Engage Goals: EGO0003 Elicit
Engage Approach: EAP0001 Collect
Engage Actions: EAC0005 Lures, EAC0016 Network Manipulation
Name of Element: Fake C2 Servers
Description of Element:
Goal: Capture attacker communications and gather intelligence about their infrastructure and operations.
Approach: Setting up decoy C2 servers that mimic legitimate C2 infrastructure.
Deploy fake command-and-control (C2) servers that mimic the behavior of popular malware families. These servers can capture attacker commands, log communications, and even deliver deceptive responses to mislead attackers and disrupt their operations.
Technical Context:
These fake C2 servers can be configured with various protocols and functionalities to attract different types of malware. This aligns with the MITRE ATT&CK technique T1041 (Exfiltration Over C2 Channel) and the MITRE Engage™ framework, specifically the C0002 (Command and Control) tactic.
Other:
Combine this with deceptive DNS responses to redirect attacker traffic to the fake C2 servers.
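A minimal decoy C2 endpoint of the kind described above, added here as an example (it is not part of this record or of MITRE Engage): it logs every check-in to a structured capture and answers with a harmless "sleep" task so the implant keeps talking while the defender gathers intelligence. The /beacon path and the JSON task format are assumptions, not a real malware protocol.

```python
"""Decoy C2 listener: capture attacker check-ins, reply with a deceptive no-op task."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

BEACON_LOG = []  # in-memory capture; ship to a SIEM or file in a real deployment

# Deceptive task returned to any implant that checks in: just go to sleep.
# Hypothetical format; a real decoy mimics the targeted family's tasking schema.
DECOY_TASK = {"task": "sleep", "seconds": 300}


def record_beacon(client_ip, method, path, headers, body):
    """Build a structured record of one check-in, store it, and return it."""
    entry = {
        "ts": time.time(),
        "src": client_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "host": headers.get("Host", ""),
        "body_hex": body.hex(),  # raw bytes kept verbatim for later analysis
    }
    BEACON_LOG.append(entry)
    return entry


def decoy_response(path):
    """Pick the deceptive reply for a request path (assumed /beacon convention)."""
    if path.startswith("/beacon"):
        return 200, json.dumps(DECOY_TASK).encode()
    return 200, b""  # any other path looks like a healthy but idle server


class FakeC2Handler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length", 0) or 0)
        body = self.rfile.read(length) if length else b""
        record_beacon(self.client_address[0], self.command, self.path,
                      self.headers, body)
        status, payload = decoy_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _serve

    def log_message(self, *args):  # keep stderr quiet; BEACON_LOG is the record
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), FakeC2Handler).serve_forever()
```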