MITRE ATT&CK technique T1046
Tactic: Discovery
Platform: Windows, Linux, Mac
- Set up fake network services
- Create breadcrumbs or honeytokens to lure the attackers toward the fake network services (i.e. honeypots)
- Fake entries in ARP cache, hosts file, etc.
- Documents/files with deceptive contents
- Glutton - All-eating honeypot
- Dionaea - A low-interaction honeypot to trap malware exploiting vulnerabilities exposed by services offered to a network. Dionaea emulates several protocols such as SMB, SIP, FTP, TFTP, MSSQL, MySQL, and HTTP, and uses libemu to detect shellcode.
- Conpot - ICS/SCADA honeypot
- Snare & Tanner - Successors to the Glastopf web application honeypot.
- Cowrie - A medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker.
- Amun - A low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
- honeybits - A tool designed to enhance the effectiveness of honeypots by spreading breadcrumbs & honeytokens across the system. Currently supports creating honeyfiles and several breadcrumbs including fake bash_history entries.
- MazeRunner community edition