[Meta] EvilNoVNC Threat Detection Coverage Assessment

Open terrancedejesus opened this issue 1 year ago • 1 comment

Parent Epic (If Applicable)

  • https://github.com/elastic/ia-trade-team/issues/271

Meta Summary

This meta was created to assess threat detection coverage for the EvilNoVNC phishing platform/toolkit. Since this toolkit can target various SaaS platforms and tenants, the scope should focus on our core SaaS integrations: O365, Okta, Google Workspace, GitHub, and Salesforce.

We may follow-up with assessments against CSPs (Azure, AWS, GCP) as well.

Estimated Time to Complete

2 weeks

Potential Blockers

Tasklist

Potential Detection Rules:

  • Stolen Cookies from Browser
  • Anomalies in user sessions, both in active sessions and at session instantiation
  • Geolocation anomalies
  • Access to stored objects in common browsers
  • Anomalous endpoint URL requests and content
  • Anomalous user-agents
  • SAMLjacking
  • OAuth anomalies
  • Keylogger capabilities

Meta Tasks

- [ ] Provide Week 1 Update Comment
- [ ] Provide Week 2 Update or Closeout Comment

Resources / References

  • https://github.com/JoelGMSec/EvilnoVNC

terrancedejesus, Jun 13 '24 15:06

Closing this issue as it is currently out of scope for TRADE's cloud threat research.

terrancedejesus, Apr 27 '25 15:04