Mattysploit

@mattysploit@infosec.exchange
8 Followers
174 Following
24 Posts

Cyber guy. Used to be a lurker but I guess now I can be the occasional poster.

https://mattysplo.it

Site: https://mattysplo.it
Pronouns: He/Him
#Infosec #CyberSecurity
Then (believe it or not) used ChatGPT to mass produce 100 different unique "cyber event" scenarios and labelled them appropriately. And - it actually, kind of works pretty well? Labelling by first - then last "Observed Tactic" more accurately captures what an analyst saw and better communicates it.

#Infosec #CyberSecurity

And of course I ended up making my own - originally thinking I'd have to make stuff up, eventually I realized ATT&CK just kind of works for a taxonomy in itself if done cleanly enough. Sort of like biology, just 'Kingdom-Order-Phylum' what you see and it makes a bit more sense than what I tested.

#Infosec #CyberSecurity

To prove that point, I cross-walked a bunch of ATT&CK techniques against three big frameworks to show how they fail. Categories overlap, or don't apply to observed behavior. Not super scientific, but it demonstrates how those events can cluster and the analyst has to just pick a label.

Each fake app in the dashboard points to a static HTML trap hosted on Azure Static Web Apps or Cloudflare Pages. Want a fake SharePoint? Clone the UI in 15 mins, add some fake docs. Fake VPN? No need to hang some open SSH bait out on the open, you just put the whole thing behind a tile.

No more junk telemetry from mass scans. Instead, you get signal-rich interactions from actors who made it through your fake login, picked a fake app, and thought they’d reached the crown jewels. All of this lives outside your real infra and adds that layer of initial access telemetry. Super handy.
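
Added example, not code from the original posts: a small Python triage over constructed request logs from a decoy SSO dashboard, ranking each source IP by how far it got along the fake-login, dashboard, tile, decoy-document path so the signal-rich sessions stand out from scan noise. The log format, the /tile/ and /sharepoint/ path names and the sample IPs are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample requests to the decoy dashboard: "ip method path status".
SAMPLE_LOG = """\
203.0.113.7 POST /login 302
203.0.113.7 GET /dashboard 200
203.0.113.7 GET /tile/sharepoint 200
203.0.113.7 GET /sharepoint/Shared%20Documents/Q3-payroll.xlsx 200
198.51.100.9 GET /.env 404
198.51.100.9 GET /wp-login.php 404
192.0.2.44 POST /login 401
192.0.2.44 POST /login 401
192.0.2.44 POST /login 302
192.0.2.44 GET /dashboard 200
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
# Stages of the decoy path, in the order an actor would reach them (assumed layout).
STAGES = ("fake_login_ok", "dashboard", "tile_click", "decoy_opened")

def classify_request(method, path, status):
    """Map one request to a decoy-path stage, or None for noise."""
    if method == "POST" and path == "/login" and status == 302:
        return "fake_login_ok"          # accepted one of the planted fake identities
    if path == "/dashboard":
        return "dashboard"
    if path.startswith("/tile/"):
        return "tile_click"             # picked a fake app from the dashboard
    if path.startswith("/sharepoint/"):
        return "decoy_opened"           # fetched a decoy doc behind the tile
    return None

def triage(log_text):
    """Per source IP: furthest stage reached ("noise" if none), failed logins, request count."""
    sessions = defaultdict(lambda: {"stage": "noise", "failed_logins": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed lines rather than crash
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        s = sessions[ip]
        s["requests"] += 1
        if method == "POST" and path == "/login" and status == 401:
            s["failed_logins"] += 1     # spray / stuffing attempts against the fake login
        stage = classify_request(method, path, status)
        if stage and (s["stage"] == "noise" or STAGES.index(stage) > STAGES.index(s["stage"])):
            s["stage"] = stage
    return dict(sessions)
```

Anything at tile_click or beyond is the hand-triaged queue; the rest is the mass-scan noise the posts describe.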

If I threw up a free Cloudflare page with some CanaryTokens on it, nobody would take it seriously out on the internet. But behind a tile? Clearly it must be pRoDuCtIoN /s. I'm curious if an attacker even checks the URL bar after popping through a dashboard like this.

This lets you simulate real identity flows—credential stuffing, MFA fatigue, password sprays—without touching production. You can even add basic login automation for realism, like scheduled logins or profile updates.

An IdP allows you to impersonate your real login screen and then the user dashboard enables some pretty sweet modular design. As big/expensive or small/cheap as you like. Mix in throwaway "real" services with static HTML clones. Deploy a T-Pot and call it your VPN. The attacker just sees tiles.

Since Okta doesn't require domain verification, the big advantage here is... just make up some fake employees... and build an SSO dashboard full of fake internal apps. To an attacker, there's functionally no way to tell the difference between the two, and once inside it looks totally legit by design.
But frankly, why stop there? With the C2 on the farm's ISP connection and as lightweight as an ARP rebroadcast is - you could feasibly just have a bunch of these all meshed together. I'm betting this is what is happening. It scales. It's cheap. There's redundancy.
Where Sygnia doesn't speculate, but I'm happy to shout at clouds about, is how this might work more commonly. Putting it all together, a RasPi HID and Controller C2 via ARP is, dare I say, clever? Rebroadcast over ARP would allow command injection and C2 completely outside detection, all local LAN.
The C2 also contains references to Zoom meetings and Remote Control. I've seen this myself, where a foreign remote worker simply takes screen control within a Zoom meeting and works all day through screen share. It works... low detection... This code here is Linux stuff though, which isn't common.