
File Decoys for Endpoints

In a typical scenario, threat actors who have successfully infiltrated a target try to gather as much information as possible about it, such as sensitive documents containing credit card numbers, SSN details, and passwords stored in unprotected text files.

It is possible to detect such malicious attempts by deploying file decoys (baits) on endpoints or in emails. If an attacker opens such a decoy, an alert is triggered and logged to a centralized system.

In this document, we will be getting our hands dirty creating the decoys using readily available tools at our disposal (PS: no macros). This document will cover the following:

  1. How the decoys work
  2. Creating image beacons for decoys using Python
  3. Creating file decoys and setting up unique identifiers
  4. Monitoring malicious attempts

Prerequisites: Python 2.x, Apache server, MS Office Suite

Let’s get started!

1. File Decoys – Understanding the Background

To understand how file decoys work, we first need to understand how HTTP works.

Below is a basic HTTP request and response model:


Below is the workflow describing how the decoys work.


In the HTTP request/response model, a web browser initiates a request for certain content. The web server locates the requested content and serves it back to the browser as part of the response. The browser then interprets the content and renders it. As soon as the request reaches the web server, a log entry is written (e.g., to access.log) recording the origin, user-agent, timestamp, etc.

The decoy workflow follows the same approach. A Word document is embedded with a linked image which is stored on the web server. Whenever the document is opened, it tries to load the image from the remote location (i.e., the web server), which sends an HTTP request to the server. The server looks up the image and delivers it to be embedded in the document, and a log entry is created for this inbound request as well. In a real scenario, an adversary will try to get sensitive data from a system, so a decoy is placed in the directory with a lucrative name such as password-list.docx. Once the adversary opens the file, a request is fired at the web server, and a log entry is generated showing that someone has infiltrated the system and is trying to steal sensitive information.
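The monitoring side of that workflow is the log entry. The following is an added example (not code from the original post) that reads Apache access.log lines in the default "combined" format and turns every request for the beacon into an alert record carrying the origin, user-agent and timestamp the post mentions. It assumes the beacon is served as /beacon.gif from the web root and that each decoy links it with its own ?id=... tag so the alert can say which decoy was opened; the log lines below are constructed sample data.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access.log format: client, ident, user, [timestamp],
# "request line", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: beacon.gif lives in the web root and each decoy document
# links it as /beacon.gif?id=<decoy name> so hits can be told apart.
BEACON_PATH = "/beacon.gif"

# Constructed sample log lines (not a real capture); the last one is
# deliberately malformed to show that unparsable lines are skipped.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:15:02 +0000] "GET / HTTP/1.1" 200 3380 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
10.0.0.23 - - [12/Mar/2021:10:17:44 +0000] "GET /beacon.gif?id=hr-share HTTP/1.1" 200 43 "-" "Microsoft Office Word 2014"
10.0.0.5 - - [12/Mar/2021:10:18:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
10.0.0.23 - - [12/Mar/2021:10:19:10 +0000] "GET /beacon.gif HTTP/1.1" 304 - "-" "Microsoft Office Word 2014"
this line is not in combined log format
"""


def parse_line(line):
    """Return a dict for one access.log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_beacon_hits(lines, beacon_path=BEACON_PATH):
    """Filter access.log lines down to beacon requests and enrich them into alert records.

    A 304 (Not Modified) counts as a hit too: the client revalidated a cached
    copy, which still means the decoy document was opened again.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path != beacon_path:
            continue
        ids = parse_qs(parts.query).get("id")
        hits.append({
            "ts": rec["ts"].isoformat(),
            "ip": rec["ip"],
            "user_agent": rec["ua"],
            "status": int(rec["status"]),
            "decoy_id": ids[0] if ids else None,
        })
    return hits


def format_alert(hit):
    """Render one hit as a single line suitable for forwarding to a SIEM or mail."""
    return "[DECOY OPENED] %s decoy=%s from=%s ua=%r status=%d" % (
        hit["ts"], hit["decoy_id"] or "unknown", hit["ip"],
        hit["user_agent"], hit["status"])


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("/var/log/apache2/access.log")
    # to run against a real server.
    for hit in find_beacon_hits(SAMPLE_LOG.splitlines()):
        print(format_alert(hit))
```

Because the match is on the path alone, the query string is free to carry the decoy identifier, and one beacon file on the server can serve any number of decoy documents while the alert still names the one that fired.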

2. Creating Image Beacons Using Python

Let's create an image beacon which will be linked in our decoys. The beacon will be a fully transparent 1×1 pixel image. Because of its tiny size, it will not be easily spotted by the naked eye once the decoys are opened.

We will use Python along with the Python Imaging Library (PIL) module to generate the beacon:

from PIL import Image

# A single RGBA pixel with alpha 0, i.e. fully transparent
img = Image.new('RGBA', (1, 1), (0, 0, 0, 0))

# Save as GIF, marking palette index 0 as the transparent colour
img.save('beacon.gif', 'GIF', transparency=0)

This will create an image file beacon.gif. Save this file in the /var/www/ directory of your Linux web server (on Apache 2.4 installs the default document root is /var/www/html/, so check the DocumentRoot in your configuration). Now on the Linux box, start the apache service (service apache2 start) and check that the default page appears in the browser (http://localhost/).



Messages

    Thank you
    thank you