Deploy a decoy pod within an AKS cluster that mimics a legitimate application but contains fake data or triggers alerts upon access. Monitor network traffic and logs associated with this pod to identify attackers attempting to exploit vulnerabilities or gain access to sensitive information.
Author: m3c4n1sm0
Engage Report: SCATTERED SPIDER Ransomware Operations in the Cloud
- Compromise a privileged account within the victim tenant (e.g., Global Administrator or Security Administrator).
- Establish inbound synchronization from an attacker-controlled tenant to the victim tenant.
- Provision malicious accounts within the victim tenant as needed.
- Maintain persistence and potentially move laterally across connected tenants.
Azure Active Directory (AD) Decoy User Accounts
Create fake user accounts within Azure AD with enticing names or roles (e.g., “admin,” “backup_admin”). Monitor login attempts and activity related to these accounts to identify credential stuffing or brute-force attacks.
Azure Web Application Firewall (WAF) Honeytrap
Configure a decoy Azure WAF with intentionally permissive rules to attract attackers. Monitor traffic hitting this WAF to identify malicious patterns and gather intelligence on attack techniques.
Engage Report: LATRODECTUS
LATRODECTUS malware utilizes scheduled tasks for persistence, executing a copy of itself and establishing a foothold in the compromised system.
Threat Hunt for DLL SideLoad
Attackers are using phishing emails to deliver malicious attachments that use DLL side-loading to execute malicious code.
Azure Logic App Honeypot
Deploy a non-functional Azure Logic App that mimics a critical workflow. Monitor any attempts to trigger or interact with this app to detect reconnaissance or attempts to disrupt business processes.
Azure Key Vault Honeytoken
Create a fake Azure Key Vault instance containing decoy secrets and keys. Monitor access to this vault to detect attempts to steal sensitive information.
Fake SMB Share
Set up a fake SMB server that mimics a legitimate file share but triggers alerts upon access or serves deceptive files to anyone who connects.
Deceptive NTP Server
Set up a fake NTP server that responds to requests with incorrect time values, potentially disrupting attacker scripts or malware that rely on accurate time, and monitor which hosts query it.