Hidden Memory Region with Decoy Data

Engage Goals: EGO0001 Expose

Engage Approach: EAP0002 Detect

Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls

Name of Element: Hidden Memory Region with Decoy Data

Description of Element:

Allocate a hidden memory region within a process’s address space and populate it with fabricated data that mimics sensitive information or critical code. Monitor access attempts to this region to identify attackers attempting to extract data or inject malicious code.

Technical Context:

Placement: Within the virtual memory space of a critical system process or a frequently targeted application.

Allocate the region with VirtualAlloc, using the MEM_COMMIT allocation type and PAGE_NOACCESS page protection, so that any read, write or execute of the region raises an access violation. Hide the region from standard memory enumeration techniques by manipulating its page table entries, which requires kernel-mode code. Populate the region with decoy data that mimics sensitive information, such as cryptographic keys, passwords or configuration settings; because a PAGE_NOACCESS page cannot be written, the data must be placed while the page is still writable and the PAGE_NOACCESS protection then applied with VirtualProtect. Implement a kernel-mode driver or a user-mode hook (for example, an exception handler that checks whether the faulting address falls inside the region) to monitor memory access and log every attempt to read from or write to the hidden region.
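The trap-and-log mechanism described above, as an added example that is not part of the original page: it uses the POSIX equivalents of the Windows calls named in the text (mmap/mprotect with PROT_NONE in place of VirtualAlloc with PAGE_NOACCESS, and a SIGSEGV handler in place of a user-mode exception hook) so that it runs on Linux. The decoy strings and the function names decoy_arm and decoy_probe are constructed for this example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed decoy content: fabricated secrets, deliberately not real ones. */
static const char DECOY_DATA[] = "db_password=Decoy-Pa55w0rd-NOT-REAL;api_key=DECOY-0000-0000";
static unsigned char *decoy_page = NULL;     /* start of the hidden region */
static size_t decoy_len = 0;                 /* size of the region in bytes */
static volatile sig_atomic_t decoy_hits = 0; /* access attempts observed */

/* Fault handler: fires when any instruction touches the PROT_NONE decoy page. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    unsigned char *addr = (unsigned char *)si->si_addr; (void)ctx;
    if (decoy_page && addr >= decoy_page && addr < decoy_page + decoy_len) {
        decoy_hits++; /* tripwire event: a real sensor would log PC/thread and alert */
        /* Unlock so the faulting instruction retries; mprotect is not formally async-signal-safe but is fine here on Linux. */
        mprotect(decoy_page, decoy_len, PROT_READ);
        return;
    }
    signal(sig, SIG_DFL); /* not our region: let a genuine crash proceed */
}

/* Allocate the decoy page, seed it, install the handler and arm it as PROT_NONE.
   Returns 0 on success, -1 on failure. */
int decoy_arm(void)
{
    struct sigaction sa;
    decoy_len = (size_t)sysconf(_SC_PAGESIZE);
    decoy_page = mmap(NULL, decoy_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (decoy_page == MAP_FAILED) return -1;
    memcpy(decoy_page, DECOY_DATA, sizeof DECOY_DATA); /* must seed before locking */
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect(decoy_page, decoy_len, PROT_NONE);
}

/* Simulate an in-process read (as injected code would), re-arm, return total hits. */
int decoy_probe(void)
{
    volatile unsigned char *p = decoy_page;
    unsigned char c = p[0]; /* traps; the handler counts it and unlocks the page */
    (void)c;
    mprotect(decoy_page, decoy_len, PROT_NONE);
    return (int)decoy_hits;
}
```

An in-process handler only observes accesses made from inside the process; a reader using another process's memory-read API simply gets a failed read on the locked page and nothing fires, which is why the text also calls for a kernel-mode monitor.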

Other:

ATT&CK/Engage Mapping: T1055 Process Injection, E1504 Decoy Content