RP0001: External Phishing Email Message

Summary

ID: RP0001
Brief Description: Response playbook for an external phishing email message case
Author: @atc_project
Creation Date: 2019/01/31
Modification Date: 2019/01/31
ATT&CK Tactics:
ATT&CK Techniques:
Tags:
  • Phishing
Linked Response Playbooks:

Workflow

  1. Execute the Response Actions step by step. Some of them are directly connected, which means you will not be able to move forward without finishing the previous step. Some of them are redundant, such as those related to blocking a threat with network filtering systems (containment stage).
  2. Start executing the containment and eradication stages concurrently with the remaining identification steps, as soon as you receive information about malicious hosts.
  3. If the phishing led to code execution or remote access to the victim host, immediately start executing the Generic Post Exploitation Incident Response Playbook.
  4. Save the timestamps of all implemented actions in the Incident Report draft as you go; it will save a lot of time.

Playbook Actions

Preparation

Practice
Take Trainings
Make Personnel Report Suspicious Activity
Raise Personnel Awareness
Access External Network Flow Logs
Access External Http Logs
Access External Dns Logs
Get Ability To Block External Ip Address
Get Ability To Block External Domain
Get Ability To Block External Url
Get Ability To List Users Opened Email Message
Get Ability To List Email Message Receivers
Get Ability To Block Email Domain
Get Ability To Block Email Sender
Get Ability To Delete Email Message
Get Ability To Quarantine Email Message

Identification

Put Compromised Accounts On Monitoring
List Hosts Communicated With External Domain
List Hosts Communicated With External Ip
List Hosts Communicated With External Url
List Users Opened Email Message
Collect Email Message
List Email Message Receivers
Make Sure Email Message Is Phishing
Extract Observables From Email Message
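The Identification actions "Collect Email Message", "Make Sure Email Message Is Phishing" and "Extract Observables From Email Message" are listed above by name only. The following is an added example, not code from the ATC project, showing what the extraction step typically produces for the containment actions that follow (IPs, domains, URLs, sender addresses, attachment hashes). It uses only the Python standard library; the message, the addresses and the `.test` domains and TEST-NET IP it contains are constructed for the example.

```python
"""Added example: pull blockable observables out of a suspicious email.

Covers the Identification actions "Collect Email Message" and
"Extract Observables From Email Message" with a constructed sample.
"""
import email
import email.utils
import hashlib
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real phishing sample). Reserved .test
# TLDs and a TEST-NET-3 address are used so nothing here resolves.
SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@example-it-support.test>
Reply-To: reset@reply.example-attacker.test
Return-Path: <bounce@mailer.example-attacker.test>
To: alice@corp.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your password expires today.
<a href="http://203.0.113.10/reset">Reset now</a> or visit
https://portal.example-attacker.test/login?u=alice
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAA=
--b1--
"""

# Matches http(s) URLs up to whitespace or an HTML/quote delimiter.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def _domain_of(address):
    """Return the lower-cased domain part of an email address, or None."""
    if "@" not in address:
        return None
    return address.split("@", 1)[1].lower()


def extract_observables(raw_message):
    """Parse a raw RFC 5322 message and return observables as a dict.

    Sets are returned as sorted lists so the result is deterministic and
    can be pasted straight into block lists or an incident report.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    domains, ips, urls, attachments = set(), set(), [], []
    addresses = {}

    # From is what the recipient sees; Reply-To and Return-Path are where
    # replies and bounces actually go. All three domains are observables.
    for header, key in (("From", "sender"), ("Reply-To", "reply_to"),
                        ("Return-Path", "return_path")):
        value = msg.get(header)
        addr = email.utils.parseaddr(str(value))[1].lower() if value else None
        addresses[key] = addr or None
        if addr and _domain_of(addr):
            domains.add(_domain_of(addr))

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            # Hash the decoded payload; the hash is the observable to share.
            payload = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
                host = urlparse(url).hostname
                if not host:
                    continue
                try:
                    ips.add(str(ipaddress.ip_address(host)))
                except ValueError:
                    domains.add(host.lower())

    sender_domain = _domain_of(addresses["sender"] or "")
    reply_domain = _domain_of(addresses["reply_to"] or "")
    return {
        **addresses,
        "sender_domain": sender_domain,
        # A Reply-To on a different domain than From is a common phishing
        # trait and supports the "Make Sure Email Message Is Phishing" step.
        "header_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        "urls": urls,
        "domains": sorted(domains),
        "ips": sorted(ips),
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_observables(SAMPLE_EML), indent=2))
```

The domains and IPs in the result feed "Block External Domain", "Block External Ip Address" and "Block Domain On Email" directly; the attachment hash is what "Report Incident To External Companies" would share, rather than the sample itself. Always parse a collected copy of the message, not a forwarded one, since forwarding rewrites the headers this relies on.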

Containment

Block External Ip Address
Block External Domain
Block External Url
Block Domain On Email
Block Sender On Email
Quarantine Email Message

Eradication

Report Incident To External Companies
Delete Email Message

Recovery

Unblock Blocked Ip
Unblock Blocked Domain
Unblock Blocked Url
Unblock Domain On Email
Unblock Sender On Email
Restore Quarantined Email Message

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts