├── images ├── DaD_matrix.png └── deception_story.png ├── Deception_stories ├── Deception_techniques.md └── DS0001.md ├── Techniques ├── Lateral_movement │ ├── Taint_shared_content.md │ ├── Replication_through_removable_media.md │ ├── Pass_the_ticket.md │ ├── Remote_desktop_protocol.md │ ├── Pass_the_hash.md │ ├── Remote_file_copy.md │ ├── Exploitation_of_vulnerability.md │ └── Remote_services.md ├── Discovery │ ├── Query_registry.md │ ├── System_network_connections_discovery.md │ ├── Account_discovery.md │ ├── Network_share_discovery.md │ ├── Peripheral_device_discovery.md │ ├── System_network_configuration_discovery.md │ ├── File_and_directory_discovery.md │ ├── Network_service_scanning.md │ └── Remote_system_discovery.md ├── Credential_access │ ├── Network_sniffing.md │ ├── Keychain.md │ ├── Input_capture.md │ ├── Brute_force.md │ ├── Bash_history.md │ ├── Credentials_in_files.md │ ├── Private_keys.md │ ├── Exploitation_of_vulnerability.md │ └── Credential_dumping.md ├── Collection │ ├── Data_from_network_shared_drive.md │ ├── Data_from_removable_media.md │ ├── Email_collection.md │ ├── Input_capture.md │ ├── Automated_collection.md │ └── Data_from_local_system.md ├── Command_and_control │ ├── Commonly_used_port.md │ └── Remote_file_copy.md ├── Defense_evasion │ └── Exploitation_of_vulnerability.md └── Privilege_escalation │ └── Exploitation_of_vulnerability.md ├── README.md ├── LICENSE ├── Useful_resources.md ├── Linux-matrix.md ├── Mac-matrix.md └── Windows-matrix.md /images/DaD_matrix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x4D31/deception-as-detection/HEAD/images/DaD_matrix.png -------------------------------------------------------------------------------- /images/deception_story.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0x4D31/deception-as-detection/HEAD/images/deception_story.png 
-------------------------------------------------------------------------------- /Deception_stories/Deception_techniques.md: -------------------------------------------------------------------------------- 1 | # Deception Techniques 2 | 3 | | Technique | Decoy | 4 | |-----------|-------| 5 | | T1-Fake Database | Simulated or real honey database | 6 | | T2-Fake Database Tables | Enticing table names with fake records | 7 | | T3-Fake Database Records | Fake records in real databases | 8 | | T4-Log Manipulation | Fake URL, address, account, and other honeytokens | 9 | | TBC | TBC | 10 | -------------------------------------------------------------------------------- /Techniques/Lateral_movement/Taint_shared_content.md: -------------------------------------------------------------------------------- 1 | # Taint Shared Content 2 | 3 | MITRE ATT&CK technique [T1080](https://attack.mitre.org/wiki/Technique/T1080) 4 | 5 | Tactic: Lateral Movement 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Create fake network shares, or create fake directories/files (i.e. honeyfiles) in real network shares, and monitor access to them using the OS file/folder auditing or FIM tools. -------------------------------------------------------------------------------- /Techniques/Discovery/Query_registry.md: -------------------------------------------------------------------------------- 1 | # Query Registry 2 | 3 | MITRE ATT&CK technique [T1012](https://attack.mitre.org/wiki/Technique/T1012) 4 | 5 | Tactic: Discovery 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Create fake registry objects and monitor access to them using Windows Registry Auditing. 11 | * Create registry objects containing breadcrumbs or honeytokens. 
12 | 13 | ### Useful Resources 14 | * [Audit Registry](https://docs.microsoft.com/en-us/windows/device-security/auditing/audit-registry) - Audit Registry allows you to audit attempts to access registry objects 15 | -------------------------------------------------------------------------------- /Techniques/Discovery/System_network_connections_discovery.md: -------------------------------------------------------------------------------- 1 | # System Network Connections Discovery 2 | 3 | MITRE ATT&CK technique [T1049](https://attack.mitre.org/wiki/Technique/T1049) 4 | 5 | Tactic: Discovery 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Open network connections to fake systems or network services (i.e. honeypots) 11 | 12 | ### Useful Tools 13 | * [Beeswarm](https://github.com/honeynet/beeswarm) - It intentionally leaks credentials in the network traffic and then looks for the unexpected reuse of these honey credentials. Beeswarm operates by deploying fake end-user systems (clients) and services (honeypots). -------------------------------------------------------------------------------- /Techniques/Lateral_movement/Replication_through_removable_media.md: -------------------------------------------------------------------------------- 1 | # Replication Through Removable Media 2 | 3 | MITRE ATT&CK technique [T1091](https://attack.mitre.org/wiki/Technique/T1091) 4 | 5 | Tactic: Lateral Movement 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Create emulated or virtual USB devices and monitor access to them (e.g. using Windows Removable Storage Auditing) 11 | 12 | ### Useful Tools 13 | * [Ghost USB Honeypot](https://github.com/honeynet/ghost-usb-honeypot) - It emulates a USB storage device to detect malwares that use such devices for propagation. Ghost supports Windows XP 32 bit and Windows 7 32 bit. 
14 | * [USB/IP](http://usbip.sourceforge.net/) project -------------------------------------------------------------------------------- /Techniques/Discovery/Account_discovery.md: -------------------------------------------------------------------------------- 1 | # Account Discovery 2 | 3 | MITRE ATT&CK technique [T1087](https://attack.mitre.org/wiki/Technique/T1087) 4 | 5 | Tactic: Discovery 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Create fake local or domain accounts 11 | * Create Kerberoast Service Account honeytoken 12 | 13 | ### Useful Tools 14 | None 15 | 16 | ### Useful Resources 17 | * [Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot](https://adsecurity.org/?p=3513) 18 | * [Busting the Honeypot – Is there really a way for attackers to detect deception](https://www.topspinsec.com/blog/busting-honeypot-really-way-attackers-detect-deception/) -------------------------------------------------------------------------------- /Techniques/Credential_access/Network_sniffing.md: -------------------------------------------------------------------------------- 1 | # Network Sniffing 2 | 3 | MITRE ATT&CK technique [T1040](https://attack.mitre.org/wiki/Technique/T1040) 4 | 5 | Tactic: Credential Access 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Inject honeytokens such as fake URLs and credentials into the network traffic 11 | * Open network connections to fake systems or network services (i.e. honeypots) 12 | 13 | ### Useful Tools 14 | * [Beeswarm](https://github.com/honeynet/beeswarm) - It intentionally leaks credentials in the network traffic and then looks for the unexpected reuse of these honey credentials. Beeswarm operates by deploying fake end-user systems (clients) and services (honeypots). 
-------------------------------------------------------------------------------- /Techniques/Discovery/Network_share_discovery.md: -------------------------------------------------------------------------------- 1 | # Network Share Discovery 2 | 3 | MITRE ATT&CK technique [T1135](https://attack.mitre.org/wiki/Technique/T1135) 4 | 5 | Tactic: Discovery 6 | 7 | Platform: Windows, Mac 8 | 9 | ### Deception Techniques 10 | * Create fake network shares, or create fake directories/files (i.e. honeyfiles) in real network shares, and monitor access to them using the OS file/folder auditing or FIM tools. 11 | * Create decoy files or documents (beacons) that phone home when opened. 12 | 13 | ### Useful Tools 14 | * [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically 15 | * [canarytokens](http://canarytokens.org) 16 | -------------------------------------------------------------------------------- /Techniques/Discovery/Peripheral_device_discovery.md: -------------------------------------------------------------------------------- 1 | # Peripheral Device Discovery 2 | 3 | MITRE ATT&CK technique [T1120](https://attack.mitre.org/wiki/Technique/T1120) 4 | 5 | Tactic: Discovery 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Create emulated or virtual USB devices and monitor access to them (e.g. using Windows Removable Storage Auditing) 11 | 12 | ### Useful Tools 13 | * [Ghost USB Honeypot](https://github.com/honeynet/ghost-usb-honeypot) - It emulates a USB storage device to detect malwares that use such devices for propagation. Ghost supports Windows XP 32 bit and Windows 7 32 bit. 
14 | * [USB/IP](http://usbip.sourceforge.net/) project 15 | * [Honeyprint](https://github.com/glaslos/honeyprint) - Printer honeypot PoC -------------------------------------------------------------------------------- /Techniques/Lateral_movement/Pass_the_ticket.md: -------------------------------------------------------------------------------- 1 | # Pass the Ticket 2 | 3 | MITRE ATT&CK technique [T1097](https://attack.mitre.org/wiki/Technique/T1097) 4 | 5 | Tactic: Lateral Movement 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Fake Kerberos ticket 11 | 12 | ### Useful Resources 13 | * [Systems and methods for the detection of advanced attackers using client side honeytokens (Patent)](https://encrypted.google.com/patents/WO2017120076A1) 14 | * [Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot](https://adsecurity.org/?p=3513) 15 | * [Busting the Honeypot – Is there really a way for attackers to detect deception](https://www.topspinsec.com/blog/busting-honeypot-really-way-attackers-detect-deception/) 16 | -------------------------------------------------------------------------------- /Techniques/Collection/Data_from_network_shared_drive.md: -------------------------------------------------------------------------------- 1 | # Data from Network Shared Drive 2 | 3 | MITRE ATT&CK technique [T1039](https://attack.mitre.org/wiki/Technique/T1039) 4 | 5 | Tactic: Collection 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Create fake network shares, or create fake directories/files (i.e. honeyfiles) in real network shares, and monitor access to them using the OS file/folder auditing or FIM tools. 11 | * Create decoy files or documents (beacons) that phone home when opened. 12 | 13 | ### Useful Tools 14 | * [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. 
fake HTTP endpoints) automatically 15 | * [canarytokens](http://canarytokens.org) 16 | -------------------------------------------------------------------------------- /Techniques/Discovery/System_network_configuration_discovery.md: -------------------------------------------------------------------------------- 1 | # System Network Configuration Discovery 2 | 3 | MITRE ATT&CK technique [T1016](https://attack.mitre.org/wiki/Technique/T1016) 4 | 5 | Tactic: Discovery 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Create breadcrumbs or honeytokens to lure the attackers toward the fake systems or network services (i.e. honeypots) 11 | * Fake entries in DNS, NetBIOS, ARP cache or hosts file 12 | * Documents/files with deceptive contents 13 | 14 | ### Useful Tools 15 | * [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history and hosts entries. -------------------------------------------------------------------------------- /Techniques/Credential_access/Keychain.md: -------------------------------------------------------------------------------- 1 | # Keychain 2 | 3 | MITRE ATT&CK technique [T1142](https://attack.mitre.org/wiki/Technique/T1142) 4 | 5 | Tactic: Credential Access 6 | 7 | Platform: Mac 8 | 9 | ### Deception Techniques 10 | * Add URL honeytokens and fake credentials (i.e. honey accounts) to the Keychain 11 | 12 | ### Useful Tools 13 | * [Go Keychain](https://github.com/keybase/go-keychain) - A library for accessing the Keychain in Go 14 | * [Keyring](https://github.com/jaraco/keyring) - Python keyring lib provides an easy way to access the system keyring service from python. It supports several keyring backends including Mac's Keychain. 
15 | * [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically 16 | * [canarytokens](http://canarytokens.org) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Deception-as-Detection 2 | Deception based detection techniques mapped to the MITRE’s Adversarial Tactics, Techniques, and Common Knowledge ([ATT&CK™](https://attack.mitre.org)): 3 | 4 | * ### [Windows Technique Matrix](Windows-matrix.md) 5 | * ### [Linux Technique Matrix](Linux-matrix.md) 6 | * ### [Mac Technique Matrix](Mac-matrix.md) 7 | 8 | DaD matrix 9 | 10 | ## :notebook_with_decorative_cover: Deception Stories 11 | A [sample deception story](Deception_stories/DS0001.md) is created as a reference. More deception stories will be added soon. Stay tuned! 12 | 13 | deception story 14 | 15 | ## :honey_pot: A [Useful List](Useful_resources.md) of Honey{*} Resources 16 | 17 | ## TODO 18 | - [ ] Complete other techniques 19 | - [ ] Add more deception stories 20 | - [ ] Add Cloud based deception stories 21 | -------------------------------------------------------------------------------- /Techniques/Collection/Data_from_removable_media.md: -------------------------------------------------------------------------------- 1 | # Data from Removable Media 2 | 3 | MITRE ATT&CK technique [T1025](https://attack.mitre.org/wiki/Technique/T1025) 4 | 5 | Tactic: Collection 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Create decoy files or documents (beacons) that phone home when opened. 11 | * Create emulated or virtual USB devices and monitor access to them (e.g. using Windows Removable Storage Auditing) 12 | * Create files containing deceptive content and breadcrumbs to lure the attacker toward your honeypots. 
13 | 14 | ### Useful Tools 15 | * [Ghost USB Honeypot](https://github.com/honeynet/ghost-usb-honeypot) - It emulates a USB storage device to detect malwares that use such devices for propagation. Ghost supports Windows XP 32 bit and Windows 7 32 bit. 16 | * [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically 17 | * [canarytokens](http://canarytokens.org) -------------------------------------------------------------------------------- /Techniques/Collection/Email_collection.md: -------------------------------------------------------------------------------- 1 | # Email Collection 2 | 3 | MITRE ATT&CK technique [T1114](https://attack.mitre.org/wiki/Technique/T1114) 4 | 5 | Tactic: Collection 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Create fake Outlook storage or cache files .pst and .ost 11 | * Fake emails containing deceptive content and breadcrumbs to lure the attacker toward your honeypots. 12 | * Fake emails containing decoy documents or URL honeytokens (beacons) that phone home when opened/clicked. 13 | 14 | 15 | ### Useful Tools 16 | * [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries. 17 | * [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. 
fake HTTP endpoints) automatically 18 | * [canarytokens](http://canarytokens.org) -------------------------------------------------------------------------------- /Techniques/Collection/Input_capture.md: -------------------------------------------------------------------------------- 1 | # Input Capture 2 | 3 | MITRE ATT&CK technique [T1056](https://attack.mitre.org/wiki/Technique/T1056) 4 | 5 | Tactic: Collection, Credential Access 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Inject fake keystrokes containing honey accounts or any other type of honeytokens, such as URL tokens. 11 | 12 | ### Useful Tools 13 | * [xdotool](http://www.semicomplete.com/projects/xdotool/) - Fake keyboard/mouse input, window management, and more. 14 | * [Python-uinput](https://github.com/tuomasjjrasanen/python-uinput) - A python interface to Linux uinput kernel module which allows attaching userspace device drivers into kernel. 15 | * [PyUserInput](https://github.com/PyUserInput/PyUserInput) - A module for cross-platform control of the mouse and keyboard in python. 16 | * [AutoHotkey](https://autohotkey.com/), Automator/AppleScript, etc. 17 | 18 | ### Useful Resources 19 | * [How to inject fake keystrokes](http://www.thinkwiki.org/wiki/How_to_inject_fake_keystrokes) -------------------------------------------------------------------------------- /Techniques/Credential_access/Input_capture.md: -------------------------------------------------------------------------------- 1 | # Input Capture 2 | 3 | MITRE ATT&CK technique [T1056](https://attack.mitre.org/wiki/Technique/T1056) 4 | 5 | Tactic: Collection, Credential Access 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Inject fake keystrokes containing honey accounts or any other type of honeytokens, such as URL tokens. 11 | 12 | ### Useful Tools 13 | * [xdotool](http://www.semicomplete.com/projects/xdotool/) - Fake keyboard/mouse input, window management, and more. 
14 | * [Python-uinput](https://github.com/tuomasjjrasanen/python-uinput) - A python interface to Linux uinput kernel module which allows attaching userspace device drivers into kernel. 15 | * [PyUserInput](https://github.com/PyUserInput/PyUserInput) - A module for cross-platform control of the mouse and keyboard in python. 16 | * [AutoHotkey](https://autohotkey.com/), Automator/AppleScript, etc. 17 | 18 | ### Useful Resources 19 | * [How to inject fake keystrokes](http://www.thinkwiki.org/wiki/How_to_inject_fake_keystrokes) -------------------------------------------------------------------------------- /Techniques/Credential_access/Brute_force.md: -------------------------------------------------------------------------------- 1 | # Brute Force 2 | 3 | MITRE ATT&CK technique [T1110](https://attack.mitre.org/wiki/Technique/T1110) 4 | 5 | Tactic: Credential Access 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Set up fake network services and accounts 11 | 12 | ### Useful Tools 13 | * [Glutton](https://github.com/mushorg/glutton) - All eating honeypot 14 | * [Heralding](https://github.com/johnnykv/heralding) - Credentials catching honeypot, Supported protocols: ftp, telnet, ssh, pop3, pop3s, imap, imaps, smtp, postgresql, http and https. 15 | * [Cowrie](https://github.com/micheloosterhof/cowrie) - A medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. 16 | * [Dionaea](https://github.com/DinoTools/dionaea) - Nepenthes successor, Supported protocols: smb, sip, ftp, tftp, mssql, mysql, http, and some other protocols. 
17 | 18 | ### Useful Resources: 19 | * [Honeywords](http://people.csail.mit.edu/rivest/honeywords/): Making Password-Cracking Detectable -------------------------------------------------------------------------------- /Techniques/Credential_access/Bash_history.md: -------------------------------------------------------------------------------- 1 | # Bash History 2 | 3 | MITRE ATT&CK technique [T1139](https://attack.mitre.org/wiki/Technique/T1139) 4 | 5 | Tactic: Credential Access 6 | 7 | Platform: Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Manipulate bash_history with fake entries (honeytokens and breadcrumbs) 11 | 12 | ``` 13 | sshpass -p '123456' ssh -p 2222 root@192.168.1.66 14 | ftp ftp://backup:b123@192.168.1.66:2121 15 | mysql -h 192.168.1.66 -P 3306 -u dbadmin -p12345 -e "show databases" 16 | scp -P 2222 root@192.168.1.66:/var/db/backup.tar.gz /tmp/backup.tar.gz 17 | ``` 18 | 19 | ### Useful Tools 20 | * [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries. 21 | * [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. 
fake HTTP endpoints) automatically 22 | * [canarytokens](http://canarytokens.org) 23 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Adel "0x4D31" Karimi 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Techniques/Credential_access/Credentials_in_files.md: -------------------------------------------------------------------------------- 1 | # Credentials in Files 2 | 3 | MITRE ATT&CK technique [T1081](https://attack.mitre.org/wiki/Technique/T1081) 4 | 5 | Tactic: Credential Access 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Create documents and files containing fake credentials (i.e. 
honey accounts) 11 | * Configuration, backup and connection files such as RDP, VPN, and AWS credentials file 12 | * Fake credentials in browser password manager 13 | * bash_history entries containing fake credentials, e.g.: 14 | ``` 15 | mysql -h 192.168.1.66 -P 3306 -u dbadmin -p12345 -e "show databases" 16 | ftp ftp://backup:b123@192.168.1.66:2121 17 | sshpass -p '123456' ssh -p 2222 root@192.168.1.66 18 | export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE 19 | export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 20 | ``` 21 | 22 | 23 | ### Useful Tools 24 | * [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries. -------------------------------------------------------------------------------- /Techniques/Lateral_movement/Remote_desktop_protocol.md: -------------------------------------------------------------------------------- 1 | # Remote Desktop Protocol 2 | 3 | MITRE ATT&CK technique [T1076](https://attack.mitre.org/wiki/Technique/T1076) 4 | 5 | Tactic: Lateral Movement 6 | 7 | Platform: Windows 8 | 9 | ### Deception Techniques 10 | * Set up fake RDP services 11 | * Create fake RDP connection files 12 | * Create files or documents containing deceptive contents and breadcrumbs to lure the attacker toward your RDP honeypot (emulated or real) 13 | 14 | ### Useful Tools 15 | * [RDPY](https://github.com/citronneur/rdpy) - A pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side). 
16 | * [xrdp](https://github.com/neutrinolabs/xrdp) - An open source RDP server 17 | * [Tom's Honeypot](http://labs.inguardians.com/tomshoneypot.html) - A very simple honeypot with RDP support 18 | * [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries. 19 | 20 | ## Useful Resources 21 | * [RDP Honeypot on Amazon EC2 Virtual Server](https://samsclass.info/123/proj10/rdp-honeypot.htm) -------------------------------------------------------------------------------- /Techniques/Credential_access/Private_keys.md: -------------------------------------------------------------------------------- 1 | # Private Keys 2 | 3 | MITRE ATT&CK technique [T1145](https://attack.mitre.org/wiki/Technique/T1145) 4 | 5 | Tactic: Credential Access 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Create fake private keys (i.e. honeyfiles) and monitor access to them using go-audit, auditd or a File Integrity Monitoring (FIM) 11 | * Create files or documents containing deceptive content and breadcrumbs (e.g. keys for connecting to SSH honeypots) to lure the attacker toward your honeypots. 12 | * Fake entries in ~/.ssh/known_hosts, e.g.: 13 | ``` 14 | 192.168.1.66 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAEXAMPLE 15 | ``` 16 | 17 | ### Useful Tools 18 | * [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries. 19 | * [go-audit](https://github.com/slackhq/go-audit) - An alternative to the auditd daemon, with json output. 
20 | 21 | ### Useful Resources 22 | * [Catching attackers with go-audit and a logging pipeline](https://summitroute.com/blog/2016/12/25/Catching_attackers_with_go-audit_and_a_logging_pipeline/) -------------------------------------------------------------------------------- /Techniques/Command_and_control/Commonly_used_port.md: -------------------------------------------------------------------------------- 1 | # Commonly Used Port 2 | 3 | MITRE ATT&CK technique [T1043](https://attack.mitre.org/wiki/Technique/T1043) 4 | 5 | Tactic: Command and Control 6 | 7 | Platform: Windows, Linux, Mac 8 | 9 | ### Deception Techniques 10 | * Set up network sinkholes (fake network services or protocols such as HTTP, HTTPS, FTP, SMTP and DNS). 11 | * Using internal DNS servers you would be able to redirect all known malicious domains to the internal network sinkhole. This would allow for the detection of internal infected machines as well as preventing the infected machines from communicating with the C&C server. 12 | 13 | ### Useful Tools 14 | * [HoneySink](http://www.honeynet.org/node/773) - A network sinkhole for DNS, HTTP, FTP and IRC protocols 15 | * [netsarlacc](https://github.com/ciscocsirt/netsarlacc) - A high performance enterprise HTTP (and SMTP) sinkhole designed to be used by corporate SOC or IR teams. netsarlacc is meant to work in conjunction with existing blocking / captive portal / quarantining / redirecting technologies like DNS RPZ. 16 | * [UDPot](https://github.com/jekil/UDPot) 17 | * [ApateDNS](https://www.fireeye.com/services/freeware/apatedns.html) - As a phony DNS server, ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. 18 | * [INetSim](http://www.inetsim.org/downloads.html) - A tool for simulating common internet services including HTTP(S), FTP(S), POP3(S), SMTP(S), DNS, TFTP, IRC and etc. 
19 | * [FakeNet-NG](https://github.com/fireeye/flare-fakenet-ng) 20 | -------------------------------------------------------------------------------- /Deception_stories/DS0001.md: -------------------------------------------------------------------------------- 1 | # DS0001 - Sample Deception Story 2 | 3 | Deception story: The attacker overcomes security controls and reaches log files 4 | 5 | Associated [deception techniques](Deception_techniques.md): T1-Fake Database, T4-Log Manipulation 6 | 7 | Associated MITRE ATT&CK techniques: [T1139](https://attack.mitre.org/wiki/Technique/T1139) 8 | 9 | ### Deception story in Given-When-Then (GWT) format 10 | 11 | ``` 12 | Given the system has some vulnerability 13 | And an attacker gains access to the file system 14 | And the attacker reaches the log files location 15 | And the attacker touches the log file 16 | And the attacker inspects the records 17 | And the attacker finds URL/User of database 18 | When the attacker tries to gain access to the 19 | database using bogus user accounts 20 | Then an alert is sent to management system 21 | ``` 22 | 23 | ### Deception strategy 24 | 25 | | Strategy | Description | 26 | |---------------------------|-------------| 27 | | Goal | 1) Identify attackers trying to gain access to the server, 2) Divert attackers with bogus data pointing to multiple directions | 28 | | Attackers’ biases | Availability heuristic (Overestimate the importance of sensitive data inside the log file) | 29 | | Monitoring channels | Depends on the implementation; Authentication function, Honeypot logs | 30 | | Risks and countermeasures | Attacker identifies data as fake | 31 | 32 | ### Reference 33 | * C. De Faveri and A. Moreira, "Designing Adaptive Deception Strategies," 2016 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C), Vienna, 2016, pp. 77-84. 
--------------------------------------------------------------------------------
/Techniques/Lateral_movement/Pass_the_hash.md:
--------------------------------------------------------------------------------
# Pass the Hash

MITRE ATT&CK technique [T1075](https://attack.mitre.org/wiki/Technique/T1075)

Tactic: Lateral Movement

Platform: Windows

### Deception Techniques
* Inject fake credentials into LSASS (i.e. honey hashes)

### Useful Tools
* [New-HoneyHash.ps1](https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/New-HoneyHash.ps1) - Inject artificial credentials into LSASS. New-HoneyHash is a simple wrapper for advapi32!CreateProcessWithLogonW that specifies the LOGON_NETCREDENTIALS_ONLY flag.
* [DCEPT](https://github.com/secureworks/dcept) (Domain Controller Enticing Password Tripwire) - A tool for deploying and detecting use of Active Directory honeytokens
* [MimikatzHoneyToken](https://github.com/SMAPPER/MimikatzHoneyToken) - A logon script used to detect the theft of credentials by tools such as Mimikatz. It is an AutoIT logon script that launches cmd.exe as a fake user account and is intended to be run as a logon script on Windows systems.

### Useful Resources
* [Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot](https://adsecurity.org/?p=3513)
* [Detecting Mimikatz Use On Your Network](https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/)
* [DCEPT](https://www.secureworks.com/blog/dcept): An Open-Source Honeytoken Tripwire
* [Dealing with credential theft](https://dfirblog.wordpress.com/2015/11/24/protecting-windows-networks-dealing-with-credential-theft/)
* [Busting the Honeypot – Is there really a way for attackers to detect deception](https://www.topspinsec.com/blog/busting-honeypot-really-way-attackers-detect-deception/)

--------------------------------------------------------------------------------
/Techniques/Command_and_control/Remote_file_copy.md:
--------------------------------------------------------------------------------
# Remote File Copy

MITRE ATT&CK technique [T1105](https://attack.mitre.org/wiki/Technique/T1105)

Tactic: Lateral Movement, Command and Control

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake network services or protocols such as FTP, SFTP and SCP
* Create breadcrumbs or honeytokens to lure the attackers toward the fake network services (i.e. honeypots)
  * Documents/files with deceptive contents and breadcrumbs
  * Manipulate bash_history with fake entries, e.g.:
```
ftp ftp://backup:b123@192.168.1.66:2121
scp -P 2222 root@192.168.1.66:/var/db/backup.tar.gz /tmp/backup.tar.gz
```
* Using internal DNS servers, redirect all known malicious domains to an internal network sinkhole. This allows infected internal machines to be detected and prevents them from communicating with the C&C server.
### Useful Tools
* [Cowrie](https://github.com/micheloosterhof/cowrie) - A medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker, with SFTP and SCP support.
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [HoneySink](http://www.honeynet.org/node/773) - A network sinkhole for the DNS, HTTP, FTP and IRC protocols
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.

--------------------------------------------------------------------------------
/Techniques/Lateral_movement/Remote_file_copy.md:
--------------------------------------------------------------------------------
# Remote File Copy

MITRE ATT&CK technique [T1105](https://attack.mitre.org/wiki/Technique/T1105)

Tactic: Lateral Movement, Command and Control

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake network services or protocols such as FTP, SFTP and SCP
* Create breadcrumbs or honeytokens to lure the attackers toward the fake network services (i.e. honeypots)
  * Documents/files with deceptive contents and breadcrumbs
  * Manipulate bash_history with fake entries, e.g.:
```
ftp ftp://backup:b123@192.168.1.66:2121
scp -P 2222 root@192.168.1.66:/var/db/backup.tar.gz /tmp/backup.tar.gz
```
* Using internal DNS servers, redirect all known malicious domains to an internal network sinkhole. This allows infected internal machines to be detected and prevents them from communicating with the C&C server.

### Useful Tools
* [Cowrie](https://github.com/micheloosterhof/cowrie) - A medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker, with SFTP and SCP support.
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [HoneySink](http://www.honeynet.org/node/773) - A network sinkhole for the DNS, HTTP, FTP and IRC protocols
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.

--------------------------------------------------------------------------------
/Techniques/Credential_access/Exploitation_of_vulnerability.md:
--------------------------------------------------------------------------------
# Exploitation of Vulnerability

MITRE ATT&CK technique [T1068](https://attack.mitre.org/wiki/Technique/T1068)

Tactic: Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake resources using low-interaction or high-interaction honeypots
  * Emulated or real operating systems, network protocols/services, or vulnerabilities

### Useful Tools
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [Amun](https://github.com/zeroq/amun) - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot
* Snare & Tanner - Successors to the [Glastopf](https://github.com/mushorg/glastopf) web application honeypot.
  * [SNARE](https://github.com/mushorg/snare) - Super Next generation Advanced Reactive honEypot
  * [Tanner](https://github.com/mushorg/tanner) - Evaluating SNARE events
* [Sysdig](https://github.com/draios/sysdig)
* [MazeRunner](https://community.cymmetria.com/) community edition
* More: [awesome-honeypots](https://github.com/paralax/awesome-honeypots)

### Useful Resources
* [High Interaction Honeypots with Sysdig and Falco](https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco/), [Fishing for Hackers](https://sysdig.com/blog/fishing-for-hackers/): analysis of a Linux server attack.
--------------------------------------------------------------------------------
/Techniques/Defense_evasion/Exploitation_of_vulnerability.md:
--------------------------------------------------------------------------------
# Exploitation of Vulnerability

MITRE ATT&CK technique [T1068](https://attack.mitre.org/wiki/Technique/T1068)

Tactic: Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake resources using low-interaction or high-interaction honeypots
  * Emulated or real operating systems, network protocols/services, or vulnerabilities

### Useful Tools
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [Amun](https://github.com/zeroq/amun) - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot
* Snare & Tanner - Successors to the [Glastopf](https://github.com/mushorg/glastopf) web application honeypot.
  * [SNARE](https://github.com/mushorg/snare) - Super Next generation Advanced Reactive honEypot
  * [Tanner](https://github.com/mushorg/tanner) - Evaluating SNARE events
* [Sysdig](https://github.com/draios/sysdig)
* [MazeRunner](https://community.cymmetria.com/) community edition
* More: [awesome-honeypots](https://github.com/paralax/awesome-honeypots)

### Useful Resources
* [High Interaction Honeypots with Sysdig and Falco](https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco/), [Fishing for Hackers](https://sysdig.com/blog/fishing-for-hackers/): analysis of a Linux server attack.

--------------------------------------------------------------------------------
/Techniques/Lateral_movement/Exploitation_of_vulnerability.md:
--------------------------------------------------------------------------------
# Exploitation of Vulnerability

MITRE ATT&CK technique [T1068](https://attack.mitre.org/wiki/Technique/T1068)

Tactic: Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake resources using low-interaction or high-interaction honeypots
  * Emulated or real operating systems, network protocols/services, or vulnerabilities

### Useful Tools
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [Amun](https://github.com/zeroq/amun) - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot
* Snare & Tanner - Successors to the [Glastopf](https://github.com/mushorg/glastopf) web application honeypot.
  * [SNARE](https://github.com/mushorg/snare) - Super Next generation Advanced Reactive honEypot
  * [Tanner](https://github.com/mushorg/tanner) - Evaluating SNARE events
* [Sysdig](https://github.com/draios/sysdig)
* [MazeRunner](https://community.cymmetria.com/) community edition
* More: [awesome-honeypots](https://github.com/paralax/awesome-honeypots)

### Useful Resources
* [High Interaction Honeypots with Sysdig and Falco](https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco/), [Fishing for Hackers](https://sysdig.com/blog/fishing-for-hackers/): analysis of a Linux server attack.

--------------------------------------------------------------------------------
/Techniques/Lateral_movement/Remote_services.md:
--------------------------------------------------------------------------------
# Remote Services

MITRE ATT&CK technique [T1021](https://attack.mitre.org/wiki/Technique/T1021)

Tactic: Lateral Movement

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake network services or protocols such as Telnet, SSH and VNC
* Create breadcrumbs or honeytokens to lure the attackers toward the fake network services (i.e. honeypots)
  * Documents/files with deceptive contents and breadcrumbs
  * Manipulate bash_history with fake entries, e.g.:
```
sshpass -p '123456' ssh -p 2222 root@192.168.1.66
```

### Useful Tools
* [Cowrie](https://github.com/micheloosterhof/cowrie) - A medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker, with SFTP and SCP support.
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [HonSSH](https://github.com/tnich/honssh) - Designed to be used in conjunction with a high-interaction honeypot. HonSSH sits between the attacker and the honeypot and creates two separate SSH connections.
* [SSHHiPot](https://github.com/magisterquis/sshhipot) - A logging SSH proxy that can be used as a high-interaction SSH honeypot.
* [Wetland](https://github.com/ohmyadd/wetland) - A Docker-based high-interaction SSH honeypot
* [vnclowpot](https://github.com/magisterquis/vnclowpot) - Low-interaction VNC honeypot
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
* [Sysdig](https://github.com/draios/sysdig)

### Useful Resources
* [Bifrozt high interaction SSH honeypot](https://www.honeynet.org/node/1191)

--------------------------------------------------------------------------------
/Techniques/Privilege_escalation/Exploitation_of_vulnerability.md:
--------------------------------------------------------------------------------
# Exploitation of Vulnerability

MITRE ATT&CK technique [T1068](https://attack.mitre.org/wiki/Technique/T1068)

Tactic: Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake resources using low-interaction or high-interaction honeypots
  * Emulated or real operating systems, network protocols/services, or vulnerabilities

### Useful Tools
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [Amun](https://github.com/zeroq/amun) - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot
* Snare & Tanner - Successors to the [Glastopf](https://github.com/mushorg/glastopf) web application honeypot.
  * [SNARE](https://github.com/mushorg/snare) - Super Next generation Advanced Reactive honEypot
  * [Tanner](https://github.com/mushorg/tanner) - Evaluating SNARE events
* [Sysdig](https://github.com/draios/sysdig)
* [MazeRunner](https://community.cymmetria.com/) community edition
* More: [awesome-honeypots](https://github.com/paralax/awesome-honeypots)

### Useful Resources
* [High Interaction Honeypots with Sysdig and Falco](https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco/), [Fishing for Hackers](https://sysdig.com/blog/fishing-for-hackers/): analysis of a Linux server attack.

--------------------------------------------------------------------------------
/Techniques/Discovery/File_and_directory_discovery.md:
--------------------------------------------------------------------------------
# File and Directory Discovery

MITRE ATT&CK technique [T1083](https://attack.mitre.org/wiki/Technique/T1083)

Tactic: Discovery

Platform: Windows, Linux, Mac

### Deception Techniques
* Create fake directories and files (i.e. honeyfiles) and monitor access to them using go-audit, auditd or a File Integrity Monitoring (FIM) tool.
* Create beacon files that phone home when opened.
* Create files containing deceptive content and breadcrumbs to lure the attacker toward your honeypots.
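An added example (not code from the deception-as-detection repository) of the auditd-based honeyfile monitoring described in the first bullet above, which recurs under Automated Collection and Data from Local System: it emits auditctl watch rules for decoy files and parses the resulting audit records, correlating SYSCALL and PATH lines by their audit serial and raising an alert for every access tagged with the honeyfile key. The decoy path, the key name and the audit log lines are constructed for the demonstration.

```python
"""Honeyfile access detection from Linux auditd records (added example).

Assumed setup: each decoy file is watched with an audit rule such as
    auditctl -w /srv/finance/payroll_2017.xlsx -p rwa -k honeyfile
so every read/write/attribute access produces a SYSCALL record tagged
key="honeyfile", followed by CWD/PATH records that share its serial number.
Paths, key name and log lines below are constructed, not real data.
"""
import re
from collections import defaultdict

HONEY_KEY = "honeyfile"

# key=value pairs; values are either double-quoted (paths, comm, exe) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch.ms>:<serial>) ties all records of one event together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def audit_rules(paths, key=HONEY_KEY):
    """auditctl watch rules (read/write/attribute) for the given decoy paths."""
    return [f"-w {p} -p rwa -k {key}" for p in paths]


def parse_record(line):
    """Parse one raw audit line into a field dict; None if it is not an audit record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def honeyfile_alerts(lines, key=HONEY_KEY):
    """Group records by serial; one alert per event whose SYSCALL carries `key`.

    PATH records with nametype=PARENT (the containing directory) are dropped so
    that the alert names the decoy file itself.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)

    alerts = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue  # untagged event: no decoy involved
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and "name" in r
                 and r.get("nametype") != "PARENT"]
        alerts.append({
            "serial": serial,
            "time": syscall["_ts"],
            "uid": syscall.get("uid"),
            "auid": syscall.get("auid"),   # login uid, survives su/sudo
            "pid": syscall.get("pid"),
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "success": syscall.get("success"),
            "paths": paths,
        })
    return alerts


# Constructed audit.log excerpt: a `cat` of the decoy spreadsheet (serial 4242)
# and an unrelated, untagged open of an ordinary file (serial 4243).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1510000000.123:4242): arch=c000003e syscall=257 '
    'success=yes exit=3 items=2 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 '
    'euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="honeyfile"',
    'type=CWD msg=audit(1510000000.123:4242):  cwd="/home/dev"',
    'type=PATH msg=audit(1510000000.123:4242): item=0 name="/srv/finance/" '
    'inode=392 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1510000000.123:4242): item=1 '
    'name="/srv/finance/payroll_2017.xlsx" inode=393 dev=fd:01 mode=0100644 '
    'ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1510000000.456:4243): arch=c000003e syscall=257 '
    'success=yes exit=4 items=1 ppid=2001 pid=2043 auid=1000 uid=1000 gid=1000 '
    'euid=1000 tty=pts0 ses=3 comm="less" exe="/usr/bin/less" key=(null)',
    'type=PATH msg=audit(1510000000.456:4243): item=0 name="/home/dev/notes.txt" '
    'inode=500 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
]


def main():
    for rule in audit_rules(["/srv/finance/payroll_2017.xlsx"]):
        print("audit rule:", rule)
    for a in honeyfile_alerts(SAMPLE_LOG):
        print(f"ALERT honeyfile access: {a['paths']} by uid={a['uid']} "
              f"(auid={a['auid']}) pid={a['pid']} exe={a['exe']} "
              f"serial={a['serial']}")


if __name__ == "__main__":
    main()
```

In production the same parser would read `/var/log/audit/audit.log` (or go-audit's JSON stream) instead of the constructed list; the auid field is what identifies the logged-in user even when the access happened through sudo.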
### Useful Tools
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
* [go-audit](https://github.com/slackhq/go-audit) - An alternative to the auditd daemon, with JSON output.
* [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically
* [canarytokens](http://canarytokens.org)

### Useful Resources
* [Catching attackers with go-audit and a logging pipeline](https://summitroute.com/blog/2016/12/25/Catching_attackers_with_go-audit_and_a_logging_pipeline/)
* [Using Windows File Auditing to Detect Honeyfile Access](https://labs.mwrinfosecurity.com/blog/using-windows-file-auditing-to-detect-honeyfile-access/)
* [Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles](https://scholarspace.manoa.hawaii.edu/handle/10125/41897)
* [Canary Files](http://sdiwc.net/digital-library/download.php?id=00000551.pdf): generating fake files to detect critical data loss from complex computer networks
* [Design requirements for generating deceptive content to protect document repositories](http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1055&context=isw)

--------------------------------------------------------------------------------
/Techniques/Collection/Automated_collection.md:
--------------------------------------------------------------------------------
# Automated Collection

MITRE ATT&CK technique [T1119](https://attack.mitre.org/wiki/Technique/T1119)

Tactic: Collection

Platform: Windows, Linux, Mac

### Deception Techniques
* Create fake directories and files (i.e. honeyfiles) and monitor access to them using go-audit, auditd, a File Integrity Monitoring (FIM) tool, or the OS file/folder auditing.
* Create decoy files or documents (beacons) that phone home when opened.
* Create files containing deceptive content and breadcrumbs to lure the attacker toward your honeypots.

### Useful Tools
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
* [go-audit](https://github.com/slackhq/go-audit) - An alternative to the auditd daemon, with JSON output.
* [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically
* [canarytokens](http://canarytokens.org)

### Useful Resources
* [Catching attackers with go-audit and a logging pipeline](https://summitroute.com/blog/2016/12/25/Catching_attackers_with_go-audit_and_a_logging_pipeline/)
* [Using Windows File Auditing to Detect Honeyfile Access](https://labs.mwrinfosecurity.com/blog/using-windows-file-auditing-to-detect-honeyfile-access/)
* [Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles](https://scholarspace.manoa.hawaii.edu/handle/10125/41897)
* [Canary Files](http://sdiwc.net/digital-library/download.php?id=00000551.pdf): generating fake files to detect critical data loss from complex computer networks
* [Design requirements for generating deceptive content to protect document repositories](http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1055&context=isw)

--------------------------------------------------------------------------------
/Techniques/Discovery/Network_service_scanning.md:
--------------------------------------------------------------------------------
# Network Service Scanning

MITRE ATT&CK technique [T1046](https://attack.mitre.org/wiki/Technique/T1046)

Tactic: Discovery

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake network services
* Create breadcrumbs or honeytokens to lure the attackers toward the fake network services (i.e. honeypots)
  * Fake entries in the ARP cache, hosts file, etc.
  * Documents/files with deceptive contents

### Useful Tools
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot
* Snare & Tanner - Successors to the [Glastopf](https://github.com/mushorg/glastopf) web application honeypot.
  * [SNARE](https://github.com/mushorg/snare) - Super Next generation Advanced Reactive honEypot
  * [Tanner](https://github.com/mushorg/tanner) - Evaluating SNARE events
* [Cowrie](https://github.com/micheloosterhof/cowrie) - A medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
* [Amun](https://github.com/zeroq/amun) - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
* [MazeRunner](https://community.cymmetria.com/) community edition

### Useful Resources
* [awesome-honeypots](https://github.com/paralax/awesome-honeypots)

--------------------------------------------------------------------------------
/Techniques/Discovery/Remote_system_discovery.md:
--------------------------------------------------------------------------------
# Remote System Discovery

MITRE ATT&CK technique [T1018](https://attack.mitre.org/wiki/Technique/T1018)

Tactic: Discovery

Platform: Windows, Linux, Mac

### Deception Techniques
* Set up fake systems and network services
* Create breadcrumbs or honeytokens to lure the attackers toward the fake systems or network services (i.e. honeypots)
  * Fake entries in the ARP cache, hosts file, etc.
  * Documents/files with deceptive contents

### Useful Tools
* [Glutton](https://github.com/mushorg/glutton) - All eating honeypot
* [Dionaea](https://github.com/DinoTools/dionaea) - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as smb, sip, ftp, tftp, mssql, mysql, http, and uses libemu to detect shellcode.
* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot
* Snare & Tanner - Successors to the [Glastopf](https://github.com/mushorg/glastopf) web application honeypot.
  * [SNARE](https://github.com/mushorg/snare) - Super Next generation Advanced Reactive honEypot
  * [Tanner](https://github.com/mushorg/tanner) - Evaluating SNARE events
* [Cowrie](https://github.com/micheloosterhof/cowrie) - A medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
* [Amun](https://github.com/zeroq/amun) - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
* [MazeRunner](https://community.cymmetria.com/) community edition

### Useful Resources
* [awesome-honeypots](https://github.com/paralax/awesome-honeypots)

--------------------------------------------------------------------------------
/Techniques/Collection/Data_from_local_system.md:
--------------------------------------------------------------------------------
# Data from Local System

MITRE ATT&CK technique [T1005](https://attack.mitre.org/wiki/Technique/T1005)

Tactic: Collection

Platform: Windows, Linux, Mac

### Deception Techniques
* Create fake directories and files (i.e. honeyfiles) and monitor access to them using go-audit, auditd, a File Integrity Monitoring (FIM) tool, or the OS file/folder auditing.
* Create decoy files or documents (beacons) that phone home when opened.
* Create files containing deceptive content and breadcrumbs to lure the attacker toward your honeypots.
  * Configuration, backup and connection files such as RDP, VPN, and AWS credentials files

### Useful Tools
* [honeybits](https://github.com/0x4D31/honeybits) - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
* [go-audit](https://github.com/slackhq/go-audit) - An alternative to the auditd daemon, with JSON output.
* [honeyλ](https://github.com/0x4D31/honeyLambda) - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically
* [canarytokens](http://canarytokens.org)

### Useful Resources
* [Catching attackers with go-audit and a logging pipeline](https://summitroute.com/blog/2016/12/25/Catching_attackers_with_go-audit_and_a_logging_pipeline/)
* [Using Windows File Auditing to Detect Honeyfile Access](https://labs.mwrinfosecurity.com/blog/using-windows-file-auditing-to-detect-honeyfile-access/)
* [Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles](https://scholarspace.manoa.hawaii.edu/handle/10125/41897)
* [Canary Files](http://sdiwc.net/digital-library/download.php?id=00000551.pdf): generating fake files to detect critical data loss from complex computer networks
* [Design requirements for generating deceptive content to protect document repositories](http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1055&context=isw)

--------------------------------------------------------------------------------
/Techniques/Credential_access/Credential_dumping.md:
--------------------------------------------------------------------------------
# Credential Dumping

MITRE ATT&CK technique [T1003](https://attack.mitre.org/wiki/Technique/T1003)

Tactic: Credential Access

Platform: Windows

### Deception Techniques
* Inject fake credentials into LSASS (i.e. honey hashes)
* Create a Kerberoast service account honeytoken
* Create files containing fake credentials (i.e. honey accounts)
  * Configuration, backup and connection files such as RDP, VPN, and AWS credentials files
* Fake credentials in the browser password manager

### Useful Tools
* [New-HoneyHash.ps1](https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/New-HoneyHash.ps1) - Inject artificial credentials into LSASS.
New-HoneyHash is a simple wrapper for advapi32!CreateProcessWithLogonW that specifies the LOGON_NETCREDENTIALS_ONLY flag.
* [DCEPT](https://github.com/secureworks/dcept) (Domain Controller Enticing Password Tripwire) - A tool for deploying and detecting use of Active Directory honeytokens
* [MimikatzHoneyToken](https://github.com/SMAPPER/MimikatzHoneyToken) - A logon script used to detect the theft of credentials by tools such as Mimikatz. It is an AutoIT logon script that launches cmd.exe as a fake user account and is intended to be run as a logon script on Windows systems.
* [honeybits-win](https://github.com/0x4D31/honeybits-win) - The Windows version of [honeybits](https://github.com/0x4D31/honeybits), which supports creating fake credentials in Windows Credential Manager.

### Useful Resources
* [Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot](https://adsecurity.org/?p=3513)
* [Detecting Mimikatz Use On Your Network](https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/)
* [DCEPT](https://www.secureworks.com/blog/dcept): An Open-Source Honeytoken Tripwire
* [Dealing with credential theft](https://dfirblog.wordpress.com/2015/11/24/protecting-windows-networks-dealing-with-credential-theft/)
* [Busting the Honeypot – Is there really a way for attackers to detect deception](https://www.topspinsec.com/blog/busting-honeypot-really-way-attackers-detect-deception/)

--------------------------------------------------------------------------------
/Useful_resources.md:
--------------------------------------------------------------------------------
# A Useful List of Honey{*} Resources

* [Changing the game: The art of deceiving sophisticated attackers](https://ccdcoe.org/cycon/2014/proceedings/d2r2s6_serrano.pdf)
* [Applying Deception Mechanisms for Detecting Sophisticated Cyber Attacks](https://www.topspinsec.com/wp-content/uploads/2016/10/TopSpinSec-Deception-Research-Paper-OCT-05-16.pdf)
* [Proactive detection of security incidents II - Honeypots](https://www.enisa.europa.eu/publications/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport)
* [Designing Adaptive Deception Strategies](http://nova-lincs.di.fct.unl.pt/system/publication_files/files/000/000/645/original/DesigningAdaptiveDeceptionStrategies.pdf?1469118788)
* [Goal-Driven Deception Tactics Design](http://nova-lincs.di.fct.unl.pt/system/publication_files/files/000/000/644/original/issre2016-goal-driven-deception-pre-cameraready.pdf?1469542781)
* [Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles](https://scholarspace.manoa.hawaii.edu/handle/10125/41897)
* [Canary Files: generating fake files to detect critical data loss from complex computer networks](http://sdiwc.net/digital-library/download.php?id=00000551.pdf)
* [Baiting Inside Attackers Using Decoy Documents](https://www.cs.columbia.edu/~angelos/Papers/2009/DecoyDocumentsSECCOM09.pdf)
* [HoneyGen: An automated honeytokens generator](http://ieeexplore.ieee.org/document/5984063/)
* [Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot](https://adsecurity.org/?p=3513)
* [Enabling an Anatomic View to Investigate Honeypot Systems: A Survey](https://arxiv.org/ftp/arxiv/papers/1704/1704.05357.pdf)
* [A Survey on Honeypot Software and Data Analysis](https://arxiv.org/pdf/1608.06249.pdf)
* [Detecting Mimikatz Use On Your Network](https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/)
* [Busting the Honeypot – Is there really a way for attackers to detect deception](https://www.topspinsec.com/blog/busting-honeypot-really-way-attackers-detect-deception/)
* [High Interaction Honeypots with Sysdig and Falco](https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco/)
* [Catching attackers with go-audit and a logging pipeline](https://summitroute.com/blog/2016/12/25/Catching_attackers_with_go-audit_and_a_logging_pipeline/)
* [Reddit/honeypot](https://www.reddit.com/r/honeypot/)
* [Early Warning Detectors Using AWS Access Keys as Honeytokens](https://blog.komand.com/early-warning-detectors-using-aws-access-keys-honeytokens)
* [Breach Detection At Scale With PROJECT SPACECRAB](https://developer.atlassian.com/blog/2017/10/project-spacecrab-breach-detection/)
* [AWS API key Canarytoken](http://blog.thinkst.com/2017/09/canarytokens-new-member-aws-api-key.html)
* [Systems and methods for the detection of advanced attackers using client side honeytokens (Patent)](https://encrypted.google.com/patents/WO2017120076A1)

--------------------------------------------------------------------------------
/Linux-matrix.md:
--------------------------------------------------------------------------------
## MITRE ATT&CK - Linux Technique Matrix

| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|
| .bash_profile and .bashrc | [Exploitation of Vulnerability](Techniques/Privilege_escalation/Exploitation_of_vulnerability.md) | Binary Padding | [Bash History](Techniques/Credential_access/Bash_history.md) | [Account Discovery](Techniques/Discovery/Account_discovery.md) | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | [Commonly Used Port](Techniques/Command_and_control/Commonly_used_port.md) |
| Bootkit | Setuid and Setgid | Clear Command History | [Brute Force](Techniques/Credential_access/Brute_force.md) | [File and Directory Discovery](Techniques/Discovery/File_and_directory_discovery.md) | [Exploitation of Vulnerability](Techniques/Lateral_movement/Exploitation_of_vulnerability.md) | Graphical User Interface | [Automated Collection](Techniques/Collection/Automated_collection.md) | Data Compressed | Communication Through Removable Media |
| Cron Job | Sudo | Disabling Security Tools | Create Account | Permission Groups Discovery | [Remote File Copy](Techniques/Lateral_movement/Remote_file_copy.md) | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
| Hidden Files and Directories | Valid Accounts | [Exploitation of Vulnerability](Techniques/Defense_evasion/Exploitation_of_vulnerability.md) | [Credentials in Files](Techniques/Credential_access/Credentials_in_files.md) | Process Discovery | [Remote Services](Techniques/Lateral_movement/Remote_services.md) | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
| Rc.common | Web Shell | File Deletion | [Exploitation of Vulnerability](Techniques/Credential_access/Exploitation_of_vulnerability.md) | System Information Discovery | Third-party Software | Space after Filename | [Data from Local System](Techniques/Collection/Data_from_local_system.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
| Redundant Access | | HISTCONTROL | [Input Capture](Techniques/Credential_access/Input_capture.md) | [System Network Configuration Discovery](Techniques/Discovery/System_network_configuration_discovery.md) | | Third-party Software | [Data from Network Shared Drive](Techniques/Collection/Data_from_network_shared_drive.md) | Exfiltration Over Command and Control Channel | Data Encoding |
| Trap | | Hidden Files and Directories | [Network Sniffing](Techniques/Credential_access/Network_sniffing.md) | [System Network Connections Discovery](Techniques/Discovery/System_network_connections_discovery.md) | | Trap | [Data from Removable Media](Techniques/Collection/Data_from_removable_media.md) | Exfiltration Over Other Network Medium | Data Obfuscation |
| Valid Accounts | | Indicator Removal from Tools | [Private Keys](Techniques/Credential_access/Private_keys.md) | System Owner/User Discovery | | | [Input Capture](Techniques/Collection/Input_capture.md) | Exfiltration Over Physical Medium | Fallback Channels |
| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | [Network Service Scanning](Techniques/Discovery/Network_service_scanning.md) | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
| | | Install Root
Certificate | | [Remote System Discovery](Techniques/Discovery/Remote_system_discovery.md) | | | | | Multiband Communication | 15 | | | | Masquerading | | | | | | | Multilayer Encryption | 16 | | | | Redundant Access | | | | | | | [Remote File Copy](Techniques/Command_and_control/Remote_file_copy.md) | 17 | | | | Scripting | | | | | | | Standard Application Layer Protocol | 18 | | | | Space after Filename | | | | | | | Standard Cryptographic Protocol | 19 | | | | Timestomp | | | | | | | Standard Non-Application Layer Protocol | 20 | | | | Valid Accounts | | | | | | | Uncommonly Used Port | 21 | | | | | | | | | | | Web Service | 22 | 23 | -------------------------------------------------------------------------------- /Mac-matrix.md: -------------------------------------------------------------------------------- 1 | ## MITRE ATT&CK - Mac Technique Matrix 2 | 3 | | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | 4 | |------------------------------|---------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|--------------------------|------------------------------------------------------------------------------------------|-----------------------------------------------|---------------------------------------------------------------------------| 5 | | .bash_profile and .bashrc | Dylib Hijacking | Binary Padding | [Bash History](Techniques/Credential_access/Bash_history.md) | [Account 
Discovery](Techniques/Discovery/Account_discovery.md) | AppleScript | AppleScript | [Automated Collection](Techniques/Collection/Automated_collection.md) | Automated Exfiltration | [Commonly Used Port](Techniques/Command_and_control/Commonly_used_port.md)| 6 | | Cron Job | [Exploitation of Vulnerability](Techniques/Privilege_escalation/Exploitation_of_vulnerability.md) | Clear Command History | [Brute Force](Techniques/Credential_access/Brute_force.md) | Application Window Discovery | Application Deployment Software | Command-Line Interface | Clipboard Data | Data Compressed | Communication Through Removable Media | 7 | | Dylib Hijacking | Launch Daemon | Code Signing | Create Account | [File and Directory Discovery](Techniques/Discovery/File_and_directory_discovery.md) | [Exploitation of Vulnerability](Techniques/Lateral_movement/Exploitation_of_vulnerability.md) | Graphical User Interface | Data Staged | Data Encrypted | Connection Proxy | 8 | | Hidden Files and Directories | Plist Modification | Disabling Security Tools | [Credentials in Files](Techniques/Credential_access/Credentials_in_files.md) | [Network Share Discovery](Techniques/Discovery/Network_share_discovery.md) | Logon Scripts | Launchctl | [Data from Local System](Techniques/Collection/Data_from_local_system.md) | Data Transfer Size Limits | Custom Command and Control Protocol | 9 | | LC_LOAD_DYLIB Addition | Setuid and Setgid | [Exploitation of Vulnerability](Techniques/Defense_evasion/Exploitation_of_vulnerability.md) | [Exploitation of Vulnerability](Techniques/Credential_access/Exploitation_of_vulnerability.md) | Permission Groups Discovery | [Remote File Copy](Techniques/Lateral_movement/Remote_file_copy.md) | Scripting | [Data from Network Shared Drive](Techniques/Collection/Data_from_network_shared_drive.md)| Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | 10 | | Launch Agent | Startup Items | File Deletion | [Input 
Capture](Techniques/Credential_access/Input_capture.md) | Process Discovery | [Remote Services](Techniques/Lateral_movement/Remote_services.md) | Source | [Data from Removable Media](Techniques/Collection/Data_from_removable_media.md) | Exfiltration Over Command and Control Channel | Data Encoding | 11 | | Launch Daemon | Sudo | Gatekeeper Bypass | Input Prompt | [Remote System Discovery](Techniques/Discovery/Remote_system_discovery.md) | Third-party Software | Space after Filename | [Input Capture](Techniques/Collection/Input_capture.md) | Exfiltration Over Other Network Medium | Data Obfuscation | 12 | | Launchctl | Valid Accounts | HISTCONTROL | [Keychain](Techniques/Credential_access/Keychain.md) | Security Software Discovery | | Third-party Software | Screen Capture | Exfiltration Over Physical Medium | Fallback Channels | 13 | | Login Item | Web Shell | Hidden Files and Directories | [Network Sniffing](Techniques/Credential_access/Network_sniffing.md) | System Information Discovery | | Trap | | Scheduled Transfer | Multi-Stage Channels | 14 | | Logon Scripts | | Hidden Users | [Private Keys](Techniques/Credential_access/Private_keys.md) | [System Network Configuration Discovery](Techniques/Discovery/System_network_configuration_discovery.md)| | | | | Multiband Communication | 15 | | Plist Modification | | Hidden Window | Securityd Memory | [System Network Connections Discovery](Techniques/Discovery/System_network_connections_discovery.md) | | | | | Multilayer Encryption | 16 | | Rc.common | | Indicator Removal from Tools | Two-Factor Authentication Interception | System Owner/User Discovery | | | | | [Remote File Copy](Techniques/Command_and_control/Remote_file_copy.md) | 17 | | Re-opened Applications | | Indicator Removal on Host | | [Network Service Scanning](Techniques/Discovery/Network_service_scanning.md) | | | | | Standard Application Layer Protocol | 18 | | Redundant Access | | LC_MAIN Hijacking | | | | | | | Standard Cryptographic Protocol | 19 | | 
Startup Items | | Launchctl | | | | | | | Standard Non-Application Layer Protocol | 20 | | Trap | | Masquerading | | | | | | | Uncommonly Used Port | 21 | | Valid Accounts | | Plist Modification | | | | | | | Web Service | 22 | | Web Shell | | Redundant Access | | | | | | | | 23 | | | | Scripting | | | | | | | | 24 | | | | Space after Filename | | | | | | | | 25 | | | | Valid Accounts | | | | | | | | 26 | 27 | -------------------------------------------------------------------------------- /Windows-matrix.md: -------------------------------------------------------------------------------- 1 | ## MITRE ATT&CK - Windows Technique Matrix 2 | 3 | | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | 4 | |-------------------------------------------------------|---------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------------------------------------------------------------|-----------------------------------------------|---------------------------------------------------------------------------| 5 | | Accessibility Features | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Techniques/Discovery/Account_discovery.md) | Application Deployment Software | Application Shimming | Audio Capture | Automated Exfiltration | [Commonly Used 
Port](Techniques/Command_and_control/Commonly_used_port.md)| 6 | | AppInit DLLs | Accessibility Features | Binary Padding | [Brute Force](Techniques/Credential_access/Brute_force.md) | Application Window Discovery | [Exploitation of Vulnerability](Techniques/Lateral_movement/Exploitation_of_vulnerability.md) | Command-Line Interface | [Automated Collection](Techniques/Collection/Automated_collection.md) | Data Compressed | Communication Through Removable Media | 7 | | Application Shimming | AppInit DLLs | Bypass User Account Control | Create Account | [File and Directory Discovery](Techniques/Discovery/File_and_directory_discovery.md) | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy | 8 | | Authentication Package | Application Shimming | Code Signing | [Credential Dumping](Techniques/Credential_access/Credential_dumping.md) | [Network Service Scanning](Techniques/Discovery/Network_service_scanning.md) | [Pass the Hash](Techniques/Lateral_movement/Pass_the_hash.md) | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | 9 | | Bootkit | Bypass User Account Control | Component Firmware | [Credentials in Files](Techniques/Credential_access/Credentials_in_files.md) | [Network Share Discovery](Techniques/Discovery/Network_share_discovery.md) | [Pass the Ticket](Techniques/Lateral_movement/Pass_the_ticket.md) | Graphical User Interface | [Data from Local System](Techniques/Collection/Data_from_local_system.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | 10 | | Change Default File Association | DLL Injection | Component Object Model Hijacking | [Exploitation of Vulnerability](Techniques/Privilege_escalation/Exploitation_of_vulnerability.md) | [Peripheral Device Discovery](Techniques/Discovery/Peripheral_device_discovery.md) | [Remote Desktop Protocol](Techniques/Lateral_movement/Remote_desktop_protocol.md) | InstallUtil | [Data from Network 
Shared Drive](Techniques/Collection/Data_from_network_shared_drive.md)| Exfiltration Over Command and Control Channel | Data Encoding | 11 | | Component Firmware | DLL Search Order Hijacking | DLL Injection | [Input Capture](Techniques/Credential_access/Input_capture.md) | Permission Groups Discovery | [Remote File Copy](Techniques/Lateral_movement/Remote_file_copy.md) | PowerShell | [Data from Removable Media](Techniques/Collection/Data_from_removable_media.md) | Exfiltration Over Other Network Medium | Data Obfuscation | 12 | | Component Object Model Hijacking | [Exploitation of Vulnerability](Techniques/Privilege_escalation/Exploitation_of_vulnerability.md) | DLL Search Order Hijacking | [Network Sniffing](Techniques/Credential_access/Network_sniffing.md) | Process Discovery | [Remote Services](Techniques/Lateral_movement/Remote_services.md) | Process Hollowing | [Email Collection](Techniques/Collection/Email_collection.md) | Exfiltration Over Physical Medium | Fallback Channels | 13 | | DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | [Private Keys](Techniques/Credential_access/Private_keys.md) | [Query Registry](Techniques/Discovery/Query_registry.md) | [Replication Through Removable Media](Techniques/Lateral_movement/Replication_through_removable_media.md) | Regsvcs/Regasm | [Input Capture](Techniques/Collection/Input_capture.md) | Scheduled Transfer | Multi-Stage Channels | 14 | | External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Techniques/Discovery/Remote_system_discovery.md) | Shared Webroot | Regsvr32 | Screen Capture | | Multiband Communication | 15 | | File System Permissions Weakness | New Service | Disabling Security Tools | | Security Software Discovery | [Taint Shared Content](Techniques/Lateral_movement/Taint_shared_content.md) | Rundll32 | Video Capture | | Multilayer Encryption | 16 | | Hidden Files and 
Directories | Path Interception | [Exploitation of Vulnerability](Techniques/Privilege_escalation/Exploitation_of_vulnerability.md) | | System Information Discovery | Third-party Software | Scheduled Task | | | [Remote File Copy](Techniques/Command_and_control/Remote_file_copy.md) | 17 | | Hypervisor | Scheduled Task | File Deletion | | [System Network Configuration Discovery](Techniques/Discovery/System_network_configuration_discovery.md) | Windows Admin Shares | Scripting | | | Standard Application Layer Protocol | 18 | | Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | [System Network Connections Discovery](Techniques/Discovery/System_network_connections_discovery.md) | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol | 19 | | Logon Scripts | Valid Accounts | Hidden Files and Directories | | System Owner/User Discovery | | Third-party Software | | | Standard Non-Application Layer Protocol | 20 | | Modify Existing Service | Web Shell | Indicator Blocking | | System Service Discovery | | Trusted Developer Utilities | | | Uncommonly Used Port | 21 | | New Service | | Indicator Removal on Host | | System Time Discovery | | Windows Remote Management | | | Web Service | 22 | | Netsh Helper DLL | | Indicator Removal from Tools | | | | Windows Management Instrumentation | | | | 23 | | Office Application Startup | | Install Root Certificate | | | | | | | | 24 | | Path Interception | | InstallUtil | | | | | | | | 25 | | Redundant Access | | Masquerading | | | | | | | | 26 | | Registry Run Keys / Start Folder | | Modify Registry | | | | | | | | 27 | | Scheduled Task | | NTFS Extended Attributes | | | | | | | | 28 | | Security Support Provider | | Network Share Connection Removal | | | | | | | | 29 | | Service Registry Permissions Weakness | | Obfuscated Files or Information | | | | | | | | 30 | | Shortcut Modification | | Process Hollowing | | | | | | | | 31 | | System Firmware | | Redundant 
Access | | | | | | | | 32 | | Valid Accounts | | Regsvcs/Regasm | | | | | | | | 33 | | Web Shell | | Regsvr32 | | | | | | | | 34 | | Windows Management Instrumentation Event Subscription | | Rootkit | | | | | | | | 35 | | Winlogon Helper DLL | | Rundll32 | | | | | | | | 36 | | | | Scripting | | | | | | | | 37 | | | | Software Packing | | | | | | | | 38 | | | | Timestomp | | | | | | | | 39 | | | | Trusted Developer Utilities | | | | | | | | 40 | | | | Valid Accounts | | | | | | | | 41 | 42 | --------------------------------------------------------------------------------