The worst of all deceptions is self-deception
Goal: Disrupt attacker operations by injecting deceptive code into scripts downloaded from developer machines.
Approach: Manipulating scripts to deliver misleading information or disrupt execution.
If an attacker compromises a developer’s machine and downloads scripts or code, inject subtle errors, delays, or misleading functions into those files. This can cause the attacker’s tools to malfunction or lead them down false paths.
A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.
rundll32.exe every 5 minutes, ensuring persistence.The attacker is using a malicious scheduled task to connect back to a C2 server.
Goal: Redirect attackers attempting to authenticate to a deceptive environment.
Approach: Manipulating IdP responses to redirect authentication flows.
When an attacker attempts to authenticate through an IdP (e.g., OAuth, SAML), manipulate the response to redirect them to a fake login portal or a controlled environment.
Goal: Disrupt and delay attackers attempting to bypass Multi-Factor Authentication (MFA).
Approach: Presenting attackers with deceptive MFA prompts.
When an attacker attempts to log in, present them with an unexpected MFA prompt, even if they have valid credentials. This can be a fake push notification, a request for a non-existent biometric scan, or a challenge question with no right answer.
Goal: Expose attackers attempting to utilize compromised accounts and gather information about their activities.
Approach: Monitoring access to and usage of honeytoken accounts.
Create realistic but fake user accounts (“honeytokens”) with attractive data or access privileges. These accounts have deceptive profiles, leading attackers towards fabricated resources or triggering alerts upon access.
Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.
Goal: Disrupt malware operation by manipulating file system operations.
Approach: Intercepting and altering file system requests.
This element installs a file system filter driver that intercepts file system requests and can modify or redirect them. This can be used to prevent malware from accessing sensitive files, executing malicious code, or persisting on the system.
Goal: Gather information about attacker activity by creating fake Active Directory objects.
Approach: Monitoring access to deceptive Active Directory objects.
This element creates fake user accounts, computers, or groups within Active Directory. Any attempts to access or interact with these objects are logged, providing valuable intelligence about attacker reconnaissance and lateral movement.