Hello and welcome to the Wednesday, January 31st, 2024 edition of the Sandsonant Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Today I was looking at some of the techniques that attackers are using to figure out that they are interacting

with a honeypot. In our DeShield Honeypot, we are using Cowri. Carri emulates Telnet and

ZH server. It does a pretty good job at that, emulating a partially functional shell and

the like. But of course, it's not perfect.

It's not really meant to be perfect.

And at hackers have sort of the little tricks that they're using in order to figure out whether or not the honeypot is real.

One trick in particular they're using is they check for the presence of Procself Exe.

ProxelphXE is essentially the executable that you're currently running.

If you're connected to a server via SSH, you typically get Bash or whatever you're using as a shell that would be

located at this particular file location. Well, in the Honeypot, you only have a partial file

system and this file does not exist, making it pretty easy to then figure out that they're running in a honeypot.

Of course, well, there is sort of that usual wag the mole.

We will in a future release, hopefully coming soon, add this particular file to our honeypot.

So that way attackers will have a little bit more difficult time to figure out if they're in a honeypot, so that way attackers will have a little bit more difficult time to figure out

if they're in a honeypot. There are a couple other tricks I've seen being used which LS,

which is just checking where the LS command is, and then also creating a quick password with

open SSL. The tricky part here is that, of course, the output will be different each time the command is run,

so you can't easily sort of have a static answer here,

like for the other tricks that they're using.

The way I sort of figured out these techniques

is by busy just looking looking what is the last command

...