CounterCraft Deception Director

Overview


CounterCraft Deception Director detects advanced adversaries by running automated counterintelligence (deception) campaigns that expose targeted attacks and support real-time active response. This integration was developed and tested against CounterCraft Deception Director version 2.5.13.

CounterCraft Deception Director Playbook


Use Cases


  • Query IOCs (objects) in your Deception Director
  • Retrieve events from your deception campaigns
  • Retrieve configuration from your Deception Director
  • Retrieve alerts (notifications) from your Deception Director
  • Create new deception campaigns
  • Create new deception hosts
  • Operate your campaigns, hosts, services and breadcrumbs

Prerequisites


You need the following Deception Director details:

  • Server URL
  • API Key
  • Secret Key

To obtain the API Key and the Secret Key, open the user settings in the Deception Director and copy the existing pair, or generate a new pair if none has been generated yet. The pair carries the permissions of the user that generated it, so keep it in the instance configuration only and regenerate it if it is exposed.

Configure CounterCraft Deception Director on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for CounterCraft Deception Director.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Deception Director Domain or IP Address: the base URL of the Director, for example https://192.168.1.1
    • Fetch incidents: if selected, notifications from the Deception Director are created as Demisto incidents.
    • Incident type
    • API Key for Deception Director connection: paste your API Key.
    • Secret Key for Deception Director connection: paste your Secret Key.
    • Ignore SSL Warnings: disables verification of the Director's TLS certificate. Use it only while the Director runs with a self-signed certificate; certificate verification is what stops a machine in the path from reading the API Key and Secret Key, so prefer installing a certificate the Demisto server trusts.
    • Use system proxy settings: select this if the connection must go through a proxy.
  4. Click Test to validate the URL, keys, and connection.

Fetched Incidents Data


Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. countercraft-list-campaigns
  2. countercraft-list-hosts
  3. countercraft-list-services
  4. countercraft-list-breadcrumbs
  5. countercraft-get-object
  6. countercraft-get-events
  7. countercraft-create-campaign
  8. countercraft-list-dsns
  9. countercraft-list-providers
  10. countercraft-create-host-machine
  11. countercraft-list-incidents
  12. countercraft-manage-campaign
  13. countercraft-manage-host
  14. countercraft-manage-service
  15. countercraft-manage-breadcrumb

1. countercraft-list-campaigns


List all deception campaigns

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the campaigns you have access to.

Base Command

countercraft-list-campaigns

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| name | Campaign Name | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Campaign.ID | number | Campaign ID |
| CounterCraft.Campaign.Name | string | Campaign Name |
| CounterCraft.Campaign.Description | string | Campaign Description |
| CounterCraft.Campaign.StatusCode | string | Campaign Status |
Command Example

!countercraft-list-campaigns

Human Readable Output
| ID | Name | Description | StatusCode |
| --- | --- | --- | --- |
| 1 | AntiPhishing | Gather intelligence from phishers | ACTIVE |
| 2 | External reconnaissance | Collect pre-attack evidence | ACTIVE |
| 3 | Internal lateral movement | Detect lateral movement | ACTIVE |
| 4 | DMZ | DMZ activity | ACTIVE |
| 5 | VIP | VIP mobile protection | ACTIVE |

2. countercraft-list-hosts


Lists all deception hosts

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the hosts you have access to.

Base Command

countercraft-list-hosts

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| campaign_id | Campaign ID | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Host.ID | number | Host ID |
| CounterCraft.Host.Name | string | Host Name |
| CounterCraft.Host.Description | string | Host Description |
| CounterCraft.Host.StatusCode | string | Host Status |
| CounterCraft.Host.TypeCode | string | Host Type |
Command Example

!countercraft-list-hosts campaign_id=2

Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
| --- | --- | --- | --- | --- |
| 1 | Ubuntu Web | Wordpress | ACTIVE | MACHINE |
| 2 | Azure Windows 2019 | RDP with breadcrumbs | ACTIVE | MACHINE |
| 3 | Office365 tenant | Office365 with domain name | ACTIVE | CLOUD_ENTITY |
| 4 | Apache Struts | Vulnerable Apache Struts | ACTIVE | MACHINE |
| 5 | CFO | CFO persona | ACTIVE | IDENTITY |

3. countercraft-list-services


List services currently deployed on deception hosts

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the services you have access to.

Base Command

countercraft-list-services

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | Host ID | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Service.ID | number | Service ID |
| CounterCraft.Service.Name | string | Service Name |
| CounterCraft.Service.Description | string | Service Description |
| CounterCraft.Service.StatusCode | string | Service Status |
| CounterCraft.Service.TypeCode | string | Service Type |
Command Example

!countercraft-list-services host_id=1

Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
| --- | --- | --- | --- | --- |
| 1 | Operating system | User events | ACTIVE | SYSTEM |
| 2 | WebApp | Web application | ACTIVE | WEB_SERVER |
| 8 | Tailored Service | Anonymous FTP | ACTIVE | FTP_SERVER |
| 9 | Phishing Sinkhole | Sinkhole | ACTIVE | SMTP_SERVER |

4. countercraft-list-breadcrumbs


List breadcrumbs in a campaign

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the breadcrumbs you have access to.

Base Command

countercraft-list-breadcrumbs

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| campaign_id | Campaign ID | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Breadcrumb.ID | number | Breadcrumb ID |
| CounterCraft.Breadcrumb.Name | string | Breadcrumb Name |
| CounterCraft.Breadcrumb.Description | string | Breadcrumb Description |
| CounterCraft.Breadcrumb.StatusCode | string | Breadcrumb Status |
| CounterCraft.Breadcrumb.TypeCode | string | Breadcrumb Type |
Command Example

!countercraft-list-breadcrumbs campaign_id=1

Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
| --- | --- | --- | --- | --- |
| 1 | Fake document | | ACTIVE | DOCUMENT |
| 2 | Mobile App | | ACTIVE | MOBILE_APP |
| 3 | SSL Certificate | | ACTIVE | SSL_CERTIFICATE |
| 4 | LinkedIn_persona | | ACTIVE | HONEYTOKEN |

5. countercraft-get-object


Get information about an object (IoC)

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the objects you have access to.

Base Command

countercraft-get-object

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| value | Object value | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Object.ID | number | Object ID |
| CounterCraft.Object.Value | string | Object value |
| CounterCraft.Object.Hits | number | Object hits |
| CounterCraft.Object.Score | number | Object score |
| CounterCraft.Object.TypeCode | string | Object type |
| CounterCraft.Object.FirstSeen | date | Object first seen |
| CounterCraft.Object.LastSeen | date | Object last seen |
| CounterCraft.Object.EventsCount | number | Object events count |
| CounterCraft.Object.Tags | string | Object tags |
Command Example

!countercraft-get-object value=root

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 852 |
| Value | root |
| EventsCount | 7 |
| TypeCode | CC_USERNAME |
| Score | 0 |
| FirstSeen | Wed Jan 29 12:33:34 2020 |
| LastSeen | Wed Jan 29 12:53:19 2020 |
| Tags | |

6. countercraft-get-events


Get full list of Events

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the events you have access to.

Base Command

countercraft-get-events

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| criteria | Search criteria | Required |
| max_results | Maximum number of results | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Event.ID | number | Event ID |
| CounterCraft.Event.CampaignName | string | Campaign name |
| CounterCraft.Event.CategoryCode | string | Category Code |
| CounterCraft.Event.EventDate | date | Event date |
| CounterCraft.Event.HostName | string | Host name |
| CounterCraft.Event.ServiceName | string | Service name |
| CounterCraft.Event.TypeCode | string | Type |
| CounterCraft.Event.Score | number | Score |
| CounterCraft.Event.Tags | string | Tags |
| CounterCraft.Events.Data | unknown | Data |
Command Example

!countercraft-get-events criteria="type_code:ValidAuth" max_results="1"

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 45 |
| Campaignname | External reconnaissance |
| Hostname | Azure |
| Servicename | OS Logs (Azure) |
| Eventdate | Thu Jan 30 08:11:01 2020 |
| Score | 100 |
| Typecode | ValidAuth |
| Data | event: ValidAuth subject: A session was reconnected to a Window Station event_id: 4778 ... |
| Tags | attack.T1078 |
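The following Python automation skeleton is an added example, not code from the CounterCraft integration. It shows how an XSOAR automation could consume the CounterCraft.Event records returned by countercraft-get-events and the CounterCraft.Object record returned by countercraft-get-object: it pulls ATT&CK technique IDs out of the Tags field, summarises events per deception host, selects events to escalate, and maps an object record to a DBotScore-style verdict. The sample records are constructed from the field names documented above; the score thresholds, the verdict values and the commented executeCommand glue are this example's own assumptions.

```python
"""Triage of CounterCraft context data inside an XSOAR automation.

Added example; not code from the CounterCraft integration. Field names follow
the CounterCraft.Event.* and CounterCraft.Object.* context paths documented
above; the records below are constructed samples, and the thresholds, verdict
values and the commented executeCommand glue are this example's assumptions.
"""
import re
from datetime import datetime

# Constructed sample records in the documented CounterCraft.Event shape.
SAMPLE_EVENTS = [
    {"ID": 45, "CampaignName": "External reconnaissance", "HostName": "Azure",
     "ServiceName": "OS Logs (Azure)", "EventDate": "Thu Jan 30 08:11:01 2020",
     "Score": 100, "TypeCode": "ValidAuth", "Tags": "attack.T1078",
     "Data": "event: ValidAuth subject: A session was reconnected to a Window Station event_id: 4778"},
    {"ID": 46, "CampaignName": "External reconnaissance", "HostName": "Azure",
     "ServiceName": "OS Logs (Azure)", "EventDate": "Thu Jan 30 08:12:40 2020",
     "Score": 35, "TypeCode": "ProcessExec", "Tags": "attack.T1059,attack.T1082",
     "Data": "event: ProcessExec command: whoami"},
    {"ID": 47, "CampaignName": "DMZ", "HostName": "Apache Struts",
     "ServiceName": "WebApp", "EventDate": "Thu Jan 30 08:15:02 2020",
     "Score": 0, "TypeCode": "HttpRequest", "Tags": "",
     "Data": "event: HttpRequest path: /robots.txt"},
]

# Constructed sample in the documented CounterCraft.Object shape (cf. value=root above).
SAMPLE_OBJECT = {"ID": 852, "Value": "root", "Hits": 0, "Score": 0, "TypeCode": "CC_USERNAME",
                 "FirstSeen": "Wed Jan 29 12:33:34 2020", "LastSeen": "Wed Jan 29 12:53:19 2020",
                 "EventsCount": 7, "Tags": ""}

ATTACK_TAG = re.compile(r"attack\.(T\d{4}(?:\.\d{3})?)")  # tag form seen above: attack.T1078
DATE_FMT = "%a %b %d %H:%M:%S %Y"                          # date form seen above


def attack_techniques(tags):
    """ATT&CK technique IDs found in a Tags string, e.g. 'attack.T1078' -> ['T1078']."""
    return sorted(set(ATTACK_TAG.findall(tags or "")))


def triage_events(events):
    """Summarise events per deception host: campaign, count, max Score, techniques, first seen."""
    by_host = {}
    for ev in events:
        s = by_host.setdefault(ev["HostName"], {
            "campaign": ev["CampaignName"], "events": 0, "max_score": 0,
            "techniques": set(), "first_seen": None})
        when = datetime.strptime(ev["EventDate"], DATE_FMT)
        s["events"] += 1
        s["max_score"] = max(s["max_score"], int(ev.get("Score") or 0))
        s["techniques"].update(attack_techniques(ev.get("Tags")))
        if s["first_seen"] is None or when < s["first_seen"]:
            s["first_seen"] = when
    for s in by_host.values():  # make the summary JSON-friendly for the incident context
        s["techniques"] = sorted(s["techniques"])
        s["first_seen"] = s["first_seen"].isoformat()
    return by_host


def events_to_escalate(events, high_score=80):
    """IDs of events at or above the escalation threshold (the threshold is an assumption)."""
    return [ev["ID"] for ev in events if int(ev.get("Score") or 0) >= high_score]


def object_verdict(obj, bad_score=70, suspicious_score=30):
    """Map a CounterCraft.Object record to a DBotScore-style verdict: 0 unknown, 2 suspicious, 3 bad.
    A value that has actually been observed on a deception asset is at least suspicious, because
    no legitimate user should touch the asset; the thresholds are this example's assumptions."""
    score = int(obj.get("Score") or 0)
    observed = int(obj.get("EventsCount") or 0) + int(obj.get("Hits") or 0)
    if score >= bad_score:
        return 3
    if score >= suspicious_score or observed > 0:
        return 2
    return 0


# Inside an XSOAR automation the records come from the integration commands, e.g. (assumed glue;
# the entry layout is the usual executeCommand result, verify the context key in your War Room):
#   res = demisto.executeCommand("countercraft-get-events",
#                                {"criteria": "type_code:ValidAuth", "max_results": "50"})
#   events = res[0].get("EntryContext", {})  # documented path: CounterCraft.Event
#   obj = demisto.executeCommand("countercraft-get-object", {"value": "root"})
if __name__ == "__main__":
    for host, summary in triage_events(SAMPLE_EVENTS).items():
        print(host, summary)
    print("escalate:", events_to_escalate(SAMPLE_EVENTS))
    print("verdict for", SAMPLE_OBJECT["Value"], "=", object_verdict(SAMPLE_OBJECT))
```

The per-host summary is what you would write back to the incident context; the escalation list drives a playbook branch, and the verdict feeds a DBotScore entry for the looked-up object.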

7. countercraft-create-campaign


Create a new deception campaign

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You can only create campaigns if you have the role ARCHITECT.

Base Command

countercraft-create-campaign

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| name | Campaign name | Required |
| description | Campaign description | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Campaign.ID | number | Campaign ID |
| CounterCraft.Campaign.Name | string | Name |
| CounterCraft.Campaign.Description | string | Description |
| CounterCraft.Campaign.StatusCode | string | Status Code |
Command Example

!countercraft-create-campaign name="TestCampaign" description="Test Description"

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 5 |
| Name | TestCampaign |
| Description | Test Description |
| StatusCode | DESIGN |

8. countercraft-list-dsns


List Deception Support Nodes (DSNs)

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the DSNs you have access to.

Base Command

countercraft-list-dsns

Input

This command takes no arguments.
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.DSN.ID | number | ID |
| CounterCraft.DSN.Name | string | Name |
| CounterCraft.DSN.Description | string | Description |
| CounterCraft.DSN.Hostname | string | Hostname |
| CounterCraft.DSN.Port | number | Port |
Command Example

!countercraft-list-dsns

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 1 |
| Name | Local DSN |
| Description | Local DSN in the intranet |
| Hostname | 192.168.1.2 |
| Port | 4567 |

9. countercraft-list-providers


List providers (providers for hosts or services i.e. AWS or Office365)

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the providers you have access to.

Base Command

countercraft-list-providers

Input

This command takes no arguments.
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Provider.ID | number | ID |
| CounterCraft.Provider.Name | string | Name |
| CounterCraft.Provider.Description | string | Description |
| CounterCraft.Provider.TypeCode | string | Type |
| CounterCraft.Provider.StatusCode | string | Status |
Command Example

!countercraft-list-providers

Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
| --- | --- | --- | --- | --- |
| 1 | Splunk | Internal Splunk | HEALTHY | SPLUNK_PROVIDER |
| 3 | Signal | Signal notifications | HEALTHY | SIGNAL_PROVIDER |
| 4 | Office365 | Office365 Tenant | HEALTHY | OFFICE365_PROVIDER |
| 5 | AWS | AWS EC2 | HEALTHY | AWS_PROVIDER |

10. countercraft-create-host-machine


Deploy a new deception host

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You can create a host only if you have the MANAGER role in the campaign.

Base Command

countercraft-create-host-machine

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name | Required |
| description | Description | Optional |
| provider_id | Provider | Required |
| deception_support_node_id | Deception Support Node ID | Required |
| campaign_id | Campaign | Required |
| os_family | Operating System | Required |
| ip_address | IP Address | Required |
| port | Port | Required |
| username | Username | Required |
| password | Password | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Host.Id | number | Host ID |
Command Example

!countercraft-create-host-machine campaign_id=2 deception_support_node_id=1 provider_id=1 os_family=linux ip_address=192.168.1.2 port=22 name="Test host" description="Test Description" username="ubuntu" password="ubuntu"

Note that the password is passed as a plain command argument, so it appears in the War Room entry that records the command; use a dedicated deployment account for the deception host.

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 8 |
| Name | Test Host |
| Description | Test Description |
| StatusCode | DESIGN |
| TypeCode | MACHINE |

11. countercraft-list-incidents


List the incidents of a campaign

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to list only the incidents you have access to.

Base Command

countercraft-list-incidents

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| campaign_id | Campaign ID | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Incident.ID | number | Incident ID |
| CounterCraft.Incident.Name | string | Name |
| CounterCraft.Incident.Description | string | Description |
| CounterCraft.Incident.StatusCode | string | Status |
| CounterCraft.Incident.TLPCode | string | TLP code |
Command Example

!countercraft-list-incidents campaign_id=1

Human Readable Output
| ID | Name | Description | StatusCode | TLPCode | Tags |
| --- | --- | --- | --- | --- | --- |
| 1 | APT incident | State-sponsored | OPEN | AMBER | |
| 2 | Internal Fraud | SWIFT apps | CLOSED | AMBER | |

12. countercraft-manage-campaign


Manage Campaign parameters

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to manage only the campaigns you have access to.

Base Command

countercraft-manage-campaign

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| campaign_id | Campaign ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Campaign.Message | string | Result message |
| CounterCraft.Campaign.ID | number | Campaign ID |
Command Example

!countercraft-manage-campaign campaign_id=5 operation=activate

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 5 |
| Message | Campaign is currently in state: PAUSED. Action activate discarded |

13. countercraft-manage-host


Manage a deception host

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to manage only the hosts you have access to.

Base Command

countercraft-manage-host

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | Host ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Host.Message | string | Result message |
| CounterCraft.Host.ID | number | Host ID |
Command Example

!countercraft-manage-host host_id=5 operation=activate

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 5 |
| Message | Host is currently in state: PAUSED. Action activate discarded |

14. countercraft-manage-service


Manage a deception service

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to manage only the services you have access to.

Base Command

countercraft-manage-service

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| service_id | Service ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Service.Message | string | Result message |
| CounterCraft.Service.ID | number | Service ID |
Command Example

!countercraft-manage-service service_id=5 operation=activate

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 5 |
| Message | Service is currently in state: PAUSED. Action activate discarded |

15. countercraft-manage-breadcrumb


Manage breadcrumb

Required Permissions

Any interaction is governed by your permissions on the Deception Director. Consult your Deception Director administrator if you have any questions.

You will be able to manage only the breadcrumbs you have access to.

Base Command

countercraft-manage-breadcrumb

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| breadcrumb_id | Breadcrumb ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| CounterCraft.Breadcrumb.Message | string | Result message |
| CounterCraft.Breadcrumb.ID | number | Breadcrumb ID |
Command Example

!countercraft-manage-breadcrumb breadcrumb_id=5 operation=activate

Human Readable Output
| Field | Value |
| --- | --- |
| Id | 5 |
| Message | Breadcrumb is currently in state: PAUSED. Action activate discarded |
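All four manage commands (countercraft-manage-campaign, countercraft-manage-host, countercraft-manage-service and countercraft-manage-breadcrumb) report a discarded operation through the Message field rather than by failing, as the examples above show. The following Python helper is an added example, not code from the integration: it parses that message so a playbook can distinguish a real state change from a discarded one, and treats a discarded operation whose target state the object is already in as a harmless no-op. The message pattern is taken from the examples above; the operation-to-target-state table and the handling of messages that do not match the pattern are this example's assumptions.

```python
"""Interpreting the Message returned by the countercraft-manage-* commands.

Added example, not code from the CounterCraft integration. The message pattern is the
one shown in the command examples above; the target-state table and the treatment of
unrecognised messages are this example's assumptions.
"""
import re

# "<Kind> is currently in state: <STATE>. Action <operation> discarded", as shown above.
DISCARDED = re.compile(
    r"^(?P<kind>Campaign|Host|Service|Breadcrumb) is currently in state: "
    r"(?P<state>[A-Z_]+)\. Action (?P<operation>\w+) discarded$"
)

# Assumed state each operation is meant to reach; extend from your Director's user manual.
TARGET_STATE = {"activate": "ACTIVE"}


def parse_manage_message(message):
    """Return {'applied': bool, ...}; for a discarded action also kind, state and operation."""
    m = DISCARDED.match((message or "").strip())
    if not m:
        # Assumption: any message that is not the discard pattern means the operation ran.
        return {"applied": True, "message": message}
    return {"applied": False, "kind": m.group("kind"),
            "state": m.group("state"), "operation": m.group("operation")}


def manage_outcome(message):
    """Classify a manage-* result for playbook branching:
    'changed' - the Director applied the operation
    'already' - discarded, but the object is already in the operation's target state (safe no-op)
    'blocked' - discarded from a state the operation cannot act on; needs another step or a human
    """
    r = parse_manage_message(message)
    if r["applied"]:
        return "changed"
    if TARGET_STATE.get(r["operation"]) == r["state"]:
        return "already"
    return "blocked"


if __name__ == "__main__":
    # Constructed messages: the first mirrors the campaign example above, the others are samples.
    for msg in ["Campaign is currently in state: PAUSED. Action activate discarded",
                "Host is currently in state: ACTIVE. Action activate discarded",
                "Service activated"]:
        print(manage_outcome(msg), "<-", msg)
```

In a playbook, branch on the returned label: 'changed' and 'already' both leave the object in the wanted state, while 'blocked' should stop the automation rather than silently continue as if the deception asset were live.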

Additional Information


Please check the Deception Director user manual for more guidance on how to use and deploy campaigns.

Known Limitations


Troubleshooting