npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
Overview
A pretext call (vishing) is a social engineering technique where an attacker impersonates a trusted authority figure over the phone to manipulate targets into divulging sensitive information, performing actions, or granting access. In red team engagements, pretext calls test the human element of security controls, measuring employee adherence to verification procedures and security awareness training effectiveness. MITRE ATT&CK maps this to T1566.004 (Phishing for Information: Voice) and T1598 (Phishing for Information).
When to Use
- When conducting security assessments that involve conducting social engineering pretext call
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Written authorization specifying social engineering scope and boundaries
- List of approved target employees (usually provided by client)
- OSINT research on targets and organization
- Spoofed caller ID capability (authorized for testing)
- Call recording equipment (with legal consent as required)
- Pretext scenarios approved by client
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic |
|---|---|---|
| T1566.004 | Phishing: Voice | Initial Access |
| T1598 | Phishing for Information | Reconnaissance |
| T1598.003 | Phishing for Information: Spearphishing Voice | Reconnaissance |
| T1589 | Gather Victim Identity Information | Reconnaissance |
| T1591 | Gather Victim Org Information | Reconnaissance |
Phase 1: OSINT and Target Research
# LinkedIn employee enumeration
theHarvester -d targetcorp.com -b linkedin -l 200
# Company org chart and employee roles
# Review LinkedIn, corporate website "About Us" / "Team" pages
# Technology stack identification
# Check job postings for technology references (VPN vendor, email, helpdesk tool)
# Phone system identification
# Call main line, note IVR options, department names, extension patternsKey intelligence to gather:
- Internal helpdesk phone number and procedures
- IT department names and staff
- VPN/remote access vendor (Cisco AnyConnect, Fortinet, Pulse Secure)
- Corporate email format (first.last, flast, etc.)
- Recent events (mergers, office moves, system upgrades)
- Employee names, titles, departments
Phase 2: Pretext Development
Common Pretext Scenarios
IT Helpdesk Impersonation (Most Effective):
"Hi, this is [name] from the IT Service Desk. We're migrating everyone to the new VPN client this week, and I see your account hasn't been updated yet. I need to verify your current credentials to ensure the migration goes smoothly. Can you confirm your username and current password?"
Vendor/Contractor:
"Hi, I'm [name] from [known vendor]. We're doing an emergency patch deployment for [product] and I need remote access to your system. Could you help me connect via TeamViewer?"
Executive Assistant (Authority):
"This is [name] calling on behalf of [CFO name]. [He/She] needs an urgent wire transfer processed for a deal that's closing today. I'll email you the details, but we need this done in the next hour."
Building/Facilities:
"Hi, this is [name] from facilities management. We're updating the badge access system this weekend. I need to confirm your employee ID and current badge number so your access isn't interrupted."
Pretext Checklist
- Is the pretext believable for this organization?
- Does it create appropriate urgency without being threatening?
- Does it align with OSINT findings (real dept names, real systems)?
- Does it have a plausible reason for requesting information?
- Is there a fallback if the target pushes back?
- Has the client approved this specific pretext?
Phase 3: Call Execution
Call Structure
- Introduction (10 seconds): State name, department, reason for calling
- Building rapport (30 seconds): Reference something real (recent event, shared context)
- Authority establishment (20 seconds): Reference manager name, ticket number, urgency
- Information request (30 seconds): Ask for the target information naturally
- Handling objections: If challenged, respond calmly with prepared answers
- Closing (10 seconds): Thank them, leave no suspicion
Objection Handling
| Objection | Response |
|---|---|
| "Can I call you back?" | "Of course, call the main helpdesk line and ask for [name]. But this needs to be done by EOD." |
| "I need to verify this" | "Absolutely, I appreciate your diligence. You can check with [manager name]." |
| "I was told never to give passwords" | "You're right, and normally we wouldn't ask. This is a special case because [reason]. I can have my manager call you." |
| "What's your employee ID?" | Pivot: "It's [made-up ID]. Listen, I have 50 more people to call today. Can we just get this done?" |
| "I'll email IT instead" | "Sure, but the system migration happens tonight. If it's not done by then..." |
Phase 4: Data Collection and Metrics
Track the following for each call:
| Metric | Description |
|---|---|
| Target Name | Employee called |
| Department | Target's department |
| Date/Time | When call was made |
| Duration | Length of call |
| Pretext Used | Which scenario |
| Information Obtained | What was disclosed |
| Credential Disclosed | Yes/No (and type) |
| Verification Attempted | Did target try to verify caller? |
| Reported to Security | Did target report the call? |
| Social Engineering Score | 1-5 susceptibility rating |
Phase 5: Reporting
Success Metrics
| Metric | Target | Result |
|---|---|---|
| Credential Disclosure Rate | <10% | XX% |
| Sensitive Info Disclosure Rate | <20% | XX% |
| Verification Rate | >80% | XX% |
| Security Reporting Rate | >50% | XX% |
Ethical and Legal Considerations
- Always obtain written authorization before conducting vishing tests
- Never use threatening language or create genuine fear
- Document consent and legal requirements for call recording
- Protect disclosed credentials - immediately report to client
- Debrief targets after the engagement if client approves
- Never publicly identify specific employees who failed
- Comply with telecommunications laws in your jurisdiction
References
- Verizon DBIR 2025: 74% of breaches involve human element
- MITRE ATT&CK T1598: https://attack.mitre.org/techniques/T1598/
- Social Engineering Penetration Testing by Gavin Watson (Syngress)
- The Art of Deception by Kevin Mitnick (Wiley)
- NIST SP 800-50: Building an Information Technology Security Awareness and Training Program
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.9 KB
Social Engineering Pretext Call — API Reference
Libraries
| Library | Install | Purpose |
|---|---|---|
| requests | pip install requests |
API integration with tracking platforms |
| twilio | pip install twilio |
Programmatic phone call management |
| jinja2 | pip install Jinja2 |
Pretext script template rendering |
Pretext Call Phases
| Phase | Description |
|---|---|
| Reconnaissance | Research target name, role, department, reporting chain |
| Pretext Development | Create believable scenario and script |
| Call Execution | Make the call, follow script, adapt to responses |
| Documentation | Record outcome, information obtained, duration |
| Analysis | Calculate success rates, identify vulnerable departments |
Success Criteria Categories
| Category | Description |
|---|---|
| Full Success | Target provided credentials, access, or completed action |
| Partial Success | Target revealed organizational info but not credentials |
| Failed | Target refused or became suspicious |
| Reported | Target reported the call to security team |
Key Metrics
| Metric | Formula |
|---|---|
| Success Rate | successful_calls / total_calls x 100 |
| Report Rate | calls_reported_to_security / total_calls x 100 |
| Avg Call Duration | total_duration / total_calls |
| Dept Vulnerability | dept_successes / dept_total x 100 |
Legal Considerations
| Requirement | Description |
|---|---|
| Written Authorization | Signed Rules of Engagement from client |
| Recording Consent | Follow state/jurisdiction recording laws |
| Scope Boundaries | Only call authorized targets |
| Data Handling | Securely store any obtained credentials, delete after report |
External References
standards.md1.4 KB
Standards and References: Social Engineering Pretext Call
MITRE ATT&CK Techniques
- T1566.004 - Phishing: Voice (Vishing)
- T1598 - Phishing for Information
- T1598.003 - Phishing for Information: Spearphishing Voice
- T1589 - Gather Victim Identity Information
- T1589.001 - Gather Victim Identity Information: Credentials
- T1589.002 - Gather Victim Identity Information: Email Addresses
- T1591 - Gather Victim Org Information
- T1591.004 - Gather Victim Org Information: Identify Roles
- T1593 - Search Open Websites/Domains
NIST References
- NIST SP 800-50 - Building an IT Security Awareness and Training Program
- NIST SP 800-53 Rev. 5 - AT-2: Literacy Training and Awareness
- NIST SP 800-53 Rev. 5 - AT-3: Role-Based Training
- NIST SP 800-115 - Section 3.3: Social Engineering
Legal Frameworks
- Computer Fraud and Abuse Act (CFAA) - Authorization requirements
- GDPR Article 6 - Lawful basis for processing (if recording EU citizens)
- State wiretapping laws - One-party vs two-party consent states
- Telecommunications Act - Caller ID spoofing regulations (47 U.S.C. 227)
Industry Standards
- PTES - Social Engineering section
- OSSTMM - Human Security Testing module
- CREST - Social Engineering guidelines
- SE Code of Ethics - Social engineering testing ethical standards
workflows.md4.6 KB
Workflows: Social Engineering Pretext Call
Vishing Campaign Workflow
┌─────────────────────────────────────────────────────────────────┐
│ VISHING CAMPAIGN WORKFLOW │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. AUTHORIZATION & SCOPING │
│ ├── Obtain written authorization │
│ ├── Define target list (departments, roles) │
│ ├── Define boundaries (no C-suite, no threats) │
│ ├── Agree on pretext scenarios │
│ ├── Confirm call recording legality │
│ └── Establish deconfliction process │
│ │
│ 2. OSINT RECONNAISSANCE │
│ ├── Employee enumeration (LinkedIn, website) │
│ ├── Organizational structure mapping │
│ ├── Technology stack identification │
│ ├── Internal terminology and process research │
│ └── Target prioritization │
│ │
│ 3. PRETEXT DEVELOPMENT │
│ ├── Select scenario(s) per target role │
│ ├── Draft call scripts with key phrases │
│ ├── Prepare objection handling responses │
│ ├── Set up caller ID spoofing (authorized) │
│ └── Rehearse delivery │
│ │
│ 4. CALL EXECUTION │
│ ├── Execute calls according to schedule │
│ ├── Record calls (with legal authorization) │
│ ├── Document responses and disclosures │
│ ├── Note verification attempts by targets │
│ └── Track time-to-disclosure metrics │
│ │
│ 5. ANALYSIS & REPORTING │
│ ├── Calculate disclosure rates by department │
│ ├── Identify patterns (role, tenure, training) │
│ ├── Compare against industry benchmarks │
│ ├── Generate remediation recommendations │
│ └── Present findings to stakeholders │
│ │
└─────────────────────────────────────────────────────────────────┘Pretext Selection Decision Tree
Select Pretext Based on Target Role
│
├── IT/Technical Staff
│ ├── Vendor support call (patch emergency)
│ ├── Cloud provider security alert
│ └── Penetration test notification (meta-pretext)
│
├── Finance/Accounting
│ ├── Wire transfer verification (CEO fraud)
│ ├── Vendor payment update
│ └── Audit compliance request
│
├── HR/Recruiting
│ ├── Benefits enrollment verification
│ ├── Background check follow-up
│ └── Payroll system update
│
├── Executive Assistants
│ ├── Executive impersonation (travel issue)
│ ├── Board meeting preparation
│ └── Urgent document request
│
├── General Employees
│ ├── IT Helpdesk (password reset/VPN update)
│ ├── Facilities (badge system update)
│ └── Survey/research call
│
└── Front Desk/Reception
├── Delivery/courier pretext
├── Visitor registration
└── Employee directory requestScripts 2
agent.py5.3 KB
#!/usr/bin/env python3
"""Social engineering pretext call planning and tracking agent."""
import json
import argparse
from datetime import datetime
def generate_pretext_templates():
"""Generate pretext call templates for authorized engagements."""
return [
{
"name": "IT Help Desk Password Reset",
"target_role": "General employee",
"objective": "Obtain credentials or MFA bypass",
"opening": "Hi, this is [Name] from the IT help desk. We noticed unusual activity on your account.",
"key_questions": [
"Can you verify your employee ID?",
"What is your current password so we can compare against the compromised list?",
"Can you read me the code from your authenticator app?",
],
"success_criteria": "Target provides password, MFA token, or confirms identity details",
"difficulty": "easy",
},
{
"name": "Executive Assistant Urgency",
"target_role": "Executive assistant / Finance",
"objective": "Initiate wire transfer or reveal financial info",
"opening": "Hi, this is [Name] calling on behalf of [CEO]. They need an urgent wire processed.",
"key_questions": [
"Can you process this payment today?",
"What account do we usually wire from?",
"The CEO said to skip the usual approval — can you make an exception?",
],
"success_criteria": "Target initiates process or reveals account details",
"difficulty": "hard",
},
{
"name": "Vendor Support Callback",
"target_role": "IT administrator",
"objective": "Gain remote access or credential disclosure",
"opening": "This is [Name] from [Vendor] support returning your call about the ticket.",
"key_questions": [
"Can you give me remote access to troubleshoot?",
"What is the admin password for the [system]?",
"Can you add our support account to the admin group temporarily?",
],
"success_criteria": "Target provides remote access or admin credentials",
"difficulty": "medium",
},
]
def create_call_tracking_sheet(targets):
"""Create tracking sheet for pretext calls."""
tracking = []
for target in targets:
tracking.append({
"name": target.get("name", ""),
"phone": target.get("phone", ""),
"department": target.get("department", ""),
"pretext": target.get("pretext", "IT Help Desk"),
"status": "pending",
"result": None,
"info_obtained": [],
"call_duration": None,
"notes": "",
})
return tracking
def analyze_results(call_results):
"""Analyze pretext call results for reporting."""
total = len(call_results)
success = sum(1 for c in call_results if c.get("result") == "success")
partial = sum(1 for c in call_results if c.get("result") == "partial")
failed = sum(1 for c in call_results if c.get("result") == "failed")
reported = sum(1 for c in call_results if c.get("result") == "reported")
return {
"total_calls": total,
"successful": success,
"partial_success": partial,
"failed": failed,
"reported_to_security": reported,
"success_rate": round(success / max(total, 1) * 100, 1),
"report_rate": round(reported / max(total, 1) * 100, 1),
}
def run_planning(targets_file=None, results_file=None):
"""Execute pretext call planning and analysis."""
print(f"\n{'='*60}")
print(f" SOCIAL ENGINEERING PRETEXT CALL PLANNER")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
templates = generate_pretext_templates()
print(f"--- PRETEXT TEMPLATES ({len(templates)}) ---")
for t in templates:
print(f" [{t['difficulty'].upper()}] {t['name']}")
print(f" Target: {t['target_role']}")
print(f" Objective: {t['objective']}")
if targets_file:
with open(targets_file, "r") as f:
targets = json.load(f)
sheet = create_call_tracking_sheet(targets)
print(f"\n--- TRACKING SHEET ({len(sheet)} targets) ---")
for s in sheet[:10]:
print(f" {s['name']} ({s['department']}): {s['pretext']}")
if results_file:
with open(results_file, "r") as f:
results = json.load(f)
metrics = analyze_results(results)
print(f"\n--- CAMPAIGN METRICS ---")
for k, v in metrics.items():
print(f" {k}: {v}")
return {"templates": templates}
def main():
parser = argparse.ArgumentParser(description="Pretext Call Planning Agent")
parser.add_argument("--targets", help="Target list JSON file")
parser.add_argument("--results", help="Call results JSON file for analysis")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
report = run_planning(args.targets, args.results)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
process.py10.0 KB
#!/usr/bin/env python3
"""
Social Engineering Campaign Tracker
Tracks vishing (pretext call) campaign results, calculates susceptibility
metrics, and generates reports for security awareness improvement.
"""
import json
import os
import csv
from datetime import datetime
from collections import defaultdict
from dataclasses import dataclass, field, asdict
@dataclass
class VishingCall:
"""Represents a single vishing call attempt."""
call_id: str
timestamp: str
target_name: str
target_department: str
target_role: str
pretext_used: str
call_duration_seconds: int
call_answered: bool
credential_disclosed: bool
sensitive_info_disclosed: bool
info_type_disclosed: str = "" # password, username, badge_number, etc.
verification_attempted: bool = False
reported_to_security: bool = False
susceptibility_score: int = 0 # 1-5
notes: str = ""
operator: str = ""
class VishingCampaignTracker:
"""Track and analyze vishing campaign results."""
def __init__(self, campaign_id: str, client_name: str):
self.campaign_id = campaign_id
self.client_name = client_name
self.calls: list[VishingCall] = []
def log_call(self, call: VishingCall) -> None:
"""Log a vishing call result."""
self.calls.append(call)
def calculate_metrics(self) -> dict:
"""Calculate campaign metrics."""
answered = [c for c in self.calls if c.call_answered]
total_answered = len(answered)
if total_answered == 0:
return {"error": "No answered calls to analyze"}
cred_disclosed = [c for c in answered if c.credential_disclosed]
info_disclosed = [c for c in answered if c.sensitive_info_disclosed]
verified = [c for c in answered if c.verification_attempted]
reported = [c for c in answered if c.reported_to_security]
# Per-department breakdown
dept_stats = defaultdict(lambda: {
"total": 0, "cred_disclosed": 0, "info_disclosed": 0,
"verified": 0, "reported": 0,
})
for call in answered:
dept = call.target_department
dept_stats[dept]["total"] += 1
if call.credential_disclosed:
dept_stats[dept]["cred_disclosed"] += 1
if call.sensitive_info_disclosed:
dept_stats[dept]["info_disclosed"] += 1
if call.verification_attempted:
dept_stats[dept]["verified"] += 1
if call.reported_to_security:
dept_stats[dept]["reported"] += 1
# Per-pretext breakdown
pretext_stats = defaultdict(lambda: {"total": 0, "success": 0})
for call in answered:
pretext_stats[call.pretext_used]["total"] += 1
if call.credential_disclosed or call.sensitive_info_disclosed:
pretext_stats[call.pretext_used]["success"] += 1
avg_duration = sum(c.call_duration_seconds for c in answered) / total_answered
avg_susceptibility = sum(c.susceptibility_score for c in answered) / total_answered
return {
"campaign_id": self.campaign_id,
"total_calls": len(self.calls),
"calls_answered": total_answered,
"answer_rate": total_answered / len(self.calls) * 100,
"credential_disclosure_rate": len(cred_disclosed) / total_answered * 100,
"sensitive_info_disclosure_rate": len(info_disclosed) / total_answered * 100,
"verification_rate": len(verified) / total_answered * 100,
"security_reporting_rate": len(reported) / total_answered * 100,
"avg_call_duration_seconds": avg_duration,
"avg_susceptibility_score": avg_susceptibility,
"department_breakdown": dict(dept_stats),
"pretext_effectiveness": dict(pretext_stats),
}
def generate_report(self) -> str:
"""Generate campaign report."""
metrics = self.calculate_metrics()
if "error" in metrics:
return metrics["error"]
lines = []
lines.append("=" * 70)
lines.append("VISHING CAMPAIGN ASSESSMENT REPORT")
lines.append(f"Campaign: {self.campaign_id}")
lines.append(f"Client: {self.client_name}")
lines.append(f"Date: {datetime.now().strftime('%Y-%m-%d')}")
lines.append("=" * 70)
lines.append(f"\nOVERALL METRICS:")
lines.append(f" Total Calls Made: {metrics['total_calls']}")
lines.append(f" Calls Answered: {metrics['calls_answered']}")
lines.append(f" Answer Rate: {metrics['answer_rate']:.1f}%")
lines.append(f" Credential Disclosure Rate: {metrics['credential_disclosure_rate']:.1f}%")
lines.append(f" Info Disclosure Rate: {metrics['sensitive_info_disclosure_rate']:.1f}%")
lines.append(f" Verification Rate: {metrics['verification_rate']:.1f}%")
lines.append(f" Security Reporting Rate: {metrics['security_reporting_rate']:.1f}%")
lines.append(f" Avg Call Duration: {metrics['avg_call_duration_seconds']:.0f}s")
lines.append(f" Avg Susceptibility (1-5): {metrics['avg_susceptibility_score']:.1f}")
# Risk assessment
cred_rate = metrics['credential_disclosure_rate']
risk = "CRITICAL" if cred_rate > 30 else "HIGH" if cred_rate > 15 else "MEDIUM" if cred_rate > 5 else "LOW"
lines.append(f"\n OVERALL RISK RATING: {risk}")
# Department breakdown
lines.append(f"\nDEPARTMENT BREAKDOWN:")
lines.append("-" * 70)
for dept, stats in metrics["department_breakdown"].items():
total = stats["total"]
cred_pct = stats["cred_disclosed"] / total * 100 if total else 0
verify_pct = stats["verified"] / total * 100 if total else 0
lines.append(
f" {dept:<20} Calls: {total:>3} | "
f"Cred Disclosed: {cred_pct:>5.1f}% | "
f"Verified: {verify_pct:>5.1f}%"
)
# Pretext effectiveness
lines.append(f"\nPRETEXT EFFECTIVENESS:")
lines.append("-" * 70)
for pretext, stats in metrics["pretext_effectiveness"].items():
success_rate = stats["success"] / stats["total"] * 100 if stats["total"] else 0
lines.append(f" {pretext:<30} Success: {success_rate:.1f}% ({stats['success']}/{stats['total']})")
# Recommendations
lines.append(f"\nRECOMMENDATIONS:")
lines.append("-" * 70)
if metrics["credential_disclosure_rate"] > 10:
lines.append(" [CRITICAL] Implement mandatory caller verification procedures")
if metrics["verification_rate"] < 50:
lines.append(" [HIGH] Enhance security awareness training on verification")
if metrics["security_reporting_rate"] < 30:
lines.append(" [HIGH] Establish easy-to-use suspicious call reporting process")
lines.append(" [MEDIUM] Conduct quarterly vishing simulations")
lines.append(" [MEDIUM] Implement callback verification for sensitive requests")
return "\n".join(lines)
def export_csv(self, output_path: str) -> None:
"""Export results to CSV."""
with open(output_path, "w", newline="") as f:
writer = csv.writer(f)
writer.writerow([
"Call ID", "Timestamp", "Target", "Department", "Role",
"Pretext", "Duration(s)", "Answered", "Cred Disclosed",
"Info Disclosed", "Verified", "Reported", "Score",
])
for call in self.calls:
writer.writerow([
call.call_id, call.timestamp, call.target_name,
call.target_department, call.target_role, call.pretext_used,
call.call_duration_seconds, call.call_answered,
call.credential_disclosed, call.sensitive_info_disclosed,
call.verification_attempted, call.reported_to_security,
call.susceptibility_score,
])
def main():
"""Demonstrate vishing campaign tracking."""
tracker = VishingCampaignTracker("VISH-2025-001", "Example Corp")
sample_calls = [
VishingCall("V001", "2025-02-01T09:00:00", "Alice Johnson", "Finance",
"Accountant", "IT Helpdesk - VPN Update", 180, True, True,
True, "password", False, False, 5),
VishingCall("V002", "2025-02-01T09:30:00", "Bob Smith", "IT",
"Sysadmin", "Vendor Support Call", 45, True, False,
False, "", True, True, 1),
VishingCall("V003", "2025-02-01T10:00:00", "Carol Davis", "HR",
"HR Manager", "Benefits Verification", 120, True, False,
True, "employee_id", False, False, 3),
VishingCall("V004", "2025-02-01T10:30:00", "Dan Wilson", "Finance",
"Controller", "Wire Transfer Request", 60, True, False,
False, "", True, True, 1),
VishingCall("V005", "2025-02-01T11:00:00", "Eve Brown", "Marketing",
"Manager", "IT Helpdesk - Password Reset", 150, True, True,
True, "password", False, False, 4),
VishingCall("V006", "2025-02-01T11:30:00", "Frank Lee", "Engineering",
"Developer", "IT Helpdesk - VPN Update", 30, True, False,
False, "", True, False, 2),
VishingCall("V007", "2025-02-01T13:00:00", "Grace Kim", "Reception",
"Front Desk", "Delivery Confirmation", 90, True, False,
True, "employee_directory", False, False, 3),
VishingCall("V008", "2025-02-01T13:30:00", "Henry Chen", "IT",
"Help Desk", "New Employee Onboarding", 20, True, False,
False, "", True, True, 1),
]
for call in sample_calls:
tracker.log_call(call)
print(tracker.generate_report())
tracker.export_csv("vishing_results.csv")
print(f"\n[+] Results exported to vishing_results.csv")
if __name__ == "__main__":
main()