MITRE ATT&CK technique T1025
Tactic: Collection
Platform: Windows, Linux, Mac
- Create decoy files or documents (beacons) that phone home when opened.
- Create emulated or virtual USB devices and monitor access to them (e.g. using Windows Removable Storage Auditing).
- Create files containing deceptive content and breadcrumbs to lure the attacker toward your honeypots.
- Ghost USB Honeypot - Emulates a USB storage device to detect malware that uses such devices for propagation. Ghost supports Windows XP 32-bit and Windows 7 32-bit.
- honeyλ - A serverless application designed to create and monitor URL honeytokens (i.e. fake HTTP endpoints) automatically.
- canarytokens