Fake Interrupt Handler

Register a decoy interrupt handler that intercepts specific hardware or software interrupts and responds with misleading information or triggers deceptive actions. This can be used to confuse attackers, disrupt their tools, or gather information about their techniques.

Phantom Threads

Create decoy threads within legitimate processes that exhibit unusual or suspicious behavior, such as accessing sensitive registry keys or making unexpected API calls. This can be used to lure attackers into investigating these threads, wasting their time and potentially revealing their tools and techniques.

Deceptive API Call Hooking with Modified Return Values

Intercept specific API calls made by applications and return modified or fabricated data to mislead attackers or disrupt their tools. This can be used to conceal sensitive information, trigger errors in attacker utilities, or gather intelligence on their techniques.

Fake Named Pipe with Delayed Response

Create a decoy named pipe that mimics a legitimate inter-process communication channel but introduces a significant delay before responding to client requests. This can be used to identify attackers attempting to exploit vulnerabilities or gather information through named pipes, as well as to disrupt their activities.

Fake Network Service with Unexpected Protocol Behavior

Deploy a network service that mimics a legitimate one but responds to requests with unexpected or non-compliant protocol behavior. This can be used to confuse attackers, trigger errors in their tools, or gather information about their scanning techniques, since no legitimate client has a reason to contact the decoy.
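As an added example that is not part of the original list, covering both the delayed-response decoy above (Fake Named Pipe with Delayed Response) and this fake network service: a minimal TCP decoy in Python that records who probed it, waits before answering, then trickles a deliberately non-compliant reply one byte at a time. The constant names, delay values and decoy replies are all assumptions made for this example; a real deployment would forward each record to a SIEM instead of keeping it in a list.

```python
import select
import socket
import threading
import time

RESPONSE_DELAY_S = 0.3     # constructed tarpit delay before the first reply byte
TRICKLE_INTERVAL_S = 0.01  # constructed gap between reply bytes (both are assumptions)

def classify_probe(probe: bytes) -> str:
    if probe.startswith((b"GET ", b"HEAD ", b"POST ", b"OPTIONS ")):
        return "http"
    return "banner-grab" if not probe else "unknown"  # empty: client waited for us

def build_decoy_response(probe: bytes) -> bytes:
    """A reply no compliant server sends; scanners that parse it reveal themselves."""
    if classify_probe(probe) == "http":  # unassigned status, folded header, short body
        return (b"HTTP/1.1 299 Not A Status\r\nContent-Length: 4096\r\n"
                b"X-Decoy:\r\n folded\r\n\r\nok")
    return b"220 decoy.invalid ESMTP\r\n220 decoy.invalid ESMTP\r\n"  # doubled greeting

def record_probe(peer, probe: bytes) -> dict:  # the alert record a SIEM would ingest
    return {"peer_ip": peer[0], "peer_port": peer[1],
            "kind": classify_probe(probe), "probe_hex": probe[:64].hex()}

def serve_one(listener: socket.socket, events: list) -> None:
    conn, peer = listener.accept()
    listener.close()
    with conn:
        ready = select.select([conn], [], [], 0.5)[0]   # wait briefly for a probe
        probe = conn.recv(256) if ready else b""
        events.append(record_probe(peer, probe))        # log before we answer
        time.sleep(RESPONSE_DELAY_S)                    # the deliberate delay
        for byte in build_decoy_response(probe):        # trickle byte by byte
            conn.sendall(bytes([byte]))
            time.sleep(TRICKLE_INTERVAL_S)

def start_decoy() -> tuple:
    listener = socket.create_server(("127.0.0.1", 0))  # ephemeral port, one client
    events = []
    threading.Thread(target=serve_one, args=(listener, events), daemon=True).start()
    return listener.getsockname()[1], events

def probe_decoy(port: int, payload: bytes) -> tuple:
    """Play the scanner: send a probe, read to EOF, return (reply, seconds taken)."""
    start, chunks = time.monotonic(), []
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        while data := c.recv(4096):
            chunks.append(data)
    return b"".join(chunks), time.monotonic() - start
```

Calling `start_decoy()` and then `probe_decoy(port, b"GET / HTTP/1.1\r\n\r\n")` from the same process shows the full exchange: the probe is logged, the reply arrives only after the delay, and the status line is one no real server emits.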

Deceptive Exception Handling

Goal: To identify attackers attempting to exploit vulnerabilities or gain information through exception handling mechanisms.

Approach: Monitoring exception handling routines and providing deceptive responses. This element involves modifying those routines so that they return misleading information or redirect execution flow.

By manipulating exception handling, this element can disrupt attacker tools, gather information about their activities, or conceal sensitive data.

Fake System Call Table

Goal: To identify and mislead attackers attempting to hijack system calls for malicious purposes.

Approach: Monitoring system call activity and providing deceptive responses. This element involves manipulating the system call table to redirect specific calls to deceptive functions.

By redirecting system calls, this element can disrupt attacker tools, gather information about their activities, or lead them to controlled environments.

Deceptive API Call Responses

Goal: To identify and mislead attackers attempting to manipulate system behavior through API hooking.

Approach: Monitoring API calls and providing deceptive responses. This element involves intercepting specific API calls and returning misleading or unexpected data to attackers.

By manipulating API call responses, this element can confuse attackers, disrupt their tools, or lead them down false paths.

Deceptive Access Tokens

Goal: Disrupt attackers’ attempts to leverage stolen or forged access tokens for unauthorized access.

Approach: Introducing deceptive access tokens that lead to decoy resources or trigger alerts.

Inject fake access tokens into processes or memory that appear to grant access to sensitive data or critical systems. These tokens can be designed to mislead attackers, cause their tools to malfunction, or trigger alerts upon usage.

Deceptive C2 Protocols

Goal: Disrupt attacker communications by manipulating C2 protocols or introducing unexpected behavior.

Approach: Modifying C2 protocols or introducing anomalies to confuse attackers.

Modify existing C2 protocols or introduce subtle anomalies in communication patterns to confuse attackers, disrupt their tools, or trigger alerts. This can involve changing data formats, introducing delays, or injecting unexpected commands.