Deceptive Exception Handling

Goal: To identify attackers attempting to exploit vulnerabilities or gain information through exception handling mechanisms.

Approach: Monitoring exception handling routines and providing deceptive responses. This element involves modifying exception handling routines to provide misleading information or redirect execution flow.

By manipulating exception handling, this element can disrupt attacker tools, gather information about their activities, or conceal sensitive data.

Fake System Call Table

Goal: To identify and mislead attackers attempting to hijack system calls for malicious purposes.

Approach: Monitoring system call activity and providing deceptive responses. This element involves manipulating the system call table to redirect specific calls to deceptive functions.

By redirecting system calls, this element can disrupt attacker tools, gather information about their activities, or lead them to controlled environments.

Deceptive API Call Responses

Goal: To identify and mislead attackers attempting to manipulate system behavior through API hooking.

Approach: Monitoring API calls and providing deceptive responses. This element involves intercepting specific API calls and returning misleading or unexpected data to attackers.

By manipulating API call responses, this element can confuse attackers, disrupt their tools, or lead them down false paths.

Engage Report: TA397 RATs War

TA397 utilizes a malicious shortcut (LNK) file embedded within a RAR archive. This LNK file, when activated, executes PowerShell code that creates a scheduled task on the victim’s machine. This scheduled task enables the download and execution of additional payloads, establishing persistence on the compromised system.

Hunting all around for TA397 RATs

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

Deceptive LDAP Responses

Goal: To identify attackers attempting to gather information about Active Directory objects or to exploit vulnerabilities in the LDAP protocol.

Approach: Monitoring LDAP queries and analyzing attacker behavior. This element involves configuring a deceptive LDAP server that responds to specific queries with misleading or deceptive information.

Attackers who attempt to interact with the deceptive LDAP server will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.

Fake Active Directory Domain Controller

Goal: To identify attackers attempting to enumerate or modify Active Directory objects.

Approach: Monitoring access to the fake domain controller and analyzing attacker behavior. This element involves setting up a fake domain controller that mimics a legitimate one but contains deceptive information, such as fake user accounts or group memberships.

Attackers who attempt to interact with the fake domain controller will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.

Engage Report: FLUX#CONSOLE

The threat actors utilize Microsoft Common Console Document (MSC) files to execute malicious JavaScript code. These MSC files are designed to mimic the appearance of PDF documents, deceiving users into opening them. Upon execution, the embedded JavaScript code facilitates the download and execution of a backdoor payload.

Fake Kubernetes Secrets

Goal: To identify attackers attempting to steal sensitive information stored as Kubernetes secrets.

Approach: Monitoring access to the fake secrets and analyzing attacker behavior. This element involves creating fake Kubernetes secrets that mimic legitimate secrets but contain misleading or deceptive information.

Attackers who attempt to access or exfiltrate the fake secrets will be identified and their actions will be logged.