Deploy a network service that mimics a legitimate one but responds to requests with unexpected or non-compliant protocol behavior. This can be used to confuse attackers, trigger vulnerabilities in their tools, or gather information about their scanning techniques.
Author: m3c4n1sm0
Deceptive HTTP Response with Delayed Content
Craft a web server that responds to HTTP requests with a delayed response body. This can be used to frustrate attackers, slow down automated tools, or identify attackers who are actively monitoring network traffic.
Fake API Gateway
Deploy a decoy API gateway that mimics a legitimate one but intercepts requests and returns fabricated or manipulated responses. This can be used to mislead attackers, disrupt their tools, or gather information about their intentions.
Hunting CryptoBot in the wild
Attackers are using spearphishing emails containing malicious links to deliver malware that uses Rundll32 and Mshta for defense evasion.
Suspected TTPs:
- Initial Access: Spearphishing Link
- Execution: Rundll32
- Defense Evasion: Mshta
Google Cloud Functions Honeypot
Deploy a decoy Google Cloud Function that appears to perform a sensitive operation (e.g., accessing a database, processing payment information) but, in reality, only logs invocation attempts and attacker-supplied data.
Threat Hunting for Android MW – Gamaredon
Attackers are sending malicious links to mobile devices via SMS or social media posts. The links lead to the download of malicious apps that collect sensitive data.
Deceptive OAuth 2.0 Consent Screen
Craft a fake OAuth 2.0 consent screen that mimics a legitimate Google service but requests excessive or unusual permissions. Monitor interactions with this screen to identify attackers attempting to trick users into granting unauthorized access.
Fake Google Workspace Shared Drive with “Confidential” Documents
Create a decoy Google Workspace Shared Drive containing fabricated documents with names suggesting sensitive information (e.g., “Financial Projections,” “Customer Database”). Monitor access and download activity to identify attackers attempting to exfiltrate data.
Fake Google Cloud Service Accounts with High Permissions
Create decoy service accounts with names suggesting elevated privileges (e.g., “deployment-admin,” “database-owner”) but with restricted access. Monitor any attempts to utilize these accounts, which could indicate an attacker attempting privilege escalation or lateral movement.
Azure Storage Account with Honeyfiles
Create a decoy Azure Storage Account containing fabricated files that appear to be valuable or sensitive. Monitor access patterns and download attempts to identify attackers seeking to exfiltrate data or gain unauthorized access.