This project is currently under development.
These streamlined modules and scripts are designed to efficiently mitigate phishing threats across multiple Google Workspaces automatically. The system loads and processes data from Google Email Log Search exports, enabling quick detection, analysis, and resolution. Azure support will come in the future.
- Automated Graphs and Summaries: Generate insightful graphs and summaries of the provided phishing attack based on exports from Google’s Email Log Search tool.
- Preset Remediation Scripts: Quickly delete phishing emails and suspend affected user access with ready-to-use scripts.
- Incident Response Email Templates: Use customizable templates to streamline communication with internal and external users about phishing incidents.
- Suspicious Sign-In Monitoring: Check phishing victims for recent suspicious sign-ins to assess potential account compromise.
- Comprehensive Action Logging: Ensure full transparency with detailed logs of all actions performed by this tool for auditing and accountability.
- Multi-Instance Google Workspace Processing: Seamlessly manage multiple Google Workspace environments and perform bulk email deletions across all instances with a single script.
- Finish `Google()` class - other Google authentication methods
- Build a framework for handling arguments and building the log_entries from the provided file
- Create email sender class and build script to send warnings to recipients
- Create documentation for each library
- Finish README
- Improve report generation
- Azure Support
- Django Website (idk)
- Google Drive file Stealer
- Email Reader (idk)
- Create user
- Suspend/Unsuspend User
- Delete User
- Credential file permission enumerator
```
$ python .\gmailLogReporter.py --logfile .\LogSearchResults.csv --docx report.docx --wizard
 ____  ____  ___ ____  __  __
|  _ \|  _ \|_ _/ ___||  \/  |
| |_) | |_) || |\___ \| |\/| |     Script: Google: Log Reporter
|  __/|  _ < | | ___) | |  | |     Version: dev 0.0.0
|_|   |_| \_\___|____/|_|  |_|     Github: https://github.com/Drew-Alleman/PRISM
Did apply any mitigations and would you like to display them in your report? (y/n): y
Please provided a quick bullet point sentence (type 'stop' to quit) Implemented a recipient limit for outgoing emails to prevent mass distribution of malicious content.
Please provided a quick bullet point sentence (type 'stop' to quit) Suspended accounts associated with detected suspicious login activity to contain potential threats.
Please provided a quick bullet point sentence (type 'stop' to quit) Strengthened spam detection policies to identify and quarantine potentially harmful messages more effectively.
Please provided a quick bullet point sentence (type 'stop' to quit) stop
Would you like to add custom title? (y/n): n
Would you like to add additional information about the author? (y/n): y
Author Name: Drew Alleman
Authors Job Title:
Authors Email:
Date of Report:
```
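```python
# Google and GoogleLogParser are PRISM's own classes
google_client = Google()
log_parser = GoogleLogParser()
log_parser.read_exports(["export1.csv", "export2.csv"])

for user in log_parser.get_entries():
    # Remove the phishing message from the recipient's mailbox
    google_client.delete_email(user.message_id, user.email)
    # Suspend only the recipients who opened the message
    if user.opened_email:
        google_client.suspend(user.email)
```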
The `Google` Python class automatically determines which authentication to use. All we need to do is fill out `/configurations/config.yaml` with the service account information.
| Field | Description | Example Value |
|---|---|---|
| `name` | A friendly identifier for the Google Workspace instance, used for distinguishing accounts in logs and reports. | `ExampleWorkspace1` |
| `secret_file` | The path to the JSON credentials file for the service account, allowing PRISM to authenticate with Google. | `/path/to/service_account1.json` |
| `domains` | A list of domains managed by this workspace. PRISM will use this service account for actions on any of these domains. | `example.com`, `store.example.com` |
```yaml
google_service_accounts:
  - name: ExampleWorkspace1
    secret_file: /path/to/service_account1.json
    domains:
      - example.com
      - store.example.com
  - name: ExampleWorkspace2
    secret_file: /path/to/service_account2.json
    domains:
      - github.com
      - docs.github.com
```
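An added example, not PRISM's own code: a pre-flight check over the `google_service_accounts` list before any bulk delete or suspend run, so that each address maps to exactly one workspace credential and the secret files are not readable by other local users. It assumes the YAML has already been parsed into a list of dicts; `validate_accounts`, `account_for` and `SAMPLE` are hypothetical names.

```python
import os
import stat

# Constructed sample mirroring the config.yaml layout shown above.
SAMPLE = [
    {"name": "ExampleWorkspace1", "secret_file": "/path/to/service_account1.json",
     "domains": ["example.com", "store.example.com"]},
    {"name": "ExampleWorkspace2", "secret_file": "/path/to/service_account2.json",
     "domains": ["github.com", "docs.github.com"]},
]

def validate_accounts(accounts):
    """Return a list of problems found in the parsed google_service_accounts list."""
    problems, seen = [], {}
    for acct in accounts:
        name = acct.get("name", "<unnamed>")
        for field in ("name", "secret_file", "domains"):
            if not acct.get(field):
                problems.append(f"{name}: missing '{field}'")
        # A domain listed under two workspaces makes the credential choice ambiguous.
        for domain in acct.get("domains") or []:
            key = domain.strip().lower()
            if seen.setdefault(key, name) != name:
                problems.append(f"{key}: claimed by both {seen[key]} and {name}")
        path = acct.get("secret_file")
        if path and not os.path.exists(path):
            problems.append(f"{name}: {path} does not exist")
        elif path:
            # POSIX mode bits only; Windows ACLs are not inspected here.
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{name}: {path} is accessible to group/other (mode {mode:o})")
    return problems

def account_for(accounts, email):
    """Name of the workspace whose domains list holds the address's exact domain."""
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.strip().lower()
    for acct in accounts:
        # Exact match, not suffix match: notexample.com must not select example.com.
        if domain in (d.strip().lower() for d in acct.get("domains") or []):
            return acct["name"]
    return None

if __name__ == "__main__":
    print(validate_accounts(SAMPLE))
    print(account_for(SAMPLE, "user@store.example.com"))
```

Run `validate_accounts` once at startup and refuse to perform remediation actions while it returns any problems.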
Log in to your Google Workspace Admin account and navigate to the Google Cloud Console. Click on the "Select a project" button in the top left corner, then choose "New Project" to create a new one. Feel free to name it anything you like.
Now we need to enable the Gmail API and Admin API to manage emails and users.
Now we need to generate the JSON secret file to allow PRISM to authenticate to Google.
Now we need to paste the client ID we copied from the cloud console and we need to input the following scopes