Creating an Attack Campaign


Last updated 1 month ago

EFI allows security teams to create highly customizable email attack campaigns that emulate real-world phishing and malware delivery scenarios. These campaigns can be configured with different payload types, delivery methods, and execution modes to test various layers of email and endpoint defenses.

Campaign creation is handled through a guided interface that walks the user through all the necessary steps, from naming the campaign to selecting the payload and scheduling execution.

To create an Email Attack Campaign:

  1. Click the Add campaign button at the top of the EFI Campaigns Table.

  2. Follow the wizard.

General Information

The first step in creating an EFI campaign is to define its basic metadata and scheduling parameters. This step ensures that each campaign is properly identified, scheduled, and targeted based on the intended scenario.

| Field | Description |
| --- | --- |
| Campaign Name | Enter a unique name to identify the campaign. Use meaningful names that describe the test scenario. |
| On Demand Start | Enable this option if you want to manually start the campaign later. Disables the scheduling fields. |
| Campaign Start | Select the date and time when the campaign should begin. |
| Campaign End | Define when the campaign should expire and stop collecting telemetry. |
| Campaign Description | Provide an overview of the campaign's objective, scope, or target audience. |
| Target OS Distribution | Choose the operating system intended to receive and execute the payload. Options include Windows and Linux. Currently, Windows is the most common target. |

  • If On Demand Start is checked, the campaign will start as soon as the campaign is published.

  • Start and End Times are essential for scheduled campaigns and help determine the Active or Expired status later.

  • The Target OS influences the type of payload generated and the behavior of the emulation.

This information sets the foundation for the rest of the campaign configuration and ensures operational context is recorded for future reporting.
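The scheduling rules this step describes (On Demand Start disabling the date fields, Campaign Start and Campaign End driving the Active or Expired status) can be written down as a small validation and status function. The following is an added example, not Reveald or EFI product code: field names mirror the wizard, while the "Scheduled" label for a campaign whose start time has not yet arrived and "Pending" for an unpublished on-demand campaign are assumed labels (the page names only Active and Expired).

```python
"""Campaign scheduling rules from the General Information step, as code.

Added illustration, not Reveald/EFI product code. Field names mirror the
wizard (Campaign Name, On Demand Start, Campaign Start, Campaign End). The
page names only the Active and Expired statuses; "Scheduled" and "Pending"
are assumed labels.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    """Small helper so sample timestamps are unambiguous (UTC)."""
    return datetime(y, m, d, h, tzinfo=timezone.utc)


@dataclass
class CampaignSchedule:
    name: str
    on_demand_start: bool = False
    start: Optional[datetime] = None         # Campaign Start (ignored when on demand)
    end: Optional[datetime] = None           # Campaign End (ignored when on demand)
    published_at: Optional[datetime] = None  # when the campaign was published


def validate(s: CampaignSchedule) -> List[str]:
    """Return the configuration problems found; an empty list means the step is valid."""
    problems: List[str] = []
    if not s.name.strip():
        problems.append("Campaign Name is required")
    if s.on_demand_start:
        # On Demand Start disables the scheduling fields, so there is nothing else to check.
        return problems
    if s.start is None or s.end is None:
        problems.append("scheduled campaigns need both Campaign Start and Campaign End")
    elif s.end <= s.start:
        problems.append("Campaign End must be later than Campaign Start")
    return problems


def status(s: CampaignSchedule, now: datetime) -> str:
    """Derive the lifecycle status of a valid campaign at time `now`."""
    if s.on_demand_start:
        # An on-demand campaign starts as soon as it is published.
        if s.published_at is not None and s.published_at <= now:
            return "Active"
        return "Pending"
    assert s.start is not None and s.end is not None, "call validate() first"
    if now < s.start:
        return "Scheduled"
    if now < s.end:
        return "Active"
    return "Expired"  # past Campaign End: telemetry collection has stopped


if __name__ == "__main__":
    # Constructed sample campaign: a one-week window in June 2024.
    drill = CampaignSchedule("Finance phishing drill",
                             start=utc(2024, 6, 3, 9), end=utc(2024, 6, 10, 9))
    print(validate(drill))  # []
    for day in (1, 5, 12):
        print(day, status(drill, utc(2024, 6, day, 12)))
```

Running the module prints Scheduled, Active and Expired for the three sample days; reversing the start and end dates makes validate() report the ordering problem before the campaign can be published.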

Campaign Selection

Select the campaign execution mode, which defines how the simulated attack will behave and whether telemetry will be collected from the endpoint.

You must choose between:

Realistic and Controlled Attack Campaigns

This mode provides full observability of the simulated attack lifecycle.

  • Payloads are generated from EFI’s internal library or uploaded scripts.

  • The EVE agent is embedded to collect telemetry from the endpoint.

  • EFI tracks:

    • Delivery and interaction (clicks, opens)

    • Payload execution status

    • Endpoint response

    • C2 (command and control) communication behavior.

Ideal for testing real-world attack scenarios and validating detection and response capabilities across email, endpoint, and network layers.

Unattended Attack Campaign

This mode is designed for basic validations with no endpoint telemetry.

  • Organizations can use their own artifacts or scripts.

  • EVE does not embed the agent in the payload.

  • The platform does not collect post-delivery telemetry, even though payloads may still execute if the user interacts.

  • Used primarily to verify email delivery, routing, and gateway-level filtering.

Recommended for infrastructure testing and environments where deeper tracking is not needed or permitted.

Threat Selection

In this step, users select the synthetic threat that will be embedded into the campaign. EFI allows the use of both predefined synthetic samples and custom uploaded artifacts, enabling flexible and realistic emulation of attacker behavior.

The selection interface displays a table of available threats with the following attributes:

| Column | Description |
| --- | --- |
| Name | File name of the threat or payload to be used in the campaign. |
| Severity | Assigned severity level. |
| Platform | Indicates the operating system compatibility (e.g., Windows). |
| Size (KB) | File size of the payload in kilobytes. |
| Arguments | Displays whether any execution arguments are defined (for executable payloads). |

Users can search, filter, and navigate through available files using the toolbar at the top.

Threat Types

At the top of the view, you’ll find:

  • THREAT: Refers to EFI’s built-in synthetic threats.

  • CUSTOM THREAT: Refers to artifacts uploaded by the user or organization (scripts).

Notes

  • Multiple threats can be selected per campaign.

  • The selected threat will later be delivered via the chosen broadcast method (Email, Link, QR).

  • The payload’s behavior and observability will depend on the campaign mode selected in Step 2:

    • Controlled: Embedded agent collects telemetry.

    • Unattended: No post-delivery tracking.

This step allows security teams to simulate realistic threat vectors by tailoring the type of file, severity, and behavior they wish to validate.

Distribution

In this step, users define how the simulated threat will be delivered to the target users. EFI supports three broadcast channels:

  • Link

  • Email

  • QR Code

Each method ultimately leverages an attacker URL generated by the platform, but the delivery and presentation differ depending on the selected channel.

Email Distribution

This is the most comprehensive and customizable method. It includes the following configuration fields:

| Field | Description |
| --- | --- |
| Email Template | Select from a variety of predefined phishing templates categorized under tabs such as Alerts, E-Commerce, Government, Login, Social Media, and more. |
| Login Page (visual) | Choose the appearance of the login or bait content (e.g., spoofed financial institution, login portal). A preview is displayed on the right. |
| Subject | Define the subject line that will appear in the phishing email. |
| Email Recipients | Manually input the email addresses of intended targets. |
| Artifact Delivery Method | Defines how the synthetic threat is embedded or linked inside the email. |
| Attached Agent in Email | If selected, embeds the lightweight EVE agent to enable full telemetry collection. |

This setup allows for realistic phishing simulations, closely mimicking what end users would see in real-world attack attempts.

QR Code and Direct Link Distribution

When using QR Code or Direct Link as the broadcast method, the user must define the Artifact Delivery Method, which determines how the payload is structured and delivered, as well as how telemetry is handled.

Artifact Delivery Method

Bundled with Agent

  • The full payload, including the synthetic threat and the embedded lightweight EVE agent, is delivered in a single bundled file.

  • Once the user executes the file, telemetry is collected immediately, covering:

    • Agent report to console.

    • Monitoring of payload execution.

  • This method is best for Controlled Campaigns with full end-to-end observability.

Network Download

  • The initial file delivered is a lightweight launcher, typically just the embedded EVE agent.

  • Once executed, this agent triggers the download of the actual synthetic threat from the configured attacker URL.

  • This two-stage execution allows the campaign to test the network vector, as the second-stage malware is retrieved via HTTP or HTTPS, defined in a later configuration step.

  • Telemetry starts once the malware is downloaded and executed, enabling visibility into:

    • Whether the malware was downloaded.

    • Monitoring of payload execution.

This method is ideal for testing real-world scenarios where malware is not delivered directly, but instead downloaded after initial access, mirroring common attacker techniques like dropper behavior and C2 staging.

Payload Configuration

Users define the final behavioral and visual characteristics of the payload. This includes execution parameters, file appearance, delivery behavior, and execution order of the threat components.

Execution Configuration

| Option | Description |
| --- | --- |
| Secure Download | Forces the network download (used in "Network Download" mode) to occur via HTTPS. |
| Zipped | Wraps the payload in a ZIP archive, simulating common malware evasion techniques. |
| Threat Timeout | Timeout (in seconds) for synthetic threats to run before being forcefully terminated. |
| Custom Threat Timeout | Timeout specifically for custom threats/scripts. |
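The table states what Secure Download and the two timeouts mean but not how an agent would enforce them. The following added example (not EVE or EFI product code) models those semantics: an HTTPS-only check on the second-stage download URL when Secure Download is set, selection of the Threat Timeout or Custom Threat Timeout by threat type, and a supervised run that forcefully terminates a process once its timeout elapses. The class and function names and the default timeout values are assumptions, and a sleeping Python child process stands in for a synthetic threat.

```python
"""Execution Configuration semantics: Secure Download, Threat Timeout and
Custom Threat Timeout.

Added illustration, not EVE/EFI product code; the page does not describe how
the agent enforces these options. Names and default timeout values are
assumptions. A synthetic threat is stood in for by a Python child process
that only sleeps.
"""
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class ExecutionConfig:
    secure_download: bool = False      # Network Download must use HTTPS
    zipped: bool = False               # wrap the payload in a ZIP archive
    threat_timeout: int = 60           # seconds, built-in synthetic threats (assumed default)
    custom_threat_timeout: int = 120   # seconds, custom threats/scripts (assumed default)


def download_url_allowed(url: str, cfg: ExecutionConfig) -> bool:
    """Secure Download forces HTTPS; otherwise the second stage may use HTTP or HTTPS."""
    scheme = urlparse(url).scheme.lower()
    if cfg.secure_download:
        return scheme == "https"
    return scheme in ("http", "https")


def timeout_for(cfg: ExecutionConfig, is_custom_threat: bool) -> int:
    """Pick the timeout that applies to a threat of the given type."""
    return cfg.custom_threat_timeout if is_custom_threat else cfg.threat_timeout


@dataclass
class RunResult:
    returncode: Optional[int]
    elapsed_s: float
    terminated: bool   # True when the timeout fired and the process was killed


def run_with_timeout(argv: List[str], timeout_s: float) -> RunResult:
    """Run argv; if it is still running after timeout_s seconds, kill it and report that."""
    started = time.monotonic()
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        proc.wait(timeout=timeout_s)
        return RunResult(proc.returncode, time.monotonic() - started, False)
    except subprocess.TimeoutExpired:
        proc.kill()     # forceful termination, as the Threat Timeout option describes
        proc.wait()
        return RunResult(proc.returncode, time.monotonic() - started, True)


def sleeping_process(seconds: float) -> List[str]:
    """Constructed stand-in for a synthetic threat: a child process that only sleeps."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


if __name__ == "__main__":
    cfg = ExecutionConfig(secure_download=True, threat_timeout=1)
    # Constructed URL: a plain-HTTP second stage is rejected when Secure Download is set.
    print(download_url_allowed("http://staging.example.test/stage2.bin", cfg))   # False
    result = run_with_timeout(sleeping_process(10), timeout_for(cfg, is_custom_threat=False))
    print(result.terminated, round(result.elapsed_s))   # True 1
```

The run result carries both whether the timeout fired and how long the process actually ran, which is the information a report needs to distinguish a threat that finished from one that was cut off.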

Payload Information

  • Name: Label used internally to identify the payload configuration.

  • Payload Description: Additional notes or metadata to describe the behavior or intent of the payload.

  • Payload Organization: Logical grouping or classification for organizational or reporting purposes.

Installer Icon

This section defines the visual icon that will represent the payload when delivered to the end user (e.g., as an attachment or executable). Options include common productivity apps, document formats, and social media platforms to simulate real-world deception tactics.

Selecting an icon helps make the payload more convincing to the user during the test.

Execution Order (Sorting)

Users can define the execution sequence of the selected payloads. This is especially useful when multiple components are bundled together.

  • Drag and drop files to determine execution order.

  • The first item in the list will be executed first once the emulation is triggered on the endpoint.

Save and Launch

The final step in the EFI campaign creation process is where all configuration inputs come together. At this point, you can finalize and initiate the build process for your email emulation campaign.

  • Once all steps have been completed, the interface displays a summary screen titled "Campaign Creator", indicating the campaign is ready for deployment.

  • To confirm and initiate creation, click the “CREATE” button at the bottom of the screen.

  • If changes are needed, you may click “BACK” to return to any previous step.

What Happens Next

After clicking “CREATE”, the platform returns you to the EFI Campaigns Table, where the new campaign now appears with its current status.

To monitor the build progress and lifecycle, click on the Status indicator of the campaign. See details on Campaign Status.