MITRE ATT&CK technique T1005
Tactic: Collection
Platform: Windows, Linux, Mac
Deception techniques:
- Create fake directories and files (i.e. honeyfiles) and monitor access to them using go-audit, auditd, a File Integrity Monitoring (FIM) tool, or the operating system's native file/folder auditing.
- Create decoy files or documents (beacons) that phone home when opened.
- Create files containing deceptive content and breadcrumbs to lure the attacker toward your honeypots.
- Example honeyfile targets: configuration, backup and connection files such as RDP, VPN, and AWS credentials files.
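The first technique above relies on turning file-access audit records into alerts. The following is an added example (not code from this page or from any of the tools it lists) showing how that detection logic can be run over auditd output: records belonging to one event are grouped by their serial number, events tagged with the watch rule's key are selected, and the accessed path, accessing binary and login uid are extracted. The audit log lines are constructed for the example, and the rule key name "honeyfile" and the honeyfile paths are assumptions.

```python
import re
import json
from collections import defaultdict

# Constructed sample of auditd records (not captured from a real host), as a
# watch rule of this shape would produce (key name "honeyfile" is an assumption):
#   auditctl -w /home/alice/.aws/credentials -p rwa -k honeyfile
# All records of one event share the serial after the timestamp, e.g. ":4567".
# Event 4568 is a normal, unkeyed file access and must not raise an alert;
# event 4570 is a denied attempt (success=no), which is still worth alerting on.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2200 pid=2311 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="honeyfile"
type=CWD msg=audit(1700000000.101:4567): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:4567): item=0 name="/home/alice/.aws/credentials" inode=131 dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:4568): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=2200 pid=2312 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1700000000.250:4568): item=0 name="/etc/passwd" inode=22 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000003.900:4570): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3100 pid=3145 auid=1000 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm8.2" key="honeyfile"
type=PATH msg=audit(1700000003.900:4570): item=0 name="/home/alice/backup/db_backup.sql" inode=140 dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
"""

# msg=audit(<epoch seconds>.<ms>:<serial>):  -- the serial ties records together
_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
# key=value pairs; values are either double-quoted strings or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers for the calls a file watch most often records
SYSCALL_NAMES = {2: "open", 257: "openat"}


def parse_record(line):
    """Split one audit record into a dict of fields; None if not an audit record."""
    m = _MSG.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_event"] = m.group(2)
    return fields


def group_events(lines):
    """Group records by event serial, preserving the order events were first seen."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["_event"]].append(rec)
    return events


def honeyfile_alerts(log_text, key="honeyfile"):
    """Return one alert per audit event whose SYSCALL record carries the watch key."""
    alerts = []
    for event_id, records in group_events(log_text.splitlines()).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue  # not an access to a watched honeyfile
        paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
        nr = int(syscall.get("syscall", -1))
        alerts.append({
            "event": event_id,
            "time": syscall["_ts"],
            "paths": paths,
            "syscall": SYSCALL_NAMES.get(nr, str(nr)),
            "succeeded": syscall.get("success") == "yes",
            "auid": syscall.get("auid"),   # login uid: survives su/sudo, names the human
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
        })
    return alerts


if __name__ == "__main__":
    for alert in honeyfile_alerts(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

Two details matter when this is run against real audit logs: auditd hex-encodes (and leaves unquoted) any string containing spaces, quotes or non-printable characters, which this parser does not decode (ausearch -i does), and the login uid (auid) rather than uid identifies the original session even after a privilege change, so it belongs in the alert.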
Tools:
- honeybits - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs and honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs, including fake bash_history entries.
- go-audit - An alternative to the auditd daemon, with JSON output.
- honeyλ - Serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically.
- canarytokens
References:
- Catching attackers with go-audit and a logging pipeline
- Using Windows File Auditing to Detect Honeyfile Access
- Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles
- Canary Files: generating fake files to detect critical data loss from complex computer networks
- Design requirements for generating deceptive content to protect document repositories