mapped to the Cyber Kill Chain

| Kill Chain Phase | Future Experiment |
|---|---|
| 1. Reconnaissance | 🔹 Lookalike Domains & URL Shortening – Testing homoglyph attacks (rnicrosoft.com vs. microsoft.com) & URL obfuscation. |
| 2. Weaponization | 🔹 HTML Smuggling & QR Phishing – Creating phishing payloads that evade traditional email security. |
| 3. Delivery | 🔹 Postfix Filtering & Email Security Enhancements – Implementing attachment & sender reputation filtering. |
| 4. Exploitation | 🔹 LOLBins & Advanced Evasion Techniques – Using rundll32.exe, certutil.exe, and packed payloads for stealthy execution. |
| 5. Installation | 🔹 Sysmon Logging for Persistence Techniques – Tracking registry changes, scheduled tasks, and persistence mechanisms. |
| 6. Command & Control | 🔹 Expanding SIEM Detection (Sysmon Event ID 3, DNS Logging) – Detecting outbound C2 traffic & domain queries. |
| 7. Actions on Objectives | 🔹 Simulating Ransomware & Data Exfiltration – Testing endpoint rollback strategies & network exfiltration detection. |

Other Reports in This Project

Red Team: Simulated a phishing campaign using Gophish, tested payload execution, and mapped attack techniques to MITRE ATT&CK.

Blue Team: Developed Sysmon & Splunk detection rules, reducing phishing response time from undetected → 5 minutes.

Purple Team: Conducted a business risk analysis, demonstrating an estimated $80K risk reduction per attack and aligning defenses with NIST & ISO 27001 compliance.

Technical Setup: Configured Postfix, Sysmon, SIEM alerts, and automated detection workflows to improve security posture.

©2025 by TrilloSec.com. All rights reserved.
