Deploy a decoy SIEM that collects and displays fabricated security events and alerts. This can be used to mislead attackers, waste their time, or gather information about their attempts to tamper with or evade security monitoring systems.
Tag: EAC0015
Hidden Memory Region with Decoy Data
Allocate a hidden memory region within a process’s address space and populate it with fabricated data that mimics sensitive information or critical code. Monitor access attempts to this region to identify attackers attempting to extract data or inject malicious code.
Honeycomb Registry Hive
Create a decoy registry hive containing fabricated registry keys and values that mimic legitimate system configurations but contain misleading or deceptive information. Monitor access to this hive to identify attackers attempting to gather system information or modify registry settings.
Phantom Threads
Create decoy threads within legitimate processes that exhibit unusual or suspicious behavior, such as accessing sensitive registry keys or making unexpected API calls. This can be used to lure attackers into investigating these threads, wasting their time and potentially revealing their tools and techniques.
Fake WMI Provider with Deceptive Data
Create a decoy WMI provider that responds to attacker queries with fabricated or misleading information. This can be used to confuse attackers, disrupt their reconnaissance efforts, or gather information about their WMI-based tools and techniques.
Deceptive API Call Hooking with Modified Return Values
Intercept specific API calls made by applications and return modified or fabricated data to mislead attackers or disrupt their tools. This can be used to conceal sensitive information, trigger errors in attacker utilities, or gather intelligence on their techniques.
Fake SSH Server with Interactive Honeytrap
Deploy a fake SSH server that mimics a legitimate one but presents an interactive shell environment with fabricated system information and files. This can be used to engage attackers, gather information about their skills and intentions, and waste their time.
Deceptive Web Application with Fake Login Form
Create a decoy web application that mimics a legitimate login page but captures attacker credentials and redirects them to a controlled environment. This can be used to identify attackers, gather information about their targets, and prevent them from accessing real systems.
Fake API Gateway
Deploy a decoy API gateway that mimics a legitimate one but intercepts requests and returns fabricated or manipulated responses. This can be used to mislead attackers, disrupt their tools, or gather information about their intentions.
Google Cloud Functions Honeypot
Deploy a decoy Google Cloud Function that appears to perform a sensitive operation (e.g., accessing a database, processing payment information) but, in reality, only logs invocation attempts and attacker-supplied data.