CounterCraft Deception Director
This Integration is part of the CounterCraft Deception Director Pack.
Overview
CounterCraft Deception Solution detects advanced adversaries. Automate counterintelligence campaigns to discover targeted attacks with real-time active response. This integration was integrated and tested with version 2.5.13 of CounterCraft Deception Director.
CounterCraft Deception Director Playbook
Use Cases
- Query IOCs (objects) in your Deception Director
- Retrieve events from your deception campaigns
- Retrieve configuration from your Deception Director
- Retrieve alerts (notifications) from your Deception Director
- Create new deception campaigns
- Create new deception hosts
- Operate your campaigns, hosts, services and breadcrumbs
Prerequisites
You need to obtain the following Deception Director information:
- Server URL
- API Key
- Secret Key
To obtain the API Key and the Secret Key, go to the user settings in the Deception Director and copy both, or generate a new pair if they have not already been generated.
Configure CounterCraft Deception Director on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for CounterCraft Deception Director.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Deception Director Domain or IP Address: for example, https://192.168.1.1
- Fetch incidents: if you select this option, your notifications in the Deception Director will be created as Cortex XSOAR incidents.
- Incident type
- API Key for Deception Director connection: paste your API Key.
- Secret Key for Deception Director connection: paste your Secret Key.
- Ignore SSL Warnings: enable this only if the Deception Director uses a self-signed certificate, since it disables certificate validation for the connection.
- Use system proxy settings: in case you need to connect through a proxy.
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- countercraft-list-campaigns
- countercraft-list-hosts
- countercraft-list-services
- countercraft-list-breadcrumbs
- countercraft-get-object
- countercraft-get-events
- countercraft-create-campaign
- countercraft-list-dsns
- countercraft-list-providers
- countercraft-create-host-machine
- countercraft-list-incidents
- countercraft-manage-campaign
- countercraft-manage-host
- countercraft-manage-service
- countercraft-manage-breadcrumb
1. countercraft-list-campaigns
List all deception campaigns
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the campaigns you have access to.
Base Command
countercraft-list-campaigns
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Campaign Name | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Campaign.ID | number | Campaign ID |
| CounterCraft.Campaign.Name | string | Campaign Name |
| CounterCraft.Campaign.Description | string | Campaign Description |
| CounterCraft.Campaign.StatusCode | string | Campaign Status |
Command Example
!countercraft-list-campaigns
Human Readable Output
| ID | Name | Description | StatusCode |
|---|---|---|---|
| 1 | AntiPhishing | Gather intelligence from phishers | ACTIVE |
| 2 | External reconnaissance | Collect pre-attack evidence | ACTIVE |
| 3 | Internal lateral movement | Detect lateral movement | ACTIVE |
| 4 | DMZ | DMZ activity | ACTIVE |
| 5 | VIP | VIP mobile protection | ACTIVE |
2. countercraft-list-hosts
Lists all deception hosts
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the hosts you have access to.
Base Command
countercraft-list-hosts
Input
| Argument Name | Description | Required |
|---|---|---|
| campaign_id | Campaign ID | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Host.ID | number | Host ID |
| CounterCraft.Host.Name | string | Host Name |
| CounterCraft.Host.Description | string | Host Description |
| CounterCraft.Host.StatusCode | string | Host Status |
| CounterCraft.Host.TypeCode | string | Host Type |
Command Example
!countercraft-list-hosts campaign_id=2
Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
|---|---|---|---|---|
| 1 | Ubuntu Web | Wordpress | ACTIVE | MACHINE |
| 2 | Azure Windows 2019 | RDP with breadcrumbs | ACTIVE | MACHINE |
| 3 | Office365 tenant | Office365 with domain name | ACTIVE | CLOUD_ENTITY |
| 4 | Apache Struts | Vulnerable Apache Struts | ACTIVE | MACHINE |
| 5 | CFO | CFO persona | ACTIVE | IDENTITY |
3. countercraft-list-services
List services currently deployed on deception hosts
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the services you have access to.
Base Command
countercraft-list-services
Input
| Argument Name | Description | Required |
|---|---|---|
| host_id | Host ID | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Service.ID | number | Service ID |
| CounterCraft.Service.Name | string | Service Name |
| CounterCraft.Service.Description | string | Service Description |
| CounterCraft.Service.StatusCode | string | Service Status |
| CounterCraft.Service.TypeCode | string | Service Type |
Command Example
!countercraft-list-services host_id=1
Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
|---|---|---|---|---|
| 1 | Operating system | User events | ACTIVE | SYSTEM |
| 2 | WebApp | Web application | ACTIVE | WEB_SERVER |
| 8 | Tailored Service | Anonymous FTP | ACTIVE | FTP_SERVER |
| 9 | Phishing Sinkhole | Sinkhole | ACTIVE | SMTP_SERVER |
4. countercraft-list-breadcrumbs
List breadcrumbs in a campaign
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the breadcrumbs you have access to.
Base Command
countercraft-list-breadcrumbs
Input
| Argument Name | Description | Required |
|---|---|---|
| campaign_id | Campaign ID | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Breadcrumb.ID | number | Breadcrumb ID |
| CounterCraft.Breadcrumb.Name | string | Breadcrumb Name |
| CounterCraft.Breadcrumb.Description | string | Breadcrumb Description |
| CounterCraft.Breadcrumb.StatusCode | string | Breadcrumb Status |
| CounterCraft.Breadcrumb.TypeCode | string | Breadcrumb Type |
Command Example
!countercraft-list-breadcrumbs campaign_id=1
Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
|---|---|---|---|---|
| 1 | Fake document | | ACTIVE | DOCUMENT |
| 2 | Mobile App | | ACTIVE | MOBILE_APP |
| 3 | SSL Certificate | | ACTIVE | SSL_CERTIFICATE |
| 4 | LinkedIn_persona | | ACTIVE | HONEYTOKEN |
5. countercraft-get-object
Get information about an object (IoC)
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the objects you have access to.
Base Command
countercraft-get-object
Input
| Argument Name | Description | Required |
|---|---|---|
| value | Object value | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Object.ID | number | Object ID |
| CounterCraft.Object.Value | string | Object value |
| CounterCraft.Object.Hits | number | Object hits |
| CounterCraft.Object.Score | number | Object score |
| CounterCraft.Object.TypeCode | string | Object type |
| CounterCraft.Object.FirstSeen | date | Object first seen |
| CounterCraft.Object.LastSeen | date | Object last seen |
| CounterCraft.Object.EventsCount | number | Object events count |
| CounterCraft.Object.Tags | string | Object tags |
Command Example
!countercraft-get-object value=root
Human Readable Output
| Id | 852 |
| Value | root |
| EventsCount | 7 |
| TypeCode | CC_USERNAME |
| Score | 0 |
| FirstSeen | Wed Jan 29 12:33:34 2020 |
| LastSeen | Wed Jan 29 12:53:19 2020 |
| Tags | |
6. countercraft-get-events
Get full list of Events
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the events you have access to.
Base Command
countercraft-get-events
Input
| Argument Name | Description | Required |
|---|---|---|
| criteria | Search criteria | Required |
| max_results | Maximum number of results | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Event.ID | number | Event ID |
| CounterCraft.Event.CampaignName | string | Campaign name |
| CounterCraft.Event.CategoryCode | string | Category Code |
| CounterCraft.Event.EventDate | date | Event date |
| CounterCraft.Event.HostName | string | Host name |
| CounterCraft.Event.ServiceName | string | Service name |
| CounterCraft.Event.TypeCode | string | Type |
| CounterCraft.Event.Score | number | Score |
| CounterCraft.Event.Tags | string | Tags |
| CounterCraft.Event.Data | unknown | Data |
Command Example
!countercraft-get-events criteria="type_code:ValidAuth" max_results="1"
Human Readable Output
| Id | 45 |
| Campaignname | External reconnaissance |
| Hostname | Azure |
| Servicename | OS Logs (Azure) |
| Eventdate | Thu Jan 30 08:11:01 2020 |
| Score | 100 |
| Typecode | ValidAuth |
| Data | event: ValidAuth subject: A session was reconnected to a Window Station event_id: 4778 ... |
| Tags | attack.T1078 |
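As an added example (not code from this integration or from CounterCraft), the following Python helper turns CounterCraft.Event context entries like the one above into Cortex XSOAR incident records: the severity is derived from Score (the thresholds are an assumption for this example), the MITRE ATT&CK technique is pulled out of Tags such as attack.T1078, and Event IDs are tracked so a repeated fetch does not create duplicate incidents. The sample events are constructed from the example output above.

```python
import json
import re
from typing import Any, Dict, Iterable, List, Set

# Constructed sample of CounterCraft.Event context entries, modelled on the
# countercraft-get-events output documented above (not real Director data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "ID": 45, "CampaignName": "External reconnaissance", "HostName": "Azure",
        "ServiceName": "OS Logs (Azure)", "EventDate": "Thu Jan 30 08:11:01 2020",
        "Score": 100, "TypeCode": "ValidAuth", "Tags": "attack.T1078",
        "Data": "event: ValidAuth subject: A session was reconnected to a Window Station event_id: 4778",
    },
    {
        "ID": 46, "CampaignName": "DMZ", "HostName": "Ubuntu Web",
        "ServiceName": "WebApp", "EventDate": "Thu Jan 30 08:12:10 2020",
        "Score": 30, "TypeCode": "HttpRequest", "Tags": "", "Data": "event: HttpRequest",
    },
]

# Tags of the form attack.T1078 or attack.T1021.001 carry the ATT&CK technique ID.
TECHNIQUE_RE = re.compile(r"attack\.(T\d{4}(?:\.\d{3})?)")


def severity_from_score(score: int) -> int:
    # XSOAR severities: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
    # The thresholds below are an assumption for this example, not a CounterCraft rule.
    if score >= 80:
        return 4
    if score >= 50:
        return 3
    if score >= 20:
        return 2
    return 1 if score > 0 else 0


def attack_techniques(tags: Any) -> List[str]:
    # Tags may arrive as a comma-separated string or as a list; extract technique IDs.
    if isinstance(tags, str):
        tags = tags.split(",")
    found = []
    for tag in tags or []:
        match = TECHNIQUE_RE.search(str(tag).strip())
        if match:
            found.append(match.group(1))
    return found


def events_to_incidents(events: Iterable[Dict[str, Any]], seen_ids: Set[int]) -> List[Dict[str, Any]]:
    # Build XSOAR-style incident dicts; seen_ids persists across fetch runs so that
    # a repeated query for the same events does not re-create incidents.
    incidents = []
    for ev in events:
        if ev["ID"] in seen_ids:
            continue
        seen_ids.add(ev["ID"])
        incidents.append({
            "name": f"CounterCraft {ev['TypeCode']} on {ev['HostName']} ({ev['CampaignName']})",
            "occurred": ev["EventDate"],
            "severity": severity_from_score(int(ev.get("Score", 0))),
            "techniques": attack_techniques(ev.get("Tags")),
            "rawJSON": json.dumps(ev),
        })
    return incidents
```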
7. countercraft-create-campaign
Create a new deception campaign
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You can only create campaigns if you have the role ARCHITECT.
Base Command
countercraft-create-campaign
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Campaign name | Required |
| description | Campaign description | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Campaign.ID | number | Campaign ID |
| CounterCraft.Campaign.Name | string | Name |
| CounterCraft.Campaign.Description | string | Description |
| CounterCraft.Campaign.StatusCode | string | Status Code |
Command Example
!countercraft-create-campaign name="TestCampaign" description="Test Description"
Human Readable Output
| Id | 5 |
| Name | TestCampaign |
| Description | Test Description |
| StatusCode | DESIGN |
8. countercraft-list-dsns
List Deception Support Nodes (DSNs)
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You can only create campaigns if you have the role ARCHITECT.
Base Command
countercraft-list-dsns
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.DSN.ID | number | ID |
| CounterCraft.DSN.Name | string | Name |
| CounterCraft.DSN.Description | string | Description |
| CounterCraft.DSN.Hostname | string | Hostname |
| CounterCraft.DSN.Port | number | Port |
Command Example
!countercraft-list-dsns
Human Readable Output
| Id | 1 |
| Name | Local DSN |
| Description | Local DSN in the intranet |
| Hostname | 192.168.1.2 |
| Port | 4567 |
9. countercraft-list-providers
List providers (providers for hosts or services, e.g. AWS or Office365)
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the providers you have access to.
Base Command
countercraft-list-providers
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Provider.ID | number | ID |
| CounterCraft.Provider.Name | string | Name |
| CounterCraft.Provider.Description | string | Description |
| CounterCraft.Provider.TypeCode | string | Type |
| CounterCraft.Provider.StatusCode | string | Status |
Command Example
!countercraft-list-providers
Human Readable Output
| ID | Name | Description | StatusCode | TypeCode |
|---|---|---|---|---|
| 1 | Splunk | Internal Splunk | HEALTHY | SPLUNK_PROVIDER |
| 3 | Signal | Signal notifications | HEALTHY | SIGNAL_PROVIDER |
| 4 | Office365 | Office365 Tenant | HEALTHY | OFFICE365_PROVIDER |
| 5 | AWS | AWS EC2 | HEALTHY | AWS_PROVIDER |
10. countercraft-create-host-machine
Deploy a new deception host
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to create a host if you are MANAGER in a campaign.
Base Command
countercraft-create-host-machine
Input
| Argument Name | Description | Required |
|---|---|---|
| name | Name | Required |
| description | Description | Optional |
| provider_id | Provider | Required |
| deception_support_node_id | Deception Support Node ID | Required |
| campaign_id | Campaign | Required |
| os_family | Operating System | Required |
| ip_address | IP Address | Required |
| port | Port | Required |
| username | Username | Required |
| password | Password | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Host.ID | number | Host ID |
Command Example
!countercraft-create-host-machine campaign_id=2 deception_support_node_id=1 os_family=linux ip_address=192.168.1.2 port=22 name="Test host" description="Test Description" username="ubuntu" password="ubuntu" provider_id=1
Human Readable Output
| Id | 8 |
| Name | Test Host |
| Description | Test Description |
| StatusCode | DESIGN |
| TypeCode | MACHINE |
11. countercraft-list-incidents
List all incidents currently active
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to list only the incidents you have access to.
Base Command
countercraft-list-incidents
Input
| Argument Name | Description | Required |
|---|---|---|
| campaign_id | Campaign ID | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Incident.ID | number | Incident ID |
| CounterCraft.Incident.Name | string | Name |
| CounterCraft.Incident.Description | string | Description |
| CounterCraft.Incident.StatusCode | string | Status |
| CounterCraft.Incident.TLPCode | string | TLP code |
Command Example
!countercraft-list-incidents campaign_id=1
Human Readable Output
| ID | Name | Description | StatusCode | TLPCode | Tags |
|---|---|---|---|---|---|
| 1 | APT incident | State-sponsored | OPEN | AMBER | |
| 2 | Internal Fraud | SWIFT apps | CLOSED | AMBER | |
12. countercraft-manage-campaign
Manage Campaign parameters
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to manage only the campaigns you have access to.
Base Command
countercraft-manage-campaign
Input
| Argument Name | Description | Required |
|---|---|---|
| campaign_id | Campaign ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Campaign.Message | string | Result message |
| CounterCraft.Campaign.ID | number | Campaign ID |
Command Example
!countercraft-manage-campaign campaign_id=5 operation=activate
Human Readable Output
| Id | 5 |
| Message | Campaign is currently in state: PAUSED. Action activate discarded |
13. countercraft-manage-host
Manage a deception host
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to manage only the hosts you have access to.
Base Command
countercraft-manage-host
Input
| Argument Name | Description | Required |
|---|---|---|
| host_id | Host ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Host.Message | string | Result message |
| CounterCraft.Host.ID | number | Host ID |
Command Example
!countercraft-manage-host host_id=5 operation=activate
Human Readable Output
| Id | 5 |
| Message | Host is currently in state: PAUSED. Action activate discarded |
14. countercraft-manage-service
Manage a deception service
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to manage only the services you have access to.
Base Command
countercraft-manage-service
Input
| Argument Name | Description | Required |
|---|---|---|
| service_id | Service ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Service.Message | string | Result message |
| CounterCraft.Service.ID | number | Service ID |
Command Example
!countercraft-manage-service service_id=5 operation=activate
Human Readable Output
| Id | 5 |
| Message | Service is currently in state: PAUSED. Action activate discarded |
15. countercraft-manage-breadcrumb
Manage a breadcrumb
Required Permissions
Any interaction will be based on your permissions on the Deception Director. Please consult your Deception Director administrator if you have any questions.
You will be able to manage only the breadcrumbs you have access to.
Base Command
countercraft-manage-breadcrumb
Input
| Argument Name | Description | Required |
|---|---|---|
| breadcrumb_id | Breadcrumb ID | Required |
| operation | Operation | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CounterCraft.Breadcrumb.Message | string | Result message |
| CounterCraft.Breadcrumb.ID | number | Breadcrumb ID |
Command Example
!countercraft-manage-breadcrumb breadcrumb_id=5 operation=activate
Human Readable Output
| Id | 5 |
| Message | Breadcrumb is currently in state: PAUSED. Action activate discarded |
Additional Information
Please check the Deception Director user manual for more guidance on how to use and deploy campaigns.