This section provides information on deployable Low-Interactive-Active-Defense-Services (LIADS) Services with configurable options and logging:

SSH

Emulates SSH (Secure-Shell) running service on the server. By default, the service is configured to run on 'TCP/22', any connection attempts made with the service are logged and eventually alerted.

• Log data captured include "Source-IP, Destination-IP, Remote-SSH-Version, Username/Password used during login attempt".

• SSH service options "Port, Version/Banner" can be configured and adjusted as per the deployed environment, allowing to make changes to how the SSH service is visible on the network.

Telnet

Emulates Telnet service running on the server. By default, the service is configured to run on 'TCP/23', any connection attempts made with the service are logged and alerted.

• Log data captured include "Source-IP, Destination-IP, Username/Password used during login attempt".

• Telnet service options "Port, Version/Banner" can be configured and adjusted as per the deployed environment, allowing to make changes to how the Telnet service is visible on the network.

FTP (File Transfer Protocol)

Emulates File Transfer Protocol (FTP) service running on the server. By default, the service is configured to run on 'TCP/21', any connection attempts made with the service are logged and alerted.

• Log data captured include "Source-IP, Destination-IP, Username/Password used during login attempt".

• FTP service options "Port, Display Banner" can be configured and adjusted as per the deployed environment, allowing to make changes to how the FTP service is visible on the network.

SMB (Server Message Block)

Emulates SMB service (with network-share enabled) running on the server. By default, the service is configured to run on 'TCP/445' network-share is enabled with default configuration, and any access attempts made on files served via configured network share are logged and alerted.

• Log data captured include "Source-IP, Destination-IP, User (who accessed the share), Hostname, Filename Accessed, Network-Share Name, SMB-Version, Activity", SOC team can use this information during their analysis.

• Service options that can be configured and adjusted:

  • SMB Share-Name, Workgroup, Netbios Name, Server-Version

Manual Configuration

Depending on the environment, this service would require additional manual configuration that includes:

• Before deploying the SMB service, create fake files and folders with juicy names, and place them on the sensor inside the "/opt/ADS/etc/config/smb/files/" directory.

• Deceptive/Fake files placed inside "/opt/ADS/etc/config/smb/files/" will be served via configured SMB network share.

Note: A default set of fake files and folders will be used if not provided.

RDP (Remote Desktop Protocol)

Emulates Remote-Desktop-Protocol (RDP) service running on the server. By default, the service is configured to run on 'TCP/3389', any connection attempts made with the service are logged and alerted.

• Depending on how the user has interacted with the service, log data may include "Domain, Username, Password used during login attempt" along with "Source-IP, Destination-IP", SOC team can use this information for further analysis and take appropriate action.

• RDP service does not require additional configuration, service port can be reconfigured as needed.

Elastic-Search

Emulates an instance of Elastic-Search Node running on the server. Service is configured to run on 'TCP/9200' with default configuration, any connection attempts made with the service are logged and alerted. Captured log data includes "Source-IP, Destination-IP, URI, User-Agent, Request Type".

• Elastic-Search node options "Port, Instance Name" and instance responses can be configured and adjusted as needed.

GIT Protocol

Emulates GIT protocol service running on the server. Service is configured to run on 'TCP/9418' with default configuration, any interaction made with the GIT service is logged and alerted.

• Captured log data includes "Source-IP, Destination-IP, Git-Host, Repository attempted to clone". Though the service does not require additional configuration, the service port can be reconfigured as needed.

VNC

Emulates a VNC service running on the server. By default, the service is configured to run on 'TCP/5900', any connection attempts made to the service are logged and alerted.

• Log data includes "Source-IP, Destination-IP, Password used during a login attempt, Client-Response, Server-Response". This service does not require additional configuration, the service port can be reconfigured as needed.

SIP

Emulates a non-interactive Session-Initiation-Protocol (SIP) running on the server that does not respond to any requests made to the service but captures the received request information and alerts accordingly. By default, this service is configured to run on 'UDP/5060'.

• Log data includes "Source-IP, Destination-IP, SIP Headers (call-id, contact, from, to, user-agent)". This service does not require additional configuration, the service port can be reconfigured as needed.

SNMP

Emulates a non-interactive Simple Network Management Protocol (SNMP) protocol running on the server that does not respond to any requests made to the service but captures the received request information and alerts accordingly. By default, the service is configured to run on 'UDP/161'.

• Log data includes "Source-IP, Destination-IP, Request Object ID (to uniquely identify managed devices), Community-String (something like User-ID) attempted to enumerate)". This service does not require additional configuration, the service port can be reconfigured as needed.

TFTP

Emulates a non-interactive Trivial File Transfer Protocol (TFTP) protocol running on the server that does not respond to any requests made to the service but captures the received request information and alerts accordingly. By default, the service is configured to run on 'UDP/69'.

• Log data includes "Source-IP, Destination-IP, Transfer Mode, Operation Code (that Specifies the message type), Filename attempted to enumerate)". This service does not require additional configuration, the service port can be reconfigured as needed.