Fake Industrial Control System (ICS) Honeypot

What is the goal of this operation: To attract and trap adversaries targeting ICS systems, exposing their presence, understanding their TTPs, and gathering intelligence on their tools and motives.

What's the approach of this operation or element? This element focuses on collecting adversary activity data within the honeypot environment, detecting every interaction with the decoy ICS components, and analyzing that information to understand the adversary's capabilities and intentions.

Description of Element:

This active defense element involves deploying a realistic, yet fake, ICS environment within a segregated network segment. This honeypot mimics real-world ICS components, such as programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs). The environment is designed to lure attackers interested in disrupting or sabotaging critical infrastructure.
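A minimal Modbus/TCP responder of the kind a PLC decoy is built on, added here as an example; it is not code from the original page or from any honeypot project. It assumes a constructed register map and answers only Read Holding Registers and Write Single Register. Everything else gets a Modbus exception but is still logged, because unexpected function codes fingerprint the scanner or tool in use, and any write to a decoy is treated as an attempt to change process state:

```python
import json
import logging
import socket
import struct

# Register map of the decoy PLC. Values are constructed for this example; a
# real decoy would expose numbers that look like a plausible process.
HOLDING_REGISTERS = [1200, 57, 3, 0, 1, 0, 0, 0, 850, 0, 0, 0, 0, 0, 0, 0]

FC_READ_HOLDING = 0x03   # Read Holding Registers
FC_WRITE_SINGLE = 0x06   # Write Single Register
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02


def handle_modbus_request(frame, registers=None):
    """Parse one Modbus/TCP request (7-byte MBAP header + PDU), answer it the
    way a PLC would, and return (response_bytes, event_dict) for the log."""
    if registers is None:
        registers = HOLDING_REGISTERS
    if len(frame) < 8:
        return b"", {"severity": "warn", "reason": "short frame", "raw": frame.hex()}
    txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]          # MBAP length counts the unit id byte
    if not pdu:
        return b"", {"severity": "warn", "reason": "empty PDU", "raw": frame.hex()}
    fc = pdu[0]
    event = {"txn": txn, "unit": unit, "function": fc, "severity": "info"}

    if fc == FC_READ_HOLDING and len(pdu) >= 5:
        addr, qty = struct.unpack(">HH", pdu[1:5])
        event.update(address=addr, quantity=qty)
        if qty < 1 or qty > 125 or addr + qty > len(registers):
            # Out-of-range reads usually mean someone is mapping the device
            resp_pdu = bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
            event["severity"] = "warn"
        else:
            values = registers[addr:addr + qty]
            resp_pdu = bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
    elif fc == FC_WRITE_SINGLE and len(pdu) >= 5:
        addr, value = struct.unpack(">HH", pdu[1:5])
        # Nobody should ever write to a decoy PLC: a write is an attempt to
        # change process state, so it gets the highest severity.
        event.update(address=addr, value=value, severity="critical")
        if addr < len(registers):
            registers[addr] = value
            resp_pdu = pdu[:5]             # a successful write echoes the request
        else:
            resp_pdu = bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
    else:
        # Anything else (diagnostics, device identification, file records...)
        # is answered with ILLEGAL FUNCTION but still logged: it fingerprints
        # the attacker's tooling.
        resp_pdu = bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])
        event["severity"] = "warn"

    mbap = struct.pack(">HHHB", txn, proto, len(resp_pdu) + 1, unit)
    return mbap + resp_pdu, event


def serve(host="0.0.0.0", port=502):
    """Accept Modbus/TCP clients and write one JSON event per request."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                while True:
                    frame = conn.recv(260)      # max Modbus/TCP ADU size
                    if not frame:
                        break
                    resp, event = handle_modbus_request(frame)
                    event["src"] = "%s:%d" % peer
                    logging.info(json.dumps(event))
                    if resp:
                        conn.sendall(resp)


if __name__ == "__main__":
    serve()
```

Port 502 needs root or a port capability; run the responder on a host inside the segregated segment and forward its JSON lines to the SIEM. The frame layout is the standard one: a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU, so off-the-shelf scanners and engineering tools will talk to it without modification.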

Deceptive SMB Share with False Credentials

What is the goal of this operation: To lure attackers into interacting with a deceptive SMB share, exposing their presence and gathering intelligence on their tools, techniques, and procedures (TTPs).

What's the approach of this operation or element? This element focuses on collecting information about attackers who interact with the deceptive share, detecting their presence and activities, and analyzing the gathered data to understand their TTPs and motivations.

Description of Element:

This active defense element involves setting up a deceptive SMB share on a dedicated Windows host within the network. The share is configured to appear as a legitimate network backup or file share, containing enticing files and documents (pocket litter) like “password.txt” or “confidential_reports.xlsx”. However, these files contain false information or are instrumented to trigger alerts upon access.


Honeyfile with Canary Token

What is the goal of this operation: To detect and track unauthorized access attempts, gather intelligence on attacker behavior, and potentially disrupt their operations.

What's the approach of this operation or element? This element aims to deceive and lure attackers, providing an opportunity to observe their actions and collect valuable intelligence.

Description of Element: This active defense element involves creating a decoy file (honeyfile) embedded with a canary token. This token acts as a tripwire, alerting defenders when the file is accessed or interacted with. The honeyfile is strategically placed within the network or system, disguised to appear as legitimate and valuable data.
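To show what the tripwire looks like end to end, here is an added example, not from the original page and not any specific canary-token service's code. It mints a per-file token, embeds it in an HTML decoy as a one-pixel image, and turns the resulting HTTP hit back into an alert that names the planted file and host. The hostname canary.example and the signing key are placeholders:

```python
import hashlib
import hmac
import html
import secrets
import urllib.parse
from datetime import datetime, timezone

# Assumptions for this example, not values from the page: the hostname the
# token beacons to and the key used to sign token ids.
CANARY_HOST = "canary.example"
SECRET_KEY = b"replace-with-a-random-32-byte-key"

# token id -> where the honeyfile was planted (a database in real deployments)
TOKEN_REGISTRY = {}


def new_token(planted_path, planted_host):
    """Mint a unique token id for one honeyfile and record where it lives, so
    a later callback can name the exact file (and host) that was opened."""
    token = secrets.token_hex(12)
    TOKEN_REGISTRY[token] = {"path": planted_path, "host": planted_host,
                             "created": datetime.now(timezone.utc).isoformat()}
    return token


def _tag(token):
    # Short HMAC over the id: the endpoint can drop guessed or forged ids
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]


def token_url(token):
    return f"https://{CANARY_HOST}/t/{token}/{_tag(token)}.png"


def build_honeyfile(token, title):
    """Return an HTML 'report' whose 1x1 image fetches the token URL the moment
    the file is rendered; that fetch is the tripwire."""
    safe_title = html.escape(title)
    return (f"<html><head><title>{safe_title}</title></head><body>"
            f"<h1>{safe_title}</h1><p>Consolidated Q3 figures, internal only.</p>"
            f'<img src="{token_url(token)}" width="1" height="1" alt="">'
            "</body></html>")


def parse_callback(request_line, headers, src_ip):
    """Turn one HTTP hit on the canary endpoint into an alert dict, or None
    when the path is not a validly signed, registered token."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "HEAD"):
        return None
    segs = urllib.parse.urlsplit(parts[1]).path.strip("/").split("/")
    if len(segs) != 3 or segs[0] != "t" or not segs[2].endswith(".png"):
        return None
    token, tag = segs[1], segs[2][:-4]
    if not hmac.compare_digest(tag, _tag(token)) or token not in TOKEN_REGISTRY:
        return None
    placement = TOKEN_REGISTRY[token]
    return {
        "alert": "honeyfile opened",
        "file": placement["path"],
        "planted_on": placement["host"],
        "src_ip": src_ip,
        "user_agent": headers.get("User-Agent", ""),
        "seen": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # Plant one file, then replay the hit a browser would generate (constructed)
    tok = new_token(r"\\FS01\Finance\confidential_reports.html", "FS01")
    print(build_honeyfile(tok, "Confidential Reports"))
    hit = f"GET /t/{tok}/{_tag(tok)}.png HTTP/1.1"
    print(parse_callback(hit, {"User-Agent": "Mozilla/5.0"}, "203.0.113.7"))
```

Signing the token id is what stops an attacker who has found one token from spraying the endpoint with guesses and drowning real alerts in noise. Other carriers work the same way as the HTML image here: an Office document with a remote template, a .url file with a remote icon, or a unique DNS name only has to cause a fetch of a unique name when the file is opened.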


Tropic Trooper – Campaign

Tropic Trooper employs a multi-stage attack flow:

  1. Initial Access: Exploiting vulnerabilities in public-facing applications (like Microsoft Exchange Server) or through spearphishing emails with malicious attachments.
  2. Persistence: Establishing persistent access using web shells (like “ByPassGodzilla” and “ChinaChopper”) and malware (like the “Yahoyah” downloader).
  3. Privilege Escalation: Utilizing DLL side-loading and exploiting system services to gain higher privileges.
  4. Lateral Movement: Moving laterally within the network using SMB shares and remote services.
  5. Data Exfiltration: Exfiltrating data to cloud storage or using other automated methods.

Tropic Trooper – Spear Phishing Attachment

Tropic Trooper crafts spearphishing emails with malicious attachments, often disguised as legitimate documents or files, to target individuals within their desired organizations. These attachments typically contain malware, such as the “Yahoyah” downloader, which enables them to establish persistence on compromised systems.

DarkComet RAT – Proxy

The DarkComet RAT utilizes a connection proxy, specifically SOCKS5, to obfuscate the true command and control (C2) server infrastructure. This makes it more difficult to identify and block the C2 communication, allowing the attacker to maintain persistent control over the infected system.

Embedded Honeytokens

These are computer login accounts or banking login credentials created solely to entice attackers; no legitimate user or process ever uses them. Their use is monitored, and any attempt to use them, whether the attempt succeeds or fails, triggers an alert.
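Detection for both the deceptive SMB share described earlier and embedded honeytoken accounts, as an added example that is not from the original page: two rules run over constructed Windows Security event lines in the flattened JSON a log forwarder emits. The event IDs and field names are the standard ones (4624/4625 logon, 4768/4771 Kerberos TGT request, 5145 detailed file share access); the account names, share name, file names and addresses are made up for the example:

```python
import json

# Honeytoken accounts seeded into the directory and local SAMs. No person or
# service ever uses them, so any authentication attempt, successful or not,
# is an alert. Names are constructed for this example.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "jsmith_old"}

# The decoy share and the pocket litter it carries (constructed)
DECOY_SHARE = r"\\*\Backups"
POCKET_LITTER = {"password.txt", "confidential_reports.xlsx"}

# Constructed sample events in the flattened JSON a Windows log forwarder
# typically emits. Field names follow the Security log (4624/4625 logon,
# 4768/4771 Kerberos TGT, 5145 detailed file share access).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.5.21", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.9.44",
     "LogonType": 3, "Status": "0xc000006d"},
    {"EventID": 4768, "TargetUserName": "jsmith_old", "IpAddress": "::ffff:10.0.9.44"},
    {"EventID": 5145, "SubjectUserName": "alice", "ShareName": r"\\*\Public",
     "RelativeTargetName": "readme.txt", "IpAddress": "10.0.5.21", "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "bob", "ShareName": r"\\*\Backups",
     "RelativeTargetName": r"2024\password.txt", "IpAddress": "10.0.9.44", "AccessMask": "0x1"},
]]


def _norm_ip(ip):
    # Kerberos events report IPv4-mapped IPv6 addresses; strip the prefix so
    # one host correlates across event types
    ip = ip or ""
    return ip[7:] if ip.startswith("::ffff:") else ip


def detect(lines):
    """Run the two deception rules over JSON event lines; return alert dicts."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        eid = ev.get("EventID")
        if eid in (4624, 4625, 4768, 4771):
            user = ev.get("TargetUserName", "").lower()
            if user in HONEYTOKEN_ACCOUNTS:
                alerts.append({
                    "rule": "honeytoken-account-used", "severity": "high",
                    "account": user, "src": _norm_ip(ev.get("IpAddress")),
                    "event_id": eid,
                    "outcome": "failure" if eid in (4625, 4771) else "success"})
        elif eid == 5145 and ev.get("ShareName", "").lower() == DECOY_SHARE.lower():
            target = ev.get("RelativeTargetName", "")
            is_litter = target.rsplit("\\", 1)[-1].lower() in POCKET_LITTER
            alerts.append({
                "rule": "decoy-share-accessed",
                "severity": "critical" if is_litter else "high",
                "account": ev.get("SubjectUserName"),
                "src": _norm_ip(ev.get("IpAddress")),
                "object": target, "event_id": eid})
    return alerts


def by_source(alerts):
    """Group alert rules by source host: one address touching more than one
    deception asset is the strongest sign of an active intruder."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["src"], set()).add(a["rule"])
    return grouped


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(json.dumps(a))
    print({src: sorted(rules) for src, rules in by_source(found).items()})
```

A failed logon (4625) with a honeytoken account is as significant as a successful one: the credential was only ever available to someone who read the decoy, so the attempt alone proves the read. Event 5145 has to be enabled through the "Detailed File Share" audit subcategory on the decoy host, and the decoy share should be excluded from backup and inventory jobs so that those do not trip the rule. Grouping by source address turns two low-volume rules into one high-confidence incident when a single host trips both.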

Log Files Decoy

An Event Log decoy is a deception technique used to engage adversaries by creating fake event log files that mimic legitimate system logs. These decoy logs are strategically placed in typical log directories (such as C:\Windows\System32\LogFiles on Windows or /var/log/ on Linux and macOS) and are populated with realistic but fabricated entries that resemble normal system activity, such as user logins, system errors, or security alerts.

The purpose of the Event Log decoy is to lure attackers into interacting with these logs, either by reading, modifying, or deleting them. When an adversary engages with the decoy logs, it triggers alerts that allow defenders to detect and monitor their activities. This technique not only helps in detecting unauthorized access but also provides valuable insights into the attacker’s methods and objectives.

Event Log decoys are typically monitored using File Integrity Monitoring (FIM) and auditing tools to ensure that any interaction with the decoy logs is captured and analyzed in real-time, thereby enhancing the overall security and detection capabilities of the environment.
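A small implementation of the planting and monitoring loop just described, added as an example and not the page's own tooling: it fabricates a syslog-style decoy log from constructed templates, baselines it, reports modification, truncation or deletion, and emits the auditd watch rule needed to also see reads, which a hash comparison cannot. Paths, hostnames and log lines are all constructed:

```python
import hashlib
import json
import os
import random
import shutil
import tempfile
from datetime import datetime, timedelta

# Constructed syslog-style templates. None of this reflects real activity; it
# only has to look like the auth/system log an intruder expects to find.
TEMPLATES = [
    "sshd[{pid}]: Accepted publickey for {user} from {ip} port {port} ssh2",
    "sshd[{pid}]: Failed password for invalid user admin from {ip} port {port} ssh2",
    "sudo:  {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "systemd[1]: Started Daily apt upgrade and clean activities.",
    "kernel: [{uptime:.6f}] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]
USERS = ["deploy", "backup", "ops"]


def fabricate_log(path, lines=200, host="app-01", seed=0):
    """Write a decoy log with plausibly spaced, fabricated entries."""
    rng = random.Random(seed)
    t = datetime(2024, 3, 4, 6, 12, 0)
    with open(path, "w") as f:
        for _ in range(lines):
            t += timedelta(seconds=rng.randint(5, 900))
            msg = rng.choice(TEMPLATES).format(
                pid=rng.randint(900, 60000), user=rng.choice(USERS),
                ip=f"10.0.{rng.randint(1, 20)}.{rng.randint(2, 250)}",
                port=rng.randint(1024, 65535), uptime=rng.uniform(1000, 900000))
            f.write(f"{t:%b %d %H:%M:%S} {host} {msg}\n")


def _fingerprint(path):
    if not os.path.exists(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": os.path.getsize(path)}


def baseline(paths):
    """Snapshot hash and size of every decoy log right after planting it."""
    return {p: _fingerprint(p) for p in paths}


def check(snapshot):
    """Compare the decoys with the baseline. They are never legitimately
    written, so any difference is an alert: modified, truncated or deleted."""
    alerts = []
    for path, old in snapshot.items():
        new = _fingerprint(path)
        if new is None:
            alerts.append({"path": path, "change": "deleted"})
        elif new["sha256"] != old["sha256"]:
            kind = "truncated" if new["size"] < old["size"] else "modified"
            alerts.append({"path": path, "change": kind})
    return alerts


def auditd_rule(path, key="decoylog"):
    """Hashing cannot see reads; pair the decoy with a kernel audit watch so a
    read (r), write (w) or attribute change (a) is also recorded."""
    return f"-w {path} -p rwa -k {key}"


def demo():
    """Plant one decoy, baseline it, then play the intruder: append, truncate
    and delete. Returns the alerts raised at each stage."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "auth.log.1")
    fabricate_log(path, lines=50)
    snap = baseline([path])
    stages = {"untouched": check(snap)}
    with open(path, "a") as f:                       # anti-forensics: plant an entry
        f.write("Mar 04 09:00:00 app-01 sshd[4242]: Accepted password for root from 10.0.9.44 port 50122 ssh2\n")
    stages["appended"] = check(snap)
    open(path, "w").close()                          # wipe the log
    stages["truncated"] = check(snap)
    os.remove(path)
    stages["deleted"] = check(snap)
    shutil.rmtree(workdir)
    return stages


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hash-based FIM covers the modify-or-delete half of the technique; catching an attacker who merely reads the decoy needs the kernel audit subsystem (auditd on Linux, a SACL with object access auditing on Windows), since file access times are not dependable under relatime mounts. Run check() from a central FIM agent or scheduler rather than only from the monitored host's own crontab, so that tampering with the host's scheduler does not silence the alert.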