{
"id": "KB-CRED-HARVEST-PATTERNS",
"memory_type": "knowledge",
"doc_type": "kb",
"scenario": "phishing",
"title": "Credential Harvesting Indicators",
"abstract": "Common indicators that a phishing case involves credential harvesting rather than simple spam or benign mail.",
"key_points": [
"Landing page mimics Microsoft 365 or common SaaS login pages.",
"HTML attachment often acts as a redirector rather than containing malware.",
"Credential harvest campaigns frequently reuse branding and lures across tenants."
],
"investigation_guidance": [
"Capture the full redirect chain.",
"Look for post-click login anomalies in identity logs.",
"Search for the same lure across multiple mailboxes."
],
"decision_points": [
"User click plus sign-in anomaly greatly increases confidence.",
"Branding reuse can help link separate phishing cases into one campaign."
],
"related_refs": {
"playbooks": [
"PB-PHISH-001"
],
"cases": []
},
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-CRED-HARVEST-PATTERNS.json",
"tags": [
"kb",
"phishing",
"credential-harvest"
]
}