Deceptive File System Filter Driver

Goal: Disrupt malware operation by manipulating file system operations.

Approach: Intercepting and altering file system requests.

This element installs a file system minifilter driver that sits in the I/O path and sees every file operation (create, read, write, rename, delete) before the file system does. It can deny a request, rewrite it, or redirect it to a decoy: returning decoy contents when a sensitive file is opened, failing writes to the locations malware uses for persistence, or failing the create request that would load a dropped executable. The driver runs in kernel mode and must be signed; a defect in it crashes the system, and a kernel-mode rootkit loaded beneath the filter manager is not constrained by it, so treat it as one layer rather than a complete control.

Fake Active Directory Objects

Goal: Gather information about attacker activity by creating fake Active Directory objects.

Approach: Monitoring access to deceptive Active Directory objects.

This element creates fake user accounts, computers, or groups in Active Directory that have no legitimate use, so any authentication attempt, Kerberos ticket request, logon, or directory query that names them is suspect by construction. Make the objects attractive to an attacker enumerating the domain (a plausible service-account name, a service principal name that invites Kerberoasting, membership in a group that looks privileged) and alert on Security events that reference them, in particular 4768 and 4769 (Kerberos authentication and service ticket requests), 4624 and 4625 (logons), and 4662 (access to the object itself, which requires an audit entry in its SACL). The objects must never be granted real rights, and each alert should carry the source address so the reconnaissance or lateral-movement attempt can be traced to the host it came from.
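The alerting side of this element, as an added example that is not part of the original page: a small detector run over Windows Security events exported as JSON lines. The honey principal names, the sample records, and the JSON-lines export format are assumptions made for the example; the event IDs and field names (TargetUserName, ServiceName, IpAddress, PreAuthType, TicketEncryptionType, SubjectUserName, ObjectName) are the ones the Security log uses.

```python
"""Honey-account alerting over Windows Security events exported as JSON lines.

Added example. The event records below are constructed: one JSON object per line,
using the field names Windows writes to the Security log.
"""
from __future__ import annotations

import json

# Constructed honey principals: fake service accounts with no legitimate use.
HONEY_PRINCIPALS = {"svc_backup_admin", "helpdesk.adm", "svc_sql_legacy"}

# Constructed sample: two events from a real user around four touches of honey objects.
SAMPLE_LOG = """\
{"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "PreAuthType": "2"}
{"EventID": 4768, "TargetUserName": "svc_backup_admin", "IpAddress": "10.1.2.77", "PreAuthType": "0"}
{"EventID": 4769, "TargetUserName": "jsmith@CORP.EXAMPLE", "ServiceName": "svc_sql_legacy", "IpAddress": "10.1.2.77", "TicketEncryptionType": "0x17"}
{"EventID": 4624, "TargetUserName": "CORP\\\\helpdesk.adm", "IpAddress": "10.1.2.77", "LogonType": "3"}
{"EventID": 4662, "SubjectUserName": "jsmith", "ObjectName": "CN=svc_backup_admin,OU=Service Accounts,DC=corp,DC=example"}
{"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "LogonType": "2"}
"""


def normalize(principal: str) -> str:
    """Reduce DOMAIN\\user, user@REALM and mixed case to a bare lower-case name."""
    name = principal.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def honey_hits(log_text: str, honey: set[str]) -> list[dict]:
    """Return one alert per event that names a honey principal."""
    honey = {normalize(h) for h in honey}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = int(ev["EventID"])
        who = reason = None
        if eid == 4768 and normalize(ev.get("TargetUserName", "")) in honey:
            who = ev["TargetUserName"]
            reason = "Kerberos TGT requested for honey account"
            if str(ev.get("PreAuthType")) == "0":            # no pre-auth: AS-REP roasting
                reason += " without pre-authentication (AS-REP roasting)"
        elif eid == 4769 and normalize(ev.get("ServiceName", "")) in honey:
            who = ev["ServiceName"]
            reason = "service ticket requested for honey SPN"
            if str(ev.get("TicketEncryptionType", "")).lower() == "0x17":   # RC4-HMAC
                reason += " with RC4 encryption (Kerberoasting)"
        elif eid in (4624, 4625) and normalize(ev.get("TargetUserName", "")) in honey:
            who = ev["TargetUserName"]
            reason = "logon %s with honey account" % ("succeeded" if eid == 4624 else "failed")
        elif eid == 4662:
            rdn = ev.get("ObjectName", "").split(",", 1)[0]   # leading CN=<name>
            if rdn.lower().startswith("cn=") and normalize(rdn[3:]) in honey:
                who = rdn[3:]
                reason = "honey directory object accessed (needs a SACL audit entry on the object)"
        if who:
            hits.append({
                "event_id": eid,
                "principal": who,
                "source": ev.get("IpAddress") or ev.get("SubjectUserName", "unknown"),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in honey_hits(SAMPLE_LOG, HONEY_PRINCIPALS):
        print(hit)
```

Every hit is an alert, not a score: a honey principal has no legitimate traffic, so the detector needs no threshold, and the source field (client address, or the subject for 4662) is what the responder pivots on.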

Deceptive DNS Responses

Goal: Redirect attacker traffic to a controlled environment by providing deceptive DNS responses.

Approach: Manipulating DNS resolution to redirect traffic.

This element intercepts DNS queries for known malicious domains and answers them with the address of a sinkhole or honeypot the defender controls, so the implant's command-and-control connection lands on monitored infrastructure rather than the attacker's. Queries for other names are forwarded to the normal resolver unchanged. Keep the TTL short so the redirection can be withdrawn quickly, and expect gaps: malware that connects to hard-coded IP addresses, uses DNS over HTTPS, or carries its own resolver never passes through the deceptive server.
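The resolver side of this element, as an added example that is not part of the original page: a minimal sinkholing responder that speaks DNS wire format directly. The blocklist, the sinkhole and upstream addresses (taken from the 192.0.2.0/24 documentation range), and the sample query built with build_query() are assumptions made for the example; the packet layout follows RFC 1035.

```python
"""Minimal DNS sinkhole: answer A queries for blocklisted names with a controlled address.

Added example. Query bytes are constructed with build_query() so it runs offline;
addresses are placeholders from the documentation ranges.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire labels (length byte + label, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                        # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """Standard recursive query; used here to construct sample input."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(data: bytes) -> tuple[int, str, int, int, bytes]:
    """(txid, qname, qtype, qclass, raw question section) of a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, qname, qtype, qclass, data[12:off + 4]


def build_response(txid: int, question: bytes, ip: str, ttl: int) -> bytes:
    """Response with one A record; 0xC00C is a pointer back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD=1, RA=1, NOERROR
    rdata = ipaddress.IPv4Address(ip).packed
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """True when qname or any parent domain is listed (c2.evil.example matches evil.example)."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole(query: bytes, blocklist: set[str], sinkhole_ip: str, ttl: int = 60) -> bytes | None:
    """Deceptive response for blocklisted A queries; None means 'forward to the real resolver'."""
    txid, qname, qtype, qclass, question = parse_query(query)
    if qtype == TYPE_A and qclass == CLASS_IN and is_blocked(qname, blocklist):
        return build_response(txid, question, sinkhole_ip, ttl)
    return None


def parse_answer(response: bytes) -> tuple[int, str, str, int]:
    """(txid, answered name, IPv4, ttl) from a response built above; verifies the wire format."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response carrying an answer")
    _, off = decode_name(response, 12)
    off += 4                                                   # skip qtype/qclass
    name, off = decode_name(response, off)
    _, _, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return txid, name, str(ipaddress.IPv4Address(response[off:off + rdlen])), ttl


def serve(listen=("0.0.0.0", 5353), upstream=("192.0.2.53", 53), blocklist=frozenset(), sinkhole_ip="192.0.2.1"):
    """UDP loop: sinkhole listed names, relay everything else to `upstream` (placeholder address)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    relay.settimeout(2.0)
    while True:
        data, client = sock.recvfrom(512)
        try:
            reply = sinkhole(data, blocklist, sinkhole_ip)
        except (ValueError, IndexError, struct.error):
            continue                                           # malformed query: drop it
        if reply is None:
            relay.sendto(data, upstream)
            try:
                reply, _ = relay.recvfrom(4096)
            except socket.timeout:
                continue
        sock.sendto(reply, client)
```

Only A queries in class IN are answered locally; anything else for a listed name (AAAA, TXT) is still relayed, which keeps the responder from revealing itself through odd answers to record types it does not serve. The transaction ID is copied from the query so the client accepts the answer, and the short TTL means the sinkhole can be lifted without waiting out cached records.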

API Hooking for Credential Theft Detection

Goal: Detect attempts to steal credentials by hooking API calls related to credential management.

Approach: Monitoring API calls for suspicious activity.

This element hooks API calls related to credential management, such as CredEnumerateW or LogonUserW, and inspects the caller and its arguments. When a suspicious call is detected it can log the event, alert security personnel, or return a deceptive credential whose later use reveals the attacker. User-mode hooks live inside the monitored process, so a tool running there can find and remove them, and tools that read credentials directly from LSASS memory never call these APIs at all; pair the hooks with kernel-level telemetry rather than relying on them alone.

Deceptive Named Pipe Server

Goal: Detect attempts to communicate with known malicious named pipes.

Approach: Monitoring for connections to deceptive named pipes.

This element creates a named pipe server under a name that a known malware family or post-exploitation framework uses for its own inter-process communication. A client that connects to it is, by definition, looking for that malware: the server records the connecting process, user, and time, and can optionally answer with a deceptive payload that keeps the client engaged while the alert is raised. The name must match what the malware expects, so keep the list current, and note that malware which creates its own pipe rather than connecting to an existing one never touches the deceptive server; creation of suspicious pipe names is better caught from pipe-creation telemetry such as Sysmon event 17.

Ursnif Trojan – Stealthy Memory Execution

T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.

T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.

T1562.001 – The malware uses PowerShell commands to disable Windows Defender (Impair Defenses: Disable or Modify Tools).

T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.

T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.

T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
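The chain above, turned into detection logic as an added example that is not part of the original page: a scanner over process-creation telemetry (Sysmon Event ID 1 exported as JSON lines) that flags the certutil decode, the Defender tampering, and the cmd.exe launched from Explorer as an LNK launch would be. The sample records, the host name, the paths and the JSON-lines export format are constructed for the example; the technique IDs are those listed above.

```python
"""Flagging the Ursnif-style delivery chain in process-creation telemetry.

Added example over constructed Sysmon Event ID 1 records exported as JSON lines
(fields Computer, ParentImage, Image, CommandLine). Rules are regular expressions on
the command line plus, for the cmd.exe rule, a parent/child constraint.
"""
from __future__ import annotations

import json
import re
from typing import Callable, Optional

# (technique, description, command-line pattern, optional extra predicate on the event)
RULES: list[tuple[str, str, re.Pattern, Optional[Callable[[dict], bool]]]] = [
    ("T1140", "certutil decoding a payload",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|decodehex)\b", re.I), None),
    ("T1562.001", "PowerShell changing Defender preferences",
     re.compile(r"\b(Set|Add)-MpPreference\b.*\s-(Disable\w+|Exclusion\w+)", re.I), None),
    ("T1059.003", "cmd.exe spawned by Explorer (as a LNK launch would) running a decoder or script host",
     re.compile(r"\b(certutil|powershell|mshta|wscript|cscript)\b", re.I),
     lambda ev: ev.get("Image", "").lower().endswith("\\cmd.exe")
     and ev.get("ParentImage", "").lower().endswith("\\explorer.exe")),
]

# Constructed sample: three stages of the chain on one host plus a benign Word launch.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS-0042", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c certutil -decode %TEMP%\\invoice.pdf.txt %TEMP%\\inv.exe && %TEMP%\\inv.exe"}
{"EventID": 1, "Computer": "WS-0042", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode C:\\Users\\u\\AppData\\Local\\Temp\\invoice.pdf.txt C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe"}
{"EventID": 1, "Computer": "WS-0042", "ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\inv.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"EventID": 1, "Computer": "WS-0042", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n"}
"""


def match_event(ev: dict) -> list[str]:
    """Technique IDs whose rule matches this event, in rule order."""
    cmd = ev.get("CommandLine", "")
    return [tid for tid, _, pat, pred in RULES
            if pat.search(cmd) and (pred is None or pred(ev))]


def scan(log_text: str) -> list[dict]:
    """One record per (event, matching rule): host, technique, description, command line."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if int(ev.get("EventID", 0)) != 1:
            continue
        for tid in match_event(ev):
            desc = next(d for t, d, _, _ in RULES if t == tid)
            out.append({"host": ev["Computer"], "technique": tid,
                        "description": desc, "command": ev["CommandLine"]})
    return out


# Decoding plus defence tampering on the same host is treated as the full chain.
CHAIN = {"T1140", "T1562.001"}


def summarize(hits: list[dict]) -> dict[str, dict]:
    """Per host: sorted techniques seen and whether the chain is complete."""
    per_host: dict[str, set[str]] = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: {"techniques": sorted(t), "chain": CHAIN <= t} for host, t in per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["host"], h["technique"], h["description"])
    print(summarize(found))
```

The individual rules are noisy on their own (administrators do run certutil and Set-MpPreference); the per-host summary is what raises severity, since a decode followed by Defender tampering on one workstation is the sequence described above rather than routine administration.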

Deceptive Browser Extension

Goal: Gather information about web-based attacks by deploying a deceptive browser extension.

Approach: Collecting data on attacker activity through a deceptive browser extension.

This element deploys a browser extension that mimics legitimate functionality while quietly recording attacker activity that reaches the browser, such as scripts injected into pages, requests to unexpected origins, or attempts to interact with the extension's own exposed interfaces. Treat it purely as a sensor: it runs with the privileges of the browser profile it is installed in, so what it collects must be protected in transit and at rest, and it must not add capability an attacker could turn against the user.

Process-Specific API Call Manipulation

Goal: Disrupt malware operation by manipulating API calls made by specific processes.

Approach: Intercepting and altering API calls to disrupt malicious activity.

This element monitors the API calls made by specific, pre-selected processes and selectively alters their results to break malware that depends on them: returning errors for calls the process should not be making, handing back false values (for instance, reporting that a mutex the malware uses to avoid reinfecting a host already exists, so it exits), or silently discarding the effect of a call. Scope the manipulation to the target process only; altering responses for legitimate processes causes outages that look like faults in the software itself.

Linux Kernel Module Deception

Goal: Detect rootkit activity by presenting a deceptive view of kernel modules.

Approach: Monitoring kernel module activity for anomalies.

This element loads a kernel module that looks like a legitimate one (name, version, exported symbols) but returns false information to code that queries it, so a rootkit probing the kernel for modules to hide from or hook reveals itself by the queries it makes. Rootkits commonly hide by unlinking themselves from the kernel's module list, which removes them from lsmod and /proc/modules while the entry under /sys/module may remain; comparing those views is a cheap complementary check, and a rootkit that scrubs every view is left to memory forensics.
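The cross-view check mentioned above, as an added example that is not part of the original page: it compares the module names in /proc/modules with the loadable modules visible under /sys/module and reports anything present in one view but not the other. The sample /proc/modules text and sysfs listing are constructed, including the hidden module name rk_hidden; the check relies on the fact that only modules loaded from .ko files have an initstate file under /sys/module/<name>, while built-in code that also appears there (such as printk) does not.

```python
"""Cross-view check for hidden Linux kernel modules.

Added example. compare_views() works on constructed inputs so it runs anywhere;
live_check() reads the real /proc/modules and /sys/module on a Linux host.
"""
from __future__ import annotations

import os

# Constructed /proc/modules excerpt: name, size, refcount, users, state, address.
SAMPLE_PROC_MODULES = """\
ext4 745472 2 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
jbd2 131072 1 ext4, Live 0xffffffffc09c0000
"""

# Constructed /sys/module listing: directory name -> whether it has an initstate file.
# rk_hidden is a loadable module unlinked from the module list; printk and kernel are built-in.
SAMPLE_SYSFS = {
    "ext4": True,
    "mbcache": True,
    "jbd2": True,
    "rk_hidden": True,
    "printk": False,
    "kernel": False,
}


def parse_proc_modules(text: str) -> set[str]:
    """Module names from /proc/modules (first whitespace-separated field of each line)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def loaded_from_sysfs(entries: dict[str, bool]) -> set[str]:
    """Loadable modules as seen by sysfs: entries that carry an initstate file.
    Built-in code also gets a /sys/module/<name> directory (for its parameters) but no initstate."""
    return {name for name, has_initstate in entries.items() if has_initstate}


def compare_views(proc_text: str, sysfs_entries: dict[str, bool]) -> dict[str, list[str]]:
    """Names that one view shows and the other does not; either direction is anomalous."""
    proc = parse_proc_modules(proc_text)
    sysfs = loaded_from_sysfs(sysfs_entries)
    return {
        "hidden_from_proc": sorted(sysfs - proc),     # classic unlink-from-list rootkit
        "missing_from_sysfs": sorted(proc - sysfs),   # sysfs kobject removed or view tampered
    }


def live_check(sys_module_dir: str = "/sys/module", proc_modules: str = "/proc/modules") -> dict[str, list[str]]:
    """Run the comparison against the running kernel (Linux only)."""
    with open(proc_modules) as fh:
        proc_text = fh.read()
    entries = {
        name: os.path.exists(os.path.join(sys_module_dir, name, "initstate"))
        for name in os.listdir(sys_module_dir)
    }
    return compare_views(proc_text, entries)


if __name__ == "__main__":
    print(compare_views(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
```

Run live_check() from a trusted user space, ideally against a mounted image or over a second channel, since a rootkit that already controls the kernel can lie to any process reading these files; an empty result therefore means "consistent", not "clean".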