WhatsApp Call: +91 8088734237
Email: info@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Red Teaming & Adversary Simulation

Credential Harvesting Simulation

May 8, 2025

Sherlocked Security – Credential Harvesting Simulation

Simulate Phishing and Credential Harvesting Attacks to Test Your Organization’s Defenses


1. Statement of Work (SOW)

Service Name: Credential Harvesting Simulation
Client Type: Enterprises, Financial Institutions, Healthcare, Government Agencies
Service Model: Simulated Phishing and Social Engineering Attacks to Harvest Credentials
Compliance Coverage: NIST 800-53, SOC 2, ISO 27001, PCI-DSS

Simulation Types:

  • Phishing Email Campaigns
  • Spear Phishing Attacks Targeting Key Personnel
  • Business Email Compromise (BEC) Simulation
  • SMS Phishing (Smishing) and Voice Phishing (Vishing)
  • Simulated Credential Harvesting via Fake (Cloned) Login Pages
  • Weak Authentication Mechanism Testing (MFA bypass via a real-time phishing proxy)
  • Dark Web Credential Exposure Simulation

2. Our Approach

[Pre-engagement & Test Scope] → [Phishing Campaign Design] → [Simulated Attack Execution] → [Credential Harvesting Test] → [Authentication Mechanism Testing] → [Exfiltration Simulation] → [Detection & Response Testing] → [Results Mapping & Reporting] → [Retesting & Validation]


3. Methodology

[Kickoff & Scope Agreement] → [Phishing Campaign Setup] → [Test for Phishing Vulnerabilities] → [Simulate Credential Harvesting] → [Test Multi-Factor Authentication Mechanisms] → [Exfiltration & Lateral Movement Testing] → [Assess Detection & Response Systems] → [Final Report & Remediation]


4. Deliverables to the Client

  1. Phishing Campaign Report: Detailed analysis of phishing and social engineering attacks, including success rates
  2. Credential Harvesting Report: Findings from simulated credential harvesting scenarios, including exfiltrated credentials
  3. Authentication Mechanism Vulnerability Report: Assessment of MFA and other authentication weaknesses
  4. Detection & Response Evaluation: Insights into how well your detection systems identified and mitigated phishing attempts
  5. Executive Summary: High-level summary of risks and exposure from credential harvesting simulations
  6. Remediation Recommendations: Actionable guidance for improving defenses against phishing and credential harvesting attacks
  7. Retesting & Certification: Validation of improvements and re-testing post-remediation

5. What We Need from You (Client Requirements)

  • A list of personnel to target for phishing campaigns (e.g., executives, HR, finance)
  • Access to email and authentication systems for testing vulnerabilities
  • Collaboration with security and IT teams to simulate a realistic attack environment
  • Information on any existing anti-phishing measures (e.g., email filters, MFA solutions)
  • Access to phishing detection and response capabilities (email gateway, SIEM systems)
  • Permission for social engineering tests (e.g., vishing, impersonation)
  • Availability of relevant logs and telemetry for post-campaign analysis

6. Tools & Technology Stack

  • Custom tools and scripts for simulating phishing and credential harvesting attacks
  • Gophish and King Phisher for automated phishing campaign management and click/submission tracking
  • Evilginx2 for adversary-in-the-middle credential harvesting: a reverse proxy in front of the real login page that captures the password and the post-MFA session cookie, which bypasses SMS and TOTP MFA (but not origin-bound FIDO2/WebAuthn)
  • Social-Engineer Toolkit (SET) for social engineering attacks
  • Cobalt Strike for post-exploitation and credential exfiltration testing
  • Metasploit Framework for exploiting vulnerabilities and harvesting credentials
  • Nexpose for vulnerability scanning and attack path discovery
  • Burp Suite for testing web applications against credential harvesting techniques

7. Engagement Lifecycle

1. Discovery Call → 2. Scope Definition & Strategy → 3. Phishing Campaign Setup → 4. Simulated Attack Execution → 5. Credential Harvesting Testing → 6. Exfiltration & Detection Testing → 7. Report Draft → 8. Final Report & Remediation Recommendations → 9. Retesting & Certification


8. Why Sherlocked Security?

Feature                              | Sherlocked Advantage
Realistic Phishing Simulations       | Test your employees with real-world phishing scenarios
Advanced Credential Harvesting       | Simulate credential harvesting via phishing, vishing, and BEC
Custom Attack Tools                  | Tailored tools for realistic phishing campaigns and credential harvesting
Multi-Factor Authentication Testing  | Test the robustness of MFA mechanisms against bypass techniques
Detection & Response Testing         | Evaluate your detection systems’ ability to identify phishing attacks
Remediation & Retesting              | Post-remediation validation and certification included

9. Real-World Case Studies

Business Email Compromise (BEC) at a Tech Firm

Client: Technology Company
Scenario: A phishing email impersonating an executive was used to request fraudulent wire transfers.
Findings: The attack got past the email filtering stack and the MFA in use, compromising key credentials.
Fix: Strengthened email security filters, tightened MFA policies, and trained finance staff on BEC awareness and out-of-band verification of payment requests.

Credential Harvesting via Fake Login Pages at a Financial Institution

Client: Global Bank
Scenario: Simulated credential harvesting via a fake banking portal.
Findings: Employees were susceptible to phishing, especially when the lure linked to a convincing clone of a login page they used every day.
Fix: Implemented stricter email filtering rules, better training on phishing detection, and a more secure MFA mechanism.


10. SOP – Standard Operating Procedure

  1. Discovery call and scope agreement
  2. Setup of phishing campaign targeting selected employees
  3. Launch of simulated phishing attacks (email, SMS, voice)
  4. Simulate credential harvesting via fake login pages
  5. Test multi-factor authentication bypass techniques
  6. Perform exfiltration testing using harvested credentials
  7. Evaluate detection and response capabilities (email filtering, SIEM)
  8. Draft report and conduct review call with stakeholders
  9. Final report delivery with remediation steps
  10. Retesting post-remediation and certification

11. Credential Harvesting Simulation Checklist

1. Phishing Campaign Setup

  • Identify target personnel for phishing campaigns (e.g., executives, IT staff, finance)
  • Design phishing email templates and vishing scripts targeting key individuals
  • Test email filtering rules for common phishing indicators (e.g., suspicious links, attachments)

2. Credential Harvesting Testing

  • Simulate phishing attacks via email, SMS, and phone (Vishing)
  • Harvest credentials via fake login pages (MFA bypass with Evilginx)
  • Simulate business email compromise (BEC) scenarios to steal sensitive data or funds
  • Use social engineering methods to harvest credentials from employees (e.g., impersonation)

3. Authentication Mechanism Testing

  • Test multi-factor authentication (MFA) robustness against a real-time phishing proxy (e.g., Evilginx2 capturing the post-MFA session cookie)
  • Evaluate the phishability of the MFA factors in use: SMS and TOTP codes can be relayed to the real login page in real time, whereas FIDO2/WebAuthn credentials (including passkeys) are bound to the login origin and resist this relay
  • Test for common user pitfalls around MFA (e.g., approving unexpected push prompts, entering codes on look-alike pages, reusing weak passwords)
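The difference between a relayable factor and an origin-bound one is easiest to see in code. The following Python script is an added example, not a Sherlocked tool and not part of the original page: it implements RFC 6238 TOTP and a minimal WebAuthn-style relying-party check, then shows that a code typed on a look-alike page verifies fine at the real IdP, while an assertion produced on the look-alike origin is rejected. The domains, the demo TOTP secret, the challenge value and the HMAC stand-in for the authenticator's ECDSA signature are assumptions so that it runs offline.

```python
"""Added example (not from the original page): why a real-time phishing proxy
such as Evilginx2 can relay a TOTP code but not a WebAuthn/FIDO2 assertion.
Domains, the demo TOTP secret and the HMAC stand-in for the authenticator's
ECDSA signature are assumptions so the script runs offline."""
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"        # assumed real IdP origin
PHISH_ORIGIN = "https://login.example-evil.com"  # assumed look-alike proxy origin
RP_ID = "example.com"                            # relying-party ID registered with the credential
TOTP_SECRET = "JBSWY3DPEHPK3PXP"                 # constructed demo secret (base32)
CRED_KEY = b"demo-credential-key"                # stand-in for the authenticator's private key


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def idp_verify_totp(code: str, unix_time: int) -> bool:
    """The IdP only knows the shared secret and the time; it cannot tell where the code was typed."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, unix_time))


def relay_totp(unix_time: int) -> bool:
    """Victim reads the code from their authenticator app and types it into the
    phishing page; the proxy forwards it unchanged to the real IdP."""
    victim_code = totp(TOTP_SECRET, unix_time)
    return idp_verify_totp(victim_code, unix_time)


def browser_sign(origin: str, challenge: str):
    """Browser side of navigator.credentials.get(): clientDataJSON records the
    origin the user is actually on; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    auth_data = rp_id_hash + bytes([0x05]) + (1).to_bytes(4, "big")  # flags UP|UV, sign counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA here
    return client_data, auth_data, sig


def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, challenge: str) -> bool:
    """Relying-party checks from the WebAuthn assertion procedure: type, challenge,
    origin, rpIdHash, then the signature over authData || hash(clientDataJSON)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:  # origin binding: this is what defeats the relay
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def relay_webauthn() -> bool:
    """Proxy relays the real RP's challenge to the victim, whose browser is on
    PHISH_ORIGIN, and forwards the resulting assertion. (A real browser would
    already refuse, because RP_ID is not a registrable suffix of the phishing domain;
    the origin check is the server-side defence in depth.)"""
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed challenge value
    return rp_verify(*browser_sign(PHISH_ORIGIN, challenge), challenge)


def legitimate_webauthn() -> bool:
    """Same assertion flow from the real origin: accepted."""
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed challenge value
    return rp_verify(*browser_sign(REAL_ORIGIN, challenge), challenge)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:    ", relay_totp(1_700_000_000))
    print("WebAuthn relayed through proxy accepted:", relay_webauthn())
    print("WebAuthn from real origin accepted:     ", legitimate_webauthn())
```

The TOTP path succeeds because the six digits carry no information about the page they were typed on; the WebAuthn path fails because the signed client data names the phishing origin. That is why an engagement that "bypasses MFA" with a proxy should report which factor types were in scope and recommend origin-bound factors for high-value accounts.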

4. Exfiltration & Lateral Movement

  • Test exfiltration of harvested credentials via email or cloud services
  • Attempt lateral movement using compromised credentials across the organization’s network
  • Test for access to sensitive resources and data post-harvest

5. Detection & Response Testing

  • Test email filtering systems for phishing email detection
  • Evaluate SIEM correlation rules for detection of credential harvesting indicators (e.g., a successful sign-in from unfamiliar infrastructure shortly after a phishing-link click, or one session cookie used from more than one IP address)
  • Test endpoint protection tools for detection of phishing-related attacks
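Concrete correlation logic makes the SIEM evaluation above testable. The following Python script is an added example, not a Sherlocked tool and not part of the original page: it joins phishing-simulation click telemetry with IdP sign-in and application request logs and flags three indicators of a real-time phishing proxy: a successful sign-in from a different IP than the one that clicked the lure within a short window, one session cookie seen from more than one IP (token replay), and later sign-ins from an IP already identified as proxy infrastructure. All log lines are constructed, and the field names (source, event, user, ip, session) are assumptions rather than any real IdP or SIEM schema.

```python
"""Added example (not from the original page): correlate phishing-click telemetry
with IdP and application logs to flag adversary-in-the-middle credential harvesting.
Log lines are constructed; field names are assumptions, not a real IdP/SIEM schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources: the phishing-simulation platform
# (link clicks from the user's real IP), the IdP (sign-ins, which under a proxy come
# from the proxy's IP), and an application that logs the IdP session cookie per request.
SAMPLE_LOGS = [
    '{"ts": "2025-05-08T09:00:05Z", "source": "phishsim", "event": "link_click", "user": "alice", "ip": "203.0.113.10"}',
    '{"ts": "2025-05-08T09:01:30Z", "source": "idp", "event": "signin", "result": "success", "mfa": "totp", "user": "alice", "ip": "198.51.100.7", "session": "S-a1"}',
    '{"ts": "2025-05-08T09:20:00Z", "source": "app", "event": "request", "user": "alice", "ip": "198.51.100.7", "session": "S-a1"}',
    '{"ts": "2025-05-08T09:25:00Z", "source": "app", "event": "request", "user": "alice", "ip": "192.0.2.44", "session": "S-a1"}',
    '{"ts": "2025-05-08T09:03:00Z", "source": "phishsim", "event": "link_click", "user": "bob", "ip": "203.0.113.11"}',
    '{"ts": "2025-05-08T09:04:10Z", "source": "idp", "event": "signin", "result": "success", "mfa": "totp", "user": "bob", "ip": "203.0.113.11", "session": "S-b1"}',
    '{"ts": "2025-05-08T10:30:00Z", "source": "idp", "event": "signin", "result": "success", "mfa": "totp", "user": "carol", "ip": "198.51.100.7", "session": "S-c1"}',
]


def parse(lines):
    """Parse JSON lines, convert timestamps, and order by time."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def successful_signins(events):
    return [e for e in events
            if e["source"] == "idp" and e["event"] == "signin" and e["result"] == "success"]


def detect(lines, window=timedelta(minutes=15)):
    """Return a list of findings, each a dict with a 'rule' key."""
    events = parse(lines)
    findings = []

    clicks = defaultdict(list)
    for e in events:
        if e["source"] == "phishsim" and e["event"] == "link_click":
            clicks[e["user"]].append(e)

    # Rule A: sign-in soon after the lure was clicked, but from a different IP than
    # the click. Under a reverse-proxy kit the IdP sees the proxy, not the victim.
    proxy_ips = set()
    flagged_sessions = set()
    for s in successful_signins(events):
        for c in clicks[s["user"]]:
            if timedelta(0) <= s["ts"] - c["ts"] <= window and c["ip"] != s["ip"]:
                findings.append({"rule": "aitm_signin", "user": s["user"], "ip": s["ip"],
                                 "click_ip": c["ip"], "session": s["session"]})
                proxy_ips.add(s["ip"])
                flagged_sessions.add(s["session"])
                break

    # Rule B: one session cookie observed from more than one IP (cookie replay by
    # the operator from their own workstation).
    session_ips = defaultdict(set)
    for e in events:
        if e.get("session"):
            session_ips[e["session"]].add(e["ip"])
    for sid, ips in session_ips.items():
        if len(ips) > 1:
            findings.append({"rule": "session_replay", "session": sid, "ips": sorted(ips)})

    # Rule C: pivot on infrastructure. Any other successful sign-in from an IP
    # identified by Rule A is suspect even without a recorded click.
    for s in successful_signins(events):
        if s["ip"] in proxy_ips and s["session"] not in flagged_sessions:
            findings.append({"rule": "signin_from_known_proxy", "user": s["user"],
                             "ip": s["ip"], "session": s["session"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(json.dumps(f))
```

On the constructed data, alice's sign-in from 198.51.100.7 ninety seconds after clicking from 203.0.113.10 trips Rule A, her session S-a1 later appearing from 192.0.2.44 trips Rule B, and carol's sign-in from the same proxy IP an hour later trips Rule C with no click on record. bob, who clicked and signed in from the same address, produces nothing. A real deployment would add the IdP's own risk signals and a baseline of each user's usual IPs in place of the single click event used here.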


Sherlocked – Defend, Detect, Defeat

Add: Indialand Global Techpark Hinjewadi Phase 1 Pune, india 411057
© 2025 Sherlocked. All rights reserved.