File Decoys for Endpoints

CyberKid

In a typical scenario, threat actors try to gather as much information as possible about their targets after a successful intrusion: sensitive documents, credit card numbers, SSN details, passwords stored in unprotected text files, and so on.

Such attempts can be detected by deploying file decoys (baits) on endpoints or in email. If an attacker opens a decoy, an alert is triggered and logged in a centralized system.

In this document we will get our hands dirty creating decoys with readily available tools (PS: no macros). It covers the following:

  1. How the decoys work
  2. Creating image beacons for decoys using Python
  3. Creating file decoys and setting up unique identifiers
  4. Monitoring malicious attempts

Prerequisites: Python 2.x, Apache web server, MS Office suite

Let’s get started!

1. File Decoys – Understanding the Background

To understand how file decoys work, we first need to understand how HTTP works.

Below is a basic HTTP request and response model:

[Figure 1: basic HTTP request and response model]

Below is the workflow describing how the decoys work.

[Figure 2: decoy workflow]

In the HTTP request/response model, a web browser sends a request for certain content. The web server locates the requested content and returns it in the response. The browser then interprets the content and renders it. When the request reaches the web server, a log entry is written (e.g., to access.log) recording the origin address, user agent, timestamp, etc.

The decoy workflow follows the same approach. A Word document is embedded with a linked image that is stored on the web server. Whenever the document is opened, it tries to load the image from the remote location (the web server), which sends an HTTP request to the server. The server looks up the image and returns it to be rendered in the document, and a log entry is written for this request as well. In a real scenario, an adversary will try to get sensitive data from a system. A decoy with a lucrative name such as password-list.docx is placed in the directory. Once the adversary opens the file, a request is fired to the web server and a log entry is generated, showing that someone has infiltrated the system and is trying to steal sensitive information.

2. Creating Image Beacons Using Python

Let's create an image beacon that will be linked into our decoys. The beacon is a fully transparent 1×1 pixel image; because of its tiny size it will not be spotted by the naked eye when a decoy is opened.

We will use Python with the Python Imaging Library (PIL) module to generate the beacon:

from PIL import Image

# A 1x1 RGBA image whose single pixel is fully transparent (alpha = 0)
img = Image.new('RGBA', (1, 1), (0, 0, 0, 0))

# Save as GIF; palette index 0 is flagged as the transparent colour
img.save('beacon.gif', 'GIF', transparency=0)

This creates the image file beacon.gif. Save it in the /var/www/ directory of your Linux web server. Then, on the Linux box, start the Apache service (service apache2 start) and check that the default page appears in the browser (http://localhost/).
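As an added example (not part of the original post), here is how the monitoring side of the workflow can be scripted: a Python script that reads Apache access.log lines, keeps only requests for beacon.gif, and maps an assumed per-decoy token in the query string (?id=...) back to the decoy it was planted in. The DECOYS table and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Apache "combined" log format, the default layout of access.log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Hypothetical mapping from a per-decoy token (assumed to be appended to the
# beacon URL as ?id=... when the image is linked into each document) to the decoy.
DECOYS = {
    "a1f9": "password-list.docx (finance share)",
    "7c2e": "password-list.docx (HR laptop)",
}

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return d

def beacon_alerts(lines, beacon="/beacon.gif"):
    """Return one alert per request that fetched the beacon image; other hits are ignored."""
    alerts = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        path, _, query = d["path"].partition("?")
        if path != beacon:
            continue
        token = dict(p.split("=", 1) for p in query.split("&") if "=" in p).get("id")
        alerts.append({"time": d["time"], "source": d["ip"], "user_agent": d["ua"],
                       "decoy": DECOYS.get(token, "unknown token %r" % token)})
    return alerts

# Constructed sample lines: a normal page hit, a beacon fetch by a known decoy,
# and a beacon fetch carrying a token that matches no deployed decoy.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Mar/2018:14:07:01 +0000] "GET / HTTP/1.1" 200 3455 "-" "Mozilla/5.0"',
    '10.0.0.23 - - [30/Mar/2018:14:09:42 +0000] "GET /beacon.gif?id=a1f9 HTTP/1.1" 200 43 "-" "Microsoft Office Word 2014"',
    '10.0.0.23 - - [30/Mar/2018:14:10:03 +0000] "GET /beacon.gif?id=zzzz HTTP/1.1" 200 43 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for a in beacon_alerts(SAMPLE_LOG):
        print("ALERT %s from %s (%s): %s" % (a["time"], a["source"], a["user_agent"], a["decoy"]))
```

The beacon only fires when the opening application actually fetches the linked image, so a decoy copied off the host and inspected with a tool that does not render remote images leaves no entry; the user agent recorded in the alert tells you which application made the request.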
