Phantom Threads

Create decoy threads within legitimate processes that exhibit unusual or suspicious behavior, such as accessing sensitive registry keys or making unexpected API calls. This can be used to lure attackers into investigating these threads, wasting their time and potentially revealing their tools and techniques.

Engage Goals: EGO0003 Elicit

Engage Approach: EAP0001 Collect

Engage Actions: EAC0014 Software Manipulation, EAC0015 Information Manipulation

Name of Element: Phantom Threads

Technical Context:

Placement: Within critical system processes or applications that are likely to be targeted by attackers.

Utilize the CreateRemoteThread function in a DLL injected into the target process. The injected code should create a new thread that executes a decoy function. This function can simulate malicious activity by accessing sensitive registry keys (e.g., HKLM\SECURITY), attempting to load suspicious DLLs, or making network connections to non-existent servers. Use the SetThreadContext function to modify the thread's execution context, such as setting its priority to a high value or manipulating its stack to mimic a malicious code injection. Implement logging within the decoy function to capture any attempts by the attacker to interact with or terminate the thread.
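The following is an added example (not code from the original page) showing the in-process half of this technique in Python: a decoy thread that periodically performs a lure action and stamps a heartbeat, plus a watchdog running on another thread that logs an alert when the decoy dies unexpectedly (as it would after TerminateThread) or stops heartbeating (as it would after SuspendThread). It assumes the decoy code has already been placed inside the host process; the DLL injection step is not shown. Python's threading module creates native OS threads, so the decoy is visible to anyone enumerating the process. The names DecoyThread, Watchdog and open_lure_registry_key are assumptions; the lure only attempts the HKLM\SECURITY open on Windows and is skipped elsewhere.

```python
"""Phantom-thread decoy: a lure thread plus a watchdog that notices when the
lure thread is killed or stalled. Added example, not from the original page."""
import logging
import sys
import threading
import time
from typing import Callable, Optional

log = logging.getLogger("phantom_threads")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(threadName)s %(message)s")


def open_lure_registry_key(subkey: str = "SECURITY") -> str:
    """Lure action: try to open HKLM\\<subkey> read-only.
    On Windows, opening HKLM\\SECURITY is denied for non-SYSTEM callers; the
    failed open is the audit-worthy event the decoy exists to produce.
    Off Windows the action is skipped (assumed behaviour for portability)."""
    if sys.platform != "win32":
        return "skipped: not Windows"
    import winreg  # stdlib, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ):
            return f"opened HKLM\\{subkey}"
    except OSError as exc:
        return f"HKLM\\{subkey} access failed: {exc}"


class DecoyThread:
    """Runs `lure` every `interval` seconds and stamps a heartbeat after each run.
    An exception inside the lure ends the thread, which the watchdog treats the
    same way as an external termination."""

    def __init__(self, lure: Callable[[], str], interval: float = 5.0,
                 name: str = "decoy-worker"):
        self.lure = lure
        self.interval = interval
        self.last_beat = time.monotonic()
        self.runs = 0
        self._stop = threading.Event()  # set only by our own stop(), never externally
        self.thread = threading.Thread(target=self._run, name=name, daemon=True)

    def start(self) -> None:
        self.thread.start()

    def stop(self) -> None:
        """Planned shutdown by the owner; the watchdog will not alert on it."""
        self._stop.set()
        self.thread.join(timeout=self.interval + 1)

    def stopped_by_owner(self) -> bool:
        return self._stop.is_set()

    def _run(self) -> None:
        while not self._stop.is_set():
            result = self.lure()
            self.runs += 1
            self.last_beat = time.monotonic()
            log.info("lure result: %s", result)
            self._stop.wait(self.interval)


class Watchdog:
    """Checks the decoy from a different thread; returns an alert reason or None."""

    def __init__(self, decoy: DecoyThread, max_silence: float):
        self.decoy = decoy
        self.max_silence = max_silence  # seconds without a heartbeat before alerting

    def check(self, now: Optional[float] = None) -> Optional[str]:
        now = time.monotonic() if now is None else now
        if self.decoy.stopped_by_owner():
            return None  # we stopped it ourselves; not an event
        if not self.decoy.thread.is_alive():
            log.warning("decoy thread %s died unexpectedly", self.decoy.thread.name)
            return "thread_dead"
        silence = now - self.decoy.last_beat
        if silence > self.max_silence:
            log.warning("decoy thread %s silent for %.1fs", self.decoy.thread.name, silence)
            return "heartbeat_stale"
        return None


if __name__ == "__main__":
    decoy = DecoyThread(open_lure_registry_key, interval=5.0)
    dog = Watchdog(decoy, max_silence=15.0)
    decoy.start()
    try:
        while True:
            time.sleep(5)
            alert = dog.check()
            if alert:
                print("ALERT:", alert)
                break
    except KeyboardInterrupt:
        decoy.stop()
```

The watchdog must run on a thread the attacker is not looking at, otherwise suspending both threads silences the alert; in a deployed decoy the alert would be forwarded off-host rather than printed. Note also that a thread's scheduling priority is set with SetThreadPriority; SetThreadContext changes the thread's register state, which is what the stack-manipulation part of the text relies on.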

Other:

ATT&CK/Engage Mapping: T1055 Process Injection, E1501 Honeytrap
