Fake Interrupt Handler

Register a decoy interrupt handler that intercepts specific hardware or software interrupts and responds with misleading information or triggers deceptive actions. This can be used to confuse attackers, disrupt their tools, or gather information about their techniques.

Engage Goals: EGO0003 Elicit

Engage Approach: EAP0001 Collect

Engage Actions: EAC0014 Software Manipulation, EAC0017 Hardware Manipulation

Name of Element: Fake Interrupt Handler

Technical Context:

Placement: Within the Interrupt Descriptor Table (IDT), replacing or hooking a legitimate interrupt handler.

Use the KeSetHandlerAddress function to register a custom handler for a specific interrupt vector. Implement the handler so that it logs the details of each intercepted interrupt, modifies register or memory contents as required, or triggers deceptive actions such as generating fake system events or redirecting execution flow.

Other:

ATT&CK/Engage Mapping: T1056 Input Capture, E1501 Honeytrap