Fake Windows System Files

Goal: To identify attackers attempting to access or modify sensitive system files.

Approach: Monitoring access to the fake system files and analyzing attacker behavior.

This element involves placing decoy files on the host that mimic legitimate system or configuration files (for example a leftover install answer file or an old registry hive backup) but contain fabricated content. No legitimate process has a reason to open them, and each decoy carries an audit SACL so that every read, write or delete attempt produces an object-access event in the Security log.

Any account or process that opens or modifies a decoy is identified and the access (account, process, access type) is logged. Because legitimate software never touches the decoy, a single hit is a high-fidelity alert, and the fabricated content means whatever the attacker learns about the system or changes in its configuration leads nowhere. Backup agents, indexers and antivirus scanners open every file, so either keep them out of the audit scope or filter them explicitly; otherwise they drown the signal.

Deceptive Windows API Calls

Goal: To identify attacker tooling by the Windows API calls it makes, and to feed it misleading results.

Approach: Hooking selected API functions, logging the calls and analyzing attacker behavior.

This element involves instrumenting (hooking) selected Windows API functions so that calls from untrusted processes return misleading results that look legitimate: a process list with no security tools in it, a credential store that yields decoy credentials, a registry query answered with decoy values. The calls themselves are the attacker's; the deception is in what they return.

A process that makes the hooked calls is identified and the call (caller, arguments, value returned) is logged. This information can be used to improve defenses and to make it harder for attackers to interact with the system. One caveat: user-mode hooks can be bypassed by tooling that issues system calls directly or unhooks the patched DLLs, so treat them as one sensor among several and keep deception the attacker cannot route around (the decoy objects themselves) in place alongside them.

Deceptive Windows Registry Keys

Goal: To identify attackers attempting to enumerate or modify sensitive registry keys.

Approach: Monitoring access to the deceptive registry keys and analyzing attacker behavior.

This element involves creating decoy registry keys and values that look like the things attackers hunt for in the registry (stored service credentials, connection strings, auto-logon settings, unusual service or Run entries) but hold fabricated data. As with decoy files, each key carries an audit SACL so that access and modification produce Security log events (object access, and value-modified events when a value is written).

Any account or process that enumerates, reads or modifies a decoy key is identified and the access is logged, together with the process that made it. This information can be used to improve defenses and to make it harder for attackers to gather information about the system or modify its configuration, since what they read back is wrong and what they change has no effect on the real system.

Deceptive SAML IdP

Goal: To gather information about attackers attempting to exploit a SAML identity provider or the trust relationships built on it, and to detect their presence.

Approach: Monitoring access to the deceptive SAML IdP and analyzing attacker behavior.

The decoy IdP publishes metadata and single sign-on endpoints and accepts authentication requests, but never issues assertions that any real service provider trusts. Attackers who direct authentication requests at it, probe its metadata, or submit forged or replayed assertions are misled, and every request is logged. The decoy must never be registered as a trusted IdP by a real service provider; if it were, it would be a backdoor rather than a sensor.

Fake OAuth 2.0 Server

Goal: To gather information about attackers attempting to exploit an OAuth 2.0 authorization server or the clients and tokens that depend on it, and to detect their presence.

Approach: Monitoring access to the fake OAuth 2.0 server and analyzing attacker behavior.

The decoy exposes authorization and token endpoints and, unlike a real server, accepts whatever client credentials, codes or passwords it is shown. Attackers who request tokens from it are issued decoy tokens and misled; the request (client ID, grant type, scope, source address) is logged, and because the tokens are recognisably decoys, their later use at a resource server is traceable. Decoy client IDs and secrets can be planted in configuration files and repositories so that any use of them proves theft. No real resource server may accept tokens issued by the decoy.
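The following is an added example of the token-endpoint side of such a decoy, written for this page rather than taken from any product. It accepts every request so the intruder keeps going, records each request as an alert, and issues bearer tokens that carry an HMAC tag, so a resource server that shares the tag key can recognise a decoy token the moment it is presented. The key, the endpoint shape, the field names in the alert record and the sample request are all assumptions for illustration.

```python
"""Decoy OAuth 2.0 token endpoint logic.

A real authorization server rejects unknown clients; the decoy accepts every
client_id, secret, code or password it is shown so the intruder keeps going,
and records each request. Tokens it issues carry an HMAC tag computed with a
key shared with the decoy resource server, so a decoy token is recognised
anywhere that knows the key.

Added example: the key, the endpoint shape and the sample request are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

TAG_KEY = b"constructed-example-key-rotate-in-production"  # shared with the decoy resource server
SUPPORTED_GRANTS = {"client_credentials", "authorization_code", "refresh_token", "password"}
ALERTS = []  # stand-in for a SIEM forwarder


def _fingerprint(value):
    """Keep a hash rather than the raw secret: enough to correlate with known leaked values later."""
    return hashlib.sha256(value.encode()).hexdigest()[:16] if value else None


def issue_decoy_token():
    """Opaque-looking bearer token: random body + truncated HMAC tag over the body."""
    body = secrets.token_urlsafe(24)
    tag = hmac.new(TAG_KEY, body.encode(), hashlib.sha256).digest()[:12]
    return body + "." + base64.urlsafe_b64encode(tag).decode()


def is_decoy_token(token):
    """Resource-server side: does this bearer token carry a valid decoy tag?"""
    body, _, tag_b64 = token.rpartition(".")
    if not body:
        return False
    try:
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # binascii.Error is a ValueError
        return False
    expected = hmac.new(TAG_KEY, body.encode(), hashlib.sha256).digest()[:12]
    return hmac.compare_digest(tag, expected)


def _client_from_basic_auth(headers):
    """RFC 6749 also allows client credentials in an HTTP Basic header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "", ""
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return "", ""
    return user, pw


def handle_token_request(body, client_ip, headers=None):
    """Emulate POST /oauth/token (form-encoded). Returns (HTTP status, JSON-able dict)."""
    headers = headers or {}
    p = {k: v[0] for k, v in parse_qs(body).items()}
    client_id, client_secret = _client_from_basic_auth(headers)
    client_id = client_id or p.get("client_id", "")
    client_secret = client_secret or p.get("client_secret", "")
    grant = p.get("grant_type", "")

    # Every request is an alert: nothing legitimate ever talks to this endpoint.
    ALERTS.append({
        "ts": int(time.time()),
        "src_ip": client_ip,
        "user_agent": headers.get("User-Agent"),
        "grant_type": grant,
        "client_id": client_id,
        "client_secret_fp": _fingerprint(client_secret),
        "code": p.get("code"),
        "redirect_uri": p.get("redirect_uri"),
        "username": p.get("username"),
        "password_fp": _fingerprint(p.get("password", "")),
        "scope": p.get("scope"),
        "outcome": "issued" if grant in SUPPORTED_GRANTS else "rejected",
    })

    if grant not in SUPPORTED_GRANTS:
        return 400, {"error": "unsupported_grant_type"}  # same error shape as a real server
    resp = {"access_token": issue_decoy_token(), "token_type": "Bearer", "expires_in": 3600}
    if p.get("scope"):
        resp["scope"] = p["scope"]
    if grant in ("authorization_code", "password"):
        resp["refresh_token"] = issue_decoy_token()
    return 200, resp


if __name__ == "__main__":
    # Constructed request: a leaked-looking client secret used from an unfamiliar address.
    status, resp = handle_token_request(
        "grant_type=client_credentials&client_id=backup-sync&client_secret=leaked-secret-123&scope=files.read",
        "203.0.113.7", {"User-Agent": "python-requests/2.31"})
    print(status, resp)
    print("alert:", ALERTS[-1])
    print("decoy token recognised:", is_decoy_token(resp["access_token"]))
```

The design choice worth noting is that the decoy never says "invalid_client": an attacker trying a stolen secret against a real server learns it is dead, whereas here they get a token and carry on, and the fingerprint lets you check later which leaked secret they were holding without storing it in clear. Wire `is_decoy_token` into the decoy resource server (or a real gateway, as a deny-and-alert rule) so that presentation of the token is the second, louder signal.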

Deceptive Kerberos Server

Goal: To gather information about attackers attempting to exploit Kerberos (ticket requests for accounts they should not need, ticket forgery or replay) and to detect their presence.

Approach: Monitoring access to the deceptive Kerberos server and analyzing attacker behavior.

Attackers who direct authentication or service-ticket requests at the decoy, or who submit manipulated tickets to it, are misled, and the requests are logged. On a production domain the same idea is usually realized inside the real KDC with decoy service principals: accounts that carry a service principal name, are never used by anything legitimate, and therefore should never see a service-ticket request. Any such request is an alert, and a request for a ticket with the weaker RC4 encryption type that ticket-cracking tools ask for deserves the highest priority.
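The decoy files, decoy registry keys and decoy Kerberos service principals described above all surface in the same place, the Windows Security log, so one detector serves all three. The following is an added example written for this page, not code from any product: it takes Windows Security events (4663 object access for the decoy files and registry keys, which only fires once the decoy object carries an audit SACL; 4769 service-ticket requests for the decoy service principals), matches them against a decoy catalogue and emits alerts. The decoy names, the allow-listed backup agent path and the sample event records are constructed; the field names follow the EventData of the real events, and mapping them from an XML or JSON export is left to the collector.

```python
"""Match Windows Security events against a decoy catalogue.

Decoy files and registry keys: each object carries an audit SACL, so access
produces Event ID 4663 ("An attempt was made to access an object") with
ObjectType File or Key. Decoy service principals: accounts with an SPN that
nothing legitimate uses, so any Event ID 4769 ("A Kerberos service ticket was
requested") naming them is an intrusion signal.

Added example; decoy names, allow-list and sample events are constructed.
"""
from fnmatch import fnmatch

# Decoy catalogue (constructed). Globs are matched case-insensitively.
DECOY_FILES = [
    r"C:\Windows\Panther\Unattend\Unattend.xml",   # looks like leftover install answers
    r"C:\Windows\System32\config\RegBack_old\*",   # looks like an old hive backup
]
DECOY_REG_KEYS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Contoso\BackupAgent\Credentials*",
    r"\REGISTRY\MACHINE\SOFTWARE\Contoso\SQLDeploy\ConnectionString*",
]
DECOY_SPNS = {"svc-sqlbackup", "svc-legacyweb"}   # sAMAccountNames of decoy service accounts

# Processes allowed to touch decoys without alerting. Keep this tiny: backup agents
# and scanners open every file and would otherwise drown the signal.
ALLOWED_PROCESSES = {r"c:\program files\contoso\backupagent\agent.exe"}

# Low AccessMask bits as 4663 reports them, per object type.
ACCESS_BITS = {
    "File": {0x1: "read", 0x2: "write", 0x4: "append", 0x10000: "delete", 0x40000: "write_dac"},
    "Key": {0x1: "query_value", 0x2: "set_value", 0x4: "create_subkey", 0x8: "enum_subkeys", 0x10000: "delete"},
}
MODIFYING = {"write", "append", "delete", "write_dac", "set_value", "create_subkey"}


def _matches(name, patterns):
    return any(fnmatch(name.lower(), p.lower()) for p in patterns)


def decode_access(mask_hex, object_type):
    """Turn '0x10001' into ['read', 'delete']; unknown bits fall back to the raw mask."""
    mask = int(mask_hex, 16)
    names = [label for bit, label in ACCESS_BITS.get(object_type, {}).items() if mask & bit]
    return names or [mask_hex]


def check_object_access(ev):
    """Event 4663: alert when ObjectName is a decoy and the process is not allow-listed."""
    obj_type, name = ev.get("ObjectType"), ev.get("ObjectName", "")
    if obj_type == "File" and _matches(name, DECOY_FILES):
        kind = "decoy_file"
    elif obj_type == "Key" and _matches(name, DECOY_REG_KEYS):
        kind = "decoy_registry_key"
    else:
        return None
    if ev.get("ProcessName", "").lower() in ALLOWED_PROCESSES:
        return None
    access = decode_access(ev.get("AccessMask", "0x0"), obj_type)
    return {
        "kind": kind,
        "severity": "high" if MODIFYING & set(access) else "medium",  # tampering outranks reading
        "object": name,
        "access": access,
        "account": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
        "process": ev.get("ProcessName"),
        "host": ev.get("Computer"),
    }


def check_ticket_request(ev):
    """Event 4769: any TGS request for a decoy principal alerts; RC4 (0x17) is the cracking tell."""
    svc = ev.get("ServiceName", "").lower()
    if svc not in DECOY_SPNS:
        return None
    etype = ev.get("TicketEncryptionType", "").lower()
    return {
        "kind": "decoy_spn_ticket_request",
        "severity": "high" if etype == "0x17" else "medium",
        "service": svc,
        "etype": etype,
        "requester": ev.get("TargetUserName"),
        "src_ip": ev.get("IpAddress", "").removeprefix("::ffff:"),  # DCs log IPv4 as mapped IPv6
        "host": ev.get("Computer"),
    }


CHECKS = {4663: check_object_access, 4769: check_ticket_request}


def detect(events):
    """Run every event through the check for its EventID; return the alerts raised."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: two decoy hits, one allow-listed scan, one benign file,
# one decoy SPN request with RC4, one ordinary machine-account ticket.
SAMPLE_EVENTS = [
    {"EventID": 4663, "Computer": "WS01", "ObjectType": "File", "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\Panther\Unattend\Unattend.xml",
     "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4663, "Computer": "WS01", "ObjectType": "File", "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\Panther\Unattend\Unattend.xml",
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Program Files\Contoso\BackupAgent\agent.exe"},
    {"EventID": 4663, "Computer": "WS01", "ObjectType": "Key", "AccessMask": "0x2",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\BackupAgent\Credentials",
     "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\reg.exe"},
    {"EventID": 4663, "Computer": "WS01", "ObjectType": "File", "AccessMask": "0x1",
     "ObjectName": r"C:\Users\jdoe\Documents\notes.txt",
     "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4769, "Computer": "DC01", "ServiceName": "svc-sqlbackup",
     "TicketEncryptionType": "0x17", "TargetUserName": "jdoe@CONTOSO.LOCAL",
     "IpAddress": "::ffff:10.20.30.40"},
    {"EventID": 4769, "Computer": "DC01", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "TargetUserName": "jdoe@CONTOSO.LOCAL",
     "IpAddress": "::ffff:10.20.30.40"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Three of the six constructed events raise alerts: the PowerShell read of the decoy answer file (medium), the `reg.exe` write to the decoy credentials key (high, because it is a modification) and the RC4 service-ticket request for `svc-sqlbackup` (high). The backup agent's read is suppressed by the allow-list and the user's own notes file is not a decoy at all, which is the whole point: the decoy catalogue, not a behavioural threshold, decides what is suspicious.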

Deceptive Password Reset Mechanisms

Goal: Detect and slow attackers attempting to reset passwords or gain unauthorized access through password recovery mechanisms.

Approach: Introducing deceptive password reset flows that delay attackers or lead them to decoy systems.

Implement decoy password reset pages or email flows that appear to process reset requests but instead capture the requester's details (source address, target account, answers supplied), delay their progress, or redirect them to controlled environments. The decoy flow must be reachable only through paths a legitimate user would never take (a link planted in a decoy document, a hostname that appears only in seeded data), otherwise it captures real users and generates false positives.

Deceptive Identity-as-a-Service (IDaaS)

Goal: Identify attackers attempting to use compromised accounts for lateral movement or unauthorized access to cloud resources.

Approach: Deploying fake IDaaS endpoints that mimic legitimate services but capture attacker interactions.

Create decoy IDaaS endpoints (login portals, token and directory endpoints) that appear to grant access to cloud resources or sensitive data. These endpoints capture every request, log the account and source used, and can redirect the attacker to controlled environments. Seed their URLs and decoy account names where an attacker with a compromised account would find them, such as bookmarks, configuration files or directory attributes, so that a request proves the seed was taken.

Deceptive Identity APIs

Goal: Gather information about attackers' activities and tools by deploying deceptive identity APIs.

Approach: Creating fake identity APIs that mimic legitimate services but capture attacker interactions.

Deploy decoy APIs that mimic identity management services such as user provisioning, authentication or authorization, with realistic response shapes and error codes. These APIs capture attacker requests, log their activities (endpoints called, credentials or tokens presented, client software) and return misleading information, for example fabricated user listings or decoy credentials whose later use is itself an alert.

Deceptive User Permissions

Goal: Thwart attackers' attempts to exploit user permissions for lateral movement or unauthorized access.

Approach: Implementing misleading access control lists (ACLs) or fake permissions to misdirect attackers.

Configure deceptive permissions on files, folders, or other resources that suggest access to sensitive data or critical systems, for example a decoy account that appears to hold broad rights over a decoy share or group. Tools that enumerate ACLs to find privilege-escalation paths then lead the attacker toward decoy assets, and any attempt to exercise those permissions triggers an alert. The deception must be about value, not about access: a decoy permission must never actually grant rights on a real asset, and the decoy account's own credentials should be treated as honeytokens whose use is alerted on.