```

### Macro-Enabled Document Workflow

```
1. Create legitimate-looking document template
2. Add VBA macro for payload execution:
   - AutoOpen() or Document_Open() trigger
   - Download cradle using PowerShell or certutil
   - Execute payload from %TEMP% directory
3. Test against target's known AV/EDR solution
4. Obfuscate macro code to bypass static analysis
```

### ISO/LNK Payload Chain

```
1. Create ISO file containing:
   - Legitimate-looking LNK shortcut
   - Hidden DLL or executable payload
   - Decoy document for user satisfaction
2. LNK file executes hidden payload via:
   - rundll32.exe to load DLL
   - mshta.exe to execute HTA
   - PowerShell download cradle
3. ISO bypasses Mark-of-the-Web (MotW) on older Windows
```

## Workflow 4: Campaign Execution and Monitoring

### Pre-Launch Checklist

```
- [ ] Domain aged and categorized
- [ ] SPF/DKIM/DMARC configured
- [ ] SSL certificates installed
- [ ] Email templates tested for rendering
- [ ] Landing pages functional and capturing data
- [ ] Payload tested against target's security stack
- [ ] C2 callback verified
- [ ] Tracking pixels loading correctly
- [ ] Target list finalized and imported
- [ ] Campaign schedule confirmed with engagement lead
```

### Launch Procedure

```
1. Send initial test email to red team operator
2. Verify delivery, rendering, and link tracking
3. Launch Wave 1: High-priority targets (5-10 users)
4. Monitor for 1 hour - check delivery and open rates
5. Verify no immediate blocks or quarantine
6. Launch Wave 2: Remaining targets (staggered over 2-4 hours)
7. Monitor dashboard continuously for first 4 hours
8. Check for credential captures and payload executions
9. Document all interactions with timestamps
```

### Real-Time Monitoring

```
Track and document:
- Email delivery success/failure rates
- Email open rates (tracking pixel)
- Link click rates
- Credential submission events
- Payload download events
- Callback/beacon events
- User reports to SOC
- Time between delivery and interaction
```

## Workflow 5: Post-Campaign Reporting

### Metrics Calculation

```
Delivery Rate           = (Emails Delivered / Emails Sent) x 100
Open Rate               = (Unique Opens / Emails Delivered) x 100
Click Rate              = (Unique Clicks / Emails Delivered) x 100
Credential Capture Rate = (Credentials Captured / Emails Delivered) x 100
Payload Execution Rate  = (Payloads Executed / Emails Delivered) x 100
Report Rate             = (Users Who Reported / Emails Delivered) x 100
```

### Evidence Collection

```
For each successful interaction:
1. Screenshot of GoPhish dashboard showing the event
2. Captured credentials (hash, not plaintext in report)
3. C2 beacon screenshot showing initial callback
4. Timeline of events from delivery to compromise
5. Email headers showing delivery path
```
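
The formulas under Metrics Calculation, together with the "time between delivery and interaction" item under Real-Time Monitoring, worked through as an added example (not part of the original page and not any tool's own code). The `(timestamp, recipient, event)` tuples and event names are constructed for illustration and are not GoPhish's export schema; repeat events per recipient are counted once and all rates use delivered emails as the denominator.

```python
from datetime import datetime
from statistics import median

# Constructed sample events: (timestamp, recipient, event). Field names are hypothetical.
EVENTS = [
    ("2024-03-04T09:00", "u1", "sent"), ("2024-03-04T09:01", "u1", "delivered"),
    ("2024-03-04T09:05", "u1", "opened"), ("2024-03-04T09:30", "u1", "opened"),
    ("2024-03-04T09:06", "u1", "clicked"), ("2024-03-04T09:07", "u1", "submitted"),
    ("2024-03-04T09:00", "u2", "sent"), ("2024-03-04T09:01", "u2", "delivered"),
    ("2024-03-04T09:10", "u2", "opened"), ("2024-03-04T09:21", "u2", "clicked"),
    ("2024-03-04T09:25", "u2", "reported"),
    ("2024-03-04T09:00", "u3", "sent"), ("2024-03-04T09:02", "u3", "delivered"),
    ("2024-03-04T09:12", "u3", "opened"), ("2024-03-04T09:14", "u3", "reported"),
    ("2024-03-04T09:00", "u4", "sent"), ("2024-03-04T09:02", "u4", "delivered"),
    ("2024-03-04T09:00", "u5", "sent"),  # bounced, never delivered
]

def campaign_metrics(events):
    """Percent rates over delivered emails, plus median delays in minutes."""
    first = {}  # (recipient, event) -> earliest timestamp, so repeats count once
    for ts, rcpt, kind in events:
        t = datetime.fromisoformat(ts)
        if (rcpt, kind) not in first or t < first[(rcpt, kind)]:
            first[(rcpt, kind)] = t
    def who(kind):
        return {r for (r, k) in first if k == kind}
    sent, delivered = who("sent"), who("delivered")
    def rate(kind):
        # Ignore interactions attributed to recipients with no delivery record.
        hits = who(kind) & delivered
        return round(100 * len(hits) / len(delivered), 1) if delivered else 0.0
    def median_delay(kind):
        delays = [(first[(r, kind)] - first[(r, "delivered")]).total_seconds() / 60
                  for r in who(kind) & delivered]
        return median(delays) if delays else None
    return {
        "delivery_rate": round(100 * len(delivered) / len(sent), 1) if sent else 0.0,
        "open_rate": rate("opened"),
        "click_rate": rate("clicked"),
        "credential_capture_rate": rate("submitted"),
        "payload_execution_rate": rate("executed"),
        "report_rate": rate("reported"),
        "median_minutes_to_click": median_delay("clicked"),
        "median_minutes_to_report": median_delay("reported"),
    }
```

Comparing `median_minutes_to_report` with `median_minutes_to_click` shows whether user reports reach the SOC before or after most clicks have already happened.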