A honeypot is a network-attached system that lures attackers so their intrusion attempts can be studied.[^1] Honeypots can warn defenders in real time and support proactive network management.[^1] A decoy proof-of-concept exploit applies the same idea to the attackers themselves: if the fake PoC takes a listener address (LHOST) for its reverse shell to connect back to, and reports that value instead of exploiting anything, every run adds to a list of attacker listener and C2 addresses that may not otherwise be known.[^1] Logging the WAN IP address of every request alongside the supplied LHOST gives both the attacker's egress address and the infrastructure they intend to receive the shell.[^1] The same lure works in mailboxes: seeding honeypot email accounts with plausible contacts, documents, and mail content can cause an adversary to reveal their tooling, exfiltration paths, or C2 endpoints.[^2]
[[Unit 29155]] – because this group picks up CVE exploits from public GitHub repositories, planting fake exploits there could expose information about the people who try to run them
[[PoC Honeypot]]
Backlinks
[[Cyber Threat Hunting]]
IP Addresses
Sources
[1] C. Brazzell, “Hoeysploit: Exploiting the Exploiters.” [Online]. Available: https://curtbraz.medium.com/exploiting-the-exploiters-46fd0d620fd8
[2] “Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets.” [Online]. Available: https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/