Category: ACD Elements

Deceptive LDAP Responses

Goal: To identify attackers attempting to gather information about Active Directory objects or to exploit vulnerabilities in the LDAP protocol.

Approach: Monitoring LDAP queries and analyzing attacker behavior. This element involves configuring a deceptive LDAP server that responds to specific queries with misleading or deceptive information.

Attackers who attempt to interact with the deceptive LDAP server will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.

Read more...

Fake Active Directory Domain Controller

Goal: To identify attackers attempting to enumerate or modify Active Directory objects.

Approach: Monitoring access to the fake domain controller and analyzing attacker behavior. This element involves setting up a fake domain controller that mimics a legitimate one but contains deceptive information, such as fake user accounts or group memberships.

Attackers who attempt to interact with the fake domain controller will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.

Read more...

Fake Kubernetes Secrets

Goal: To identify attackers attempting to steal sensitive information stored as Kubernetes secrets.

Approach: Monitoring access to the fake secrets and analyzing attacker behavior. This element involves creating fake Kubernetes secrets that mimic legitimate secrets but contain misleading or deceptive information.

Attackers who attempt to access or exfiltrate the fake secrets will be identified and their actions will be logged.

Read more...

Deceptive Docker Container

Goal: To identify attackers attempting to compromise or gain access to sensitive data within Docker containers.

Approach: Monitoring access to the deceptive container and analyzing attacker behavior. This element involves deploying a deceptive Docker container that mimics a legitimate container but contains fake or misleading data, or triggers alerts upon access.

Attackers who attempt to access or modify data within the deceptive container will be identified and their actions will be logged.

Read more...

Fake DNS Server

Goal: To identify attackers attempting to resolve internal domain names or perform DNS tunneling.

Approach: Monitoring queries to the fake DNS server and analyzing attacker behavior.

This element involves setting up a fake DNS server that responds to specific queries with deceptive answers or redirects them to a controlled environment.

Read more...

Deceptive Syslog Daemon

Goal: To identify attackers attempting to exploit vulnerabilities in the logging system or to gather information about the system’s activity.

Approach: Monitoring the deceptive daemon for any signs of interaction or modification.

This element involves configuring a deceptive syslog daemon that listens for specific log messages and triggers deceptive responses, such as sending fake alerts or redirecting attackers to a honeypot.

Attackers who attempt to interact with or modify the deceptive daemon will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.

Read more...

Fake Systemd Service

Goal: To identify attackers attempting to exploit vulnerabilities in the service or to gain persistence on the system.

Approach: Monitoring the fake service for any signs of interaction or modification.This element involves creating a fake systemd service that mimics a legitimate service but performs a deceptive action, such as logging login attempts, triggering alerts, or redirecting connections to a honeypot.

Attackers who attempt to interact with or modify the fake service will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.

Read more...

Fake Cron Jobs

Goal: To identify and gather information about attackers attempting to brute force SSH credentials.

Approach: Monitoring connections to the deceptive SSH server and analyzing attacker behavior.

This element involves creating fake cron jobs that mimic legitimate tasks but trigger alerts or execute harmless commands.

Attackers who attempt to modify or utilize cron jobs for malicious purposes will trigger alerts, revealing their presence and intentions.

Read more...

Deceptive SSH Server

Goal: To identify and gather information about attackers attempting to brute force SSH credentials.

Approach: Monitoring connections to the deceptive SSH server and analyzing attacker behavior.

Attackers who attempt to log in to the deceptive SSH server will have their credentials captured, and their activities will be logged. This information can be used to improve defenses and identify potential threats.

Read more...

Fake macOS System Updates

Goal: To identify attackers attempting to exploit vulnerabilities in the macOS update process.

Approach: Monitoring interaction with the fake updates and analyzing attacker behavior. This element involves creating fake macOS system updates that mimic legitimate updates but contain misleading or deceptive information or lead to a controlled environment.

Attackers who attempt to install or interact with the fake updates will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the system.

Read more...