Fake Network Service with Unexpected Protocol Behavior

Engage Goals: EGO0003 Elicit

Engage Approach: EAP0001 Collect

Engage Actions: EAC0014 Software Manipulation, EAC0016 Network Manipulation

Name of Element: Fake Network Service with Unexpected Protocol Behavior

Description of Element:

Deploy a network service that mimics a legitimate one but responds to requests with unexpected or non-compliant protocol behavior. This can be used to confuse attackers, trigger vulnerabilities in their tools, or gather information about their scanning techniques.

Technical Context:

Placement: Deployed on a host exposed to the internet or within a DMZ.

Use Scapy to craft custom TCP or UDP packets that deviate from the expected protocol specification. Implement the service in a scripting language such as Python so that it listens on a specific port and responds with these malformed packets. Monitor network traffic with tcpdump or Wireshark to analyze attacker interactions and gather intelligence on their scanning tools and techniques.
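A minimal version of the listener described above, as an added example that is not part of the original page. It uses plain Python sockets rather than scapy, and the SSH-style banner, port 2222, the probe labels and all function names are assumptions made for illustration.

```python
import json
import socket
import time

# Constructed banner: invalid protocol version and a bare LF instead of the
# CR LF that RFC 4253 requires, so a compliant client sees a deviation.
DEVIANT_BANNER = b"SSH-9.9-OpenSSH_8.9\n"

def classify_probe(data: bytes) -> str:
    """Label the first bytes a client sent after seeing the banner."""
    if not data:
        return "silent"            # banner grab or connect scan that sent nothing
    if data.startswith(b"SSH-"):
        return "ssh-client"
    if data[:2] == b"\x16\x03":
        return "tls-clienthello"   # TLS handshake record header
    if data.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return "http-probe"
    return "unknown"

def handle(conn: socket.socket, addr, timeout: float = 3.0) -> dict:
    """Send the deviant banner, capture the reply, return one log record."""
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(DEVIANT_BANNER)
        data = conn.recv(1024)
    except OSError:                # timeout, reset, or client already gone
        pass
    return {
        "ts": time.time(),
        "src": addr[0],
        "sport": addr[1],
        "probe": classify_probe(data),
        "first_bytes": data[:64].hex(),
    }

def serve(host: str = "127.0.0.1", port: int = 2222) -> None:
    """Accept connections forever, printing one JSON record per client."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn:
                print(json.dumps(handle(conn, addr)), flush=True)

if __name__ == "__main__":
    serve()
```

Running tcpdump or Wireshark alongside the listener captures the packet-level view that these JSON records do not carry.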

Other:

ATT&CK/Engage Mapping: T1046 Network Service Scanning, E1505 Decoy Network
