Honeytokened Administrative Tools

Goal: Detect and track the usage of administrative tools by unauthorized users.

Approach: Monitoring access to and usage of honeytokened tools.

Deploy decoy versions of administrative tools (e.g., PowerShell, PsExec) that mimic their legitimate counterparts but log usage, trigger alerts, or provide misleading information.

Engage Goals: EGO0001 Expose

Engage Approach: EAP0002 Detect

Engage Actions: EAC0003 System Activity Monitoring, EAC0010 Peripheral Management

Technical Context:

These honeytokened tools can be placed in locations where attackers are likely to find them. Monitor their usage to identify malicious activity and gather intelligence about attacker techniques. This aligns with the MITRE ATT&CK technique T1053 (Scheduled Task/Job).

Other:

Combine this with deceptive file metadata or timestamps to make the honeytokened tools appear more legitimate.
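The two points above (a decoy that logs and alerts on use, and deceptive timestamps so it does not look freshly dropped) in one runnable sketch. This is an added example, not code from the original page: it is a Python stand-in for a decoy PsExec binary that records who ran it, from where, and against which target, appends a JSON alert line for a log shipper, prints a harmless misleading error instead of doing anything, and can copy a legitimate tool's timestamps onto itself. The tool name, alert path and log format are assumptions.

```python
"""Decoy PsExec stand-in that logs every invocation and raises an alert.

Added example, not from the original page. Assumptions, all constructed:
the decoy sits where a real admin tool would live and no authorized
workflow ever calls it, so any execution is alert-worthy; alerts are
appended as JSON lines to ALERT_LOG for a shipper to forward; a legitimate
binary exists nearby to copy timestamps from.
"""
import getpass
import json
import os
import socket
import sys
from collections import Counter
from datetime import datetime, timezone

DECOY_NAME = "PsExec"                   # hypothetical: tool the decoy imitates
ALERT_LOG = "honeytoken_alerts.jsonl"   # hypothetical collection point


def _current_user():
    try:
        return getpass.getuser()
    except Exception:  # no account mapping (containers); still record the run
        return "unknown"


def remote_target(argv):
    # PsExec-style command lines name the target as \\host; pull it out for triage.
    for arg in argv[1:]:
        if arg.startswith("\\\\"):
            return arg.lstrip("\\")
    return None


def build_alert(argv, now=None):
    """Capture who ran the decoy, where, and with what arguments."""
    now = now or datetime.now(timezone.utc)
    return {
        "event": "honeytoken_tool_invoked",
        "decoy": DECOY_NAME,
        "severity": "high",
        "timestamp": now.isoformat(),
        "host": socket.gethostname(),
        "user": _current_user(),
        "pid": os.getpid(),
        "ppid": os.getppid(),  # parent process shows what launched the decoy
        "cwd": os.getcwd(),
        "argv": list(argv),
        "remote_target": remote_target(argv),
    }


def write_alert(alert, path=ALERT_LOG):
    """Append one JSON line; a log shipper tails this file into the SIEM."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(alert) + "\n")


def decoy_output():
    """Misleading response: reads like an ordinary failure, touches no host."""
    return "Couldn't access the remote host: The network path was not found."


def blend_in(decoy_path, reference_path):
    """Copy access/modification times from a legitimate tool so the decoy
    does not stand out as freshly dropped; returns the new mtime in ns."""
    st = os.stat(reference_path)
    os.utime(decoy_path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return os.stat(decoy_path).st_mtime_ns


def summarize(path=ALERT_LOG):
    """Triage view: invocations per (host, user) and the remote targets named."""
    by_actor, targets = Counter(), set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue
            a = json.loads(line)
            if a.get("event") != "honeytoken_tool_invoked":
                continue
            by_actor[(a["host"], a["user"])] += 1
            if a.get("remote_target"):
                targets.add(a["remote_target"])
    return by_actor, sorted(targets)


if __name__ == "__main__":
    # Invoked as the decoy: record the attempt, then print the misleading output.
    write_alert(build_alert(sys.argv))
    print(decoy_output())
```

In a real deployment the alert line would carry enough context (parent process, working directory, named target) for a responder to pivot into process and network telemetry without touching the host, and the decoy should never forward the request anywhere, so a triggered honeytoken is always a clean, high-confidence signal.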