Register a decoy OAuth 2.0 client whose consent screen mimics a legitimate Google service but requests excessive or unusual scopes. Monitor interactions with this screen (consent grants, token requests, hits on its redirect URI) to identify attackers attempting to trick users into granting unauthorized access. Keep the client out of any path real users follow, so that every interaction with it is suspect by construction.
Tag: EAC0018
Fake Google Workspace Shared Drive with “Confidential” Documents
Create a decoy Google Workspace Shared Drive containing fabricated documents whose names suggest sensitive content (e.g., “Financial Projections,” “Customer Database”). Because no legitimate workflow touches the drive, treat every view, download or share event on it in the Drive audit log as an alert; the event records which account, from which IP address, touched which file, which is what you need to identify an attacker attempting to exfiltrate data.
Fake Google Cloud Service Accounts with High Permissions
Create decoy service accounts with names suggesting elevated privileges (e.g., “deployment-admin,” “database-owner”) but give them no IAM bindings, so that a key or token for them is useless except as a tripwire. Plant keys for these accounts where an intruder would look (CI variables, configuration repositories, bastion home directories) and alert on any authentication or API call made as these principals in Cloud Audit Logs. Even a denied call matters: it shows that someone has obtained the key or is impersonating the account, which points at privilege escalation or lateral movement in progress.
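The detection side of the decoy service account, as an added example that is not part of the original catalog: a parser over Cloud Audit Log entries that raises a hit whenever the authenticated principal is one of the decoy accounts, whether the call succeeded or was denied, and whether it came through a planted key or an impersonated token. The project name, account names, addresses and log lines are constructed assumptions, and the entries are trimmed to the AuditLog fields the code reads.

```python
"""Flag any use of decoy GCP service accounts in Cloud Audit Log entries.

Added example with constructed data: the project, account names, key id,
addresses and log lines are assumptions, not taken from a real environment.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed decoy identities. They hold no IAM bindings, so no legitimate caller uses them.
DECOY_SERVICE_ACCOUNTS = {
    "deployment-admin@example-prod.iam.gserviceaccount.com",
    "database-owner@example-prod.iam.gserviceaccount.com",
}

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED in protoPayload.status.code


@dataclass(frozen=True)
class DecoyHit:
    principal: str
    method: str
    caller_ip: str
    key_name: str   # empty when the token was minted by impersonation rather than a key
    denied: bool


def parse_audit_entry(line: str) -> Optional[dict]:
    """Return the AuditLog protoPayload of a Cloud Logging entry, or None for anything else."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    payload = entry.get("protoPayload") or {}
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None
    return payload


def decoy_hits(lines: Iterable[str], decoys=DECOY_SERVICE_ACCOUNTS) -> List[DecoyHit]:
    """Every entry whose authenticated principal is a decoy account, successful or denied."""
    hits = []
    for line in lines:
        payload = parse_audit_entry(line)
        if payload is None:
            continue
        auth = payload.get("authenticationInfo", {})
        principal = auth.get("principalEmail", "")
        if principal not in decoys:
            continue
        meta = payload.get("requestMetadata", {})
        hits.append(DecoyHit(
            principal=principal,
            method=payload.get("methodName", ""),
            caller_ip=meta.get("callerIp", ""),
            key_name=auth.get("serviceAccountKeyName", ""),
            denied=payload.get("status", {}).get("code") == PERMISSION_DENIED,
        ))
    return hits


# Constructed sample entries in the shape of Cloud Logging JSON with an AuditLog protoPayload.
SAMPLE_LOG_LINES = [
    # Ordinary CI traffic from a real account: ignored.
    json.dumps({"protoPayload": {"@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {"principalEmail": "ci-runner@example-prod.iam.gserviceaccount.com"},
        "methodName": "storage.objects.get",
        "requestMetadata": {"callerIp": "10.0.4.12"}}}),
    # A planted key for the decoy used from an unknown address; the account has no
    # bindings, so the call fails with PERMISSION_DENIED, but the key was used.
    json.dumps({"protoPayload": {"@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {
            "principalEmail": "deployment-admin@example-prod.iam.gserviceaccount.com",
            "serviceAccountKeyName": "//iam.googleapis.com/projects/example-prod/serviceAccounts/"
                                     "deployment-admin@example-prod.iam.gserviceaccount.com/keys/0a1b2c3d"},
        "methodName": "google.iam.admin.v1.ListServiceAccounts",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "requestMetadata": {"callerIp": "203.0.113.45"}}}),
    # The other decoy used without a key: its token was minted by impersonation, so some
    # principal holding roles/iam.serviceAccountTokenCreator on it is already compromised.
    json.dumps({"protoPayload": {"@type": AUDIT_LOG_TYPE,
        "authenticationInfo": {"principalEmail": "database-owner@example-prod.iam.gserviceaccount.com"},
        "methodName": "storage.buckets.list",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "requestMetadata": {"callerIp": "198.51.100.7"}}}),
    # A non-audit entry: skipped by the parser.
    json.dumps({"textPayload": "healthcheck ok"}),
]

if __name__ == "__main__":
    for hit in decoy_hits(SAMPLE_LOG_LINES):
        print(hit)
```

Denied data-plane calls only appear if Data Access audit logs are enabled for the service in question (they are off by default for most services), so turn them on for the projects where decoy keys are planted, or the tripwire will be silent for exactly the reads an intruder tries first.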
Azure Storage Account with Honeyfiles
Create a decoy Azure Storage Account containing fabricated files that appear valuable or sensitive. Enable diagnostic logging for blob read and list operations; because the account has no legitimate readers, any GetBlob or ListBlobs request, and especially one authenticated with a leaked account key or SAS token, identifies an attacker seeking to exfiltrate data or gain unauthorized access.
Azure Kubernetes Service (AKS) Honeypod
Deploy a decoy pod within an AKS cluster that mimics a legitimate application (realistic name, labels and Service) but serves only fake data and logs every connection. Isolate it with a network policy so that no legitimate workload ever talks to it; any traffic to it, any exec into it, or any read of its mounted secrets, seen in the pod logs or the Kubernetes audit log, then identifies an attacker probing for vulnerabilities or hunting for sensitive information.
Azure Active Directory (AD) Decoy User Accounts
Create decoy user accounts in Azure AD with enticing names or roles (e.g., “admin,” “backup_admin”), blocked from signing in (disabled, or denied by a Conditional Access policy) so that a successful sign-in can never be legitimate. Monitor the sign-in log for these accounts: repeated failures against one decoy indicate brute force, a single source cycling through many usernames including the decoys indicates credential stuffing or password spraying, and any success is a critical alert.
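A classifier over sign-in log records for the decoy accounts, as an added example that is not part of the original catalog: it separates brute force against a single decoy from one source cycling through many usernames, and surfaces any success against a decoy as its own critical category. The tenant, account names, IP addresses, thresholds and records are constructed assumptions, and the records are trimmed to the userPrincipalName, ipAddress and status.errorCode fields of the sign-in log.

```python
"""Classify activity against decoy Azure AD accounts from sign-in log records.

Added example with constructed data: tenant, account names, addresses and
thresholds are assumptions, not taken from a real tenant.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Assumed decoy accounts. They are blocked from signing in, so errorCode 0 must never occur.
DECOY_ACCOUNTS = {"admin@example.com", "backup_admin@example.com"}

SUCCESS = 0                 # sign-in succeeded
INVALID_CREDENTIALS = 50126  # invalid username or password


def classify(events: Iterable[dict], decoys=DECOY_ACCOUNTS,
             stuffing_accounts: int = 5, brute_attempts: int = 10) -> Dict[str, list]:
    """Return decoy successes, brute-force (decoy, ip, count) and stuffing (ip, accounts) findings."""
    decoy_success = []
    per_decoy_ip = Counter()            # (decoy, ip) -> failed attempts
    accounts_per_ip = defaultdict(set)  # ip -> distinct usernames tried from that address
    decoy_ips = set()                   # addresses that touched any decoy at all

    for ev in events:
        upn = ev.get("userPrincipalName", "").lower()
        ip = ev.get("ipAddress", "")
        code = ev.get("status", {}).get("errorCode")
        accounts_per_ip[ip].add(upn)
        if upn not in decoys:
            continue
        decoy_ips.add(ip)
        if code == SUCCESS:
            decoy_success.append((upn, ip))
        else:
            per_decoy_ip[(upn, ip)] += 1

    # Many failures on one decoy from one address: brute force.
    brute_force = [(upn, ip, n) for (upn, ip), n in per_decoy_ip.items() if n >= brute_attempts]
    # One address trying many usernames, decoys among them: credential stuffing / spraying.
    credential_stuffing = [(ip, len(accts)) for ip, accts in accounts_per_ip.items()
                           if ip in decoy_ips and len(accts) >= stuffing_accounts]
    return {"decoy_success": decoy_success,
            "brute_force": brute_force,
            "credential_stuffing": credential_stuffing}


def sample_signins() -> List[dict]:
    """Constructed sign-in records, trimmed to the fields the classifier reads."""
    events = []

    def add(upn, ip, code):
        events.append({"userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}})

    # One address walks a username list once each: stuffing / spray.
    for name in ("admin", "backup_admin", "alice", "bob", "carol", "dave"):
        add(f"{name}@example.com", "203.0.113.9", INVALID_CREDENTIALS)
    # A second address hammers a single decoy: brute force.
    for _ in range(12):
        add("backup_admin@example.com", "198.51.100.20", INVALID_CREDENTIALS)
    # The same address then succeeds against a decoy: the sign-in block is broken
    # or the password was set by someone with directory access. Highest severity.
    add("admin@example.com", "198.51.100.20", SUCCESS)
    # Normal user activity that must not alert.
    add("alice@example.com", "192.0.2.50", SUCCESS)
    return events


if __name__ == "__main__":
    for category, findings in classify(sample_signins()).items():
        print(category, findings)
```

Real users will occasionally mistype a decoy name, so the stuffing and brute-force thresholds are there to keep noise down; the decoy_success category has no threshold, because a blocked account that signs in successfully is a control failure regardless of volume.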
Azure Web Application Firewall (WAF) Honeytrap
Put an Azure WAF in front of a decoy web application and run the policy in Detection mode (log but do not block) with intentionally permissive custom rules, so that attackers see an apparently weak target and their requests are recorded in full. Monitor the WAF logs for this application to identify malicious request patterns and gather intelligence on attack techniques; keep the decoy isolated from production so that the permissive policy cannot expose real assets.
Azure Logic App Honeypot
Deploy an inert Azure Logic App that mimics a critical workflow (for example an HTTP-triggered approval flow) but only records the caller and returns a plausible response. Its trigger URL should never appear in legitimate integrations, so monitor the run history and any attempt to trigger or modify the app; every invocation is reconnaissance or an attempt to disrupt a business process.
Azure Key Vault Honeytoken
Create an Azure Key Vault that exists only as a decoy, populated with secrets and keys whose names suggest production credentials (the vault itself is real; only its contents are fake). Turn on diagnostic logging for the AuditEvent category and alert on any SecretGet, KeyGet or List operation against it, since the only expected activity is the deployment that seeds it; a read means someone is attempting to steal sensitive information, and even a denied request reveals that the vault has been found.
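The alerting logic for the decoy vault, as an added example that is not part of the original catalog: it reads Key Vault AuditEvent records, ignores other vaults and the seeding pipeline's own identity, and grades each access by what it disclosed (a value read, an enumeration, a denied probe, or anything else). The vault name, secret names, identities, allow-listed app id and records are constructed assumptions, and the records are trimmed to the category, operationName, identity.claim, callerIpAddress and properties fields of the diagnostic log.

```python
"""Alert on access to a decoy Azure Key Vault from AuditEvent diagnostic log records.

Added example with constructed records: vault name, secret names, identities,
app ids and addresses are assumptions, not taken from a real subscription.
"""
import json
from typing import Iterable, List, Tuple

DECOY_VAULT = "kv-prod-core"  # assumed decoy vault; it holds only planted material
# Assumed app id of the pipeline that seeds the vault; its writes are the only expected traffic.
ALLOWED_APP_IDS = {"11111111-2222-3333-4444-555555555555"}

# Severity by what the operation discloses; anything else on the decoy is still "low".
SEVERITY = {
    "SecretGet": "high", "KeyGet": "high", "CertificateGet": "high",       # value returned
    "SecretList": "medium", "KeyList": "medium", "CertificateList": "medium",  # names only
}


def vault_name(resource_uri: str) -> str:
    """'https://kv-prod-core.vault.azure.net/secrets/x' -> 'kv-prod-core'."""
    host = resource_uri.split("//", 1)[-1].split("/", 1)[0]
    return host.split(".", 1)[0]


def caller_of(identity: dict) -> str:
    claim = identity.get("claim", {})
    return claim.get("upn") or claim.get("appid") or "unknown"


def alerts(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """(severity, operation, caller, callerIp) for every unexpected access to the decoy vault."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("category") != "AuditEvent":
            continue
        props = rec.get("properties", {})
        if vault_name(props.get("id") or props.get("requestUri") or "") != DECOY_VAULT:
            continue
        identity = rec.get("identity", {})
        if identity.get("claim", {}).get("appid") in ALLOWED_APP_IDS:
            continue
        op = rec.get("operationName", "")
        status = props.get("httpStatusCode")
        # A denied request (403) did not disclose anything, but the vault was targeted.
        severity = "probe" if status is not None and status != 200 else SEVERITY.get(op, "low")
        out.append((severity, op, caller_of(identity), rec.get("callerIpAddress", "")))
    return out


def _rec(op, vault, path, ip, claim, status=200, category="AuditEvent"):
    return json.dumps({"category": category, "operationName": op, "resultType": "Success",
                       "identity": {"claim": claim}, "callerIpAddress": ip,
                       "properties": {"id": f"https://{vault}.vault.azure.net/{path}",
                                      "httpStatusCode": status}})


# Constructed sample records.
SAMPLE_RECORDS = [
    # Seeding pipeline writes a planted secret: expected, ignored.
    _rec("SecretSet", DECOY_VAULT, "secrets/prod-db-password", "10.1.0.4",
         {"appid": "11111111-2222-3333-4444-555555555555"}),
    # Read of a real vault by a real app: not our concern here.
    _rec("SecretGet", "kv-billing-real", "secrets/stripe-key", "10.1.0.9",
         {"appid": "22222222-2222-2222-2222-222222222222"}),
    # Someone enumerates the decoy vault's secret names.
    _rec("SecretList", DECOY_VAULT, "secrets", "203.0.113.77",
         {"appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}),
    # Then reads the planted value with a user identity.
    _rec("SecretGet", DECOY_VAULT, "secrets/prod-db-password", "203.0.113.77",
         {"upn": "j.doe@example.com"}),
    # A denied attempt from elsewhere: the vault has been found.
    _rec("SecretGet", DECOY_VAULT, "secrets/prod-db-password", "198.51.100.3",
         {"appid": "99999999-9999-9999-9999-999999999999"}, status=403),
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_RECORDS):
        print(alert)
```

The same shape works for the storage honeyfiles above: swap the vault name check for the decoy storage account and the operation map for GetBlob and ListBlobs. A user principal name in the caller field is the most useful outcome, because it names the compromised account directly; an app id points at a compromised service principal or a leaked client secret.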
Fake SMB Share
Set up a decoy SMB share (or a dedicated fake SMB server) that looks like a legitimate file server but has no legitimate users, so that any connection, directory listing or file read triggers an alert. On Windows, enable file share auditing so that Security event IDs 5140 and 5145 record the account and source address of each access; the share can also hold deceptive payloads, such as documents carrying honeytokens, that report back when opened.