The SSH Key Breadcrumb Trap 🦩
Most honeypots have one fatal flaw: they're too clean.
Empty bash history. Pristine directories. No evidence of actual use. Attackers notice. So I plant breadcrumbs.
Realistic bash history. A private SSH key in .ssh/. History showing SSH connections to "other servers" using that key.
Those "other servers"? Also honeypots!
When bots hit my honeypots, they brute force and move on. Boring.
But when a HUMAN does post-compromise recon, finds that key, and tries to pivot to those other servers? Critical Wazuh alert, because only humans do this!!
Bots don't read history files. They don't hunt for lateral movement opportunities. They don't use found SSH keys.
Standard attacker tradecraft requires checking for keys and using them. If they skip it, they might miss real opportunities. If they follow it, I know I'm dealing with an actual human threat actor.
It's a catch-22. And it works beautifully. (And "@sashatheflamingo Approved")
Full writeup coming to sashatheflamingo.xyz soon!!
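The alert the post describes fires on the destination honeypot when someone logs in with the planted key. As an added example (not the author's code or Wazuh rule), here is the matching logic in Python: it scans sshd auth-log lines for successful public-key logins and raises a critical alert only when the key fingerprint belongs to a planted bait key. The fingerprints, hostnames, addresses and log lines are constructed placeholders; a real deployment would take the fingerprint from `ssh-keygen -lf` on the planted key.

```python
import re
from dataclasses import dataclass

# Fingerprints of the planted (bait) SSH keys, mapped to where each one was left.
# Placeholder values constructed for this example, not real fingerprints.
PLANTED_KEY_FINGERPRINTS = {
    "SHA256:PLANTEDKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA":
        "honeypot-a:/home/deploy/.ssh/id_ed25519",
}

# sshd logs a successful key login as:
#   Accepted publickey for <user> from <src> port <port> ssh2: <keytype> SHA256:<fp>
SSHD_ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)


@dataclass
class CanaryAlert:
    level: str
    user: str
    src: str
    fingerprint: str
    bait_origin: str  # which honeypot the key was planted on


def detect_canary_key_use(log_lines, planted=PLANTED_KEY_FINGERPRINTS):
    """Return a critical alert for every login that used a planted bait key."""
    alerts = []
    for line in log_lines:
        m = SSHD_ACCEPTED.search(line)
        if not m:
            continue  # brute-force noise and failed logins are not the signal here
        fp = m.group("fp")
        if fp in planted:
            alerts.append(CanaryAlert("critical", m.group("user"), m.group("src"),
                                      fp, planted[fp]))
    return alerts


# Constructed sample auth log from the "other server" honeypot: a bot's failed
# password guess, a human pivoting with the bait key, and an operator's own key.
SAMPLE_AUTH_LOG = [
    "Jan 14 03:12:55 honeypot-b sshd[2311]: Failed password for root from 198.51.100.23 port 40112 ssh2",
    "Jan 14 03:14:02 honeypot-b sshd[2318]: Accepted publickey for deploy from 203.0.113.7 port 51234 "
    "ssh2: ED25519 SHA256:PLANTEDKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "Jan 14 03:15:10 honeypot-b sshd[2320]: Accepted publickey for ops from 192.0.2.9 port 50001 "
    "ssh2: ED25519 SHA256:OPERATORKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
]

if __name__ == "__main__":
    for a in detect_canary_key_use(SAMPLE_AUTH_LOG):
        print(f"[{a.level.upper()}] bait key from {a.bait_origin} used by {a.user}@{a.src}")
```

Only the pivot with the bait key produces an alert; the bot's failed login and the operator's legitimate key login are ignored.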
@rnbwkat @sashatheflamingo sounds rad, super interested in the write-up!