Cymmetria MazeRunner COMMUNITY EDITION USER GUIDE

Transcription

1 Cymmetria MazeRunner COMMUNITY EDITION USER GUIDE January 30, 2018

2 Supported environments (all must have nested virtualization enabled follow the links below to learn more) VMware Player (7 or higher) on page 33 VMware Workstation (11 or higher) on page 33 ESXi server (5.1 or higher) on page 15 KVM hypervisor on page 33 OpenStack Not supported: VirtualBox, Microsoft Hyper-V, Xen Requirements Minimum requirements for installation: 500GB minimum storage 4GB of RAM (add 2GB for each additional nested decoy) 2 x 2 GHz (add another CPU core for each additional nested decoy) VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM hypervisor, with nested virtualization enabled Additional requirements Nested virtualization Promiscuous mode For deployment automation: o Read-only domain user for importing endpoints from Active Directory o Local admin user on endpoints OR orchestration tool able to run EXE, MSI or shell scripts Quick start 1. First choose which hypervisor you will use to run your MazeRunner virtual machine. Cymmetria suggests using a VMware Player hypervisor, as this is the most straightforward option and involves the least number of steps (it is also free). Other hypervisors are supported as well. 2. Enable nested virtualization on your hypervisor. Please refer to Installation and setup on page 9 for more information. 3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to MazeRunner network configuration on page Use MazeRunner's Deception story wizard to create a deception campaign. Using MazeRunner on page 36 will walk you through all aspects of product usage. 5. On the Endpoints screen, you can import endpoints to MazeRunner from Active Directory or CIDR blocks, and then deploy breadcrumbs to them. See Importing endpoints on page 49 and Deploying breadcrumbs on page 56 for details on how to do this. 6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the Dashboard and the Investigation screen for alerts on attackers accessing your decoys. 7. If you encounter any difficulties while working through this guide, please refer to FAQ/Troubleshooting on page 128 for help. Cymmetria MazeRunner 2018 Community

3 CONTENTS Introduction What is MazeRunner?... 7 Legal notices... 7 How is the Community Edition different from the Enterprise Edition?... 7 Installation and setup... 9 BIOS setup... 9 DELL PowerEdge server... 9 Mac machine... 9 Lenovo ThinkPad Virtual appliance (VMware Player) Virtual appliance (VMware Workstation) Virtual appliance (VMware ESXi) Enabling nested virtualization using vcenter Enabling nested virtualization using VMware Workstation (version 11 and up) Enabling nested virtualization using SSH Powering on your virtual machine Virtual appliance (KVM) Using MazeRunner First use Creating a deception campaign Creating a deception campaign (using the Deception story wizard) Creating a basic deception campaign manually Importing endpoints Importing endpoints from Active Directory Importing endpoints from CIDR blocks Importing endpoints from a file Post-import Deploying breadcrumbs Deploying breadcrumbs from the Endpoints screen Deploying breadcrumbs from the Campaign screen Periodic breadcrumb deployment & campaign refresh Integrating with a syslog/siem Advanced usage MazeRunner network configuration Cymmetria MazeRunner 2018 Community

4 Static IP VLAN support Non-promiscuous mode SSL certificate Forensic Puller Relay Enterprise Edition only Dashboard in Relay mode Investigation screen in Relay mode Automatic Hackback Enterprise Edition only ActiveSOC Enterprise Edition only ActiveSOC and Responder Monitor activity feed SOC interfaces ActiveSOC Responder Monitor Changing alerting policy Product reference Product interface Settings General and reporting Networking Access control Alerting policy Campaign and deployment Custom services Enterprise Edition only Golden images Enterprise Edition only Active Directory Relay Enterprise Edition only SSL certificate API keys User management Diagnostics Task manager Notification center Stability alert s Cymmetria MazeRunner 2018 Community

5 Deception story wizard User menu Change password System update Send logs to Cymmetria Help features Help icon Deception element descriptions Tooltips Integrations Cuckoo sandbox IBM BigFix SCCM Tanium McAfee epo AWS Syslog ThreatConnect Phantom Chef Endpoints screen Filter & sort options Bulk actions Dashboard Campaign screen Investigation screen Attack story section Investigation table Filter & sort options Bulk actions Types of events Supported operating systems Types of decoys Types of services Types of breadcrumbs Cymmetria MazeRunner 2018 Community

6 FAQ/Troubleshooting Decoys not working Problem resolving endpoint name Nested virtualization support Deploying breadcrumbs automatically to Linux machines ArcSight CEF Service is inactive/unable to deploy breadcrumbs Creating users Users affected during breadcrumb deployment Clearing up hard drive space Running Internet-facing decoys Problems during OVA import MazeRunner storage allocation Creating a web application service Problems deploying an OVA decoy on ESXi Creating a Git service Automatic deployment to endpoints failed Error: Could not resolve hostname Error: Incorrect credentials Error: SMB TCP ports (139, 445) are unreachable Error: Deployment timeout Error: Invalid configuration for deployment Error: Deployment failed Error: No active deployment group found Error: No breadcrumbs supported on the endpoint's operating system were found in the deployment group Cymmetria MazeRunner 2018 Community

7 INTRODUCTION WHAT IS MAZERUNNER? MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will first collect information on their next targets. At that time, they will find breadcrumbs deployed by MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that they have successfully gained access to a target machine. Having gained a false sense of security, attackers reveal their attack tools and methods, which defenders are then able to document and analyze. Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat information that allows for the creation of attack signatures. For a more detailed overview of MazeRunner, please read our product whitepaper, which can be downloaded for free from our website. LEGAL NOTICES Thank you for your interest in the free MazeRunner Community Edition! If you are installing MazeRunner Community Edition for your own private use in a non-commercial and non-production environment, you are not limited in the amount of decoys and endpoints you may deploy. If you are installing MazeRunner Community Edition on behalf of an Organization, you may use the product solely for internal testing and evaluation of the Software and its performance in a nonproduction environment. The software is not limited to any number of decoys and endpoints for the first 30 days, but its use is limited to 1 decoy and 10 endpoints following this 30-day period. Please consult the full text of the license for additional details, as the full terms of the license govern. For more information or to provide feedback, please contact support@cymmetria.com or visit our website. HOW IS THE COMMUNITY EDITION DIFFERENT FROM THE ENTERPRISE EDITION? Cymmetria supports the cybersecurity community it calls home and believes strongly in giving back to that community. This is why we decided to release a free Community Edition of our enterprise software platform. The MazeRunner Community Edition is publicly available for private initiatives and research endeavors at no cost or commitment to purchase. The platform is fully customizable and integrates seamlessly with existing IT and security tools, allowing users to implement deception elements across the network. It is flexible and does not burden existing organizational systems. Cymmetria MazeRunner 2018 Community

8 Community Enterprise Linux decoys Windows decoys User-provided decoy image (golden image) Linux breadcrumbs Windows breadcrumbs Mac OS X breadcrumbs Deception stories using business cases Commercial use First 30 days only* Large-scale deployment support API Remote deployment to endpoints through MazeRunner Deception campaign auto-regeneration Alerting through syslog and STIX/TAXII integration Domain integration Cuckoo sandbox integration Alerting when attacker steals credentials using Responder.py Alerting of attempts to use deceptive credentials obtained using Responder.py Forensic Puller Automatic Hackback ActiveSOC Remote Desktop session video recording Security visualization Attack stories for event investigation and reporting Relay architecture for integrating multiple instances of MazeRunner Custom service support Get MazeRunner Download machine Contact us *See Legal notices on page 7. Cymmetria MazeRunner 2018 Community

9 INSTALLATION AND SETUP This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It includes information on MazeRunner's platform and deployment. The installation and setup process includes two main steps: 1. Enable nested virtualization in the BIOS* 2. Hypervisor installation and setup *Not all machines are configured to support nested virtualization by default. Even if your hypervisor supports nested virtualization, your host machine (i.e., laptop or server) may not support it. In that case, you will need to enable nested virtualization from the BIOS. BIOS SETUP To begin, you must enable nested virtualization in the BIOS of your hardware. To do so, follow these steps: 1. Restart your computer. During startup, follow the screen prompt to enter the BIOS (this is typically achieved by pressing F1, Enter, Delete, etc.). 2. Find the virtualization feature, select it, and make sure it is enabled. 3. Save your changes and exit the BIOS. Your computer will automatically reboot. Each manufacturer has its own BIOS interface. We have included some examples below. DELL POWEREDGE SERVER To enable virtualization, follow these steps: 1. Press F2 to open the boot menu. 2. Use the up and down arrows to select "BIOS", and then press Enter. 3. Use the up and down arrows to select "Processor Settings", and then press Enter. 4. Use the up and down arrows to select "Virtualization Technology", and then use the left and right arrows to enable the feature. 5. Press Esc three times to exit the submenus, and then press Enter to confirm saving changes. MAC MACHINE Generally, Mac machines have virtualization enabled by default. If for some reason MazeRunner notifies you that nested virtualization is not supported, then you will need to install Apple updates. Cymmetria MazeRunner 2018 Community

10 LENOVO THINKPAD To enable virtualization, follow these steps: 1. Click Enter to open the boot menu, and then F1 to open the BIOS. 2. Use the left and right arrows to select the Security tab. 3. Use the up and down arrows to select "Virtualization", and then press Enter. 4. Use the up and down arrows to select "Intel (R) Virtualization Technology", and then the +/- keys to enable it. 5. Press F10 to save and exit. VIRTUAL APPLIANCE (VMWARE PLAYER) To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions: 1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open with", and then select "VMware Player"). You will need to provide a name and local storage path for the new virtual machine, and then click "Import": 2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this: a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings ": Cymmetria MazeRunner 2018 Community

11 b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK": c. Nested virtualization is now enabled. 3. Now you can power on your virtual machine by clicking "Play virtual machine": Cymmetria MazeRunner 2018 Community

12 4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console: Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 63 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide, on page 36. VIRTUAL APPLIANCE (VMWARE WORKSTATION) To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions: 1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to provide a name and local storage path for the new virtual machine, and then click "Import": Cymmetria MazeRunner 2018 Community

13 2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this: a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings ": b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK": Cymmetria MazeRunner 2018 Community

14 c. Nested virtualization is now enabled. 3. Now you can power on your virtual machine by clicking "Power on this virtual machine": 4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console: Cymmetria MazeRunner 2018 Community

15 Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 63 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide, on page 36. VIRTUAL APPLIANCE (VMWARE ESXI) To begin, open your vsphere Client and connect to your ESXi server by entering your username and password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA file supplied. Move through the stages of deploying the OVF Template: 1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner"). 2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template. 3. Select a destination for storing the virtual machine files. 4. Use the default values that appear in the Disk Format section. 5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and finish the virtual machine creation: Cymmetria MazeRunner 2018 Community

16 After your virtual machine has finished being deployed (this will take some time), select your virtual machine from the sidebar on the left-hand side of the screen, then navigate to Home > Inventory > Hosts and Clusters: Now you will need to configure the network. Decoys can connect to the MazeRunner network in two ways: using promiscuous mode or without using promiscuous mode. Cymmetria recommends running MazeRunner in promiscuous mode, as it greatly simplifies decoy usage and system setup. It is possible to use MazeRunner in non-promiscuous mode, but it will take more time and effort, and more issues may arise during campaign creation. Cymmetria MazeRunner 2018 Community

17 Using MazeRunner with promiscuous mode Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to the left: To make the nested virtual machines accessible from the network, enable promiscuous mode for the Virtual Machine Port Group, where your virtual machine is connected (in our example, Maze ). To do this, go to Properties, select your virtual machine's port group, and then click Edit : Go to the Security tab and make sure both Promiscuous Mode and Forged Transmits are enabled ("Accept"). Click "OK": Cymmetria MazeRunner 2018 Community

18 Why do we need promiscuous mode and forged transmits? In order for the nested virtual machines to receive data packets, we need to enable these functions. If you do not enable promiscuous mode and forged transmits, you will need to use MazeRunner in non-promiscuous mode, which requires defining a network interface for each decoy. Using MazeRunner without promiscuous mode Make sure your virtual machine is turned off, then right-click on your virtual machine and select "Edit Settings ": Cymmetria MazeRunner 2018 Community

19 Each decoy needs its own interface. For each decoy you would like to set up on MazeRunner, follow these steps: 1. On the Hardware tab, click "Add ": 2. Choose "Ethernet Adapter" as the device type you would like to add to your virtual machine, then click "Next": Cymmetria MazeRunner 2018 Community

20 3. Choose your network connection from the drop-down list, then click "Next": 4. Review the options you selected and click "Finish" to add the hardware: Cymmetria MazeRunner 2018 Community

21 5. You will now see the hardware you added on the Hardware tab. Click "OK" to finish: NOTE: You will also need to enable non-promiscuous mode within MazeRunner; see Non-promiscuous mode on page 65 for more information. Now you can configure VLAN support, if you wish to do so. Later, you will also need to configure VLAN support within MazeRunner; see VLAN support on page 64 for more information. To configure VLAN support, you need to make sure that your port group is configured to accept VLAN tagging. Follow these steps: 1. In your vsphere control panel, access the Properties menu of the switch to which MazeRunner is connected by navigating to Configuration > Networking > Properties : Cymmetria MazeRunner 2018 Community

22 2. Under the Ports tab, select the appropriate switch name and click "Edit ": 3. Under the General tab, select "All (4095)" as the VLAN ID: Cymmetria MazeRunner 2018 Community

23 4. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under the Status area in Configuration > Networking > Properties > Network Adapters: Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There are three common methods used to enable nested virtualization in ESXi products: 1. using vcenter 2. using VMware Workstation 3. using SSH To find out which of these three methods you will need to use, you must look at which VMware hypervisor you are running. To do this, open vsphere Client and go to Help > About VMware vsphere: Cymmetria MazeRunner 2018 Community

24 If you see the following pop-up window, it means you are using vcenter: If you see the following pop-up window, it means you are using ESXi: If you are using vcenter, see the instructions provided in the section entitled Enabling nested virtualization using vcenter, below. If you are using ESXi, you have two options for enabling nested virtualization: via VMware Workstation or SSH (see the relevant sections on page 27 and 28 of this guide). ENABLING NESTED VIRTUALIZATION USING VCENTER The following steps will guide you through enabling nested virtualization using vcenter. 1. Open vsphere Web Client in your web browser by navigating to the IP address of your vcenter server (using HTTPS), and log in with the same credentials you used to log in to your vsphere client: Cymmetria MazeRunner 2018 Community

25 2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home menu: 3. Right-click on your virtual machine and select "Edit Settings ": Cymmetria MazeRunner 2018 Community

26 4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters checkboxes, and click "OK": Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this guide, on page 31. Cymmetria MazeRunner 2018 Community

27 ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP) The following steps will guide you through enabling nested virtualization using VMware Workstation (version 11 and up). 1. Open VMware Workstation and navigate to File > Connect to Server : 2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine. Make sure the virtual machine is turned off, and then right-click on it and select "Settings " (you may have to double-click on your virtual machine name before right-clicking): 3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK": Cymmetria MazeRunner 2018 Community

28 Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this guide, on page 31. ENABLING NESTED VIRTUALIZATION USING SSH The following steps will guide you through enabling nested virtualization using SSH. 1. In your vsphere client, under the Configuration tab, choose "Security Profile" from the Software box on the bottom left of the screen, and then click "Properties": 2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options Start OK: Cymmetria MazeRunner 2018 Community

29 3. Follow the same steps to enable the SSH service: 4. Once finished, click "OK". Cymmetria MazeRunner 2018 Community

30 5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials. To do this: a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console: b. In the SSH console, enter your username and password. Your shell should look like this: 6. Navigate to the MazeRunner virtual machine directory, located in /vmfs/volumes/<datastore_name>/<virtual_machine_name>/. For example: Cymmetria MazeRunner 2018 Community

31 7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit the.vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags to the end of the file: vhv.enable = "TRUE" vpmc.enable = "TRUE Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this guide, below. POWERING ON YOUR VIRTUAL MACHINE Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open vsphere Client and navigate to Home > Inventory > VMs and Templates: Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine": Cymmetria MazeRunner 2018 Community

32 Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its assigned IP address displayed on the console: Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 63 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide, on page 36. Cymmetria MazeRunner 2018 Community

33 VIRTUAL APPLIANCE (KVM) To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2 format), and proceed according to the following instructions: 1. Enable promiscuous mode Check if promiscuous mode is enabled on the network interface to which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled, you can skip to step 3 of this section now): a. Run the command 'netstat -i'. b. If the network interface to which you are going to connect the virtual machine bridge has 'P' in its flag (as shown in Figure A), promiscuous mode is already enabled and you can skip to step 3 of this section now: Figure A. netstat -i command output with promiscuous mode off/on. 2. If promiscuous mode is off, you will need to enable it according to the following instructions (depending on which OS you are using). To enable promiscuous mode: a. On Red Hat/CentOs: i. Open /etc/sysconfig/network-scripts/ifcfg-x (replace X with the name of the network interface to which MazeRunner's virtual machine bridge will be connected). ii. Add the line 'PROMISC=yes' to the end of the file. b. On Ubuntu/Debian: i. Open the "interfaces" file located in /etc/network. ii. Add the following lines under the configuration for the network interface to which MazeRunner's virtual machine bridge will be connected: up ifconfig $IFACE up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down Cymmetria MazeRunner 2018 Community

34 3. Import the MazeRunner image (DSK file) using the following command (run as root): virt-install -n <name> -r <amount_of_ram> --os-type=linux --os-variant= ubuntu disk MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc -- noautoconsole --import --cpu=host For example: virt-install -n MazeRunner -r os-type=linux --os-variant=ubuntu disk MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import -- cpu=host *NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was "ubuntutrusty". You can check the available variants on your system using the command 'osinfoquery os'. Parameters Detailed: -n [an internal name for your virtual machine] -r [the amount of RAM, in MB, for your virtual machine] --os-type [the type of OS Linux or Windows] --os-variant [the distribution or version for a full list, run command 'man virtinstall'] --disk [specifies media to use as storage for the guest, with various options] -w [the network configuration] --vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop] --noautoconsole [configures the installer to NOT automatically try to open virtviewer to view the console in order to complete the installation this is helpful if you are working on a remote system through SSH] 4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do this in our example): a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual machine in step 3: Cymmetria MazeRunner 2018 Community

35 b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it finishes booting, you will see its assigned IP address displayed on the console: c. Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 63 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide, on page 36. Cymmetria MazeRunner 2018 Community

36 USING MAZERUNNER Congratulations! You have completed the installation and setup of your MazeRunner appliance. You are now ready to start using the MazeRunner platform. Use the information in the following sections to get acquainted with, and start using, MazeRunner. FIRST USE Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for example, You will be taken to MazeRunner's signup screen: Proceed according to the following instructions in order to complete initial signup: 1. Enter your address and the activation key you received from Cymmetria (if you have not received an activation key, contact support@cymmetria.com): Cymmetria MazeRunner 2018 Community

37 2. Choose an admin password, and a password for usern (usern is a network configuration user that is used for accessing the Cymmetria management server; please assign usern a password that is different from your admin password): 3. System time zone is automatically set to UTC; you may change this by selecting a different time zone from the drop-down list. You can also set the HTTP proxy server (and set the credentials you would like to use for proxy authentication, if you wish to authenticate using credentials) and NTP server: 4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will need to agree to the terms of both in order to continue (optional Choose to share intelligence from your MazeRunner instance back with the community; this will help us fix issues and generally improve the product. If you have any questions about this, please contact Cymmetria at support@cymmetria.com): 5. Click "Continue" to proceed to the second screen. Here, choose from one of the three configuration options available, then click "Continue": Cymmetria MazeRunner 2018 Community

38 NOTE: If you choose "Enable decoy VLAN support", you will need to select a VLAN trunk interface and then click "Add VLAN". A pop-up window will appear and you will need to create a VLAN entry. See step 4 of VLAN Support in the MazeRunner Network Configuration section of this guide (page 64) for further instructions on how to do this: 6. On the next screen you will see MazeRunner diagnostics running. If the diagnostic tests finish successfully, you will see a green check mark next to each test. You can then click the "Launch MazeRunner" button to finish setup and launch MazeRunner: Cymmetria MazeRunner 2018 Community

39 a. If a test was unsuccessful, you will see a red X and an error message with further instructions on how to proceed. After resolving the issue (if you choose to do so), click the "Run MazeRunner diagnostics" button to re-run the tests: NOTE: You can choose to ignore failed tests and launch MazeRunner by clicking the "Skip and launch MazeRunner" button. b. If at any time you would like to go back to the previous screen to change your configuration choice, simply click the "Review configuration" button at the bottom right of the screen (you will then need to run diagnostics again in order to complete the setup). Once finished, you will be redirected to MazeRunner's Configuration wizard. Please read the notice that appears on your screen, and consult the full terms of the license. You will need to click "Agree" to continue: After clicking Agree you will find yourself in the MazeRunner Configuration Wizard: Cymmetria MazeRunner 2018 Community

40 Here you can configure key features of MazeRunner (available for admin users only see Role-based access control on page 92 for more information about user roles). You can choose to configure these features now (recommended), or return to configure them at any time by navigating to Settings from the main MazeRunner UI and clicking the Configuration wizard button. If you would like to skip this initial configuration, simply click the gray X located in the top right-hand corner of the screen, and you will be redirected to the Deception story wizard. Some notes about the Configuration wizard: Settings you define and changes you make while using the Configuration wizard are only saved when you click Finish in the final stage of the wizard (even if individual forms are validated, the data is not saved and the settings do not actually change until this is done) Note that if you do not complete the Local admin credentials stage, the wizard will skip over the Endpoint Forensic Puller stage and the Periodic deployment stage (since these configurations require that local admin credentials already be configured) You will find details and instructions for each stage of the wizard along the way. For more detailed information about the key features included in MazeRunner s Configuration wizard, see the individual sections of this user guide: 1. and reporting (page 86) 2. Active Directory source (page 90) 3. Local admin credentials (page 88) 4. Endpoint Forensic Puller (page 67) 5. Periodic deployment (page 60) 6. Syslog (page 100) Once you have finished with the Configuration wizard, click Finish on the Syslog stage and you will be redirected to the Deception campaign wizard: Cymmetria MazeRunner 2018 Community

41 You are now ready to start creating deception campaigns. NOTE: For all future uses of MazeRunner, you will simply need to log in to your account using your username and password: CREATING A DECEPTION CAMPAIGN A deception campaign consists of three elements: 1. Decoys Decoys are virtual machines (servers or other devices) running Windows 1 or Linux systems. They look and act like production machines. When a decoy is accessed, there is no doubt that this is the work of an attacker. Decoys are most easily reached by following a breadcrumb found on an endpoint. 2. Services Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each breadcrumb leads to a specific service on a decoy machine. 3. Breadcrumbs These are passive elements of data (e.g., browser cookies, SSH credentials, network shares, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible with a user s habits, so they blend into the environment and do not raise suspicion. Breadcrumbs and decoys can be used separately or as part of an end-to-end deception story. 1 Windows decoys are only available in MazeRunner Enterprise Edition. Cymmetria MazeRunner 2018 Community

42 By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a more elaborate deception network. MazeRunner allows you to create a deception campaign manually or use Cymmetria's Deception story wizard to help create your campaign. See Creating a deception campaign (using the Deception story wizard) below and Creating a deception campaign manually on page 45 for detailed instructions on both of these options. For detailed product information regarding deception campaigns, see Supported operating systems (page 122), Types of decoys (page 123), Types of services (page 123), and Types of breadcrumbs (page 126) in the Product reference section. CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD) Using MazeRunner's Deception story wizard, you can build a deception campaign with the help of templates that have been prepared by Cymmetria's security team. Alternatively, you also have the choice to build your own customized deception stories without the help of the wizard. See Creating a deception campaign manually on page 45 for more information. On first use of MazeRunner, the wizard will open automatically as your home screen. During all subsequent uses of MazeRunner, you can navigate to the wizard by clicking the New story button located on the top right of the Campaign screen: In the wizard, you will see a variety of prepared deception stories (for example, "Linux backup server", "Internal website", and "VPN server"). Each story includes a short description to help you decide which one you would like to use. Enterprise Edition note: Only Linux-based stories are available in the Community Edition. Notice that there are two Windows-based stories that are grayed out; these are available in MazeRunner's Enterprise Edition. Each template already has default values defined for you (you may change some of these values if you wish, but do not have to). NOTE: If you do not wish to change any of the default values provided, you can simply click the "Next" button through all of the below story creation stages until the story is created (except where otherwise noted). Use the Back button at the bottom right of the screen within each stage of the wizard to go back and make changes to previous selections. You can also click the X icon on the top right-hand side of the screen at any time; this will delete any deception elements defined in previous stages and take you to the Campaign screen. Cymmetria MazeRunner 2018 Community

43 To use the wizard, follow these steps: 1. Choose a deception story, then click "Next": 2. Customize the details of your decoy, such as name, hostname, DNS address 2, and VM type. NOTE: You cannot change the OS type. You can also choose to manually configure network settings, including static IP, gateway, DNS server, and subnet mask. When you are ready, click "Next": 3. Now you can customize your story's services and breadcrumbs. A set of services will appear by default, as defined by the template, on the left side of the screen. Each service, when selected, will show its details, including the breadcrumbs attached to it. You cannot add or remove services from the template; however, you can edit some service fields. You can also edit breadcrumb fields if you wish (you must edit the breadcrumb fields if you are using a "Responder Monitor" or "VPN server" story). Note that for Windows network share breadcrumbs, you will need to choose whether you would like them to be non-persistent or persistent after endpoint restart. When you are ready, click "Next": 2 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If you choose to fill out this field, be sure to create a matching DNS entry in your name server. Cymmetria MazeRunner 2018 Community

44 4. Now it is time to deploy your deception story. First, you can assign breadcrumbs to one or more deployment groups 3 (this can also be done later, from the Deployment Groups sub screen of the Campaign screen). NOTE: Later on, we will use these same deployment groups when importing endpoints and deploying breadcrumbs to them. When you are ready, click "Finish": 5. Here's an example of what your screen will look like once your campaign has been created successfully: 6. You will need to activate each of your servers by using the On/Off toggle button on the Decoys sub screen (in the Power column). 7. You can now view the details of your campaign by using the Decoys, Services, Breadcrumbs, and Deployment Groups tabs (sub screens). If you did not assign your breadcrumbs to a deployment group during story creation in the wizard, you can do so now. See Create a new deployment group on page 48 for detailed instructions on how to do so. That s it! Your deception campaign is up and running. Jump to Importing endpoints on page 49 or Deploying breadcrumbs on page 56 to continue learning about the MazeRunner platform. 3 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page 56 for more information). Cymmetria recommends the use of deployment groups in all of your deployments. Cymmetria MazeRunner 2018 Community

45 CREATING A BASIC DECEPTION CAMPAIGN MANUALLY The following is a step-by-step guide for manually creating the basic elements of a deception campaign. Alternatively, you can use MazeRunner's Deception story wizard to build a deception campaign with the help of templates that have been prepared by Cymmetria's security team. See Creating a deception campaign (using the Deception story wizard) on page 42 for more information. CREATE A NEW DECOY In this stage, you will create a decoy server. 1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top right-hand side of the screen; this will take you to the Campaign screen). On the Decoys sub screen, click the Create decoy button. 2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name such as "HR_Server", a hostname such as "hrsrvr01", and choose Nested as the VM type. If you would like to configure a static IP, click the toggle button next to "Manually configure network settings" and fill out the Static IP field. Notice that you have the option to add a DNS address Click "Save" in order to create the decoy. 4. Power on the server using the On/Off toggle button, which is located in the Power column. 5. That's it! Here is an example of what your screen will look like once the server has finished booting: Enterprise Edition note: Notice that Windows decoys are grayed out in the Operating system drop-down list. Windows decoys are only available in MazeRunner Enterprise Edition. 4 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If you choose to fill out this field, be sure to create a matching DNS entry in your name server. Cymmetria MazeRunner 2018 Community

46 CREATE A NEW SERVICE In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this example, let's assume that you want to create a deception story for your HR department. 1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top right-hand side of the screen; this will take you to the Campaign screen). On the Services sub screen, click the Create service button. 2. Select the desired service type (e.g., SMB service) and enter an appropriate name (e.g., "Personnel_Files"). 3. Add necessary data (for example, if you chose an SMB service, you will need a name for its shared folder and a ZIP file for the content). Click "Save". 4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that we created in the previous section). Do this by selecting the decoy name from the drop-down box in the Decoy column: 5. That's it! Here is an example of what your screen will look like once the connection has finished configuring (you can monitor its status on the Decoys sub screen): CREATE A NEW BREADCRUMB In this stage you will create a breadcrumb and connect it to the previously created decoy and service. 1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top right-hand side of the screen; this will take you to the Campaign screen). On the Breadcrumbs sub screen, click "Create breadcrumb". Cymmetria MazeRunner 2018 Community

47 2. Select the breadcrumb type 5 (make sure it matches the service you have defined), and then select an appropriate name. For example, you could select a network share breadcrumb and name it "Personnel_Files_BC". You can also assign the breadcrumb to a deployment group here, but for now we will leave this blank; we will talk about deployment groups in the next section. 3. After filling in all of the fields (according to the breadcrumb type you chose), click "Save". NOTE: Some types of breadcrumbs will require you to create a user (you will need to enter a username and password). The Username field will provide a drop-down list of suggestions that you may want to use (all of the unique username/password pairs that currently exist in your MazeRunner instance). Alternatively, you can choose "Randomize credentials from a predefined pool"; MazeRunner has a list of common usernames and passwords that it uses to supply these. Note also that, for Windows breadcrumbs, you will need to choose whether you would like them to be non-persistent or persistent after endpoint restart. 4. Connect this breadcrumb to a service by selecting a service from the drop-down list in the Services column: 5. Once the connection has finished configuring (you can monitor its status on the Decoys sub screen), the breadcrumb will show as "Active": 6. Notice the Deployment groups column. Here you can assign your breadcrumb to a deployment group you have already created. See Create a new deployment group on page 48 for information on how to create groups. 5 Note that the Responder Monitor breadcrumb relates to the Responder Monitor feature (a feature used with your SOC interface). For more information on this type of breadcrumb and this feature, see the section entitled ActiveSOC on page 74. Cymmetria MazeRunner 2018 Community

48 CREATE A NEW DEPLOYMENT GROUP Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page 56 for more information). Cymmetria recommends the use of deployment groups in all of your deployments. NOTE: Deployment groups will be used later when importing endpoints and deploying breadcrumbs to them; see Importing endpoints on page 49 and Deploying breadcrumbs on page 56 for more information. To create a new deployment group: 1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top right-hand side of the screen; this will take you to the Campaign screen). On the Deployment Groups sub screen, click "Create group". 2. Enter a name for your deployment group (e.g., "IT" or "all users"), and click "Save": 3. Now you can add breadcrumbs to this group. To do so, return to the Breadcrumbs sub screen of the Campaign screen and use the drop-down list in the Deployment groups column to add specific breadcrumbs to deployment groups: You can see that your breadcrumb now belongs to the IT deployment group: NOTE: You can assign a single breadcrumb to multiple deployment groups. Cymmetria MazeRunner 2018 Community

49 4. Now you are ready to deploy your deployment group. To save time and resources, you can automate breadcrumb deployment (Cymmetria recommends this option). If you prefer to deploy manually, you can do so from the Deployment Groups sub screen or from the Endpoints screen. See Deploying breadcrumbs on page 56 for detailed information on breadcrumb deployment options. That s it! Your deception campaign is up and running. Jump to Importing endpoints below to continue learning about the MazeRunner platform. IMPORTING ENDPOINTS To enable automatic breadcrumb deployment (discussed in the next section), which will simplify campaign deployment, MazeRunner allows you to import endpoints from Active Directory, from CIDR blocks, or from a file (.CSV). Note that these methods are not mutually exclusive: for example, if you import from Active Directory and then import from a CIDR block, MazeRunner will check to see if each endpoint already exists in the system; if so, the endpoint will not be imported a second time. IMPORTING ENDPOINTS FROM ACTIVE DIRECTORY In order to import endpoints from Active Directory, you will need to add an Active Directory source. Navigate to the Endpoints screen from the top navigation bar and click "Import endpoints": This will take you to the Active Directory sub screen of Import endpoints. NOTE: This screen can also be reached by navigating to Settings > Active Directory > View Active Directory. From the Active Directory sub screen of Import endpoints, click the link provided and you will be redirected to the Active Directory sub screen in Settings. To specify the Active Directory server from which you would like to import endpoints, follow these steps: 1. Click the Create source button and enter the source details (name, domain controller address, port, username, password, and base DN). 2. Test your connection by clicking "Test connection". If the test connection is successful, click "Save" to continue: Cymmetria MazeRunner 2018 Community

50 NOTE: Some Active Directories do not allow connection without SSL. If you receive an error when trying to connect, use the toggle button next to "Use SSL" to use secure LDAP on port 636: Now you need to import the Active Directory. To do this, follow these steps from the Active Directory sub screen: 1. Click the View Active Directory button. Select the domain you would like to import and click "Import from Active Directory": Cymmetria MazeRunner 2018 Community

51 While your AD groups are importing, you can exit the Import endpoints screen. You can see the import's progress in the task manager's Running tab. Once the process is complete, you will see an orange dot on the task manager icon, and the import details on the Complete tab: 2. Once your groups have finished importing, return to the Import endpoints screen by clicking "Import endpoints" from the Endpoints screen. Select the Active Directory source you just imported (from the drop-down list) and notice that the source's details appear on the screen. To the right of each organizational unit (OU), notice that there are two numbers: one labeled "Self" and one labeled "Total". The number next to "Self" indicates the number of endpoints in that particular OU; the number next to "Total" indicates the total number of endpoints under that OU, including those of other OUs: 3. Now you need to import endpoints from your Active Directory organizational units. You can choose specific endpoints to import by selecting the checkbox next to an OU's name (which selects only the endpoints in that particular OU), or select "Select all": Before importing, you must assign the endpoints you would like to import to specific deployment groups. Notice that two new functions appear on the right side of your screen when you select any OU: "Assign to group" and "Clear assignment". After you have clicked the checkbox next to an OU's name, click "Assign to group" and select the desired deployment group from the drop-down list. You can choose from an existing deployment group that you previously created, import your endpoints without assigning them to a deployment group (you will need to assign them later) or create a new deployment group to assign the endpoints to: Cymmetria MazeRunner 2018 Community

52 This will assign all endpoints on that particular OU to the selected deployment group. You will see the name of the deployment group to which an OU's endpoints have been assigned, to the right of the OU name and endpoint count. You can assign all endpoints to one deployment group, or to different deployment groups: If you would like to change to which deployment group your endpoints have been assigned, mark the checkbox next to an OU's name and re-assign to another deployment group by using the "Assign to group" function. You can use the "Clear assignment" function to clear the assignment for selected endpoints. NOTE: Only endpoints that have been assigned to a deployment group will be imported. Remember that, if you would like to import endpoints and assign them to a deployment group later, simply chose "Import without assigning" from the Assign to group drop-down options: 4. If for some reason you would like to remove the data from an Active Directory source that you have previously imported to MazeRunner, simply click "Delete retrieved data". 5. Once you are ready, click "Start importing assigned endpoints daily". NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the time you originally clicked the button. For example, if you click "Start importing assigned endpoints daily" at 2:00pm, Cymmetria MazeRunner 2018 Community

53 the selected endpoints will import daily at 2:00pm 6. If you would like to stop this daily import, simply click "Stop importing assigned endpoints daily". After exiting the Import endpoints screen, you can check the status of your import in the task manager's Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at which time you can view import details on the task manager's Complete tab: IMPORTING ENDPOINTS FROM CIDR BLOCKS As an alternative to importing endpoints from Active Directory, MazeRunner allows you to import endpoints from CIDR blocks. To import endpoints from CIDR blocks, complete the following steps: 1. Navigate to MazeRunner s Endpoints screen and click "Import endpoints", and then click on the CIDR blocks tab: 2. Click on the Add button to add CIDR blocks and assign them to deployment groups. NOTE: You cannot enter overlapping CIDR blocks. 3. Enter the CIDR block from which you would like to import, then use the Deployment group dropdown to assign the endpoints in this CIDR block to a deployment group. You can import your block without assigning it to a deployment group (you will need to assign it later) or choose from an existing deployment group that you previously created: 6 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will be refreshed/updated, but its deployment group will not be changed. Cymmetria MazeRunner 2018 Community

54 4. Click "Save" to finish. If you would like to make changes to the information you entered, you can do so using the "Edit" and "Delete" functions, located in the Actions column. After importing multiple CIDR blocks, you can use the "On/Off" button in the Status column of each block to skip certain CIDR blocks, but import others, during your daily import. When you are ready, click "Start importing endpoints from CIDR blocks daily": NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the time you originally clicked the button. For example, if you click "Start importing endpoints from CIDR blocks daily" at 2:00pm, the selected endpoints will import daily at 2:00pm 7. If you would like to stop this daily import, simply click "Stop importing endpoints from CIDR blocks daily". After exiting the Import endpoints screen, you can check the status of your import in the task manager's Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at which time you can view import details on the task manager's Complete tab: 7 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will be refreshed/updated, but its deployment group will not be changed. Cymmetria MazeRunner 2018 Community

55 IMPORTING ENDPOINTS FROM A FILE MazeRunner allows you to import endpoints from a CSV file. To import endpoints from a file, follow these steps: 1. Navigate to MazeRunner s Endpoints screen and click "Import endpoints", and then click on the Import from file tab: 2. Click the Choose file button and select the CSV file of endpoints you wish to upload. The file can contain the following columns (must be declared in the first row of the file): ip_address, hostname, dns, and deployment_group_name. At least one of IP address, DNS, or hostname fields must exist and be filled out for each endpoint; the Deployment group name column is only required if you choose to assign according to the uploaded file (see Step 3), otherwise it will be ignored. NOTE: The columns can appear in any order. 3. Using the drop-down list provided, choose which deployment group you would like to assign the new endpoints to (you can also import without assigning), or choose to assign the endpoints according to the uploaded file. NOTE: If you choose to assign to deployment groups according to the uploaded file and you leave a deployment group name field blank, that endpoint will be imported as "Unassigned". Furthermore, if you enter a name of a group that does not exist in MazeRunner, that endpoint will not be imported. 4. When you are ready, click Import endpoints to start your import. POST-IMPORT Navigate back to MazeRunner's Endpoints screen; all of the endpoints you imported are now shown here (you might need to click the Refresh button). Notice the endpoint status chart at the top of the screen. Right after importing endpoints for the first time, 100% of your endpoints will be "clean", since you have not yet deployed any breadcrumbs to them: Cymmetria MazeRunner 2018 Community

56 For a full explanation of the different endpoints statuses, as well as information on the various actions that can be taken on your endpoints, see the section entitled Endpoints screen on page 105. For now, let's look at how to deploy breadcrumbs to your endpoints (next section). DEPLOYING BREADCRUMBS To save time and resources, you can automate breadcrumb (deployment group) deployment using the Endpoints screen (Cymmetria recommends this option). You can also deploy deployment groups manually from the Deployment Groups sub screen of the Campaign screen. DEPLOYING BREADCRUMBS FROM THE ENDPOINTS SCREEN From the Endpoints screen, you can deploy breadcrumbs to your endpoints manually or automatically. To set up automatic breadcrumb deployment 8, complete the following steps: 1. Click "Deploy to endpoints" and choose from the deployment methods in the drop-down list: 2. Enter your local admin credentials (username, password, and endpoint IP or hostname 9 ). If the user is a domain user (versus a local user on an endpoint), you will need to fill in the optional domain 8 The MazeRunner UI currently supports automatic breadcrumb deployment to Windows endpoints only. If you would like to set up automatic deployment to Linux endpoints, you can do so using the MazeRunner API. Cymmetria MazeRunner 2018 Community

57 name. NOTE: If you have previously configured local admin credentials for endpoints in Settings > Campaign and Deployment, you will see these credentials listed here. You can change these credentials by clicking "Change". 3. Click "Test credentials" to ensure you have entered everything correctly. If something is not right, proceed according to the error message shown on your screen. 4. Using the toggle button, choose whether you would like to save these credentials for further use. NOTE: If you had previously configured credentials in Settings > Campaign and Deployment, but chose to change those credentials in step 2 above, enabling this feature will overwrite the existing credentials for all purposes. 5. Choose a Deployment mode and select the deployment groups you would like to deploy, then click "Deploy": NOTE: You will not be able to select and deploy a group if at least one of the following is applicable: There are no endpoints in the group. One or more of the breadcrumbs in the group is inactive. There are no breadcrumbs in the group. There are breadcrumb conflicts within that deployment group (for example, two breadcrumbs with the same decoy username but different passwords will conflict). If any of the above is applicable, make sure that your decoy(s) is turned on (check the Decoy sub screen of the Campaign screen), that you have assigned breadcrumbs to groups (check the Breadcrumbs sub screen of the Campaign screen), and that you have assigned endpoints to groups (check the Endpoints screen). Cymmetria recommends deploying breadcrumbs automatically. Manual deployment is useful if automatic deployment is impossible, or if you would like to use other orchestration software such as Chef, McAfee epo or Tanium. To deploy breadcrumbs manually, complete the following steps: 1. Click "Deploy to endpoints" and choose "Manual" from the Deployment method drop-down list: 9 This is the IP or hostname of an endpoint on which the credentials will be tested. It is only used for this test, and is not mandatory for the deployment. Cymmetria MazeRunner 2018 Community

58 2. Choose your preferred deployment option and download the relevant installation files by clicking on the appropriate download button. If you are deploying to a Windows OS, you have four deployment options from which to choose: 1. Deployment Package (ZIP) A ZIP file containing a folder for each breadcrumb group. Each folder contains both an install and uninstall shell script for that deployment group. 2. Deployment Package (TAR.GZ) A TAR.GZ file containing a folder for each breadcrumb group. Each folder contains both an install and uninstall shell script for that deployment group. 3. Executable A ZIP file containing a folder for each breadcrumb group. Each folder contains both an installer and uninstaller (in EXE format) for each breadcrumb group. 4. Windows Installer A ZIP file containing a folder for each breadcrumb group. Each folder contains both an install and uninstall file (in MSI format) for each breadcrumb group. If you are deploying to a Linux or Mac OS, you must choose one of the "Deployment package" options (a ZIP or TAR.GZ file containing a folder with an installation script for each group). 3. You will need to unpack the ZIP or TAR.GZ file and run the installation files contained in each group folder (as administrator or root) on the endpoint, in order to place the group's breadcrumb(s). Note that the script/executable, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP or TAR.GZ Cymmetria MazeRunner 2018 Community

59 file from the endpoint (after saving the uninstall files in a safe location for later use) once you are finished. After deploying manually, a beacon 10 will be sent from the endpoint to update MazeRunner about the status of the deployment. Now that you have deployed breadcrumbs to your endpoints, you can expand each endpoint by clicking the + icon to see details about the breadcrumbs on that endpoint: NOTE: It might take the endpoint status a few more minutes to update, due to the time it takes the breadcrumb to install, and possible network delays. If you don't see any change within a few minutes, click the Refresh button. DEPLOYING BREADCRUMBS FROM THE CAMPAIGN SCREEN You can manually deploy deployment groups from the Deployment Groups sub screen of the Campaign screen. To do so: 1. Navigate to the Campaign screen and then to the Deployment Groups sub screen. 2. In the Actions column of the deployment group you would like to deploy, click the Download icon (on hover the icon shows "Download deployment group package"). This will open the Deploy deployment group form. 10 The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect to it over HTTPS (port 443). Cymmetria MazeRunner 2018 Community

60 3. Choose "Install" as the package type (uninstall packages are also located here), and then download the relevant installation files by clicking on the appropriate download button. For Windows, the installer is either a ZIP or TAR.GZ file containing shell scripts (PowerShell), an executable (EXE) or a Windows installer (MSI); for Linux and Mac, it is always a ZIP or TAR.GZ file containing shell scripts (Python): 4. You will need to unpack and run this installer (as administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the script/executable, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP or TAR.GZ file from the endpoint (after saving the uninstall files in a safe location for later use) once you are finished. You can now validate the deployment on the Endpoints screen (see relevant section on page 105). PERIODIC BREADCRUMB DEPLOYMENT & CAMPAIGN REFRESH You can schedule breadcrumb deployment at regular intervals by enabling MazeRunner's Periodic deployment feature. This can be done using the toggle button from the Campaign and Deployment sub screen of Settings (Settings > Campaign and Deployment): Cymmetria MazeRunner 2018 Community

61 Set the interval (in hours, days or weeks) at which you would like to automatically deploy, and choose a deployment mode. If there are new endpoints in a deployment group (new endpoints may have arrived via the Active Directory or CIDR blocks automatic importation feature, for example), the refresh feature will deploy to them. In addition to redeploying breadcrumbs at the fixed interval you set, you can also refresh the deception campaign every fixed number of automatic deployments. When a refresh frequency is set, breadcrumbs with randomized credentials will have the credentials changed to new random values in order to update the deception campaign. Set the refresh frequency value to 0 to disable campaign refreshing: You can also define your remote deployment settings. Choose a run method (executable or native script) and deployment path: Lastly, enter the local admin credentials to use in the deployment (these credentials will be saved and used for future deployments). You can test these credentials using the relevant field and the Test credentials button: Be sure to save your configuration when you are finished. NOTE: If you do not configure local admin credentials for endpoints, or if they change, you will receive an error message at the next designated deployment interval. Please make sure these credentials are configured correctly, otherwise your periodic deployment will fail. Cymmetria MazeRunner 2018 Community

62 Notice the sections labeled "Endpoint Forensic Puller" and "Automatic Hackback". See Forensic Puller on page 67 and Automatic Hackback on page 72 for more information about these features. INTEGRATING WITH A SYSLOG/SIEM Integrating with a syslog/siem can be done from the Integrations screen. See Integrations on page 98 for detailed information. Cymmetria MazeRunner 2018 Community

63 ADVANCED USAGE Now that you have a handle on basic configuration and usage, you are ready to learn about the advanced configuration options available to MazeRunner users. MAZERUNNER NETWORK CONFIGURATION This section includes information on configuring static IP, and enabling VLAN support and non-promiscuous mode. STATIC IP By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, follow these steps: 1. Open the server's console. The console can be accessed using your hypervisor UI. 2. Log in as "usern": a. Enter 'usern' as the MazeRunner login. For example: b. Enter the password 'Password1!' 11 and then enter static. For example: Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address, DNS search domains). If you do not know your network details, contact your IT administrator. You will also need to choose the main network interface for MazeRunner management. NOTE: During automated deployment, the nameserver (DNS server) and the DNS search domains will be used to look up endpoint names. 11 You will be prompted to change this password on first use of MazeRunner. Cymmetria MazeRunner 2018 Community

64 VLAN SUPPORT VLAN support can be enabled by following the steps outlined below (make sure you have already completed the steps outlined for configuring VLAN support, on page 21 of this guide): 1. In MazeRunner, navigate to Settings > Networking, select "Enable decoy VLAN support", and then click "Save configuration". NOTE: You can change the VLAN trunk interface field before saving: 2. Next, click the Add VLAN button and enter a VLAN ID (for example, "2"). NOTE: VLAN ID must use numbers, not letters or other characters. If you are using static IP in your network, please assign the Cymmetria management server a static IP address and a subnet mask in the spaces provided. If you have a separate DNS server for this VLAN, be sure to add its address in the DNS field. To deploy breadcrumbs to endpoints in different subnets, enter CIDR blocks (separated by commas) in the Routing CIDR blocks field. A gateway must be set if you plan to route specific CIDR blocks. When you are finished, click "Save": That's it! VLAN support is now configured. NOTE: When you define a new decoy in MazeRunner (when building your deception campaign either manually or with the help of the wizard; see page 41 for details), you will need to select your VLAN ID from the drop-down list. Cymmetria MazeRunner 2018 Community

65 NON-PROMISCUOUS MODE If you did not enable promiscuous mode for MazeRunner's VM during installation and setup, you must enable non-promiscuous mode by selecting the "Run MazeRunner in non-promiscuous mode" option from the Networking tab of the Settings screen, or during MazeRunner's initial setup. NOTE: You will need to add additional network interfaces to your MazeRunner VM. Each decoy will use one interface (for example, for three decoys you would need four network interfaces overall: one for MazeRunner and one for each of the three decoys). To enable non-promiscuous mode, follow these steps: 1. Make sure you have completed the steps outlined for using MazeRunner without promiscuous mode, on page 18 of this guide. 2. Also make sure you have chosen the main network interface for MazeRunner management: NOTE: If you already configured static IP, please reference the section entitled Static IP on page In MazeRunner, navigate to Settings > Networking, select the Run MazeRunner in non-promiscuous mode option, and then click "Save configuration": That's it! You have now enabled non-promiscuous mode. NOTE: When you define a new nested decoy in MazeRunner (when building your deception campaign either manually or with the help of the wizard; see page 41 for details), you will need to select an interface from the drop-down list. You can create only one decoy for each interface. Cymmetria MazeRunner 2018 Community

66 SSL CERTIFICATE You can view MazeRunner's current server certificate and download the certification authority (CA) certificate. Additionally, you can replace the server certificate with a new certificate signed by your trusted CA. If you would like to update the details of your certificate, you can also replace the server certificate with a new certificate signed by MazeRunner. To carry out any of these actions, navigate to Settings > SSL Certificate. On the SSL Certificate tab, you will see several options. To download the current CA certificate, simply click the Download CA certificate button. To replace the current server certificate with one signed by your trusted CA, click "Generate certificate signing request" and fill in your information. Click "Download CSR" to download the certificate signing request (CSR): After downloading, sign the certificate with your trusted CA. NOTE: You will also need the CA's certificate for the next step. When available, upload the certificate signed by your trusted CA (PEM encoded certificate) and the CA's certificate (PEM encoded CA certificate) by clicking "Load signed CSR", choosing the appropriate files, and then clicking "Load and use": Cymmetria MazeRunner 2018 Community

67 If you would like to update the details of your certificate, you can replace the server certificate with a new certificate signed by MazeRunner. To do this, follow these steps: 1. Click the Generate certificate button under "Signed by MazeRunner" and fill in your information. 2. Click "Generate and use" to replace the certificate. NOTE: After submitting this form, you will need to restart your browser to use MazeRunner. All OVA and EC2 decoys will need to be recreated manually: FORENSIC PULLER Forensic Puller enriches MazeRunner alerts by pulling forensic information from the endpoint that triggered the alert. It uses remote local admin access and PsExec to pull alert data from specific endpoints, providing a more complete forensic picture. Cymmetria MazeRunner 2018 Community

68 To enable the Forensic Puller, follow these steps: 1. Navigate to Settings > Campaign and Deployment. 2. Activating the feature requires local admin credentials. Fill in your credentials under "Local admin credentials for endpoints". 3. Under Endpoint Forensic Puller, click the toggle button to the right of Enable MazeRunner to automatically collect forensic data from alerted endpoints to enable the feature. Forensic Puller will run on all events that have not been configured to be ignored in your alerting policy. For more information on the event generated by the Forensic Puller, see Forensic data under Types of events on page 119. NOTE: If MazeRunner storage is 70% full, the Forensic Puller will stop retrieving forensic data until storage usage drops below 70%. You will receive a notification (in the UI as well as by ) if this happens. RELAY ENTERPRISE EDITION ONLY Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The following documentation is provided here to give Community Edition users an explanation of how the feature works. You can connect multiple MazeRunner instances to one master MazeRunner machine. This allows you to view and investigate the events and the Dashboards of all the MazeRunner instances, from the master MazeRunner machine. NOTE: Campaign and deception management is done by connecting directly to the relevant MazeRunner machine. To configure Relay, follow these steps: 1. Navigate to Settings > Relay. 2. To activate the Relay feature, use the toggle button next to "Turn on MazeRunner relay". 3. If you would like to use the current machine as the master machine, keep the toggle button next to "Run MazeRunner in slave mode" set to "Off": a. To connect MazeRunner instances to the master machine, download the relay package from the master and upload it to the instances you would like to connect: Cymmetria MazeRunner 2018 Community

69 On the master instance, you will see a table under "Connected MazeRunners" that will list all of the slaves connected to this master. Here you can see information about each slave machine, as well as edit and delete a machine using the icons in the Actions column. NOTE: Deleting a slave from the "Connected MazeRunners" table will delete all of its alerts on the master machine. If the slave is still associated with the master, the slave will reappear in the table once the data finishes pushing. To completely remove a slave instance from the master machine, you will need to disconnect the slave instance (this is done from the slave machine; see 4.b.ii. below). 4. If you would like to use the current machine as a slave machine, set the toggle button next to "Run MazeRunner in slave mode" to "On": a. To connect this slave machine to the master machine, download the relay package from the master machine and upload it to this machine: b. Once the package has finished uploading, details of the master machine will appear on the screen. i. Use the Test connection button to check whether the slave instance has access to the master machine, and if so, whether they are compatible for the Relay feature (whether both instances are running the same version of MazeRunner). ii. You can disconnect the slave instance by clicking the Disconnect button. Disconnecting will return the machine to the state it was in before a relay package was uploaded. NOTE: This will not delete any existing data about this slave instance that has already been sent to the master; this needs to be done separately (see number 3, above). c. If changes are made to your network or master MazeRunner machine, you will need to upload a new relay package to the slave machine(s). Cymmetria MazeRunner 2018 Community

70 NOTE: If you update the relay package, all the alerts that failed sending during/before the update will be resent once the master is accessible again from the slave. Alternatively, if you disconnect a slave instance from the master, all the alerts that appeared in the slave before disconnecting and failed sending to the master will never be resent. Additional notes about Relay: Deleting or archiving alerts in the slave Deleting or archiving alerts in the master Rule policy differences between master and slave If a user deletes or archives alerts in the slave, it does not affect the state of the alerts in the master If a user deletes or archives alerts in the master it does not affect the state of the alerts in the slave 1. Ignored events in the slave will not be sent to the master 2. Once an event from the slave is sent to the master, it is classified in the master according to the master machine's rule policy (not the slave's). This does not affect the classification of the same event in the slave (e.g., the event can be muted in the slave and set to raise an alert in the master). 3. A master instance cannot shut down decoys on a slave instance even if the rule policy requires it; such a rule must be configured on the slave instance Deleting a decoy in the slave Custom services in Relay Forensic Puller in Relay Deleting a decoy from the salve will delete all of the related alerts in the master and the slave Alerts generated in the slave due to a custom service that exists only in the slave will NOT appear in the master MazeRunner (the user would need to configure the same custom services in both MazeRunner instances) Each instance of MazeRunner will only run Forensic Puller on its own alerts/endpoints. For example, if an alert appears in the slave, the master will never run Forensic Puller (even if the Forensic Puller is enabled in the master; the master will only run Forensic Puller on its own alerts/endpoints). NOTE: Even if you try to run Forensic Puller on events manually from the Investigation screen (using the Bulk action), it will not work; Forensic Puller will only run on that machine's events and the others will fail. Cymmetria MazeRunner 2018 Community

71 Integrations in Relay RDP Session Recorded alerts in Relay Data originating from integrations connected to the slave will not be sent to the master RDP Session Recorded alerts/events will only be pushed to the master after the timeout for the recording was exceeded (i.e., the RDP recording will NOT be sent while it is still recording) DASHBOARD IN RELAY MODE The Dashboard displays content from one MazeRunner instance. You can change which MazeRunner instance is displayed using the filter at the top right of the Dashboard screen: By default, the Dashboard of the master instance is shown every time the Dashboard page is opened. When viewing the Dashboard of a slave instance from the master UI, some of the data is displayed differently from how it is usually displayed. For example, when viewing a deployment group belonging to a slave instance, events originating from an endpoint in that group will appear as alerts from unassigned endpoints. Events appear according to their status in the master instance, and you will see a reminder of this at the top of your Dashboard: INVESTIGATION SCREEN IN RELAY MODE By default, the Investigation screen will display events and alerts from all MazeRunner instances (note that attack stories will only include events from one MazeRunner instance, even if events have the same originating endpoint). Cymmetria MazeRunner 2018 Community

72 You can filter the data you see on the Investigation screen by MazeRunner instance, using the drop-down at the top left of the screen: When viewing a slave instance from the master MazeRunner: 1. In the Investigation table, a new field labeled "Originating MazeRunner name" is seen in an event's expanded view, under "Source information". "Decoy name" will display the decoy name followed by the name of the MazeRunner instance (e.g., An alert with a decoy named "Backup server 123" that runs on MazeRunner slave instance "MazeRunner AZ" will have this value: "Backup server 123 (MazeRunner AZ)": 2. Attack story and alert IDs are assigned to the entities in the master MazeRunner; they may have a different value in the originating MazeRunner instance. NOTE: In Relay mode, reports from the master MazeRunner instance will include all of the events and stories on the master (including those originating from slave instances). The reports from the master will not include campaign data about the slave MazeRunner instances. See and Reporting on page 86 for more information about reports. AUTOMATIC HACKBACK ENTERPRISE EDITION ONLY Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The following documentation is provided here to give Community Edition users an explanation of how the feature works. Enterprises can do a lot of threat hunting within the law, including engaging live attackers on their own networks with direct response and active countermeasures. Automatic Hackback gives you the ability to engage in these steps legally and allows you to operate within the legal boundaries necessary to investigate and take action when interfacing with live adversaries, and compromised hosts and tools, within the confines of your network environment. This feature allows you to automatically and remotely execute a Cymmetria MazeRunner 2018 Community

73 process on an endpoint in response to events. For detailed information about the feature, see this post on Cymmetria's blog (the post includes a link to a separate, in-depth legal analysis). To enable Automatic Hackback, follow these steps: 1. Navigate to Settings > Campaign and Deployment. 2. Under Automatic Hackback, click the toggle button to the right of Enable MazeRunner to automatically deploy and execute an executable file on alerted endpoints to enable the feature. NOTE: This feature is governed by special provisions in the license agreement for MazeRunner. It is solely and exclusively your responsibility to ensure that you do not upload or use MazeRunner to deploy any scripts or executables in violation of any applicable laws, regulations or industry standards, or which might result in such violation, and you assume all liability and risks associated with this feature. You must read and agree to the special provisions governing the use of this feature in order to enable it. Please be sure you fully understand the potential consequences of the use of this feature before continuing; this might include consulting with your own legal counsel to determine policies and procedures: Once the feature has been activated, you will need to upload an executable package for the feature to use. Click the Choose file button and select a ZIP package to be deployed to the endpoint (the package must include a 'run.exe' file in its root): The feature will start working only after MazeRunner validates the package. If the package validation fails, the feature will be deactivated and you will receive a notification. Cymmetria MazeRunner 2018 Community

74 ACTIVESOC ENTERPRISE EDITION ONLY Enterprise Edition note: ActiveSOC and all related features, with the exception of the Responder Monitor deployment feature, is currently available to MazeRunner Enterprise customers only. The following documentation is provided here to give Community Edition users an explanation of how ActiveSOC and its related features work. ActiveSOC allows you to automate incident response. Through integration with the SIEM, ActiveSOC allows you to deploy deception elements to your network, based on rules you define and corresponding events observed by the SOC. The Responder Monitor, which can be configured as part of the ActiveSOC feature, monitors the SOC for use of credentials stolen using the Responder.py tool. ACTIVESOC AND RESPONDER MONITOR ACTIVITY FEED Here you can monitor all ActiveSOC and Responder Monitor activity and export the information to CSV: You can filter and search your activity feed using the funnel icons. To do so, click on a funnel icon to the right of a column title, choose your filter criteria from the available options, and then click "Apply Filter": NOTE: If filtering by endpoint or deployment group, you will need to enter the endpoint IP address and the deployment group name, respectively. To clear your filter results, click again on the funnel icon to the right of the column title and then click "clear". To clean your feed (delete all entries), click the Clean feed button at the top of the screen. Cymmetria MazeRunner 2018 Community

75 SOC INTERFACES You can connect MazeRunner to your SOC (e.g., via MazeRunner API, ArcSight Data Platform, ArcSight ESM or Splunk), in order to use the ActiveSOC and Responder Monitor features, which are discussed in the next sections. To add a SOC interface, follow these steps: 1. Click the Add button next to SOC interfaces. 2. Select an interface type from the drop-down options: 3. Fill in the required information according to the SOC interface you chose. If you chose ArcSight or Splunk, you will need to test the connection by clicking Test connection, and then click Save to finish: You will now see the details of the SOC interface you added in the SOC interfaces table. To edit or delete an interface, use the links located in the Actions column on the right-hand side of the screen. NOTE: It may take some time for a SOC interface to fully load. You can see the progress of this task in the task manager. Autocomplete for SOC field names will only be partial until the SOC interface is fully loaded. Cymmetria MazeRunner 2018 Community

76 ACTIVESOC The ActiveSOC feature allows MazeRunner to deploy breadcrumbs to endpoints in your organization based on events observed by your SOC. Using ActiveSOC, you can set up specific rules that, when verified, will cause MazeRunner to assign an endpoint to a deployment group (as defined by your rule) and deploy that group s breadcrumbs to the endpoint. MazeRunner achieves this through integration with your SIEM or through the MazeRunner API. By automatically deploying deception tailored to specific suspicious behavior (e.g., privilege escalation or abnormal traffic), ActiveSOC is able to create new intelligence out of below-thethreshold events, and also validate events that might otherwise be ignored by analysts. Before turning on the ActiveSOC feature, you will need to add a SOC interface. See the section entitled SOC Interfaces on page 75 for information on how to do this. Once you have added a SOC interface, use the toggle button next to ActiveSOC to turn on the feature: NOTE: This feature requires local admin credentials for endpoints, which can be configured in Settings > Campaign and Deployment. Rules Add rules to define the response to specific SOC events 12. The rules will define how to identify the relevant endpoint, how to filter the specific event, and to which deployment group to assign it and for how long. To add a rule, follow these steps: 1. Click the Add button next to Rules. Enter a name for your rule and choose the SOC interface to which you would like it to apply (each rule will be defined for a specific SOC interface): 12 Events could include, for example: A user logging in from an unusual location A privilege escalation alert (someone logged in as admin) A computer connecting to an IP that doesn t exist and then reaching a decoy Someone attempting to access a web page/app that doesn t exist Cymmetria MazeRunner 2018 Community

77 2. Define how to identify the endpoint in this type of event. Select the field from where your SIEM s target data is extracted (IP address or Hostname), fill in a field name, and if you would like, fill in a DNS suffix (for example, hostname "myhost" and DNS suffix "mydomain.local" will become "myhost.mydomain.local") or an IP range (CIDR): 3. For ArcSight ESM, each rule must have a query. The query is the name (ArcSight ESM QueryViewer) predefined on your ArcSight ESM, from which MazeRunner will receive the events. All other rule conditions will apply to the events received from that query. It's important to note that the frequency of retrieval is dependent on the frequency of the query as defined in ArcSight ESM and not controlled from within MazeRunner: 4. Add conditions for your event (field name and value). Be as specific as you can (there is no limit to the number of conditions you can add per event): 5. Choose the deployment group to which you would like to deploy when this rule is verified, and the deployment duration (how long to keep the breadcrumbs on the endpoint). For example, if you enter 4 here, the breadcrumbs will be deleted from the endpoint after 4 hours. When you are finished, click "Save": Cymmetria MazeRunner 2018 Community

78 You will now see the details of the rule you added in the Rules table. In the Rank column of the Rules table, note that there are two arrows; these are used to set priority for a rule. Clicking the up/down arrows will move the location of rules in the table, thereby changing their rank (a rule with a rank of 0 has the highest priority). Notice the On/Off button in the Actions columns on the right-hand of the screen. Use this button to activate and deactivate specific rules at certain times. You can also delete and edit your rules from this column. That s it! From now on, if a rule you set is verified, MazeRunner will assign the endpoint to a deployment group (as defined by your rule) and deploy that group s breadcrumbs to the endpoint. When this happens, a new record will be created in the Activity Feed and a new endpoint will appear on the Endpoints screen. The breadcrumbs that were deployed will be removed from the endpoint after the period of time you defined in your rule. For more information about the ActiveSOC activity feed, see the ActiveSOC and Responder Monitor activity feed section on page 74. RESPONDER MONITOR MazeRunner s Responder Monitor (Pass-the-Hash) feature allows MazeRunner to periodically broadcast deceptive credentials from endpoints and decoys. Attackers listening in on the network using the Responder.py tool (or a similar tool) will capture these broadcasts and will potentially use these deceptive credentials. The Responder Monitor feature gives you more deception options, as its alerting is based on detected NBNS poisoning and stolen hashed credentials, and the use of these credentials on the network. To use the Responder Monitor feature, you have two options: 1. Activate monitoring from a decoy via a Responder Monitor service. Allows monitoring for use of Responder.py tool on the network subnet of the decoy. Place the decoy in the same network subnet that you wish to defend. Allows you to choose a hostname for MazeRunner to query. NOTE: If this hostname actually exists in the network, make sure to also configure its IP in order to prevent false positives. 2. Activate monitoring from a specific endpoint via the Responder Monitor deployment feature. Allows monitoring for use of Responder.py tool on the network subnet of endpoints. Cymmetria MazeRunner 2018 Community

79 By choosing endpoints from each network subnet, you can effectively monitor your entire network for the use of Responder.py tool. Cymmetria recommends creating a separate deployment group for each Responder Monitor breadcrumb, and assigning a single endpoint from each network subnet to one of these groups. MazeRunner will query the hostname of the decoy to which the Responder Monitor breadcrumb is connected. To start working with the Responder Monitor feature, you first need to create a Responder Monitor breadcrumb and connect it to a Responder Monitor service (and then connect to an active decoy). You can do this easily using the Deception story wizard: 1. Navigate to the wizard (click "New story" from the Campaign screen) and select the Responder Monitor story: 2. In step 3 ("Set up breadcrumbs"), you must enter a domain name, username, and password (the domain name is the name of the domain that you want to monitor for Pass-the-Hash attacks): Cymmetria MazeRunner 2018 Community

80 3. You must assign Responder Monitor breadcrumbs to a deployment group. In the 4th and final step ("Deploy"), use the Assign to group drop-down to assign your breadcrumb to a deployment group before clicking "Next" to finish. Responder Monitor deployment This feature allows deploying Responder Monitor breadcrumbs automatically and periodically. When deployed, the breadcrumb identifies and alerts on NBNS spoofing and the use of Responder.py tool on the endpoint's subnet. The username, domain, and password will be fed to the attacker from the endpoint. To use the Responder Monitor deployment feature, navigate to ActiveSOC > Responder Monitor and use the toggle button to the right of Responder Monitor deployment to activate the feature: NOTE: This feature requires local admin credentials for endpoints, which can be configured in Settings > Campaign and Deployment. MazeRunner will begin to deploy to endpoints in the deployment group you configured in the final step of the Responder Monitor story creation in the wizard. NOTE: Responder Monitor alerting only works when the Responder Monitor breadcrumb is deployed via the Responder Monitor deployment feature described above. Every time MazeRunner deploys on an endpoint, the Responder Monitor breadcrumb tries to detect NBNS poisoning of the connected decoy hostname; if it detects this, it broadcasts the deceptive credentials and reports if Responder.py tool was used to steal these credentials. MazeRunner aims to maximize the likelihood of an attacker intercepting deceptive credentials. In order to do this, the Responder Monitor breadcrumb will broadcast (each time from a different endpoint) every X minutes (where X is the detection interval you defined during breadcrumb creation, or a random interval between 1-10 minutes that is regenerated for each endpoint deployment). Responder Monitor SOC integration To use the Responder Monitor SOC integration (allows detection of Pass-the-Hash attacks), first make sure that: 1. You have added a SOC interface (see the section entitled SOC Interfaces on page 75 for instructions on how to do so). NOTE: Make sure that the assets you want to monitor send their Windows event logs to the SOC interface you configured, and that their audit policy for login attempts is enabled for failed login attempts. Cymmetria MazeRunner 2018 Community

81 2. Once you have added a SOC interface, enable the Responder Monitor SOC integration using the toggle button to the right of "Responder Monitor SOC integration". Next, you might need to map custom Responder Monitor fields mapping 13. MazeRunner will query the SOC interfaces you configured to find evidence of someone using the Responder Monitor breadcrumbs that were deployed by MazeRunner. When MazeRunner is querying your SOC interface, it uses the following default field names in the query (according to your interface type): Field name Splunk ArcSight Data Platform Username Account_Name destinationusername Domain Account_Domain destinationntdomain Event_code EventCode externalid Endpoint_hostname Workstation_Name destinationhostname Endpoint_ip Source_Network_Address destinationaddress NOTE: ArcSight ESM is not supported for use with the Responder Monitor feature. If any of these fields is serialized differently in your SOC interface, you will need to add custom mapping for these fields. To do this, follow these steps: 1. Click the Add button next to Map Responder Monitor fields : 2. From the drop-down list, choose the SOC interface you would like to map (you can have more than one mapping for each SOC interface). Then, fill out the remaining mandatory fields and click Save : 13 If you would like to use an API SOC interface with the Responder Monitor feature, you must map the interface's fields. Cymmetria MazeRunner 2018 Community

82 Validating Responder Monitor configuration In order to check that the Responder Monitor deployment and alerting are working properly, complete the following steps: 1. To check that the deployment worked, navigate to ActiveSOC > Activity Feed. In the Event column, check that there is at least one entry with the status "Deployment successful". If after approximately 10 minutes you do not see an entry, please make sure that the Responder Monitor deployment feature is turned on and that it is configured correctly. If you see an entry with a "Deployment failed" status, please refer to this FAQ (page 134). 2. There are three types of events ("NBNS poisoning", "Credentials stolen by attacker", and "Credentials used by attacker"). To verify that you have configured the Responder Monitor SOC integration feature correctly, there are two tests you can carry out: 1. Select a server in your domain (the domain being monitored in the SOC interface you configured earlier) that has a network share, and run the following net use command from a different machine (e.g., your Windows laptop): net use \\<server_address> /user:<breadcrumb_domain>\<breadcrumb_username> <breadcrumb_password> Within approximately 10 minutes, you should see a Network Credential Interaction alert on MazeRunner s Investigation screen. If you do not see an alert, please check your SOC configuration (the SOC interface you added as well as the Responder Monitor fields mapping you set up). Now, whenever MazeRunner deploys the Responder Monitor breadcrumb to one of your endpoints, if there is an attacker in your network who is using Responder.py (or a similar tool), the attacker will record the Responder Monitor breadcrumb credentials. If the attacker Cymmetria MazeRunner 2018 Community

83 then uses these credentials on a machine in one of your monitored domains, MazeRunner will raise an alert and you will see the details on the Investigation screen. 2. Run Responder.py on one of your network segments and make sure it poisons the hostname of the decoy on which the Responder Monitor service is running. Import an endpoint from that network segment to MazeRunner (you can do this by using MazeRunner's "Import by CIDR blocks" feature) and make sure that this endpoint is the only endpoint in the Responder Monitor's deployment group. Wait for the deployment to finish on the endpoint (you will see this status in your activity feed). Notice that the Responder.py tool captured the hash credentials of the Responder Monitor breadcrumb and that you see "NBNS poisoning" and "Credentials stolen by attacker" alerts on MazeRunner's Investigation screen. For more information about the activity feed, see the ActiveSOC and Responder Monitor activity feed section on page 74. CHANGING ALERTING POLICY Changing your alerting policy can be done from the Alerting Policy sub screen in Settings. Navigate to Settings > Alerting Policy: Here you can define the system-wide policy for handling events. For each event, you can define whether it will be ignored, recorded in MazeRunner, or recorded in MazeRunner AND sent to the syslog server. You do this by setting system-wide rules to be performed for specific types of events. You can also define user rules that override any system rules. System-wide rules: These are the built-in rules that define which action should be taken for each event type. You can choose from "Ignore", "Mute" (default setting), and "Alert": Ignore The event is not seen anywhere. Mute The event is only seen on the Investigation screen; however, you can choose to "Send muted events" via syslog or Cuckoo, using the toggle button on the Syslog and Cuckoo sub screens of MazeRunner's Integrations screen. Alert The event is seen on both the Investigation screen and the Dashboard, and an alert is sent via syslog and . Cymmetria MazeRunner 2018 Community

84 User rules: Here you can define rules that will override the system rules. To do this, follow these steps: 1. Click "Add rule" to open the rule creation form: 2. To which type of event should this rule apply? Choose one from the drop-down list. NOTE: You will need to create a separate rule for each type of alert, or a single rule that will match all alert types. 3. To which decoy(s) and service(s) would you like this rule to apply? Make your selections from the drop-down lists. 4. You can choose to set a rule for actions originating from a specific IP address. To do this, fill in the IP address in the field provided. Please note that IP addresses are matched exactly. 5. You can also choose to set a rule for a specific file located on a decoy (e.g., "/bin/netcat" or "myshare/important.txt"). To do this, fill in the relevant filename in the field provided. The filename specified will apply to SMB alerts, code execution alerts, and unsigned code execution alerts. Please note that the filename is matched exactly (SMB alerts will contain the share name, there is a distinction between / and \, and names are case sensitive). 6. What would you like to happen? Choose an action ("Ignore", "Mute", "Alert" or "Shut down decoy") from the drop-down list. If you choose "Shut down decoy", any decoy(s) related to that event will be automatically shut down when the event is processed. IMPORTANT: Shutting down the decoy is independent of the action you set for each event type ("Ignore", "Mute", "Alert"); an event may be ignored by another rule and still shut down the decoy. 7. Once you have finished defining your new rule, click "Save". Cymmetria MazeRunner 2018 Community

85 PRODUCT REFERENCE The following sections provide an overview of the MazeRunner platform, including its user interface and additional functionalities. PRODUCT INTERFACE MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main parts of the product: Dashboard Your deception battle map, where you control and review your campaigns. Campaign screen Here you create the different components of your deception campaign. Endpoints screen From this screen you can view and manage your endpoints, as well as deploy breadcrumbs. Investigation screen Used for viewing your campaign's events and alerts. Here you can see every move an attacker has made. ActiveSOC Connect MazeRunner to your SOC in order to use MazeRunner's ActiveSOC and Responder Monitor features 14. Integrations Here you can configure integrations with security tools and software (e.g., syslog, ThreatConnect, AWS). Alternatively, you may manage the platform using the MazeRunner API. Almost everything that can be done using the MazeRunner interface can also be achieved by using the API. For details, see our online API documentation. SETTINGS Configure MazeRunner, run diagnostics, manage users and API keys, view your access log, and more. The Settings screen, which can be reached by clicking the gear icon on the top right navigation bar, contains twelve sub screens for configuring MazeRunner. GENERAL Here you can enter a virus database URL, choose to share intelligence back with the community, automatically download updates, set the time zone, enable endpoints tracking (send beacon 15 ), view/change 14 ActiveSOC and all related features, with the exception of the Responder Monitor deployment feature, is currently available to MazeRunner Enterprise customers only. 15 The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the Cymmetria MazeRunner 2018 Community

86 the NTP server domain address, set the number of hours of inactivity before logout, and restore the default configuration for General and and Reporting. You can also allow MazeRunner to access the web through a proxy server that requires authentication with a username and password. To do so, enter an HTTP proxy server URL (e.g., and activate the Authenticate using credentials feature by clicking the toggle button and entering a username and password. Lastly, you can restart or shut down MazeRunner using the power option buttons located at the bottom of this screen. NOTE: If you shut down MazeRunner from here, it will shut down the entire system; you will need physical access to the server (if you are using a physical appliance) or access to the ESXi (if you are using a virtual appliance on the ESXi) in order to turn MazeRunner on again. AND REPORTING Here you can define settings for and reporting: MazeRunner provides three reports: 1. MazeRunner status report Generate a report about the current state of MazeRunner. Includes general statistics about investigation, a list of unresolved attack stories, deception campaign state (list of decoys), and deployment state (endpoint screen statistics and a list of deployment groups). 2. Time range report Generate a report about events and alerts within a given time range. Includes event summary and statistics, an attack story summary, a list of all attack stories, and an annex (accessed ports, mentioned hosts, and usernames used). 3. Attack story report Generate a report for a single attack story. MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect to it over HTTPS (port 443). Cymmetria MazeRunner 2018 Community

87 The first two reports are accessible from Settings > and reporting, as well as at the top right-hand side of the Investigation screen. Simply click the corresponding buttons on either of these screens, select a time range if necessary, and download the desired reports (PDF format). The attack story report can be downloaded from individual expanded attack stories, in the attack story section on the Investigation screen. Simply click the download icon, choose a date range, and click "Download": NETWORKING Here you can add a decoy MAC address prefix and set MazeRunner's networking configuration. You can choose to use the default configuration, run MazeRunner in non-promiscuous mode or enable VLAN support for decoys and view/change the VLAN trunk interface: ACCESS CONTROL Here you can enable access control to MazeRunner's management interface by limiting access to specific IP addresses. To add an IP address to your access control whitelist, click "Add rule", enter the IP address, and then click "Save": Cymmetria MazeRunner 2018 Community

88 CAUTION! If this is not done properly, you risk losing your own access to MazeRunner. Please ensure the validity of the information you enter here. If something goes wrong, please contact Cymmetria support. ALERTING POLICY Here you can define the system-wide policy for handling events. See Changing alerting policy on page 83 for more details. CAMPAIGN AND DEPLOYMENT Here you can enable periodic breadcrumb deployment, MazeRunner's endpoint Forensic Puller, and Automatic Hackback 16, as well as define your campaign refresh frequency, remote deployment settings, and local admin credentials for endpoints (and test those credentials). See Periodic breadcrumb deployment & campaign refresh on page 60, Forensic Puller on page 67, and Automatic Hackback on page 72 for detailed instructions. CUSTOM SERVICES ENTERPRISE EDITION ONLY Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The following documentation is provided here to give Community Edition users an explanation of how the feature works. Custom services are services that are not part of MazeRunner by default. You can upload a custom service that you have created or received from another source. Once uploaded, you will be able to add the service to your deception campaign. 16 This feature is currently available to MazeRunner Enterprise customers only. Cymmetria MazeRunner 2018 Community

89 To add a new custom service, navigate to Settings > Custom services, click "Add custom service", and upload a ZIP file containing your custom service. NOTE: Each custom service file that is uploaded to MazeRunner must contain a name and description. The custom service's label and description can be edited from the custom services table, using the edit icon in the Actions column. To delete a custom service, use the delete icon in the same column of the table. Note that when you delete a custom service, all related events as well as all instances of the service in your deception campaign will be deleted. GOLDEN IMAGES ENTERPRISE EDITION ONLY Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The following documentation is provided here to give Community Edition users an explanation of how the feature works. MazeRunner allows you to add new base images for decoys, in order to keep decoys consistent with your organization's production machines. You can configure these images in Settings > Golden image. To add an image, follow these steps: 1. Click "Add golden image", fill in a name, and click "Next". 2. Upload your image. You can stop an upload by clicking "Stop upload": 3. Once your image has finished uploading, click "Done" to finish. You will now see your image and its details listed on the main screen (your image's status may show as "Onboarding" for several hours): Now, when you manually create a decoy from the Campaign screen, you can select your new image from the Operating system drop-down: Cymmetria MazeRunner 2018 Community

90 A few notes on support for golden images: Supported image type: VMware OVA images only Supported OS types: Windows 7 and above Code Execution alerts are not supported ACTIVE DIRECTORY Here you can import domains from an Active Directory for use when managing your endpoints and automating breadcrumb deployment. You can also view information on Active Directory sources and CIDR blocks you have added. Please see Importing endpoints from Active Directory on page 49 for more information. RELAY ENTERPRISE EDITION ONLY Here you can configure MazeRunner's Relay feature, which allows connecting multiple MazeRunner instances and monitoring them from one MazeRunner machine. See Relay on page 68 for more information. SSL CERTIFICATE Here you can view the current server certificate and download the CA certificate. You can also replace the certificate with a new certificate signed by MazeRunner or signed by a certification authority (CA). See SSL Certificate on page 66 for more information. API KEYS Almost everything that can be done using the MazeRunner interface can also be achieved by using the API. Some examples include: Inspecting and managing alerts Creating and editing deception campaigns Cymmetria MazeRunner 2018 Community

91 Implementing new breadcrumb deployment mechanisms Integrating MazeRunner with 3rd party systems On the API Keys sub screen, you can add API keys to allow users to access the MazeRunner API. To do so, follow these steps: 1. Click "Add API key", enter a description (this is an internal description), and click "Save": 2. Your new API key details (description, key ID, and secret key) will appear on the screen. NOTE: Be sure to record the secret key, as this is the only time you will see it. Click "Done" to finish. 3. API keys can be removed at any time by clicking the trash icon in the Actions column on the righthand side of the screen. In order to ensure you are communicating with MazeRunner, click "Download CA certificate" and add this to your API script. For more details on the MazeRunner API, see our online API documentation. USER MANAGEMENT User management allows admins to create and delete users and assign them user roles, as well as view MazeRunner's access log, which records the date and time each user accesses MazeRunner, and from which IP address. To create a new user and assign that user a role, navigate to Settings > User Management and follow these steps: 1. Click "Add user". Define a unique username and password, assign the user a role (see Role-based access control, below), then click "Save": 2. Users can be edited at any time by clicking the pencil icon in the Actions column on the right-hand side of the screen. Cymmetria MazeRunner 2018 Community

92 ROLE-BASED ACCESS CONTROL MazeRunner allows you to assign different levels of access to individual users. Certain features and/or screens within MazeRunner will be disabled for users with insufficient permissions to view or edit those features/screens. MazeRunner offers the following levels of access: Administrator (only an administrator user can create, edit or delete other users), Deception Manager, Incident Response Analyst, and Read-only. The following table details some specific actions each level of access can take within MazeRunner: Administrator Deception Manager Incident Response Analyst Read-only Create, edit or delete other users Create an API key View the User Management page Change the deception campaign Change endpoints Change settings partial Change integrations Acknowledge or stop background tasks and notifications Edit/archive events and alerts Change password, send logs to Cymmetria, view active tasks and notifications, view the About screen, send feedback View most MazeRunner screens and features (unless otherwise indicated) Additional notes about user roles: When upgrading to MazeRunner version or above from an older version of MazeRunner (1.8.0 and below) that has multiple users, all users will become admin users (one time only). If you wish to assign lower access to some users, you will need to do so after upgrading. For all future upgrades, user roles will persist. For each role, the limits of what the user can do are defined on a screen-by-screen basis. If a user does not have the necessary permissions to edit an object, for example, control buttons (such as Save or Delete ) will be disabled, and a tooltip stating "Insufficient permissions" will appear. In other instances, a banner will appear near the page title stating that some settings are disabled for non-admin users. Cymmetria MazeRunner 2018 Community

93 DIAGNOSTICS MazeRunner diagnostics allows you to run diagnostics to review the current configuration of MazeRunner. Simply click "Run MazeRunner diagnostics": If a test was unsuccessful, you will see a red X and an error message with further instructions on how to proceed. TASK MANAGER The task manager, accessed from the check mark icon that is located on the top right navigation bar, displays MazeRunner tasks and their statuses. By clicking the icon, you can view the status of tasks that are currently running (on the Running tab), and see a list of completed tasks (on the Complete tab). NOTE: Stopped and failed tasks can be seen on the Complete tab alongside successful tasks. If you would like to stop a task that has already been started, you can do so from the Running tab. To stop a task that is currently in progress, click the Stop icon to the right of the task's name: Once you do this, the task will move to the Complete tab and its status will appear as "Stopped": Cymmetria MazeRunner 2018 Community

94 NOTE: If you stop a task (for example, a breadcrumb deployment) before it has completed, you will need to navigate to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and clean the endpoints on which breadcrumbs have already managed to deploy before you stopped the deployment. For more information on how to do this, see Filter & sort options and Bulk actions in the Endpoints screen section on page 105. If a task fails, you will see this detailed in the task's status bar on the Complete tab: To check failed deployments, you will need to go to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and expand the endpoint rows to check why they failed. For more information on how to do this, see Filter & sort options on page 106. NOTIFICATION CENTER The notification center, accessed from the globe icon on the top right navigation bar, displays alerts and notifications regarding your MazeRunner activity. This includes campaign import status, any issues that need your attention, and more. STABILITY ALERT S To make sure you do not miss important notifications, MazeRunner will send an alert for some types of notifications in addition to displaying them in the notification center. settings can be configured by navigating to Settings > and Reporting. Cymmetria MazeRunner 2018 Community

95 DECEPTION STORY WIZARD This tool, accessed from the New story button on the Campaign screen, assists you in building your deception campaign. The wizard allows you to choose from templates that have been prepared by Cymmetria's security team. Alternatively, you can build your own customized deception stories without the help of the wizard. For more information on how to build deception stories using the wizard, see the section entitled Creating a deception campaign (using the Deception story wizard) on page 42. USER MENU This menu, accessed from the user menu icon on the top right navigation bar, allows you to change your password, update the system, access MazeRunner's user manual, send logs to Cymmetria, and open a support ticket (or send feedback). CHANGE PASSWORD If you would like to change your password, you can do so here. Simply enter your old password and your desired new password, and then click "Update": SYSTEM UPDATE Use the System Update wizard to check for MazeRunner updates or upload and install an update file you received from Cymmetria. When you select "Update" from the System Menu, the System update window will open and display the current system status (either that MazeRunner is up-to-date, or prompting you to check for updates). To check for updates, click "Check online for updates": Cymmetria MazeRunner 2018 Community

96 If an update is available, you will be prompted to download and install it. The system will reboot after installation is complete. To upload and install an update file you received from Cymmetria, click "Upload and install an update file". Once you click this button, the update file will upload and then automatically begin to install. NOTE: During installation, you will not be able to use MazeRunner; the system will reboot after installation is complete: If your update fails, please contact Cymmetria support and we will be happy to help you. IMPORTANT: If your MazeRunner server is connected to the Internet, it will automatically check for version updates once a week and will prompt you with a notification if there is a new version to download. Also, when a new version of MazeRunner is released, Cymmetria will notify you by . This way, if your MazeRunner is not connected to the Internet, you can manually update the system by using the MazeRunner Update wizard to upload an update file. SEND LOGS TO CYMMETRIA Sending logs to Cymmetria will allow us to better investigate issues related to your specific MazeRunner instance. You can send logs automatically by entering your address in the field provided and then clicking "Send logs": Cymmetria MazeRunner 2018 Community

97 HELP FEATURES The MazeRunner UI includes several types of help features to guide you in your use of the product. HELP ICON A help icon? is located at the top right of the services and breadcrumbs forms (click Create service or Create breadcrumb from the Services or Breadcrumbs sub screens of the Campaign screen). Clicking the help icon will provide a description of all available services, or a description of available breadcrumbs and how they affect endpoints. When in help mode, the help icon will change to a back icon < that, when clicked, will take you back to the creation form: DECEPTION ELEMENT DESCRIPTIONS A short description is located at the top of the services and breadcrumbs creation forms, to provide a general description of what these elements are: Cymmetria MazeRunner 2018 Community

98 TOOLTIPS Tooltips are located throughout MazeRunner in various places, such as on hover over certain icons and buttons. When you hover your mouse cursor/pointer over a relevant item, a tooltip will appear in order to provide further information about the item: INTEGRATIONS MazeRunner has bi-directional integrations, meaning it either uses other security tools to trigger deception in MazeRunner (e.g., playbooks) or it sends threat intelligence data from MazeRunner to other solutions, such as ThreatConnect. You can also integrate MazeRunner's intelligence feed with your SIEM (e.g., Splunk, ArcSight), or with your sandbox to send files gathered by MazeRunner for sandbox analysis. CUCKOO SANDBOX You can send malware samples to Cuckoo and have the results sent back to and displayed in MazeRunner. You will be able to download the results (a ZIP file) from the alert details on MazeRunner's Investigation screen. This integration can be used for Code Execution and Unsigned Code Execution alerts. To configure a Cuckoo sandbox in MazeRunner, follow these steps: 1. Navigate to Integrations > Cuckoo sandbox and click "Add instance". 2. Give your instance a name (internal), and enter the internet address (either IP or full DNS address) of your Cuckoo instance, as well as its API and display ports. Enable using HTTPS if you wish to do so. 3. Choose a status for your integration; there are three options: 1. Active Automatic Relevant events will automatically be fed to the integration. 2. Active Manual You will need to manually send relevant events to the integration, by choosing to do so from the expanded alert view on MazeRunner's Investigation screen: 3. Turned off Integration is currently inactive. Cymmetria MazeRunner 2018 Community

99 4. If you would like, enable "Send muted events" (send data from events set to "Mute" in the alerting policy) using the toggle button. 5. Test your connection using the Test connection button, and then click "Save changes". You can add additional instances by clicking the "Add instance" button at the top right-hand side of the screen. To delete an instance, click the trash can icon for that particular instance. NOTE: You can use the Resend event data button to resend event data that previously failed to send. IBM BIGFIX You can deploy breadcrumbs to endpoints in your organization using IBM BigFix. See the IBM BigFix sub screen of Integrations in the MazeRunner UI for more information. SCCM You can deploy breadcrumbs to endpoints in your organization using SCCM. See the SCCM sub screen of Integrations in the MazeRunner UI for more information. TANIUM You can deploy breadcrumbs to endpoints in your organization using Tanium. See the Tanium sub screen of Integrations in the MazeRunner UI for more information. MCAFEE EPO You can deploy breadcrumbs to endpoints in your organization using McAfee epo. See the McAfee epo sub screen of Integrations in the MazeRunner UI for more information. AWS You can deploy MazeRunner in AWS. To do so, please contact Cymmetria to receive a version of MazeRunner that is configured to work in AWS. Cymmetria MazeRunner 2018 Community

100 SYSLOG MazeRunner supports several integrations for reporting alerts through syslog (Splunk, ArcSight, Elasticsearch, and more). Here you can define settings for syslog (UDP/TCP port and address, output format, and encryption). Click "Add instance", name your instance, choose which protocol you would like to use (UDP or TCP), and fill in the UDP/TCP address and port. Use the toggle buttons on this screen to enable using ArcSight CEF, encrypting the TCP syslog with SSL, and sending muted events, and then click "Save changes": You can add additional instances by clicking the "Add instance" button at the top right-hand side of the screen. To delete an instance, click the trash can icon for that particular instance. NOTE: You can use the Resend event data button to resend event data that previously failed to send. THREATCONNECT This section will show you how to set up ThreatConnect for use with MazeRunner. To set up ThreatConnect integration, follow these steps: 1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of which feed to connect, please check with your ThreatConnect contact). In this example, our feed is called "Cymmetria TAXII Source": Cymmetria MazeRunner 2018 Community

101 2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared on your screen. Click on the gear icon to go to your TAXII feed's Source Config: 3. In Source Config, go to the Data tab: Cymmetria MazeRunner 2018 Community

102 4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange: 5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window has popped up on your screen: Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII server URL found in MazeRunner's Integrations settings. To do this: a) Open MazeRunner in your browser by navigating to your virtual machine's IP address (using HTTPS). In the MazeRunner UI, navigate to the Integrations screen and select ThreatConnect from the left-hand side of the screen: Cymmetria MazeRunner 2018 Community

103 b) There you will find "TAXII settings". Use the toggle button next to "Enable TAXII server" to enable the server, click the Submit button, and then copy the link found in the "TAXII server URL" field. c) Go back into ThreatConnect and paste this URL into the space provided, then click "Next". 6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5 will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not need to use these credentials again; they are only required by ThreatConnect in order to proceed to the next step), then click "Next": 7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called "alerts_feed"), then click "Next": Cymmetria MazeRunner 2018 Community

104 8. Click "Next" until you reach the Confirm tab, and then click "SAVE". PHANTOM You can use Phantom to deploy breadcrumbs to endpoints in your organization. See the Phantom sub screen of Integrations in the MazeRunner UI for more information. For help, please contact Cymmetria. CHEF You can deploy breadcrumbs to endpoints in your organization using Chef. See the Chef sub screen of Integrations in the MazeRunner UI for more information. Cymmetria MazeRunner 2018 Community

105 ENDPOINTS SCREEN This screen shows you endpoints and the breadcrumbs they contain, along with their status, details, and possible actions that can be taken: Notice the endpoint status chart at the top of the screen. An endpoint's status is defined as follows: Clean The endpoint contains no breadcrumbs (usually when the endpoint has recently been imported and no action has been taken on it) Deployment Failed Breadcrumb deployment to the endpoint was unsuccessful (a detailed error message will be shown when you expand the endpoint row) Inactive The endpoint contains breadcrumbs, but a subset of those breadcrumbs are inactive Active Breadcrumbs have been deployed to the endpoint successfully, and are active NOTE: You can redeploy breadcrumbs to endpoints that had issues by choosing the relevant Deployment mode in the Deploy to endpoints form (see Deploying breadcrumbs on page 56 for more information): After you have deployed breadcrumbs to your endpoints, you will be able to expand each endpoint by clicking the + icon to see details about the breadcrumbs on that endpoint. You have already learned how to import endpoints from Active Directory and from CIDR blocks (page 49 and 53), and how to deploy breadcrumbs to those endpoints (page 56); now let's look at what else you can do with your endpoints from the Endpoints screen. Cymmetria MazeRunner 2018 Community

106 FILTER & SORT OPTIONS There are several filter and sort options available on the Endpoints screen. You can use the search bar, and/or the funnel icon to the right of certain column titles (Endpoint ID, Status, Status updated on, Deployment groups, Origin, and Last connection attempt), and/or the arrow icon to the right of some column titles (Endpoint hostname, Endpoint IP, Status updated on, and Last connection attempt). To filter using the search bar: 1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter" on your keyboard. You can search using letters and numbers pertaining to an endpoint's hostname, IP address or operating system (e.g., searching '2016' would return a result showing all endpoints running a Windows Server 2016 Standard operating system): 2. To clear your filter results and return to the main screen (where all endpoints are visible), simply delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter" on your keyboard. To filter using the funnel icon to the right of column titles: 1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available options, then click "Apply filter": 2. To clear your filter results and return to the main screen (where all endpoints are visible), click again on the funnel icon to the right of the column title and then click "Clear". Use the arrow icons next to column titles to sort data numerically or alphabetically. Refresh the page by using the Refresh button at the top left-hand side of the screen (this page does not dynamically refresh). Cymmetria MazeRunner 2018 Community

107 BULK ACTIONS Using the checkboxes next to each endpoint, you can take bulk actions on selected endpoints. You can delete endpoints, clean breadcrumbs from endpoints, deploy breadcrumbs to select endpoints, re-assign endpoints to a different deployment group, and run Forensic Puller on endpoints. To delete an endpoint and its related breadcrumbs (remove from database completely): 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk actions drop-down to appear: 2. Click "Delete endpoints"; when prompted to confirm the action, click "Delete". 3. Once the action has been completed successfully, you will see a green confirmation message appear next to the notification center at the top right-hand corner of your screen. To clean breadcrumbs from an endpoint (connect remotely and remove breadcrumbs on that endpoint): 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk actions drop-down to appear: 2. Click "Clean breadcrumbs" and choose your preferred deployment method (executable or native script). If you have previously configured local admin credentials for endpoints in Settings > Campaign and Deployment, you will see these credentials here. You can change these credentials by clicking "Change". If you choose to change the credentials, you can save the new credentials for further use by using the toggle button that appears. NOTE: Saving the new credentials will overwrite the existing (previously configured) credentials for all purposes: 3. When you are ready, click "Clean". 4. Once the action has been completed successfully, you will see a green confirmation message appear next to the notification center at the top right-hand corner of your screen. Cymmetria MazeRunner 2018 Community

108 To deploy breadcrumbs to select endpoints: 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk actions drop-down to appear: 2. Click "Deploy breadcrumbs" and choose your preferred deployment method (executable or native script). If you have previously configured local admin credentials for endpoints in Settings > Campaign and Deployment, you will see these credentials here. You can change these credentials by clicking "Change". If you choose to change the credentials, you can save the new credentials for further use by using the toggle button that appears. NOTE: Saving the new credentials will overwrite the existing (previously configured) credentials for all purposes: 3. When you are ready, click Deploy. NOTE: Unassigned endpoints will be skipped. To re-assign an endpoint to a different deployment group: 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk actions drop-down to appear: 2. Click "Assign to deployment group". From the drop-down list that appears, choose the deployment group to which you would like to assign the selected endpoint, then click "Assign": Cymmetria MazeRunner 2018 Community

109 3. Once the action has been completed successfully, you will see a green confirmation message appear next to the notification center at the top right-hand corner of your screen. NOTE: An endpoint and its breadcrumbs must belong to the same deployment group. Therefore, if the endpoint you reassigned contains breadcrumbs from a different deployment group, your endpoint will become inactive and you will see an error message when you expand the endpoint row. You will need to clean the endpoint and redeploy its breadcrumbs either manually or automatically to resolve this. To run Forensic Puller on the selected endpoints: 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk actions drop-down to appear: 2. Click "Run Forensic Puller", and when prompted, click Run. DASHBOARD The Dashboard provides a visualization of all active deception elements (i.e., an active map of your deception campaign). Here you can see a visualization of your deception story and deployment to endpoints, and can filter based on date range, alert type, and event status. The Dashboard gives you a bird's-eye view of how MazeRunner is deployed on your network. To see all events and alerts in the system you can go to the Investigation screen. The map displays decoys (as boxes), deployment groups (as circles), and the connections (services, breadcrumbs, endpoints) between them. Clicking on a decoy will focus the map around it and will show metadata about that specific decoy (name, IP address, OS, decoy status, a list of the types of services running Cymmetria MazeRunner 2018 Community

110 on the decoy, and shortcuts to other MazeRunner screens where you can view more detailed information related to that decoy). You can deselect a decoy by clicking anywhere outside of it. Clicking on a deployment group will focus the map around it and will show metadata about that specific deployment group (name, distribution of endpoints in the group by their status Active, Inactive, Deployment failed, and Clean, and shortcuts to other MazeRunner screens where you can view more detailed information related to that deployment group). You can deselect a group by clicking anywhere outside of it. Many icons and numbers have tooltips for clarification; simply move your mouse cursor or pointer over an icon to learn more: The Dashboard's legend, which provides an explanation of individual features, can be accessed by clicking the? icon located beside the search bar on the top right-hand side of the Dashboard. Cymmetria MazeRunner 2018 Community

111 CAMPAIGN SCREEN The Campaign screen is where you can view your deception campaign and its details. Using the Decoys, Services, Breadcrumbs, and Deployment Groups sub screens, you can manually create and manage your campaign's deception elements. For more information on how to do this, see Creating a basic deception campaign manually on page 45. Once you have added deception elements to your campaign, you will see them visualized on the top part of the screen: Each decoy displays its name and operating system. On hover over the information icon (the i on the right side of the decoy), status and IP info will also be displayed. Clicking the information icon will show detailed information about that particular decoy, on the Decoys sub screen. Each service displays its name and type. On hover over the information icon, the service's status will also be displayed. Clicking the information icon will show detailed information about that particular service, on the Services sub screen. Each breadcrumb displays its name and type. On hover over the information icon, the breadcrumb's status will also be displayed. Clicking the information icon will show detailed information about that particular breadcrumb, on the Breadcrumbs sub screen. Each deployment group displays its name and the number of active endpoints out of the total number of endpoints assigned to that group. Notice that the deployment groups shown in the above screenshot sit Cymmetria MazeRunner 2018 Community

112 below the rest of the deception elements; this is because no breadcrumbs have been assigned to them yet. Once a breadcrumb is assigned to a deployment group, you will see the connection visualized along with the other deception elements: Color-coded lines show the various connections between deception elements. Note that each service can only connect to one decoy, and each breadcrumb can be connected to one decoy (via multiple services). In addition to the visualization on the top part of the screen, your deception elements will also appear on the relevant sub screens on the bottom part of the screen. Here you can view additional details about each deception element (status, details, connections to other deception elements, etc.) and edit each element: The Decoys, Services, and Breadcrumbs sub screens can also be filtered to show only active or inactive elements, using the "Showing" drop-down list located at the top left of the sub screens: Additional information about each sub screen is explained in Creating a basic deception campaign manually on page 45. INVESTIGATION SCREEN The Investigation screen is split into two sections: on the right-hand side of the screen is the Investigation table, which shows deception campaign events (including alerts); on the left-hand side of the screen is the attack story section, which contains a list of attack stories: Cymmetria MazeRunner 2018 Community

113 Each time an attacker carries out an action on a decoy machine, an event is created. Not every event warrants an alert; for example, events such as port scans and protocol connections are documented without raising alerts. The following are examples of common types of events documented by MazeRunner (for a full list of event types and their descriptions, see Types of events on page 119): 1. Port access An indication that an attacker has probed a decoy. 2. Interaction event An attacker might try to interact with one of the services on a decoy; this type of event will notify the user of such attempts. For example, an SSH Interaction event would indicate that an attacker tried to log into SSH. 3. Code execution An indication that an attacker has executed a program on a decoy. 4. Unsigned code execution An indication that an attacker has added and executed a program on a decoy. This is different than a regular code execution, where the program is already located on the decoy. DON'T FORGET: You can configure which action you would like to be taken for different events on the Alerting Policy sub screen of Settings (see page 83). ATTACK STORY SECTION This section is expanded by default; it can be collapsed to the left (and expanded again) using the arrow button on the top left side of the section: Attack stories provide detailed information (what actually happened, where, and in which order) about events that are related to one another, in order to help you contain and remediate attacks faster and more accurately. Cymmetria MazeRunner 2018 Community

114 An attack story contains a list of events sharing common data; it contains general data and statistics derived from the events. Each attack story is automatically assigned an ID by MazeRunner, and each event that appears in the Investigation table (on the right-hand side of the Investigation screen) shows the ID of the story it appears in. There are two types of attack stories: 1. "Endpoint accessed a decoy" The events that happened from a specific endpoint to a specific decoy 2. "Credentials theft detected" All of the events regarding credential theft and usage from a specific endpoint NOTE: An event cannot be assigned to more than one attack story. By default, attack stories appear collapsed in the attack stories section. The collapsed view shows Story ID, Story type, Number of alerts and events, Most recent event, First event, Attacker IP, Attacker hostname, and (only for "Endpoint accessed decoy" stories) Decoy name: Clicking the Investigate button on the top right of the story will expand the story to show full details: When an attack story is expanded, notice that the Investigation table on the right-hand side of the Investigation screen automatically filters itself according to that story: Cymmetria MazeRunner 2018 Community

115 Clicking the X on the left side of the blue bar will cancel the filter and will collapse the expanded story on the left-hand side of the Investigation screen. When an attack story is expanded, you can download a detailed report about that attack story to further investigate events (including alerts). Simply click the download icon, select a date range, and click "Download". See and reporting on page 86 for more information. INVESTIGATION TABLE The Investigation table shows information about events. By clicking the + icon (or clicking anywhere on the row), you can expand each entry in the Investigation table to see more information about the event: If you have configured custom integrations (e.g., Cuckoo) with a status of "Active Automatic", you will see information for relevant events in that event's expanded entry data: Cymmetria MazeRunner 2018 Community

116 If you have configured custom integrations (e.g., Cuckoo) with a status of "Active Manual", you can choose to manually send that data to the integration by selecting the instance from the Send to drop-down: While in an expanded entry, you can click Create user rule to create a rule that will apply to alerts that are similar to the one you are currently viewing: The Create user rule form that opens will auto-populate its fields based on information from the alert you are viewing; if you wish to edit any of these fields, you can do so before clicking Save. Cymmetria MazeRunner 2018 Community

117 NOTE: The Investigation table does not refresh automatically so as not to disturb users who may be browsing the table s content. If new events occur while a user is viewing the Investigation screen, an animated bell icon and message will appear, next to the Refresh button at the top of the table. Clicking the message or icon (or the Refresh button) will refresh the table: FILTER & SORT OPTIONS There are several filter and sort options available on the Investigation screen, for both attack stories and events (Investigation table). Events are classified as "Unresolved" when they first appear on the Investigation screen. You can change them to "Resolved" after you have reviewed them and have taken all necessary actions. Resolved events can be seen as archived; they will not appear by default unless you specifically choose to filter the Investigation screen to show them (only unresolved content is displayed by default). You can change your Investigation screen's filter using the drop-down list at the top of the screen, and then click "Refresh": This filter affects both the Investigation table as well as attack stories. An attack story with all of its events resolved will be considered resolved; otherwise the story is unresolved. NOTE: When upgrading from a version of MazeRunner that does not support the resolved/unresolved event state, all of the existing events will be marked as unresolved. Attack stories section You can use the search bar and/or filter by date range. To filter using the search bar (will search on all story fields, not events within stories; matched strings within a story will be highlighted): 1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter" on your keyboard. You can search using letters and numbers. 2. To clear your filter results and return to the main screen (where all attack stories are visible), simply delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter" on your keyboard. Cymmetria MazeRunner 2018 Community

118 To filter by date range (stories that have events within the range will be displayed): 1. Click on the Date Range field, choose your "from" and "to" dates, then click "Save": 2. To clear your filter results and return to the main screen (where all attack stories are visible), return the date to the current date. NOTE: The counters and fields in the attack stories change according to the filter (e.g., If the filter for date range is tighter, the number of total alerts will probably be lower). Investigation table Using the drop-down at the top of the table, you can choose to view muted events and alerts, or alerts only. By default, you will see muted events and alerts only. You can also use the search bar, and/or the funnel icon to the right of certain column titles (ID, Time, Type, Decoy name, Username, Source), and/or the arrow icon to the right of some column titles (Time). To filter using the search bar: 1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter" on your keyboard. You can search using letters and numbers pertaining to an event or alert. 2. To clear your filter results and return to the main screen (where all events are visible), simply delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter" on your keyboard. To filter using the funnel icon to the right of column titles: 1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available options, then click "Apply Filter": Cymmetria MazeRunner 2018 Community

119 2. To clear your filter results and return to the main screen (where all endpoints are visible), click again on the funnel icon to the right of the column title and then click "clear". Use the arrow icons next to column titles to sort data numerically or alphabetically. Refresh the page by using the Refresh button at the top left-hand side of the screen (this page does not dynamically refresh). BULK ACTIONS By selecting the checkbox to the right of the + icon, you can take bulk actions on selected events. You can delete an event, mark an event as Resolved or Unresolved, or run Forensic Puller on an event, using the Action on selected alerts drop-down that appears after you select one or more checkboxes. NOTE: Events marked as resolved will appear in the table as slightly faded, in comparison to unresolved events. If you configured it as such on the Syslog sub screen of the Integrations screen, all alerts will go to a syslog server that may be monitored by your SIEM (e.g., Splunk). Likewise, if you configured a different, relevant integration (such as Cuckoo), your alerts will be sent there for processing. To export event information in CSV format, click "Export to CSV" on the bottom left side of the screen. That's it! You now know how to use MazeRunner's platform to create and monitor a basic deception campaign. We're here to help. If you have any questions, please contact us at support@cymmetria.com. TYPES OF EVENTS MazeRunner provides the following types of events. Some events are configured to Mute by default; others are configured to Alert. The alerting policy can be customized from Settings > Alerting policy. Code execution An indication that an attacker has executed a program on a decoy. Unsigned code execution An indication that an attacker has added and executed a program on a decoy. This is different than a regular code execution, where the program is already located on the decoy. Currently supported on Linux decoys. Cymmetria MazeRunner 2018 Community

120 NBNS poisoning detected An attacker poisoned an NBNS hostname query that MazeRunner issued, either from a decoy or an endpoint. HoneyDoc A HoneyDoc deployed to an endpoint was opened. IMPORTANT: This alert may be triggered even if the HoneyDoc file is taken from the endpoint and opened in a different location. GitLab interaction A Git operation was carried out on a decoy running an active Git service. Network credential interaction Specific network credentials were used on a decoy. Credentials stolen by attacker MazeRunner detected use of Responder.py tool and fed the attacker deceptive credentials. OpenVPN interaction An OpenVPN operation was carried out on a decoy running an active OpenVPN service. SSH interaction Someone connected or tried to connect to a decoy running an SSH service. Other interactions, such as failed logins, etc., might also be recorded. HTTP request An HTTP request was made to a decoy running a web application service. MySQL request A MySQL operation was carried out on a decoy running an active MySQL service. Cymmetria MazeRunner 2018 Community

121 Port access An indication that an attacker has probed a decoy. The alert will contain additional information about the protocol (TCP/UDP) and the specific port access (e.g., 389). Please note that some ports are ignored by default in order to minimize false positive alerts; you can change this policy in Settings > Alerting Policy (see Changing alerting policy on page 83 for more information). Share access A file on an SMB share was accessed on a decoy running the SMB service. Busybox Telnet authentication An attacker connected to the Telnet port. Busybox Telnet command execution An attacker executed a command. Mirai worm detected The Mirai Worm Monitor service fingerprinted an attacker using Mirai. Intel AMT authentication attempt An attacker attempted to authenticate against the AMT service. Intel AMT exploited An attacker exploited a known AMT vulnerability to gain access to a decoy. SMTP interaction An attacker sent SMTP traffic to the SMTP service. FTP interaction There are multiple types of FTP interaction alerts: Client connected An attacker connected to the service Client disconnected An attacker disconnected from the service User logged in An attacker logged in to the service User failed to log in An attacker failed to log in to the service User logged out An attacker logged out from the service Cymmetria MazeRunner 2018 Community

122 User uploaded a file An attacker uploaded a file User downloaded a file An attacker downloaded a file User deleted a file An attacker deleted a file User listed directory content An attacker listed directory content User navigated to directory An attacker changed working directory User created a directory An attacker created a directory User deleted a directory An attacker deleted a directory Enterprise Edition note: In addition to the above-listed event types, MazeRunner Enterprise Edition includes the following types of events: Unrecognized machine, RDP session recorded, RDP interaction, and Stolen credentials used by attacker. SUPPORTED OPERATING SYSTEMS MazeRunner Community Edition decoys and breadcrumbs currently support the following operating systems: Decoys Linux (Ubuntu 14.04) Breadcrumbs Windows: Windows 7 up to and including Windows 10 (including Windows Server 2008 R2 and up to Server 2016) Linux: o o Ubuntu and above CentOS, Redhat, and Debian Mac: OS X Yosemite and up Enterprise Edition note: In addition to the above-listed operating systems, MazeRunner Enterprise Edition decoys support Windows (7, Server 2008, Server 2012). Enterprise Edition also allows the use of golden images: MazeRunner allows you to upload and set up your own Windows images as decoys (Windows 7 and above). Cymmetria MazeRunner 2018 Community

123 TYPES OF DECOYS You can choose from the following two virtual machine types when manually creating a decoy in MazeRunner: Nested (KVM) Cymmetria recommends using nested virtualization for your decoys (when possible), as it makes decoy management easier and more centralized. If you choose to use nested decoys, no additional actions are required to create or manage a decoy simply select Nested from the VM type drop-down list when creating a new decoy. NOTE: If you change MazeRunner s IP address, you will need to recreate the decoy. See this FAQ (page 128) for instructions on how to do so. For information on how to create a decoy, see Creating a basic deception campaign manually on page 45. Standalone (OVA) If you decide to create a standalone decoy (instead of a decoy that uses nested virtualization), you will need to download the decoy's OVA file. Do this by clicking the download icon in the Actions column on the Decoys sub screen of the Campaign screen. After downloading the decoy's OVA file, upload it to your chosen hypervisor. Once the file has been uploaded to your hypervisor, make sure that you configure the virtual machine to have network access to MazeRunner. NOTE: If you change MazeRunner s IP address, you will need to manually recreate the decoy. To do this, you will need to delete the decoy and create a new one. For information on how to create a decoy, see Creating a basic deception campaign manually on page 45. TYPES OF SERVICES The following is a list of services and the breadcrumb types they support: Git Description: Source-code management. Supported breadcrumb type(s): Git credentials Supported decoy type(s): Linux Cymmetria MazeRunner 2018 Community

124 HoneyDoc Description: Monitors the use of HoneyDoc breadcrumbs. A shared folder will be created on the decoy for this purpose. Supported breadcrumb type(s): HoneyDoc Supported decoy type(s): Windows and Linux Intel AMT Low Interaction Description: Mimics Intel AMT interface to catch attackers that are interacting with it. Supported breadcrumb type(s): N/A Supported decoy type(s): Windows and Linux Mirai Worm Monitor Description: Monitors for attackers who use the Mirai open source botnet in order to attack open telnet systems. Supported breadcrumb type(s): N/A Supported decoy type(s): Linux MySQL Description: Database service. Supported breadcrumb type(s): MySQL Supported decoy type(s): Linux OpenVPN Description: Virtual private network (VPN) service. Supported breadcrumb type(s): OpenVPN Supported decoy type(s): Linux SMB Description: Creates a shared folder on the decoy. Supported breadcrumb type(s): Credentials, Network share Supported decoy type(s): Windows and Linux Cymmetria MazeRunner 2018 Community

125 Responder Monitor Description: This service can, in addition to connecting to the Responder Monitor breadcrumb, monitor for attackers performing NBNS spoofing and using Responder.py tool directly from the decoy. The username, domain, and password will be fed to the attacker from the decoy. Activating MazeRunner's Responder Monitor (ActiveSOC > Responder Monitor) allows raising alerts when stolen credentials are used in the network. Supported breadcrumb type(s): Responder Monitor Supported decoy type(s): Windows and Linux SMTP Low Interaction Description: A low-interaction SMTP server. Supported breadcrumb type(s): N/A Supported decoy type(s): Windows and Linux SSH Description: Remote shell service. Supported breadcrumb type(s): SSH with private key, SSH with password Supported decoy type(s): Linux Web Application Description: HTTP server with a pre-set web application such as MediaWiki, SugarCRM or phpmyadmin, or a custom, user-controlled website. Supported breadcrumb type(s): Cookie (only when phpmyadmin is enabled) Supported decoy type(s): Linux FTP Server Description: An empty FTP server. Supported breadcrumb type(s): N/A Supported decoy type(s): Windows and Linux Enterprise Edition note: In addition to the above-listed services, MazeRunner Enterprise Edition includes an RDP service (a remote desktop service for Windows decoys that supports RDP and Credentials breadcrumbs) and a Network Monitor service (supports two types of alerting mechanisms: one for unrecognized machines; one for detecting ARP poisoning around the decoy). Cymmetria MazeRunner 2018 Community

126 TYPES OF BREADCRUMBS The following is a list of breadcrumbs and the endpoints on which they are supported: Cookie Description: A Chrome browser cookie that leads to a web application service. Supported on: Windows endpoints Credentials Description: Credentials are stored in the Credential Manager. These credentials can be used for authentication with any Windows application that uses the Credential Manager. Supported on: Windows endpoints Git Credentials Description: Credentials to the Git service. Supported on: Windows, Linux, and Mac endpoints HoneyDoc Description: A DOCX file to be deployed on an endpoint. Opening the file will raise an alert. Supported on: Windows endpoints MySQL Description: A MySQL service connection command. Supported on: Linux and Mac endpoints Network Share Description: Connects the shared folder to Windows and Linux endpoints. Supported on: Windows, Linux, and Mac endpoints OpenVPN Description: OpenVPN configuration files in commonly used locations. Supported on: Windows endpoints Cymmetria MazeRunner 2018 Community

127 Responder Monitor Description: This breadcrumb is deployed automatically and periodically. When deployed, it identifies NBNS spoofing and the use of Responder.py tool on the endpoint's subnet. The username, domain, and password will be fed to the attacker from the endpoint. Activating MazeRunner's Responder Monitor (ActiveSOC > Responder Monitor) allows raising alerts when stolen credentials are used in the network. Supported on: Windows endpoints SSH with password Description: SSH connection details are stored in the Registry. Supported on: Windows endpoints SSH with private key Description: An SSH connection command to the decoy is stored in the Bash history or as a command alias. Supported on: Linux and Mac endpoints Enterprise Edition note: In addition to the above-listed breadcrumb types, MazeRunner Enterprise Edition includes an RDP breadcrumb that is supported on Windows endpoints. Cymmetria MazeRunner 2018 Community

128 FAQ/TROUBLESHOOTING This section contains known issues that customers have encountered during MazeRunner installation, setup, and use. DECOYS NOT WORKING Q: My decoys aren't working. What's wrong? A: Decoys sometimes get stuck in booting or configuring status. This can be caused by various issues (e.g., your MazeRunner IP address has been changed). To rectify this issue, go to the Decoys sub screen of the Campaign screen and click the Recreate icon (located in the Actions column on the right-hand side of the screen): This will delete your decoy and recreate it, exactly as it was (i.e., you will not lose any current connections to services and breadcrumbs). If this does not solve the problem, please verify that your virtual appliance meets the minimum requirements for running MazeRunner (check requirements on page 2). Pay particular attention to the amount of RAM required per decoy. If you have already tried recreating your decoys and are sure that your virtual appliance meets the minimum requirements for running MazeRunner, yet the problem persists, please contact Cymmetria support so that we can investigate the issue. PROBLEM RESOLVING ENDPOINT NAME Q: When testing the connection to an endpoint prior to automated deployment, I received the message "Could not resolve endpoint name". A: Follow these two steps: 1. Please verify that you are providing the full hostname of the endpoint, including the domain. For example, "myendpoint.mydomain.local" vs. "myendpoint". 2. Please verify that the endpoint hostname you are providing is listed in your DNS server, or alternatively that you correctly configured the DNS server during MazeRunner network configuration (see page 63 for more information). Cymmetria MazeRunner 2018 Community

129 NESTED VIRTUALIZATION SUPPORT Q: Why do I see a "Nested Virtualization not supported" message under "Status" on the Decoys tab of the Campaign screen? A: This message indicates that you did not enable support of virtualization (this support is not always turned on by default in a VMware environment). See environment-specific instructions for enabling nested virtualization on VMware Player (page 33), VMware Workstation (page 33), VMware ESXi (page 15) or KVM (page 33). DEPLOYING BREADCRUMBS AUTOMATICALLY TO LINUX MACHINES Q: How do I deploy breadcrumbs automatically to Linux machines? A: You can use the MazeRunner API. Cymmetria's Python SDK also has a fully functional sample script that deploys remotely to Linux machines, which you can use as is or extend to fit your purposes. Additionally, in various cloud environments, some users prefer to install breadcrumbs on the base image that will be cloned by the load-balancer. ARCSIGHT CEF Q: Do you support ArcSight CEF syslog format? A: Yes, MazeRunner supports the use of Common Event Format (CEF) for syslog. This can be enabled on the Integrations screen. See Syslog on page 100 for more details. SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link. A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then be able to deploy breadcrumbs. See Creating a basic deception campaign manually on page 45 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys. Cymmetria MazeRunner 2018 Community

130 CREATING USERS Q: How do I add a user to a service when creating my campaign? A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need to enter a username and password when creating the corresponding breadcrumb (you can also choose to randomize credentials from Cymmetria's breadcrumb pool): You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy. See Creating a basic deception campaign manually on page 45 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys. USERS AFFECTED DURING BREADCRUMB DEPLOYMENT Q: When deploying breadcrumbs to an endpoint, which users are affected? A: Some breadcrumbs allow you to explicitly control which users are affected; however, most Windows endpoint breadcrumbs will install to the users that are logged in when the breadcrumbs were deployed. A notable exception is the persistent network share breadcrumb, which is installed for all Windows users. CLEARING UP HARD DRIVE SPACE Q: What happens when I delete an event from MazeRunner? A: Deleting an event will remove all of the event's associated data. This is particularly important to consider for events that have large attachments, such as "Code execution" events. Cymmetria MazeRunner 2018 Community

131 RUNNING INTERNET-FACING DECOYS Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys? A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a large amount of alerts (that are generally not high-interest alerts). The best way to use MazeRunner is to run decoys inside of your organizational network. If however, you decide to run Internet-facing decoys, we recommend you change your alerting policy to generate alerts only on critical events (such as code execution), and to "ignore" others. To set your alerting policy to ignore less-critical alerts, navigate to Settings > Alerting Policy and you will see a "System-wide rules" section. In the Action on event column, select "Ignore" from the drop-down options: PROBLEMS DURING OVA IMPORT Q: I received a warning during OVA import saying that the OVA file did not pass OVF specification conformance or virtual hardware compliance checks. A: We are aware of this warning, and it is safe to click "Retry" and import the OVA file as is. MAZERUNNER STORAGE ALLOCATION Q: How much storage space is used for MazeRunner operation? A: Only half of the storage allocated for the MazeRunner VM is made available for MazeRunner operation (the other half is used for updating MazeRunner). Cymmetria MazeRunner 2018 Community

132 CREATING A WEB APPLICATION SERVICE Q: Can I create a service using my own web application? A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpmyadmin. To add a web application, follow these steps: 1. Create a ZIP file of your web application. 2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Create service". 3. Choose "Web application" from the Service type drop-down list. 4. Upload your own ZIP file by clicking "Choose File", then click "Save". You have now created a new service using your own web application. For information on how to connect this service to a decoy, and how to add breadcrumbs, see Creating a basic deception campaign manually on page 45. PROBLEMS DEPLOYING AN OVA DECOY ON ESXI Q: I receive an error message when trying to deploy an OVA decoy on ESXi. A: You may be using an older version of ESXi. MazeRunner OVA decoys are compatible with ESXi version 5.1 and higher, so if you are using an older version, you will need to update your ESXi. CREATING A GIT SERVICE Q: Can I create a Git repository service? A: Yes. You can create a Git source code repository with GitLab web UI. This can be done by adding a Git service to your campaign. To add a Git service, follow these steps: 1. Create a ZIP file to house your repository files. MazeRunner will accept a ZIP file for your Git service in one of two formats: a. ZIP file all the files in the ZIP folder will be committed as an initial commit and load to the remote Git service. b. ZIP file with a Git folder the folder will load as a repository, including commit history, to the Git service. NOTE: The Git folder must be on the root ZIP hierarchy. Cymmetria MazeRunner 2018 Community