Deceptive Email with Hidden Links

Goal: To identify attackers actively monitoring email traffic or who have compromised an employee’s account.

Approach: Monitoring interaction with the deceptive email and analyzing attacker behavior. This element involves sending a deceptive email to employees that appears to be legitimate but contains hidden links that are only visible when the email is viewed in a specific way, such as using a particular email client or viewing the email’s source code.

Because a legitimate recipient never sees the hidden links, anyone who attempts to view or follow them is identified and the access is logged, pointing to a monitored mailbox or a compromised account. This information can be used to improve defenses and make it more difficult for attackers to phish employees.
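As an added example (not part of the original page), the following Python shows one way to seed such an email with a per-recipient hidden link and to map later hits in a web-server access log back to the mailbox they came from. The canary path, the HMAC-derived token scheme, and the sample log lines are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import re
CANARY_PATH = "/r/"  # assumed path that the canary web server logs hits on

def canary_token(recipient: str, secret: bytes) -> str:
    """Per-recipient token derived with HMAC so it cannot be guessed or enumerated."""
    return hmac.new(secret, recipient.lower().encode(), hashlib.sha256).hexdigest()[:20]

def build_deceptive_email(recipient: str, base_url: str, secret: bytes) -> str:
    """HTML body of a legitimate-looking notice whose only canary is a hidden anchor.
    Rendering clients never show it, so a hit means the source was viewed,
    a crawler followed every link, or the mailbox was scraped."""
    token = canary_token(recipient, secret)
    return (
        "<html><body><p>Your quarterly benefits statement is available in the HR portal.</p>"
        f'<a href="{base_url}{CANARY_PATH}{token}" style="display:none">archive</a>'
        "</body></html>"
    )

# Combined access-log format: ip ident user [time] "GET path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET ' + re.escape(CANARY_PATH)
    + r'([0-9a-f]{20}) HTTP/[\d.]+" \d+ \d+ "[^"]*" "([^"]*)"'
)

def resolve_hits(log_lines, recipients, secret: bytes):
    """Map canary hits in access-log lines back to the mailbox each token was seeded
    into. Returns a list of (recipient, source_ip, user_agent) tuples."""
    by_token = {canary_token(r, secret): r for r in recipients}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2) in by_token:
            hits.append((by_token[m.group(2)], m.group(1), m.group(3)))
    return hits

# Constructed sample: two seeded mailboxes, one hidden link followed, one unrelated request.
SECRET = b"constructed-demo-secret"
RECIPIENTS = ["alice@example.com", "bob@example.com"]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET ' + CANARY_PATH
    + canary_token("bob@example.com", SECRET) + ' HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for recipient, ip, ua in resolve_hits(SAMPLE_LOG, RECIPIENTS, SECRET):
        print(f"hidden link for {recipient} fetched from {ip} ({ua})")
```

A hit on a token identifies which mailbox was read and from where, without the recipient having done anything; rotate the secret per campaign so tokens from one send cannot be reused to probe another.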

API Hooking for Credential Theft Detection

Goal: Detect attempts to steal credentials by hooking API calls related to credential management.

Approach: Monitoring API calls for suspicious activity.

This element hooks API calls related to credential management, such as CredEnumerate or LogonUser. When a suspicious call is detected, the element can log the event, alert security personnel, or even inject a deceptive credential.

Process-Specific API Call Manipulation

Goal: Disrupt malware operation by manipulating API calls made by specific processes.

Approach: Intercepting and altering API calls to disrupt malicious activity.

This element involves monitoring API calls made by specific processes and selectively manipulating their responses to disrupt malware operation.