Deceptive Email with Hidden Links

Goal: To identify attackers actively monitoring email traffic or who have compromised an employee’s account.

Approach: Monitoring interaction with the deceptive email and analyzing attacker behavior. This element involves sending a deceptive email to employees that appears to be legitimate but contains hidden links that are only visible when the email is viewed in a specific way, such as using a particular email client or viewing the email’s source code.

Attackers who open the hidden links are identified and their actions logged. This information can be used to improve defenses and make it more difficult for attackers to phish employees.

Deceptive Kerberos Authentication

Goal: Detect attackers attempting to exploit Kerberos for privilege escalation or lateral movement.

Approach: Creating deceptive Kerberos services or accounts to lure attackers and monitor their activities.

Deploy fake Kerberos services or configure deceptive service principal names (SPNs) that appear to grant access to sensitive resources or systems. Monitor these for unauthorized access attempts or suspicious Kerberos ticket requests.
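The monitoring step, as an added example that is not part of the original page: a small detector over Windows Security event 4769 (Kerberos service ticket request) records that alerts whenever the requested ServiceName is one of the decoy SPN accounts. The decoy account name, its SPN, and the sample events are constructed for illustration.

```python
# Added example (not from the original page): flag Kerberos TGS requests
# (Security event 4769) for a decoy SPN. Names and events are constructed.
from dataclasses import dataclass

# Constructed decoy service accounts: nothing legitimate ever requests them.
DECOY_SPNS = {"svc-sqlbackup": "MSSQLSvc/sql-backup01.corp.example:1433"}
RC4_HMAC = "0x17"  # TicketEncryptionType value for an RC4-HMAC ticket

@dataclass
class TgsEvent:
    event_id: int
    account: str    # TargetUserName: who requested the ticket
    client_ip: str  # IpAddress of the requester
    service: str    # ServiceName: account backing the requested SPN
    etype: str      # TicketEncryptionType

# Constructed sample log: normal traffic plus one request for the decoy.
SAMPLE_EVENTS = [
    TgsEvent(4769, "alice", "10.0.1.25", "krbtgt", "0x12"),
    TgsEvent(4769, "bob", "10.0.1.40", "FILESERVER01$", "0x12"),
    TgsEvent(4769, "alice", "10.0.1.25", "svc-sqlbackup", "0x17"),
    TgsEvent(4768, "bob", "10.0.1.40", "krbtgt", "0x12"),  # TGT, not TGS
]

def find_decoy_requests(events):
    """Return one alert per 4769 event whose ServiceName is a decoy account.

    Any ticket request for a decoy SPN is suspicious by construction; an RC4
    ticket is ranked higher because current clients negotiate AES, so RC4
    usually indicates a deliberately downgraded request.
    """
    alerts = []
    for ev in events:
        if ev.event_id != 4769:
            continue
        spn = DECOY_SPNS.get(ev.service.rstrip("$").lower())
        if spn is None:
            continue
        alerts.append({
            "severity": "high" if ev.etype == RC4_HMAC else "medium",
            "requester": ev.account,
            "client_ip": ev.client_ip,
            "decoy_spn": spn,
        })
    return alerts

if __name__ == "__main__":
    for alert in find_decoy_requests(SAMPLE_EVENTS):
        print(alert)
```

In production the records would come from the domain controllers' Security logs or a SIEM export rather than the constructed list, and the decoy account should have no other use so that every hit is worth triage.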

C2 Honeyclients

Goal: Identify compromised systems by deploying decoy clients that mimic C2 communication patterns.

Approach: Monitoring network traffic for connections to C2 honeyclients.

Deploy decoy clients (“honeyclients”) that mimic the behavior of infected systems communicating with C2 servers. Monitor any attempts to connect to or control these honeyclients to identify compromised systems and attacker infrastructure.

Deceptive Network Shares

Goal: Detect attempts to access sensitive or restricted network shares.

Approach: Creating and monitoring fake network shares.

Create fake network shares with enticing names or permissions that appear to contain valuable data. Monitor any access attempts to these shares to identify attackers and gather information about their activities.

Deceptive Named Pipe Server

Goal: Detect attempts to communicate with known malicious named pipes.

Approach: Monitoring for connections to deceptive named pipes.

This element creates a named pipe with a name commonly used by malware. When malware attempts to connect, the deceptive server captures information about the malware and can optionally deliver a deceptive payload.