What is the goal of this operation: To lure attackers into interacting with a deceptive SMB share, exposing their presence and gathering intelligence on their tools, techniques, and procedures (TTPs).
What's the approach of this operation or element? This element collects information about attackers who interact with the deceptive share: it detects their presence and activity on the share, records what they do there, and feeds the gathered data into analysis of their TTPs and motivations.
Description of Element:
This active defense element involves setting up a deceptive SMB share on a dedicated Windows host within the network. The share is configured to appear as a legitimate network backup or file share and contains enticing files and documents (pocket litter) such as "password.txt" or "confidential_reports.xlsx". These files contain fabricated data rather than anything real, and access to them is instrumented so that any read, copy, or enumeration raises an alert. Because no legitimate user or process has a reason to touch the share, every interaction with it is a high-fidelity signal of attacker activity.
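The following PowerShell is an added worked example, not code from the original page, showing one way to build the element described above on the decoy host: create the share, seed it with pocket litter, put a SACL on the folder so the Windows Security log records every read (event 4663 for file access, 5145 for access via the share), and pull those events back as alerts. The share name `Backups`, the path `C:\DecoyBackups`, the file names and the fabricated credentials inside them are all assumptions chosen for illustration.

```powershell
# Added example (not from the original page): deceptive SMB share with pocket
# litter and object-access auditing. Run as Administrator on the decoy host.
# Share name, path, file names and file contents are assumptions.

$SharePath = 'C:\DecoyBackups'
$ShareName = 'Backups'

# 1. Create the folder and the pocket litter. All contents are fabricated.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
Set-Content -Path (Join-Path $SharePath 'password.txt') -Value @'
# legacy service accounts (migrated 2019)
svc_backup : Winter2019!
svc_sql    : Backup$rv01
'@
# Placeholder body; a real deployment would drop a genuine (but fake) workbook here.
Set-Content -Path (Join-Path $SharePath 'confidential_reports.xlsx') -Value 'decoy'

# Backdate timestamps so the decoys do not look freshly planted.
Get-ChildItem -Path $SharePath | ForEach-Object {
    $_.CreationTime = $_.LastWriteTime = (Get-Date).AddMonths(-14)
}

# 2. Publish the share read-only. An attacker can list and open files (which is
#    what we want to observe) but cannot stage tooling on the decoy.
New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess 'Everyone' `
    -Description 'Nightly backups' | Out-Null

# 3. Turn on the audit subcategories that produce 4663 and 5145, then add a
#    SACL entry so successful reads under the folder are logged.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null

$acl  = Get-Acl -Path $SharePath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, ListDirectory',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Collection: any 4663/5145 that names the decoy path or share is an alert.
#    Properties[1] is SubjectUserName for both event IDs.
function Get-DecoyAccess {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663, 5145
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match [regex]::Escape($SharePath) -or
        $_.Message -match "\\$ShareName\b"
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $_.Properties[1].Value
            Object  = (($_.Message -split "`n") |
                       Where-Object { $_ -match 'Object Name|Relative Target Name' }) -join ' '
        }
    }
}

Get-DecoyAccess -Hours 1
```

Two practical caveats. The "Detailed File Share" subcategory is noisy on a busy file server, which is one reason the element calls for a dedicated host: there, every 5145 is interesting. And the decoy must never hold real credentials or data; the fabricated passwords above exist only so that a later authentication attempt with them, anywhere in the network, becomes a second detection signal.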