2025-03-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces what a simple PC honeypot does and how to build one. Many people run into this problem in practice, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!
What the honeypot needs to do
Usually the attacker's phishing sample is simply dropped onto the honeypot and run directly (taking the bait on purpose), so a PC honeypot has to:
1. Record the attacker's actions, for example whether they upload scanners or exploitation tools, in order to profile the attacker.
2. Capture the attacker's basic infrastructure, such as domain names and C2 (remote control) IPs, then use the capabilities you already have (traffic logs, EDR, DNS logs) to check whether other hosts have been compromised.
3. Lure the attacker into downloading and running backdoored programs, which is the most direct form of counter-phishing.
4. Lure the attacker into attacking the server honeypots.
5. Be secure enough itself that it does not become the attacker's breakthrough point.
Initial assumptions
Generally speaking, what does a red team do once phishing succeeds and they have a foothold on an office-network PC?
1. Post-exploitation information gathering, collecting sensitive data from the PC such as:
IT asset information
Address book (mailboxes)
Credentials (source code, browser, WiFi, and applications such as Navicat, SSH, RDP)
Command history
Routing information, network topology diagrams, domain information
2. Using the PC as a pivot for lateral movement:
Intranet proxying, port forwarding
Maintaining access, implanting backdoors
Domain compromise, privilege escalation, and so on
Since the goal is to counterattack, we give the attacker what they are looking for and prepare forged material.
Take a developer's workstation as an example:
Browsing history: forge a browsing record.
Chat tools: WeChat, QQ; buy a throwaway test account.
Ops tools: Navicat, Xshell, with some fake saved connections in them.
Office software: cloud drive, Office, PDF reader, Google Chrome, IDEA.
Of course, you can also place backdoored installers (VPN clients and other packages) as bait to trick the attacker into running them, which makes the counterattack easier.
For example, a backdoored executable or installer (a VPN client can come with installation instructions to make it look more real):
VPN client .msi: the backdoor itself is made AV-evasive, injected into the legitimate client via DLL injection with an injection tool, then packaged into setup.exe with NSIS.
Batch ops tool .exe: a malicious program packaged in.
0day vulnerability checker .exe: same as above.
Password manager .exe, or wrapped into an .msi with MSI Wrapper.
Bastion host installer .msi: same as above.
Or go a bit further:
"Evidence of manager X's embezzlement.zip" (containing "financial flow records.xlsx" followed by a long run of spaces and then ".exe", so the real extension is pushed out of view in the archive listing).
"IT ops spreadsheet.rar": same as above.
"HW training.rar": if you have an Office 0day/1day, this is where to use it.
The source code of some internal system with a backdoor planted in it; if the attacker pulls it down and runs or debugs it locally, there is a chance to implant.
Also plant some fake SSH, RDP, FTP and web account credentials to mislead the attacker; these can be linked with the web honeypots.
Besides all this, we also need to know what the attacker actually does once they have control of the host.
For basic behaviour monitoring we use the open-source HIDS Wazuh together with Sysmon.
Building it
Prepare:
A C2 server (domain fronting + nginx + Cobalt Strike + a bot that sends a notification when a beacon checks in)
An Ubuntu virtual machine, mainly running Wazuh, to monitor the behaviour of the Windows VM.
A Windows virtual machine used as the honeypot, with Sysmon and the Wazuh agent installed.
Packages to install:
Sysmon (with a configuration that logs at least process creation, Event ID 1, and network connections, Event ID 3)
Wazuh agent
Wazuh server
The detailed installation steps are not written out here. A few points to watch for from the actual deployment:
1. Have the virtual machine show the physical host's hardware information
So that the attacker does not notice it is a VM, the host information is adjusted with a simple change:
Add the line SMBIOS.reflectHost = "TRUE" to the *.vmx file so that the guest's SMBIOS reports the physical host's information.
2. Change the VM's network segment, for example to 10.x.x.x, and turn off sharing services (shared folders and the like).
3. If the Sysmon install fails with "error getting the evt dll (wevtapi.dll)", check whether the system is missing Windows updates.
4. When deploying Wazuh with Docker, change the default password before deployment to avoid the hassle of changing the Kibana password afterwards.
5. For the Wazuh + Sysmon linkage see https://www.jianshu.com/p/9e07f638dbd9, but note that the rule matching differs slightly between Wazuh versions. The custom rules used here (in /var/ossec/etc/rules/local_rules.xml) match any image on Sysmon Event 1 and Event 3; the rule ids and levels below are placeholders chosen for this write-up, and custom rule ids must be 100000 or above:
<group name="sysmon,">
  <!-- id and level are placeholders; custom rule ids must be 100000 or above -->
  <rule id="100100" level="3">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">\.+</field>
    <description>Sysmon - Event 1: Process creation $(win.eventdata.image)</description>
  </rule>
  <rule id="100101" level="3">
    <if_group>sysmon_event3</if_group>
    <field name="win.eventdata.image">\.+</field>
    <description>Sysmon - Event 3: Network connection $(win.eventdata.image)</description>
  </rule>
</group>
6. If ufw is enabled on the Ubuntu server to restrict port access, ufw's default configuration has to be modified: Docker programs iptables directly, so ports published by containers bypass ufw's rules.
7. Don't connect the honeypot to the company network; then even if the attacker escapes the VM it doesn't matter.
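Once the Wazuh + Sysmon rules above are firing, the alerts still have to be turned into the attacker profile and infrastructure list that points 1 and 2 of the honeypot's role ask for. The following Python is an added example (not the article's or Wazuh's code) that reads alert lines shaped like Wazuh's JSON alerts for Sysmon Event 1 and Event 3 (data.win.system.eventID, data.win.eventdata.image, commandLine, destinationIp, destinationPort; Wazuh camel-cases the Sysmon field names) and separates: the bait being executed, tools dropped into user-writable paths, lateral-movement targets on the internal ranges, and external C2 candidates. The sample alerts, paths, addresses and the known-tool list are constructed for the example.

```python
"""Profile an attacker from Wazuh alerts for Sysmon events 1 and 3 (added example, not the article's code)."""
import ipaddress
import json

# Constructed sample alerts shaped like Wazuh JSON alerts for Windows event channel
# data. Host names, paths and addresses are made up; BAIT_IMAGE uses the padded
# double-extension name from the bait section.
BAIT_IMAGE = "C:\\Users\\hr\\Downloads\\financial flow records.xlsx" + " " * 40 + ".exe"
SAMPLE_ALERTS = [
    {"timestamp": "2025-03-01T10:00:01+0800", "agent": {"name": "HR-PC-02"},
     "data": {"win": {"system": {"eventID": "1"}, "eventdata": {
         "image": BAIT_IMAGE, "commandLine": f'"{BAIT_IMAGE}"',
         "parentImage": "C:\\Windows\\explorer.exe"}}}},
    {"timestamp": "2025-03-01T10:00:03+0800", "agent": {"name": "HR-PC-02"},
     "data": {"win": {"system": {"eventID": "3"}, "eventdata": {
         "image": BAIT_IMAGE, "destinationIp": "203.0.113.5", "destinationPort": "443"}}}},
    {"timestamp": "2025-03-01T10:04:10+0800", "agent": {"name": "HR-PC-02"},
     "data": {"win": {"system": {"eventID": "1"}, "eventdata": {
         "image": "C:\\Users\\hr\\Downloads\\fscan.exe", "commandLine": "fscan.exe -h 10.10.0.0/24",
         "parentImage": "C:\\Windows\\System32\\cmd.exe"}}}},
    {"timestamp": "2025-03-01T10:04:11+0800", "agent": {"name": "HR-PC-02"},
     "data": {"win": {"system": {"eventID": "3"}, "eventdata": {
         "image": "C:\\Users\\hr\\Downloads\\fscan.exe", "destinationIp": "10.10.0.5", "destinationPort": "445"}}}},
    {"timestamp": "2025-03-01T10:05:00+0800", "agent": {"name": "HR-PC-02"},
     "data": {"win": {"system": {"eventID": "1"}, "eventdata": {
         "image": "C:\\Windows\\System32\\svchost.exe", "commandLine": "svchost.exe -k netsvcs",
         "parentImage": "C:\\Windows\\System32\\services.exe"}}}},
    {"timestamp": "2025-03-01T10:05:02+0800", "agent": {"name": "HR-PC-02"},
     "data": {"win": {"system": {"eventID": "3"}, "eventdata": {
         "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "destinationIp": "198.51.100.20", "destinationPort": "443"}}}},
]
SAMPLE_LINES = [json.dumps(a) for a in SAMPLE_ALERTS]  # one alert per line, as in alerts.json

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Heuristic name list for this example; extend it from what the honeypot actually sees.
KNOWN_TOOLS = ("fscan", "nmap", "mimikatz", "chisel", "psexec")
# Explicit ranges rather than ipaddress.is_private, which also treats the
# documentation ranges used in the sample data as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def from_user_writable(image: str) -> bool:
    return any(part in image.lower() for part in USER_WRITABLE)


def is_bait_name(image: str) -> bool:
    """Padded double-extension decoy: a run of spaces right before '.exe'."""
    name = basename(image)
    return name.lower().endswith(".exe") and name[:-4] != name[:-4].rstrip()


def profile_attacker(lines) -> dict:
    """Sort alert lines into bait hits, dropped tools, lateral targets and C2 candidates."""
    prof = {"bait_executed": [], "tools": [], "lateral_targets": set(), "c2_candidates": set(), "noise": 0}
    for line in lines:
        alert = json.loads(line)
        win = alert["data"]["win"]
        event_id = win["system"]["eventID"]
        ev = win["eventdata"]
        image = ev.get("image", "")
        # Anything run from a user-writable path, or with a known tool name, counts as attacker-dropped.
        dropped = from_user_writable(image) or any(t in basename(image).lower() for t in KNOWN_TOOLS)
        if event_id == "1":
            if is_bait_name(image):
                prof["bait_executed"].append({"time": alert["timestamp"], "image": image})
            elif dropped:
                prof["tools"].append({"time": alert["timestamp"], "image": image,
                                      "commandLine": ev.get("commandLine", "")})
            else:
                prof["noise"] += 1
        elif event_id == "3":
            dst_ip = ev.get("destinationIp", "")
            dst = f'{dst_ip}:{ev.get("destinationPort", "")}'
            if not dropped:
                prof["noise"] += 1  # OS/browser traffic; baseline it rather than alert on it
            elif is_internal(dst_ip):
                prof["lateral_targets"].add(dst)  # the honeypot is isolated, so this is scanning/pivoting
            else:
                prof["c2_candidates"].add(dst)
    prof["lateral_targets"] = sorted(prof["lateral_targets"])
    prof["c2_candidates"] = sorted(prof["c2_candidates"])
    return prof


def c2_ips(profile: dict) -> list[str]:
    """Bare IPs to sweep the rest of the estate for (firewall, proxy and DNS logs)."""
    return sorted({d.rsplit(":", 1)[0] for d in profile["c2_candidates"]})


if __name__ == "__main__":
    result = profile_attacker(SAMPLE_LINES)
    print(json.dumps(result, indent=1))
    print("sweep other hosts for:", c2_ips(result))
```

In deployment the lines come from /var/ossec/logs/alerts/alerts.json on the Wazuh server (or from the bot that already posts Cobalt Strike check-ins), and the c2_ips output is what goes into the estate-wide search for other compromised hosts.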
Screenshots
Screenshot of the honeypot setup: (image not included)
Screenshot of the HIDS alert message: (image not included)
Screenshot of the Cobalt Strike beacon checking in after the attacker takes the bait: (image not included)
That is the end of "what a simple PC honeypot does". Thank you for reading; follow the site for more practical articles from the editor.
© 2024 shulou.com SLNews company. All rights reserved.