MITRE ATT&CK CoA - T1566 - Phishing

This playbook Remediates the Phishing technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1566: Phishing Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

MITRE ATT&CK - Courses of Action · 20 tasks · 4 inputs · 1 output

Inputs

  • template — Template name to enforce WildFire best practices profile.
  • pre_post — Rules location. Can be 'pre-rulebase' or 'post-rulebase'. Mandatory for Panorama instances.
  • device-group — The device group for which to return addresses (Panorama instances).
  • tag — Tag for which to filter the results.

Outputs

  • Handled.Techniques — The techniques handled in this playbook

Flowchart

yes yes yes Start Start Manual - Cortex XDR - Setup file blocking Manual - Cortex XDR - Set... PAN-OS - Enforce Anti-Virus Best Practices Profile - PAN-OS - Enforce Anti-Virus Best Practices Profile PAN-OS - Enforce Anti-Vir... PAN-OS - Enforce Anti-Virus B... PAN-OS - Enforce WildFire Best Practices Profile - PAN-OS - Enforce WildFire Best Practices Profile PAN-OS - Enforce WildFire... PAN-OS - Enforce WildFire Bes... Manual - Cortex XDR - Configure Malware Security Profile Manual - Cortex XDR - Con... Phishing Investigation - Generic v2 - Phishing Investigation - Generic v2 Phishing Investigation - ... Phishing Investigation - Gene... Endpoint Malware Investigation - Generic - Endpoint Malware Investigation - Generic Endpoint Malware Investig... Endpoint Malware Investigatio... Would you like to use "Phishing Investigation - Generic v2? Would you like to use "Ph... Would you like to use "Access Investigation - Generic" playbook? Would you like to use "Ac... Set technique handled Set technique handled Deploy Cortex XSOAR Playbook – Phishing Investigation - Generic v2 Deploy Cortex XSOAR Playb... Deploy Cortex XSOAR Playbook – Endpoint Malware Investigation - Generic Deploy Cortex XSOAR Playb... Setup file blocking in Cortex XDR Setup file blocking in Co... PAN-OS - Enforce Anti-Virus Best Practices Profile PAN-OS - Enforce Anti-Vir... PAN-OS - Enforce WildFire Best Practices Profile PAN-OS - Enforce WildFire... Configure Malware Security Profile in Cortex XDR Configure Malware Securit... Done Done Is Cortex XDR integration Enabled? Is Cortex XDR integration... Manual - Enable Cortex XDR integration Manual - Enable Cortex XD... Set grid field Set grid field