Engage Goals: EGO0001 Expose, EGO0003 Elicit, SGO0002 Understand
Engage Approach: EAP0001 Collect, EAP0002 Detect, SAP0002 Analyze
Engage Actions: EAC0005 Lures, EAC0011 Pocket Litter, EAC0015 Information Manipulation, SAC0002 Persona Creation, SAC0012 Engagement Environment
Name of Element: Deceptive SMB Share with False Credentials
Description of Element:
What is the goal of this operation: To lure attackers into interacting with a deceptive SMB share, exposing their presence and gathering intelligence on their tools, techniques, and procedures (TTPs).
What's the approach of this operation or element? This element focuses on collecting information about attackers who interact with the deceptive share, detecting their presence and activities, and analyzing the gathered data to understand their TTPs and motivations.
Description of Element:
This active defense element involves setting up a deceptive SMB share on a dedicated Windows host within the network. The share is configured to appear as a legitimate network backup or file share, containing enticing files and documents (pocket litter) like “password.txt” or “confidential_reports.xlsx”. However, these files contain false information or are instrumented to trigger alerts upon access.
Technical Context:
The deceptive SMB share is configured with:
- Open permissions: The share is accessible to everyone or has weak credentials to lure attackers.
- False credentials: Files within the share may contain decoy credentials or scripts with embedded fake credentials to entice attackers to use them.
- Monitoring: The host and share are heavily monitored to detect any access attempts, login failures, and file access activities.
- Alerting: Alerts are configured to notify the security team upon any interaction with the share or its contents.
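The monitoring and alerting items above, and the decoy-credential item before them, can be expressed as a small classifier over the Windows Security events the decoy host emits. The following is an added example written for this write-up; it is not part of the original element description. It assumes the events have already been exported to JSON by a log forwarder and that the field names follow the Windows event XML (EventID, ShareName, RelativeTargetName, TargetUserName, IpAddress). The share name, file names and the decoy service account are constructed placeholders, as are the sample records.

```python
"""Alerting logic for a deceptive SMB share (added example, not part of the
original element write-up).

Three things fire, in order of confidence:
  * a decoy account (one that only exists inside the pocket litter) is used in
    any logon or credential-validation event, from any host: high severity;
  * a decoy file on the share is opened (5145 with a matching target): high;
  * the decoy share is connected to or browsed (5140 / 5145): medium.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed deception inventory (hypothetical names, not from any real deployment).
DECOY_SHARE_NAME = "Backups_2023"                     # leaf of \\*\Backups_2023 in 5140/5145
DECOY_FILES = {"password.txt", "confidential_reports.xlsx"}
DECOY_ACCOUNTS = {"svc_backup_old"}                   # account embedded in the pocket litter

# Logon-related events that carry TargetUserName: 4624 logon, 4625 failed logon,
# 4648 explicit credentials, 4776 NTLM credential validation.
LOGON_EVENTS = {4624, 4625, 4648, 4776}


@dataclass
class Alert:
    severity: str
    reason: str
    source_ip: str
    user: str


def _leaf(path: str) -> str:
    """Last path component, case-folded, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_decoy_share(share_name: str) -> bool:
    # 5140/5145 record the share as \\*\Name; compare only the leaf.
    return _leaf(share_name) == DECOY_SHARE_NAME.lower()


def classify(event: dict) -> Optional[Alert]:
    eid = int(event.get("EventID", 0))
    ip = event.get("IpAddress", "-")
    user = event.get("TargetUserName", "-")

    # Any use of a decoy account is the strongest signal: the only way to know
    # that name is to have read the pocket litter.
    if eid in LOGON_EVENTS and user.lower() in DECOY_ACCOUNTS:
        return Alert("high", f"decoy credential used (event {eid})", ip, user)

    # 5140: a network share object was accessed (the share itself).
    if eid == 5140 and _is_decoy_share(event.get("ShareName", "")):
        return Alert("medium", "decoy share connected", ip, user)

    # 5145: a network share object was checked for access (per-file detail).
    if eid == 5145 and _is_decoy_share(event.get("ShareName", "")):
        target = event.get("RelativeTargetName", "")
        if _leaf(target) in DECOY_FILES:
            return Alert("high", f"decoy file opened: {_leaf(target)}", ip, user)
        return Alert("medium", f"decoy share browsed: {target or '(root)'}", ip, user)

    return None


def triage(events: list) -> list:
    """Run the classifier over a batch and keep only the records that fired."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample records (not real telemetry): one host touches the decoy
# share, opens the decoy password file, then tries the account found inside it.
SAMPLE_EVENTS = [
    {"EventID": 5140, "ShareName": r"\\*\Backups_2023",
     "IpAddress": "10.0.5.23", "TargetUserName": "jdoe"},
    {"EventID": 5145, "ShareName": r"\\*\Backups_2023",
     "RelativeTargetName": r"it\password.txt",
     "IpAddress": "10.0.5.23", "TargetUserName": "jdoe"},
    {"EventID": 4625, "TargetUserName": "svc_backup_old", "IpAddress": "10.0.5.23"},
    # Benign noise on an unrelated share: must not fire.
    {"EventID": 5145, "ShareName": r"\\*\Public", "RelativeTargetName": "readme.txt",
     "IpAddress": "10.0.7.1", "TargetUserName": "asmith"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason} from {alert.source_ip} as {alert.user}")
```

The decoy-account rule is deliberately not scoped to the decoy host: a credential lifted from the share and replayed against a domain controller or a different server is exactly the event the element is meant to surface, so it is matched on the account name alone wherever the logon event is collected.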
Other:
This deceptive SMB share can be customized to:
- Target specific attackers: By tailoring the share’s name, contents, and access permissions to attract specific threat actors or groups.
- Gather intelligence: By analyzing attacker interactions to understand their tools, techniques, and goals.
- Delay attackers: By presenting a complex and time-consuming environment to distract attackers from real targets.
Additional Considerations:
- Realism: Ensure the share and its contents appear legitimate to avoid suspicion.
- Isolation: Isolate the host to prevent lateral movement or further compromise.
- Legal and ethical implications: Ensure the use of deception complies with all applicable laws and regulations.
This deceptive SMB share is a targeted active defense element that can be used to proactively lure attackers, gather intelligence, and enhance an organization’s security posture.