C2 Honeyclients

Goal: Identify compromised systems by deploying decoy clients that mimic C2 communication patterns.

Approach: Monitor network traffic for connections to the C2 honeyclients.

Deploy decoy clients (“honeyclients”) that mimic the behavior of infected systems communicating with C2 servers. Monitor any attempts to connect to or control these honeyclients to identify compromised systems and attacker infrastructure.

Engage Goals: EGO0001 Expose

Engage Approach: EAP0002 Detect

Engage Actions: EAC0002 Network Monitoring, EAC0012 Personas

Technical Context:

These honeyclients can be configured with various operating systems and software to blend in with the legitimate network environment. This aligns with the MITRE ATT&CK technique T1083 (File and Directory Discovery).

Other:

Combine this with deceptive network segmentation to isolate and monitor the honeyclients.
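The monitoring step above, as an added example that is not part of the original page: the honeyclients sit in a dedicated, segmented decoy range, their own outbound beacons are expected decoy behaviour, and any other host that connects to them is flagged, internal hosts as possibly compromised and external hosts as attacker infrastructure. The segment, allowlist and log lines are constructed assumptions.

```python
# Added example (not from the original page): flag traffic involving C2 honeyclients.
# Assumptions (constructed): honeyclients occupy the deception segment 10.9.0.0/24,
# one management host is allowed to reach them, and the firewall export is
# "timestamp src dst dport" per line.
import ipaddress
from collections import defaultdict

HONEYCLIENT_SEGMENT = ipaddress.ip_network("10.9.0.0/24")  # constructed decoy VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")              # constructed corporate range
ALLOWED_MGMT = {ipaddress.ip_address("10.0.1.5")}          # constructed allowlist

# Constructed sample log: a decoy beacon, the "C2" answering it, an internal host
# probing the decoy, an allowed admin login, and unrelated DNS traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.9.0.10 203.0.113.7 443
2024-05-01T10:00:02 203.0.113.7 10.9.0.10 443
2024-05-01T10:05:00 10.0.22.14 10.9.0.10 445
2024-05-01T10:06:00 10.0.1.5 10.9.0.10 22
2024-05-01T10:07:00 10.0.22.14 8.8.8.8 53
"""

def classify(line):
    """Return (category, peer) when a non-allowlisted host contacts a honeyclient, else None."""
    _ts, src, dst, _dport = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in HONEYCLIENT_SEGMENT:
        return None  # the decoy's own outbound beacons and unrelated traffic are ignored
    if src_ip in ALLOWED_MGMT:
        return None  # expected management access to the decoy
    if src_ip in INTERNAL:
        return ("possible_compromised_host", src)  # internal host touching a decoy
    return ("attacker_infrastructure", src)        # external host contacting/controlling a decoy

def analyze(log_text):
    """Aggregate findings per category, de-duplicated and sorted for reporting."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings[result[0]].add(result[1])
    return {category: sorted(peers) for category, peers in findings.items()}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```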