By using real servers as decoys, MazeRunner can be used to create an environment to detonate malware and observe how that malware behaves under realistic conditions. This environment consists of more than one machine; it’s an entire network of deception allowing attackers to do lateral movement in this controlled environment. When built in a convincing way, this environment allows organizations to gather second-stage IoCs or detect malware otherwise not detected by sandboxing solutions.
Real world example – When investigating Patchwork, Cymmetria used this detonation technique to capture the attacker’s second stage malware (persistence) and observe the attackers’ pivoting behavior in the network (lateral movement). We created a realistic environment to hunt the threat actor, built to fit the specific profile of the active target. MazeRunner captured all forensic data associated with the threat and allowed us to see network traffic, operating system changes, and lateral movement the threat actor performed.