Certiception is a honeypot for Active Directory Certificate Services (ADCS), designed to trap attackers with a realistic and attractive bait that triggers highly relevant alerts.
Developed by the SRLabs Red Team, Certiception creates a vulnerable-looking certificate template in your ADCS environment, sets up restrictions to prevent exploitation, and supports in setting up effective alerting.
Originally released at Troopers24, Certiception comes with a strategic guide to effective deception: The Red Teamers’ guide to deception
In our Red Team and Incident Management engagements we regularly observe that lateral movement and privilege escalation go undetected.
If detections trigger at all, they are not reacted to in a timely manner, because false positives are commonplace.
We believe internal honeypots (aka. canaries, aka. deception tech) are an effective way for defenders to catch threats that make it through initial defenses.
Internal honeypots are intentional traps for attackers placed in your network.
They look vulnerable but trigger an alert on exploitation. Here’s why we think deception has great potential:
Despite their potential, we regularly encounter fundamentally ineffective deception setups. To help defenders create more effective honeypots, Certiception comes with an extensive deception strategy guide.
Active Directory Certificate Services (ADCS) is an ideal location for a honeypot:
This is why we built Certiception.
Certiception sets up a new CA in your environment and configures an ESC1 honeypot.
It is implemented as an Ansible playbook calling multiple roles. Overall, the following steps are executed:
Parameters like the CA or template name can be customized to disguise the honeypot.
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…