Sinon is a modular tool for automatic burn-in of Windows-based deception hosts that aims to reduce the difficulty of orchestrating deception hosts at scale whilst enabling diversity and randomness through generative capabilities. It has been created as a proof-of-concept and is not intended for production deception environments. It would likely be better suited to having content pre-generated and built into a one-time script, as we wouldn't want to be storing secrets like OpenAI API keys on a decoy or deception host.
- As featured on helpnetsecurity.com, itsecuritynews.info
- Generative content including files, emails, and so on using OpenAI API (Configured for GPT-4o)
- Randomness factor - select from list in config, or follow config completely
- Temporal randomness - set delay to execution and delay between events including randomness factor
Sinon performs the following functions, as determined by a config file:
- Install Applications: Automatically install applications from a predefined list using Chocolatey.
- Browse Websites: Automatically open a list of websites to simulate user activity.
- Change Preferences: Modify system preferences such as default browser, background images, screen resolutions, and system languages.
- Add Start Menu Items: Add shortcuts to specified applications in the start menu.
- Create and Modify Files: Generate and modify text files with the option to use OpenAI GPT-4 for content generation.
- Send Emails: Send emails with the option to use OpenAI GPT-4 for content generation.
- Download Decoy Files: Download files from specified URLs to simulate decoy file activity.
- Manage Software: Install or uninstall software applications using predefined commands.
- Perform System Updates: Execute system update commands.
- Manage User Accounts: Create and manage user accounts with specified attributes.
- Manage Network Settings: Configure Wi-Fi network connections using SSID and password.
- Open Media Files: Open media files such as images, videos, and audio files.
- Print Documents: Print specified text documents.
- Create Scheduled Tasks: Schedule tasks to run specified commands at defined times.
- Simulate User Interaction: Control the duration and delay of interactions with randomness.
- Create Lures: Generate various types of lures to deceive intruders.
- Credential pairs
- SSH keys
- Website URLs
- Registry keys
- CSV documents
- API keys
- LNK files (shortcuts)
- Monitor File System: Watch specified paths for file system events such as modifications and log these events.
- Redis Connectivity: Send generated lure data to Redis server for utilisation in additional deception steps and platforms.
-
Clone the repository:
git clone https://github.com/yourusername/sinon.git cd sinon
-
Configure the application:
- Modify the
config.yaml
file to suit your needs. See the Config Items section for details.
- Modify the
-
Build the application:
go build -o sinon # building for windows on linux: GOOS=windows GOARCH=amd64 go build -o sinon.exe
-
Deploy the application to your target machine:
- This could be accomplished many ways, you may want to burn it in to an image, use SCCM/Intune etc.
The config.yaml
file contains all the configuration options for Sinon. Here is an example configuration file with explanations:
applications:
options:
- googlechrome
- firefox
- notepadplusplus
- vlc
selection_method: random
websites:
options:
- https://www.google.com
- https://www.wikipedia.org
- https://www.github.com
selection_method: random
preferences:
default_browser:
options:
- "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
- "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
selection_method: random
background_images:
location: "C:\\Users\\user\\Pictures"
type: http
selection_method: random
options:
- https://example.com/background1.jpg
- https://example.com/background2.jpg
screen_resolutions:
options:
- "1920x1080"
- "1366x768"
selection_method: random
languages:
options:
- en-US
- es-ES
selection_method: random
start_menu_items:
options:
- "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
- "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
selection_method: random
file_operations:
create_modify_files:
- path: "C:\\Users\\user\\Documents\\example.txt"
content: "This is an example text file."
use_gpt: false
gpt_prompt: ""
email_operations:
google_account:
email: "[email protected]"
password: "password"
microsoft_account:
email: "[email protected]"
password: "password"
send_receive:
- send_to: "[email protected]"
subject: "Test Email"
body: "This is a test email."
use_gpt: true
gpt_prompt: "Write a friendly email to a colleague."
software_management:
options:
- upgrade all
- uninstall vlc
selection_method: random
system_updates:
method: install_all
specific_updates:
- KB123456
- KB789012
selection_method: random
hide_updates:
- KB654321
- KB210987
user_accounts:
- name: user1
password: password1
full_name: User One
description: First user account
- name: user2
password: password2
full_name: User Two
description: Second user account
network_settings:
- ssid: ExampleSSID
password: examplepassword
system_logs:
options:
- Application
- System
selection_method: random
media_files:
location: "C:\\Users\\user\\Videos"
type: http
selection_method: random
options:
- https://example.com/video1.mp4
- https://example.com/video2.mp4
printing:
options:
- "C:\\Users\\user\\Documents\\print_me.txt"
selection_method: random
scheduled_tasks:
options:
- name: Task1
path: "C:\\Windows\\System32\\notepad.exe"
schedule: "daily"
start_time: "14:00"
- name: Task2
path: "C:\\Windows\\System32\\calc.exe"
schedule: "weekly"
start_time: "10:00"
selection_method: random
decoy_files:
sets:
- location:
- "https://example.com/decoy1.txt"
- "https://example.com/decoy2.txt"
type: http
target_directory:
- "C:\\Users\\user\\Documents"
selection_method: random
lures:
- name: CredentialLure
type: credential_pair
location: "C:\\Users\\user\\Desktop\\credential.txt"
generation_params:
length: 12
generative_type: golang
openai_prompt: ""
- name: SSLLure
type: ssh_key
location: "C:\\Users\\user\\Desktop\\id_rsa"
generation_params: {}
generative_type: golang
openai_prompt: ""
- name: URLLure
type: website_url
location: "C:\\Users\\user\\Desktop\\phishing_link.url"
generation_params:
base_url: "https://malicious.example.com"
generative_type: golang
openai_prompt: ""
- name: RegistryLure
type: registry_key
location: "HKEY_CURRENT_USER\\Software\\ExampleKey"
generation_params:
registry_key_type: "REG_SZ"
registry_key_value: "ExampleValue"
generative_type: golang
openai_prompt: ""
- name: CSVLure
type: csv
location: "C:\\Users\\user\\Desktop\\financial_records.csv"
generation_params:
document_content: "Date,Amount,Description\n2024-01-01,1000,Salary"
generative_type: golang
openai_prompt: ""
- name: APIKeyLure
type: api_key
location: "C:\\Users\\user\\Desktop\\api_key.txt"
generation_params:
api_key_format: "uuid"
generative_type: golang
openai_prompt: ""
- name: LNKLure
type: lnk
location: "C:\\Users\\user\\Desktop\\shortcut.lnk"
generation_params:
target_path: "C:\\Windows\\System32\\notepad.exe"
generative_type: golang
openai_prompt: ""
general:
redis:
ip: "127.0.0.1"
port: 6379
log_file: "C:\\Users\\user\\sinon.log"
openai_api_key: "your_openai_api_key"
interaction_duration: 60
action_delay: 5
randomness_factor: 2
Sinon is designed to automate the setup of deception hosts by performing a variety of actions that simulate real user activity. The goal is to create a realistic environment that can deceive potential intruders. The modular and configurable nature of Sinon allows for easy adjustments and randomization, making each deployment unique.
- Prepare the Windows environment: Ensure that the target Windows machine is ready and accessible.
- Configure Sinon: Edit the config.yaml file to define the desired behaviors and settings.
- Run Sinon: Execute the compiled Sinon binary to start the automation process.
- Monitor and manage: Keep an eye on the deployed deception host and make necessary adjustments to the configuration as needed.
Note: Since Sinon is a proof-of-concept, it is recommended to use pre-generated content and avoid storing sensitive information like API keys on deception hosts in production environments.