Defending Against Common Phishing Frameworks Kits with Splunk Enterprise Security Content Update

Phishing is one of the most effective attack vectors. It is also one of the most difficult to defend against, because its success relies on the weakest link in the defense chain—human beings. Many enterprises have developed and deployed multiple layers of security in their environments, only to find out that it is the employees themselves who, one way or another, have inadvertently opened the door and let the bad guys in.

It is by this act alone that some of the world's most secure corporations have been compromised. Worse, malicious actors continue to develop new and progressively more effective TTPs, adding to the complexity of the situation. The combination of these sophisticated techniques with exploitation kits and obfuscated post-exploitation payloads makes phishing a serious problem for any security organization.

In Enterprise Security Content Update (ESCU 1.0.37), Splunk's Security Research Team decided to approach phishing by looking at it within the Lockheed Martin Kill Chain, using the MITRE ATT&CK framework as a reference to address phishing attack-chain elements in a granular fashion. In this blog post, we will take a look at popular phishing frameworks and how we addressed them from a tactical defense perspective.

Social-Engineering Toolkit

The Social-Engineering Toolkit by TrustedSec is a popular phishing framework that includes features such as cloning targeted sites, creating payloads for USB drives, and sending emails and SMS messages carrying payloads. It is more comprehensive than some other kits, such as EvilGinx2, because it offers several other types of phishing vectors and can clone almost any site. Additionally, it is not limited in the number of sites it can clone. It can integrate custom payloads, as well as the Metasploit Framework, which allows attackers to integrate post-exploitation payloads.

One of the most effective ways of serving payloads in this framework is to clone a targeted site; once the victim browses to it, the framework serves a malicious payload disguised as an update or a required application. Once the victim bypasses control mechanisms and executes the malicious payload, the next phase comprises a series of post-exploitation behaviors, in which attackers seek to maintain persistence and navigate through the compromised organization, looking for valuable information to exfiltrate.


The Beef browser exploitation framework is not a phishing framework per se, but it can be used as one. Beef hooks the victim's browser with JavaScript and then targets browser functionality in the background through those hooks. Beef can also target mobile browsers and allows attackers to redirect browsers or pop up misleading alerts that appear to come from legitimate sites but actually serve malicious payloads. Beef can be a very effective tool for phishing attacks.

As seen in the screenshot above, Beef can be very effective and can bypass many security controls and target fully hardened/patched operating systems.


EvilGinx2 is a phishing toolkit that enables man-in-the-middle (MitM) attacks by setting up a transparent proxy between the targeted site and the user. This allows the attacker to obtain not only passwords but two-factor authentication tokens as well. The framework uses proxy templates called "phishlets" that allow a registered domain to impersonate targeted sites such as LinkedIn, Amazon, Okta, GitHub, Twitter, Instagram, Reddit, Office 365, and so on.

This tool goes beyond older phishing frameworks that would download/clone the targeted site: instead, it sets up a transparent proxy between the phishing site and the targeted site. Even worse, the tool will register SSL certificates via Let's Encrypt or allow the operator to import their own certificates. A registered site with a legitimate SSL certificate, camouflaged via a URL shortener or punycode, can be very difficult to spot—even for the trained eye.

The following figures show a website registered by the Security Research Team and how the extraction of credentials and tokens happens in the background.

The above attack method, ATT&CK ID T1192, will be successful even if the victim uses multifactor authentication methods such as SMS verification or Time-Based One-Time Passwords (TOTP), because the transparent proxy captures the victim's input as the MFA prompts are served. EvilGinx2 is definitely one of the most advanced phishing tools available at the moment.

The phishing frameworks selected above work differently and have different functions. Most of them cover the elements necessary to deliver malicious payloads via website or email. We decided to focus on EvilGinx2, as it is the most recent and effective phishing framework. We also have searches that can help detect other phishing frameworks and tools, such as the use of self-signed certificates or recent domain registrations, and Phantom playbooks that can address rogue proxies and cloned sites.

Tactical SIEM: How to Detect, Investigate, and Defend

In our research for our ESCU Analytic Story on detecting sites generated by phishing kits, we approached these attack vectors from a tactical perspective. We looked at the data sources and selected those items that give the operator the best path to detect and defend against the different indicators related to the above attack frameworks.

Phishing delivery framework data-source breakdown:

| Phishing Technique | ATT&CK Technique ID | Data Source | Splunk Tactical Resource |
| --- | --- | --- | --- |
| Cloned site | | Threat intelligence | Phantom playbook: "User prompt and block domain" |
| | | Threat intelligence | Phantom playbook: "User prompt and block domain" |
| Self-signed certificate | | Certificate registration | Splunk Enterprise "Letsencrypt" "Self Signed" detection search; Phantom playbook: "Let's Encrypt Domain Investigate"; ESCU search: "Attempt To Add Certificate To Untrusted Store" |
| New registered domain | | Passive DNS | Splunk ES investigation; Phantom playbook: "User prompt and block domain" |
| MIME type payload delivery | | Web proxy, gateway logs | UBA detection: "Suspicious http redirects" |
| Malicious attachment | | Email data logs | ESCU search: "Email Attachments With Lots Of Spaces"; ESCU search: "Suspicious Email Attachment Extensions" |
| | | Proxy logs | UBA DGA detection: "Suspicious Domain Name" |
| Potential phishing email | | Email data logs | ESCU search: "Monitor Email For Brand Abuse" |
| Malicious payload delivered by email and executed | | Email data logs, Sysmon, AD | ESCU search: "Email files written outside of the Outlook directory" |

The data sources documented above and their corresponding Splunk tactical resources can be very effective in detecting, investigating, and defending against phishing frameworks.

New ESCU Analytic Stories

As part of ESCU 1.0.37, Enterprise Security Content Updates (ESCU) included two Analytic Stories that focus on phishing. One, "Common Phishing Frameworks," is designed to detect EvilGinx2 registered domains. The other, "Phishing Payloads," includes searches that look for signs of unexpected behavior—such as outlook.exe writing a .zip file or suspicious .lnk files launching processes—that may indicate that a malicious payload has been injected into your environment.
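As an added illustration of the behaviors the "Phishing Payloads" story looks for (this is example code written for this post, not the ESCU searches themselves), the following Python flags two patterns over constructed Sysmon-style events: outlook.exe creating a file outside its Content.Outlook temp folder or with an archive or script extension, and a script interpreter started by explorer.exe whose command line points at a user-writable folder, which stands in for a .lnk file launching a process. The Content.Outlook path marker, the extension list, the interpreter list and the folder list are assumptions chosen for the example.

```python
import ntpath

# Constructed Sysmon-style events (EventCode 11 = FileCreate, 1 = ProcessCreate).
# Field names follow Sysmon's; hosts, users and paths are made up for this example.
SAMPLE_EVENTS = [
    {"EventCode": 11, "host": "wks01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\K7L2M9Q1\invoice.pdf"},
    {"EventCode": 11, "host": "wks01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice_2019.zip"},
    {"EventCode": 11, "host": "wks02",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\report.zip"},
    {"EventCode": 1, "host": "wks01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\invoice_2019\invoice.lnk"'},
    {"EventCode": 1, "host": "wks03",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\carol\Desktop\notes.txt'},
]

# Assumed marker for Outlook's secure temp folder (lower-cased path fragment).
OUTLOOK_TEMP_MARKER = "\\content.outlook\\"
# Assumed set of extensions that Outlook should not normally be writing.
PAYLOAD_EXTENSIONS = {".zip", ".lnk", ".exe", ".js", ".vbs", ".hta"}
# Assumed list of script interpreters and of user-writable folder fragments.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\content.outlook\\")


def outlook_file_writes(events):
    """Return (host, path, reasons) for FileCreate events where outlook.exe wrote
    outside its temp folder and/or wrote an archive or script file."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 11:
            continue
        if ntpath.basename(ev["Image"]).lower() != "outlook.exe":
            continue
        target = ev["TargetFilename"]
        low = target.lower()
        reasons = []
        if OUTLOOK_TEMP_MARKER not in low:
            reasons.append("outside_outlook_temp")
        if ntpath.splitext(low)[1] in PAYLOAD_EXTENSIONS:
            reasons.append("payload_extension")
        if reasons:
            hits.append((ev["host"], target, reasons))
    return hits


def lnk_style_launches(events):
    """Return (host, image, command line) for ProcessCreate events where explorer.exe
    started a script interpreter with arguments pointing at a user-writable folder."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmd = ev.get("CommandLine", "").lower()
        if parent == "explorer.exe" and image in INTERPRETERS and any(p in cmd for p in USER_WRITABLE):
            hits.append((ev["host"], image, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for hit in outlook_file_writes(SAMPLE_EVENTS):
        print("outlook write:", hit)
    for hit in lnk_style_launches(SAMPLE_EVENTS):
        print("interpreter launch:", hit)
```

On the constructed events, the invoice.pdf write lands in Content.Outlook and is ignored, the invoice_2019.zip write in Downloads is flagged for both reasons, the 7-Zip write is ignored because the writer is not Outlook, and only the cmd.exe launch from explorer.exe is reported. In Splunk the same two checks map onto the Endpoint data model's Filesystem and Processes objects.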

Splunk Enterprise searches:

Find all queried domains from the Network_Resolution data model:

| tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host
| `drop_dm_object_name(DNS)`
| rex field=query ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$"
| stats count values(query) as query by domain dest src answer

Match the combinations of subdomains that are associated with EvilGinx2 phishing sites, defined as macros in macros.conf in ESCU:

| search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google`

Exclude all verified domains (the legitimate domains kept in the evilginx_domains.csv lookup). This helps filter out false positives:

| search NOT
   [ inputlookup evilginx_domains.csv
   | fields domain]

Join the results with web data for the visited EvilGinx2 sites from the Web data model (the subsearch splits by Web.site so that the rex on site has a field to extract from):

| join domain
   [| tstats count summariesonly=true allow_old_summaries=true values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site
   | rename "Web.*" as *
   | rex field=site ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$"
   | table dest domain url]
| table count src dest query answer domain url

The above search can detect EvilGinx2 transparent-proxy phishing connections (HTTP, DNS). We can see below how Splunk core can be used to detect the EvilGinx2 default URI structure for the Amazon phishlet.
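To show what the search above computes, here is an added Python re-implementation of the same pipeline (example code written for this post, not ESCU content): it applies the page's rex pattern to constructed DNS resolution records, stands in for the evilginx_phishlets_* macros with assumed subdomain combinations (the real macro contents live in ESCU's macros.conf and are not reproduced here), applies the evilginx_domains.csv exclusion as an in-memory set, and joins the visited URLs from constructed Web data-model events. The lookalike domain names, IP addresses and URLs are made up; the legitimate amazon.com traffic is included to show the allowlist step removing it.

```python
import re
from collections import defaultdict

# The same pattern the ESCU search applies with rex, in Python's (?P<name>...)
# group syntax. It keeps the last label before a 2-3 character TLD, or before a
# 2-3.2-3 suffix such as co.uk.
DOMAIN_RE = re.compile(r".*?(?P<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$")

# Constructed stand-in for the evilginx_phishlets_* macros: a phishlet counts as
# matched when every hostname label in its set was queried under one registered
# domain. These sets are illustrative assumptions, not the ESCU macro contents.
PHISHLET_SUBDOMAINS = {
    "amazon": {"www", "images-na"},
    "o365": {"login", "www"},
}

# Constructed allowlist standing in for the evilginx_domains.csv lookup.
VERIFIED_DOMAINS = {"amazon.com", "amazon.co.uk", "microsoftonline.com"}

# Constructed Network_Resolution-style events: (src, dest, query, answer).
SAMPLE_DNS = [
    ("10.1.2.3", "10.1.0.53", "www.amazon.com", "192.0.2.10"),
    ("10.1.2.3", "10.1.0.53", "images-na.amazon.com", "192.0.2.11"),
    ("10.1.2.7", "10.1.0.53", "www.amaz0n-secure.com", "203.0.113.10"),
    ("10.1.2.7", "10.1.0.53", "images-na.amaz0n-secure.com", "203.0.113.10"),
    ("10.1.2.9", "10.1.0.53", "login.contoso-sso.co.uk", "198.51.100.5"),
    ("10.1.2.9", "10.1.0.53", "www.contoso-sso.co.uk", "198.51.100.5"),
    ("10.1.2.11", "10.1.0.53", "login.microsoftonline.com", "192.0.2.20"),
]

# Constructed Web data-model events: (dest, site, url).
SAMPLE_WEB = [
    ("203.0.113.10", "www.amaz0n-secure.com", "https://www.amaz0n-secure.com/ap/signin"),
    ("198.51.100.5", "login.contoso-sso.co.uk", "https://login.contoso-sso.co.uk/common/oauth2"),
]


def registered_domain(fqdn):
    """Return the registered domain exactly as the ESCU rex extracts it, or None."""
    m = DOMAIN_RE.match(fqdn)
    return m.group("domain") if m else None


def detect_phishlet_domains(dns_events, web_events):
    """Group queries by registered domain, keep domains whose subdomain labels cover
    a phishlet combination, drop verified domains, then join the visited URLs."""
    by_domain = defaultdict(lambda: {"queries": set(), "src": set(), "answer": set()})
    for src, _dest, query, answer in dns_events:
        domain = registered_domain(query)
        if domain is None:
            continue
        by_domain[domain]["queries"].add(query)
        by_domain[domain]["src"].add(src)
        by_domain[domain]["answer"].add(answer)

    urls_by_domain = defaultdict(set)
    for _dest, site, url in web_events:
        domain = registered_domain(site)
        if domain:
            urls_by_domain[domain].add(url)

    hits = []
    for domain, info in sorted(by_domain.items()):
        if domain in VERIFIED_DOMAINS:
            continue  # the "search NOT [inputlookup ...]" exclusion step
        # Hostname labels seen in front of the registered domain, e.g. "www".
        labels = {q[: -len(domain) - 1] for q in info["queries"] if q.endswith("." + domain)}
        matched = [name for name, needed in PHISHLET_SUBDOMAINS.items() if needed <= labels]
        if matched:
            hits.append({
                "domain": domain,
                "phishlets": sorted(matched),
                "src": sorted(info["src"]),
                "answer": sorted(info["answer"]),
                "urls": sorted(urls_by_domain.get(domain, ())),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_phishlet_domains(SAMPLE_DNS, SAMPLE_WEB):
        print(hit)
```

Running it reports amaz0n-secure.com (Amazon phishlet) and contoso-sso.co.uk (Office 365 phishlet) with their querying hosts, resolved addresses and visited URLs, while amazon.com is silently dropped by the allowlist even though its subdomain set also covers the Amazon combination. That last point is why the exclusion step matters: the subdomain combination alone describes the legitimate site as well as the proxy in front of it.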

Phantom Playbook: Let’s Encrypt Domain Investigate

If the detection searches mentioned above return any results, Splunk Phantom can be used to gather additional information about the domain names and URLs used by the phishlet. The Phantom playbook called “Let’s Encrypt Domain Investigate” uses Censys, PassiveTotal, Screenshot Machine, and to gather essential information about the TLS certificates, website behavior, and domain registration of the website in question. The results are displayed in Mission Control and can be used to populate a ticket, update the notable event, or connect directly to a response action in another Phantom playbook.

The Splunk Security Research Team hopes that our Analytic Stories on phishing help you develop a formidable defense against this attack vector. We welcome your feedback, as well. Feel free to leave comments below and/or click on the Feedback Center tab in ESCU and let us know how to improve! (Of course, we love compliments, too.)

Go find 'em and crush 'em!



The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate, and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as DEF CON, Black Hat, RSA, and many more.
