Upload
dinhanh
View
224
Download
4
Embed Size (px)
Citation preview
January 30, 2018
Cymmetria MazeRunner
COMMUNITY EDITION
USER GUIDE
© Cymmetria MazeRunner 2018 – Community 1.10 2 www.cymmetria.com
Supported environments (all must have nested virtualization enabled – follow the links below to learn more)
VMware Player (7 or higher) – on page 33
VMware Workstation (11 or higher) – on page 33
ESXi server (5.1 or higher) – on page 15
KVM hypervisor – on page 33
OpenStack
Not supported: VirtualBox, Microsoft Hyper-V, Xen
Requirements
Minimum requirements for installation:
500GB minimum storage
4GB of RAM (add 2GB for each additional nested decoy)
2 x CPU @ 2 GHz (add another CPU core for each additional nested decoy)
VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM
hypervisor, with nested virtualization enabled
Additional requirements
Nested virtualization
Promiscuous mode
For deployment automation:
o Read-only domain user for importing endpoints from Active Directory
o Local admin user on endpoints –OR– orchestration tool able to run EXE, MSI or shell scripts
Quick start
1. First choose which hypervisor you will use to run your MazeRunner™ virtual machine. Cymmetria®
suggests using a VMware Player hypervisor, as this is the most straightforward option and involves
the least number of steps (it is also free). Other hypervisors are supported as well.
2. Enable nested virtualization on your hypervisor. Please refer to Installation and setup on page 9 for
more information.
3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to
MazeRunner network configuration on page 63.
4. Use MazeRunner's Deception story wizard to create a deception campaign. Using MazeRunner on
page 36 will walk you through all aspects of product usage.
5. On the Endpoints screen, you can import endpoints to MazeRunner from Active Directory or CIDR
blocks, and then deploy breadcrumbs to them. See Importing endpoints on page 49 and Deploying
breadcrumbs on page 56 for details on how to do this.
6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the
Dashboard and the Investigation screen for alerts on attackers accessing your decoys.
7. If you encounter any difficulties while working through this guide, please refer to
FAQ/Troubleshooting on page 128 for help.
© Cymmetria MazeRunner 2018 – Community 1.10 3 www.cymmetria.com
CONTENTS
Introduction – What is MazeRunner? ................................................................................................................................... 7
Legal notices ..................................................................................................................................................................... 7
How is the Community Edition different from the Enterprise Edition? ............................................................................ 7
Installation and setup ........................................................................................................................................................... 9
BIOS setup ......................................................................................................................................................................... 9
DELL PowerEdge server ................................................................................................................................................ 9
Mac machine................................................................................................................................................................. 9
Lenovo ThinkPad ......................................................................................................................................................... 10
Virtual appliance (VMware Player) ................................................................................................................................. 10
Virtual appliance (VMware Workstation) ....................................................................................................................... 12
Virtual appliance (VMware ESXi) .................................................................................................................................... 15
Enabling nested virtualization using vCenter .............................................................................................................. 24
Enabling nested virtualization using VMware Workstation (version 11 and up)........................................................ 27
Enabling nested virtualization using SSH .................................................................................................................... 28
Powering on your virtual machine .............................................................................................................................. 31
Virtual appliance (KVM) .................................................................................................................................................. 33
Using MazeRunner .............................................................................................................................................................. 36
First use ........................................................................................................................................................................... 36
Creating a deception campaign ...................................................................................................................................... 41
Creating a deception campaign (using the Deception story wizard) .......................................................................... 42
Creating a basic deception campaign manually.......................................................................................................... 45
Importing endpoints ....................................................................................................................................................... 49
Importing endpoints from Active Directory ................................................................................................................ 49
Importing endpoints from CIDR blocks ....................................................................................................................... 53
Importing endpoints from a file .................................................................................................................................. 55
Post-import ................................................................................................................................................................. 55
Deploying breadcrumbs .................................................................................................................................................. 56
Deploying breadcrumbs from the Endpoints screen .................................................................................................. 56
Deploying breadcrumbs from the Campaign screen .................................................................................................. 59
Periodic breadcrumb deployment & campaign refresh ................................................................................................. 60
Integrating with a syslog/SIEM ....................................................................................................................................... 62
Advanced usage .................................................................................................................................................................. 63
MazeRunner network configuration ............................................................................................................................... 63
© Cymmetria MazeRunner 2018 – Community 1.10 4 www.cymmetria.com
Static IP ....................................................................................................................................................................... 63
VLAN support .............................................................................................................................................................. 64
Non-promiscuous mode ............................................................................................................................................. 65
SSL certificate .............................................................................................................................................................. 66
Forensic Puller ................................................................................................................................................................ 67
Relay – Enterprise Edition only ....................................................................................................................................... 68
Dashboard in Relay mode ........................................................................................................................................... 71
Investigation screen in Relay mode ............................................................................................................................ 71
Automatic Hackback – Enterprise Edition only ............................................................................................................... 72
ActiveSOC – Enterprise Edition only ............................................................................................................................... 74
ActiveSOC and Responder Monitor activity feed........................................................................................................ 74
SOC interfaces ............................................................................................................................................................. 75
ActiveSOC .................................................................................................................................................................... 76
Responder Monitor ..................................................................................................................................................... 78
Changing alerting policy .................................................................................................................................................. 83
Product reference ............................................................................................................................................................... 85
Product interface ............................................................................................................................................................ 85
Settings ........................................................................................................................................................................... 85
General ....................................................................................................................................................................... 85
Email and reporting .................................................................................................................................................... 86
Networking ................................................................................................................................................................. 87
Access control ............................................................................................................................................................. 87
Alerting policy ............................................................................................................................................................. 88
Campaign and deployment ......................................................................................................................................... 88
Custom services – Enterprise Edition only .................................................................................................................. 88
Golden images – Enterprise Edition only .................................................................................................................... 89
Active Directory .......................................................................................................................................................... 90
Relay – Enterprise Edition only ................................................................................................................................... 90
SSL certificate .............................................................................................................................................................. 90
API keys ....................................................................................................................................................................... 90
User management ...................................................................................................................................................... 91
Diagnostics .................................................................................................................................................................. 93
Task manager .................................................................................................................................................................. 93
Notification center .......................................................................................................................................................... 94
Stability alert emails ................................................................................................................................................... 94
© Cymmetria MazeRunner 2018 – Community 1.10 5 www.cymmetria.com
Deception story wizard ................................................................................................................................................... 95
User menu....................................................................................................................................................................... 95
Change password ........................................................................................................................................................ 95
System update ............................................................................................................................................................ 95
Send logs to Cymmetria .............................................................................................................................................. 96
Help features .................................................................................................................................................................. 97
Help icon ..................................................................................................................................................................... 97
Deception element descriptions ................................................................................................................................. 97
Tooltips ....................................................................................................................................................................... 98
Integrations ..................................................................................................................................................................... 98
Cuckoo sandbox .......................................................................................................................................................... 98
IBM BigFix ................................................................................................................................................................... 99
SCCM ........................................................................................................................................................................... 99
Tanium ........................................................................................................................................................................ 99
McAfee ePO ................................................................................................................................................................ 99
AWS............................................................................................................................................................................. 99
Syslog ........................................................................................................................................................................ 100
ThreatConnect .......................................................................................................................................................... 100
Phantom ................................................................................................................................................................... 104
Chef ........................................................................................................................................................................... 104
Endpoints screen .......................................................................................................................................................... 105
Filter & sort options .................................................................................................................................................. 106
Bulk actions ............................................................................................................................................................... 107
Dashboard ..................................................................................................................................................................... 109
Campaign screen ........................................................................................................................................................... 111
Investigation screen ...................................................................................................................................................... 112
Attack story section .................................................................................................................................................. 113
Investigation table .................................................................................................................................................... 115
Filter & sort options .................................................................................................................................................. 117
Bulk actions ............................................................................................................................................................... 119
Types of events ............................................................................................................................................................. 119
Supported operating systems ....................................................................................................................................... 122
Types of decoys ............................................................................................................................................................. 123
Types of services ........................................................................................................................................................... 123
Types of breadcrumbs .................................................................................................................................................. 126
© Cymmetria MazeRunner 2018 – Community 1.10 6 www.cymmetria.com
FAQ/Troubleshooting ....................................................................................................................................................... 128
Decoys not working ...................................................................................................................................................... 128
Problem resolving endpoint name ............................................................................................................................... 128
Nested virtualization support ....................................................................................................................................... 129
Deploying breadcrumbs automatically to Linux machines ........................................................................................... 129
ArcSight CEF .................................................................................................................................................................. 129
Service is inactive/unable to deploy breadcrumbs ....................................................................................................... 129
Creating users ............................................................................................................................................................... 130
Users affected during breadcrumb deployment .......................................................................................................... 130
Clearing up hard drive space ........................................................................................................................................ 130
Running Internet-facing decoys .................................................................................................................................... 131
Problems during OVA import ........................................................................................................................................ 131
MazeRunner storage allocation .................................................................................................................................... 131
Creating a web application service ............................................................................................................................... 132
Problems deploying an OVA decoy on ESXi .................................................................................................................. 132
Creating a Git service .................................................................................................................................................... 132
Automatic deployment to endpoints failed .................................................................................................................. 133
Error: Could not resolve hostname ........................................................................................................................... 133
Error: Incorrect credentials ....................................................................................................................................... 133
Error: SMB TCP ports (139, 445) are unreachable .................................................................................................... 133
Error: Deployment timeout ...................................................................................................................................... 133
Error: Invalid configuration for deployment ............................................................................................................. 134
Error: Deployment failed .......................................................................................................................................... 134
Error: No active deployment group found ................................................................................................................ 134
Error: No breadcrumbs supported on the endpoint's operating system were found in the deployment group ..... 134
© Cymmetria MazeRunner 2018 – Community 1.10 7 www.cymmetria.com
INTRODUCTION – WHAT IS MAZERUNNER?
MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will
first collect information on their next targets. At that time, they will find breadcrumbs deployed by
MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that
they have successfully gained access to a target machine. Having gained a false sense of security, attackers
reveal their attack tools and methods, which defenders are then able to document and analyze.
Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat
information that allows for the creation of attack signatures.
For a more detailed overview of MazeRunner, please read our product whitepaper, which can be
downloaded for free from our website.
LEGAL NOTICES
Thank you for your interest in the free MazeRunner Community Edition!
If you are installing MazeRunner Community Edition for your own private use in a non-commercial
and non-production environment, you are not limited in the amount of decoys and endpoints you
may deploy.
If you are installing MazeRunner Community Edition on behalf of an Organization, you may use the
product solely for internal testing and evaluation of the Software and its performance in a non-
production environment. The software is not limited to any number of decoys and endpoints for the
first 30 days, but its use is limited to 1 decoy and 10 endpoints following this 30-day period.
Please consult the full text of the license for additional details, as the full terms of the license govern. For
more information or to provide feedback, please contact [email protected] or visit our website.
HOW IS THE COMMUNITY EDITION DIFFERENT FROM THE ENTERPRISE EDITION?
Cymmetria supports the cybersecurity community it calls home and believes strongly in giving back to that
community. This is why we decided to release a free Community Edition of our enterprise software platform.
The MazeRunner Community Edition is publicly available for private initiatives and research endeavors at no
cost or commitment to purchase. The platform is fully customizable and integrates seamlessly with existing
IT and security tools, allowing users to implement deception elements across the network. It is flexible and
does not burden existing organizational systems.
© Cymmetria MazeRunner 2018 – Community 1.10 8 www.cymmetria.com
Community Enterprise
Linux decoys
Windows decoys ×
User-provided decoy image (golden image) ×
Linux breadcrumbs
Windows breadcrumbs
Mac OS X breadcrumbs
Deception stories using business cases
Commercial use First 30 days only*
Large-scale deployment support ×
API
Remote deployment to endpoints through MazeRunner
Deception campaign auto-regeneration
Alerting through syslog and email
STIX/TAXII integration
Domain integration
Cuckoo sandbox integration
Alerting when attacker steals credentials using Responder.py
Alerting of attempts to use deceptive credentials obtained using Responder.py
×
Forensic Puller ×
Automatic Hackback ×
ActiveSOC™ ×
Remote Desktop session video recording ×
Security visualization
Attack stories for event investigation and reporting
Relay architecture for integrating multiple instances of MazeRunner
×
Custom service support ×
Get MazeRunner Download machine Contact us
*See Legal notices on page 7.
© Cymmetria MazeRunner 2018 – Community 1.10 9 www.cymmetria.com
INSTALLATION AND SETUP
This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It
includes information on MazeRunner's platform and deployment.
The installation and setup process includes two main steps:
1. Enable nested virtualization in the BIOS*
2. Hypervisor installation and setup
*Not all machines are configured to support nested virtualization by default. Even if your hypervisor
supports nested virtualization, your host machine (i.e., laptop or server) may not support it. In that case, you
will need to enable nested virtualization from the BIOS.
BIOS SETUP
To begin, you must enable nested virtualization in the BIOS of your hardware. To do so, follow these steps:
1. Restart your computer. During startup, follow the screen prompt to enter the BIOS (this is typically
achieved by pressing F1, Enter, Delete, etc.).
2. Find the virtualization feature, select it, and make sure it is enabled.
3. Save your changes and exit the BIOS. Your computer will automatically reboot.
Each manufacturer has its own BIOS interface. We have included some examples below.
DELL POWEREDGE SERVER
To enable virtualization, follow these steps:
1. Press F2 to open the boot menu. 2. Use the up and down arrows to select "BIOS", and then press Enter. 3. Use the up and down arrows to select "Processor Settings", and then press Enter. 4. Use the up and down arrows to select "Virtualization Technology", and then use the left and right
arrows to enable the feature. 5. Press Esc three times to exit the submenus, and then press Enter to confirm saving changes.
MAC MACHINE
Generally, Mac machines have virtualization enabled by default. If for some reason MazeRunner notifies you that nested virtualization is not supported, then you will need to install Apple updates.
© Cymmetria MazeRunner 2018 – Community 1.10 10 www.cymmetria.com
LENOVO THINKPAD
To enable virtualization, follow these steps:
1. Click Enter to open the boot menu, and then F1 to open the BIOS.
2. Use the left and right arrows to select the Security tab.
3. Use the up and down arrows to select "Virtualization", and then press Enter.
4. Use the up and down arrows to select "Intel (R) Virtualization Technology", and then the +/- keys to
enable it.
5. Press F10 to save and exit.
VIRTUAL APPLIANCE (VMWARE PLAYER)
To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in
which the MazeRunner OVA file is stored and proceed according to the following instructions:
1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple
hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open
with", and then select "VMware Player"). You will need to provide a name and local storage path for
the new virtual machine, and then click "Import":
2. Before powering on your new virtual machine, you must enable nested virtualization support in
order to run MazeRunner with nested decoys. To do this:
a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":
© Cymmetria MazeRunner 2018 – Community 1.10 11 www.cymmetria.com
b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI"
and "Virtualize CPU performance counters" boxes are checked, then click "OK":
c. Nested virtualization is now enabled.
3. Now you can power on your virtual machine by clicking "Play virtual machine":
© Cymmetria MazeRunner 2018 – Community 1.10 12 www.cymmetria.com
4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the
console:
Save this IP address; you will need to use it in subsequent sections of this guide.
That's it! MazeRunner is now ready for use.
By default, MazeRunner obtains its network configuration through DHCP. If you would like to change
MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page
63 of this guide.
Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this
guide, on page 36.
VIRTUAL APPLIANCE (VMWARE WORKSTATION)
To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the
directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:
1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to
provide a name and local storage path for the new virtual machine, and then click "Import":
© Cymmetria MazeRunner 2018 – Community 1.10 13 www.cymmetria.com
2. Before powering on your new virtual machine, you must enable nested virtualization support in
order to run MazeRunner with nested decoys. To do this:
a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":
b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI"
and "Virtualize CPU performance counters" boxes are checked, then click "OK":
© Cymmetria MazeRunner 2018 – Community 1.10 14 www.cymmetria.com
c. Nested virtualization is now enabled.
3. Now you can power on your virtual machine by clicking "Power on this virtual machine":
4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the
console:
© Cymmetria MazeRunner 2018 – Community 1.10 15 www.cymmetria.com
Save this IP address; you will need to use it in subsequent sections of this guide.
That's it! MazeRunner is now ready for use.
By default, MazeRunner obtains its network configuration through DHCP. If you would like to change
MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page
63 of this guide.
Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this
guide, on page 36.
VIRTUAL APPLIANCE (VMWARE ESXI)
To begin, open your vSphere Client and connect to your ESXi server by entering your username and
password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA
file supplied.
Move through the stages of deploying the OVF Template:
1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner").
2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template.
3. Select a destination for storing the virtual machine files.
4. Use the default values that appear in the Disk Format section.
5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and
finish the virtual machine creation:
© Cymmetria MazeRunner 2018 – Community 1.10 16 www.cymmetria.com
After your virtual machine has finished being deployed (this will take some time), select your virtual machine
from the sidebar on the left-hand side of the screen, then navigate to Home > Inventory > Hosts and
Clusters:
Now you will need to configure the network. Decoys can connect to the MazeRunner network in two ways:
using promiscuous mode or without using promiscuous mode. Cymmetria recommends running
MazeRunner in promiscuous mode, as it greatly simplifies decoy usage and system setup. It is possible to use
MazeRunner in non-promiscuous mode, but it will take more time and effort, and more issues may arise
during campaign creation.
© Cymmetria MazeRunner 2018 – Community 1.10 17 www.cymmetria.com
Using MazeRunner with promiscuous mode
Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to
the left:
To make the nested virtual machines accessible from the network, enable promiscuous mode for the Virtual
Machine Port Group, where your virtual machine is connected (in our example, “Maze”). To do this, go to
“Properties”, select your virtual machine's port group, and then click “Edit”:
Go to the Security tab and make sure both “Promiscuous Mode” and “Forged Transmits” are enabled
("Accept"). Click "OK":
© Cymmetria MazeRunner 2018 – Community 1.10 18 www.cymmetria.com
Why do we need promiscuous mode and forged transmits? In order for the nested virtual machines to
receive data packets, we need to enable these functions. If you do not enable promiscuous mode and forged
transmits, you will need to use MazeRunner in non-promiscuous mode, which requires defining a network
interface for each decoy.
Using MazeRunner without promiscuous mode
Make sure your virtual machine is turned off, then right-click on your virtual machine and select "Edit
Settings…":
© Cymmetria MazeRunner 2018 – Community 1.10 19 www.cymmetria.com
Each decoy needs its own interface. For each decoy you would like to set up on MazeRunner, follow these
steps:
1. On the Hardware tab, click "Add…":
2. Choose "Ethernet Adapter" as the device type you would like to add to your virtual machine, then
click "Next":
© Cymmetria MazeRunner 2018 – Community 1.10 20 www.cymmetria.com
3. Choose your network connection from the drop-down list, then click "Next":
4. Review the options you selected and click "Finish" to add the hardware:
© Cymmetria MazeRunner 2018 – Community 1.10 21 www.cymmetria.com
5. You will now see the hardware you added on the Hardware tab. Click "OK" to finish:
NOTE: You will also need to enable non-promiscuous mode within MazeRunner; see Non-promiscuous mode
on page 65 for more information.
Now you can configure VLAN support, if you wish to do so. Later, you will also need to configure VLAN
support within MazeRunner; see VLAN support on page 64 for more information.
To configure VLAN support, you need to make sure that your port group is configured to accept VLAN
tagging. Follow these steps:
1. In your vSphere control panel, access the Properties menu of the switch to which MazeRunner is
connected by navigating to Configuration > Networking > Properties…:
© Cymmetria MazeRunner 2018 – Community 1.10 22 www.cymmetria.com
2. Under the Ports tab, select the appropriate switch name and click "Edit…":
3. Under the General tab, select "All (4095)" as the VLAN ID:
© Cymmetria MazeRunner 2018 – Community 1.10 23 www.cymmetria.com
4. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under
the Status area in Configuration > Networking > Properties > Network Adapters:
Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There
are three common methods used to enable nested virtualization in ESXi products:
1. using vCenter
2. using VMware Workstation
3. using SSH
To find out which of these three methods you will need to use, you must look at which VMware hypervisor
you are running. To do this, open vSphere Client and go to Help > About VMware vSphere:
© Cymmetria MazeRunner 2018 – Community 1.10 24 www.cymmetria.com
If you see the following pop-up window, it means you are using vCenter:
If you see the following pop-up window, it means you are using ESXi:
If you are using vCenter, see the instructions provided in the section entitled Enabling nested virtualization
using vCenter, below. If you are using ESXi, you have two options for enabling nested virtualization: via
VMware Workstation or SSH (see the relevant sections on page 27 and 28 of this guide).
ENABLING NESTED VIRTUALIZATION USING VCENTER
The following steps will guide you through enabling nested virtualization using vCenter.
1. Open vSphere Web Client in your web browser by navigating to the IP address of your vCenter server
(using HTTPS), and log in with the same credentials you used to log in to your vSphere client:
© Cymmetria MazeRunner 2018 – Community 1.10 25 www.cymmetria.com
2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home
menu:
3. Right-click on your virtual machine and select "Edit Settings…":
© Cymmetria MazeRunner 2018 – Community 1.10 26 www.cymmetria.com
4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters
checkboxes, and click "OK":
Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this
guide, on page 31.
© Cymmetria MazeRunner 2018 – Community 1.10 27 www.cymmetria.com
ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP)
The following steps will guide you through enabling nested virtualization using VMware Workstation (version
11 and up).
1. Open VMware Workstation and navigate to File > Connect to Server…:
2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine.
Make sure the virtual machine is turned off, and then right-click on it and select "Settings…" (you
may have to double-click on your virtual machine name before right-clicking):
3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and
"Virtualize CPU performance counters" boxes are checked, then click "OK":
© Cymmetria MazeRunner 2018 – Community 1.10 28 www.cymmetria.com
Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this
guide, on page 31.
ENABLING NESTED VIRTUALIZATION USING SSH
The following steps will guide you through enabling nested virtualization using SSH.
1. In your vSphere client, under the Configuration tab, choose "Security Profile" from the Software box
on the bottom left of the screen, and then click "Properties":
2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options → Start →
OK:
© Cymmetria MazeRunner 2018 – Community 1.10 29 www.cymmetria.com
3. Follow the same steps to enable the SSH service:
4. Once finished, click "OK".
© Cymmetria MazeRunner 2018 – Community 1.10 30 www.cymmetria.com
5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials.
To do this:
a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console:
b. In the SSH console, enter your username and password. Your shell should look like this:
6. Navigate to the MazeRunner virtual machine directory, located in
/vmfs/volumes/<datastore_name>/<virtual_machine_name>/. For example:
© Cymmetria MazeRunner 2018 – Community 1.10 31 www.cymmetria.com
7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit
the .vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags
to the end of the file:
vhv.enable = "TRUE"
vpmc.enable = "TRUE”
Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this
guide, below.
POWERING ON YOUR VIRTUAL MACHINE
Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open
vSphere Client and navigate to Home > Inventory > VMs and Templates:
Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine":
© Cymmetria MazeRunner 2018 – Community 1.10 32 www.cymmetria.com
Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its
assigned IP address displayed on the console:
Save this IP address; you will need to use it in subsequent sections of this guide.
That's it! MazeRunner is now ready for use.
By default, MazeRunner obtains its network configuration through DHCP. If you would like to change
MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page
63 of this guide.
Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this
guide, on page 36.
© Cymmetria MazeRunner 2018 – Community 1.10 33 www.cymmetria.com
VIRTUAL APPLIANCE (KVM)
To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2
format), and proceed according to the following instructions:
1. Enable promiscuous mode – Check if promiscuous mode is enabled on the network interface to
which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled,
you can skip to step 3 of this section now):
a. Run the command 'netstat -i'.
b. If the network interface to which you are going to connect the virtual machine bridge has 'P'
in its flag (as shown in Figure A), promiscuous mode is already enabled and you can skip to
step 3 of this section now:
Figure A. netstat -i command output with promiscuous mode off/on.
2. If promiscuous mode is off, you will need to enable it according to the following instructions
(depending on which OS you are using). To enable promiscuous mode:
a. On Red Hat/CentOs:
i. Open /etc/sysconfig/network-scripts/ifcfg-X (replace X with the name of the network
interface to which MazeRunner's virtual machine bridge will be connected).
ii. Add the line 'PROMISC=yes' to the end of the file.
b. On Ubuntu/Debian:
i. Open the "interfaces" file located in /etc/network.
ii. Add the following lines under the configuration for the network interface to which
MazeRunner's virtual machine bridge will be connected:
up ifconfig $IFACE up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
© Cymmetria MazeRunner 2018 – Community 1.10 34 www.cymmetria.com
3. Import the MazeRunner image (DSK file) using the following command (run as root):
virt-install -n <name> -r <amount_of_RAM> --os-type=linux --os-variant= ubuntu14.04 --disk
MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc --
noautoconsole --import --cpu=host
For example:
virt-install -n MazeRunner -r 16384 --os-type=linux --os-variant=ubuntu14.04 --disk
MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import --
cpu=host
*NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was
"ubuntutrusty". You can check the available variants on your system using the command 'osinfo-
query os'.
Parameters Detailed:
-n [an internal name for your virtual machine]
-r [the amount of RAM, in MB, for your virtual machine]
--os-type [the type of OS – Linux or Windows]
--os-variant [the distribution or version – for a full list, run command 'man virt-
install']
--disk [specifies media to use as storage for the guest, with various options]
-w [the network configuration]
--vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or
virt-manager to see the desktop]
--noautoconsole [configures the installer to NOT automatically try to open virt-
viewer to view the console in order to complete the installation – this is helpful
if you are working on a remote system through SSH]
4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do
this in our example):
a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual
machine in step 3:
© Cymmetria MazeRunner 2018 – Community 1.10 35 www.cymmetria.com
b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it
finishes booting, you will see its assigned IP address displayed on the console:
c. Save this IP address; you will need to use it in subsequent sections of this guide.
That's it! MazeRunner is now ready for use.
By default, MazeRunner obtains its network configuration through DHCP. If you would like to change
MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page
63 of this guide.
Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this
guide, on page 36.
© Cymmetria MazeRunner 2018 – Community 1.10 36 www.cymmetria.com
USING MAZERUNNER
Congratulations! You have completed the installation and setup of your MazeRunner appliance. You are now
ready to start using the MazeRunner platform. Use the information in the following sections to get
acquainted with, and start using, MazeRunner.
FIRST USE
Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your
MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use
this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for
example, https://<IP_address>). You will be taken to MazeRunner's signup screen:
Proceed according to the following instructions in order to complete initial signup:
1. Enter your email address and the activation key you received from Cymmetria (if you have not
received an activation key, contact [email protected]):
© Cymmetria MazeRunner 2018 – Community 1.10 37 www.cymmetria.com
2. Choose an admin password, and a password for usern (usern is a network configuration user that is
used for accessing the Cymmetria management server; please assign usern a password that is
different from your admin password):
3. System time zone is automatically set to UTC; you may change this by selecting a different time zone
from the drop-down list. You can also set the HTTP proxy server (and set the credentials you would
like to use for proxy authentication, if you wish to authenticate using credentials) and NTP server:
4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will
need to agree to the terms of both in order to continue (optional – Choose to share intelligence from
your MazeRunner instance back with the community; this will help us fix issues and generally
improve the product. If you have any questions about this, please contact Cymmetria at
5. Click "Continue" to proceed to the second screen. Here, choose from one of the three configuration
options available, then click "Continue":
© Cymmetria MazeRunner 2018 – Community 1.10 38 www.cymmetria.com
NOTE: If you choose "Enable decoy VLAN support", you will need to select a VLAN trunk interface
and then click "Add VLAN". A pop-up window will appear and you will need to create a VLAN entry.
See step 4 of VLAN Support in the MazeRunner Network Configuration section of this guide (page 64)
for further instructions on how to do this:
6. On the next screen you will see MazeRunner diagnostics running. If the diagnostic tests finish
successfully, you will see a green check mark next to each test. You can then click the "Launch
MazeRunner" button to finish setup and launch MazeRunner:
© Cymmetria MazeRunner 2018 – Community 1.10 39 www.cymmetria.com
a. If a test was unsuccessful, you will see a red X and an error message with further
instructions on how to proceed. After resolving the issue (if you choose to do so), click
the "Run MazeRunner diagnostics" button to re-run the tests:
NOTE: You can choose to ignore failed tests and launch MazeRunner by clicking the
"Skip and launch MazeRunner" button.
b. If at any time you would like to go back to the previous screen to change your
configuration choice, simply click the "Review configuration" button at the bottom right
of the screen (you will then need to run diagnostics again in order to complete the
setup).
Once finished, you will be redirected to MazeRunner's Configuration wizard. Please read the notice that
appears on your screen, and consult the full terms of the license. You will need to click "Agree" to continue:
After clicking “Agree” you will find yourself in the MazeRunner Configuration Wizard:
© Cymmetria MazeRunner 2018 – Community 1.10 40 www.cymmetria.com
Here you can configure key features of MazeRunner (available for admin users only— see Role-based access
control on page 92 for more information about user roles). You can choose to configure these features now
(recommended), or return to configure them at any time by navigating to Settings from the main
MazeRunner UI and clicking the Configuration wizard button. If you would like to skip this initial
configuration, simply click the gray X located in the top right-hand corner of the screen, and you will be
redirected to the Deception story wizard.
Some notes about the Configuration wizard:
Settings you define and changes you make while using the Configuration wizard are only saved when
you click “Finish” in the final stage of the wizard (even if individual forms are validated, the data is
not saved and the settings do not actually change until this is done)
Note that if you do not complete the Local admin credentials stage, the wizard will skip over the
Endpoint Forensic Puller stage and the Periodic deployment stage (since these configurations require
that local admin credentials already be configured)
You will find details and instructions for each stage of the wizard along the way. For more detailed
information about the key features included in MazeRunner’s Configuration wizard, see the individual
sections of this user guide:
1. Email and reporting (page 86)
2. Active Directory source (page 90)
3. Local admin credentials (page 88)
4. Endpoint Forensic Puller (page 67)
5. Periodic deployment (page 60)
6. Syslog (page 100)
Once you have finished with the Configuration wizard, click “Finish” on the Syslog stage and you will be
redirected to the Deception campaign wizard:
© Cymmetria MazeRunner 2018 – Community 1.10 41 www.cymmetria.com
You are now ready to start creating deception campaigns. NOTE: For all future uses of MazeRunner, you will
simply need to log in to your account using your username and password:
CREATING A DECEPTION CAMPAIGN
A deception campaign consists of three elements:
1. Decoys – Decoys are virtual machines (servers or other devices) running Windows1 or Linux systems.
They look and act like production machines. When a decoy is accessed, there is no doubt that this is
the work of an attacker. Decoys are most easily reached by following a breadcrumb found on an
endpoint.
2. Services – Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each
breadcrumb leads to a specific service on a decoy machine.
3. Breadcrumbs – These are passive elements of data (e.g., browser cookies, SSH credentials, network
shares, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers
during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible
with a user’s habits, so they blend into the environment and do not raise suspicion. Breadcrumbs
and decoys can be used separately or as part of an end-to-end deception story.
1 Windows decoys are only available in MazeRunner Enterprise Edition.
© Cymmetria MazeRunner 2018 – Community 1.10 42 www.cymmetria.com
By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a
more elaborate deception network.
MazeRunner allows you to create a deception campaign manually or use Cymmetria's Deception story
wizard to help create your campaign. See Creating a deception campaign (using the Deception story wizard)
below and Creating a deception campaign manually on page 45 for detailed instructions on both of these
options.
For detailed product information regarding deception campaigns, see Supported operating systems (page
122), Types of decoys (page 123), Types of services (page 123), and Types of breadcrumbs (page 126) in the
Product reference section.
CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD)
Using MazeRunner's Deception story wizard, you can build a deception campaign with the help of templates
that have been prepared by Cymmetria's security team. Alternatively, you also have the choice to build your
own customized deception stories without the help of the wizard. See Creating a deception campaign
manually on page 45 for more information.
On first use of MazeRunner, the wizard will open automatically as your home screen. During all subsequent
uses of MazeRunner, you can navigate to the wizard by clicking the New story button located on the top
right of the Campaign screen:
In the wizard, you will see a variety of prepared deception stories (for example, "Linux backup server",
"Internal website", and "VPN server"). Each story includes a short description to help you decide which one
you would like to use.
Enterprise Edition note: Only Linux-based stories are available in the Community Edition. Notice that there
are two Windows-based stories that are grayed out; these are available in MazeRunner's Enterprise Edition.
Each template already has default values defined for you (you may change some of these values if you wish,
but do not have to). NOTE: If you do not wish to change any of the default values provided, you can simply
click the "Next" button through all of the below story creation stages until the story is created (except where
otherwise noted).
Use the Back button at the bottom right of the screen within each stage of the wizard to go back and make
changes to previous selections. You can also click the X icon on the top right-hand side of the screen at any
time; this will delete any deception elements defined in previous stages and take you to the Campaign
screen.
© Cymmetria MazeRunner 2018 – Community 1.10 43 www.cymmetria.com
To use the wizard, follow these steps:
1. Choose a deception story, then click "Next":
2. Customize the details of your decoy, such as name, hostname, DNS address2, and VM type. NOTE:
You cannot change the OS type. You can also choose to manually configure network settings,
including static IP, gateway, DNS server, and subnet mask. When you are ready, click "Next":
3. Now you can customize your story's services and breadcrumbs. A set of services will appear by
default, as defined by the template, on the left side of the screen. Each service, when selected, will
show its details, including the breadcrumbs attached to it. You cannot add or remove services from
the template; however, you can edit some service fields. You can also edit breadcrumb fields if you
wish (you must edit the breadcrumb fields if you are using a "Responder Monitor" or "VPN server"
story). Note that for Windows network share breadcrumbs, you will need to choose whether you
would like them to be non-persistent or persistent after endpoint restart. When you are ready, click
"Next":
2 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If
you choose to fill out this field, be sure to create a matching DNS entry in your name server.
© Cymmetria MazeRunner 2018 – Community 1.10 44 www.cymmetria.com
4. Now it is time to deploy your deception story. First, you can assign breadcrumbs to one or more
deployment groups3 (this can also be done later, from the Deployment Groups sub screen of the
Campaign screen). NOTE: Later on, we will use these same deployment groups when importing
endpoints and deploying breadcrumbs to them. When you are ready, click "Finish":
5. Here's an example of what your screen will look like once your campaign has been created
successfully:
6. You will need to activate each of your servers by using the On/Off toggle button on the Decoys sub
screen (in the Power column).
7. You can now view the details of your campaign by using the Decoys, Services, Breadcrumbs, and
Deployment Groups tabs (sub screens). If you did not assign your breadcrumbs to a deployment
group during story creation in the wizard, you can do so now. See Create a new deployment group
on page 48 for detailed instructions on how to do so.
That’s it! Your deception campaign is up and running. Jump to Importing endpoints on page 49 or Deploying
breadcrumbs on page 56 to continue learning about the MazeRunner platform.
3 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For
example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific
department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's
endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page
56 for more information). Cymmetria recommends the use of deployment groups in all of your deployments.
© Cymmetria MazeRunner 2018 – Community 1.10 45 www.cymmetria.com
CREATING A BASIC DECEPTION CAMPAIGN MANUALLY
The following is a step-by-step guide for manually creating the basic elements of a deception campaign.
Alternatively, you can use MazeRunner's Deception story wizard to build a deception campaign with the help
of templates that have been prepared by Cymmetria's security team. See Creating a deception campaign
(using the Deception story wizard) on page 42 for more information.
CREATE A NEW DECOY
In this stage, you will create a decoy server.
1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top
right-hand side of the screen; this will take you to the Campaign screen). On the Decoys sub screen,
click the Create decoy button.
2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name
such as "HR_Server", a hostname such as "hrsrvr01", and choose Nested as the VM type. If you
would like to configure a static IP, click the toggle button next to "Manually configure network
settings" and fill out the Static IP field. Notice that you have the option to add a DNS address.4
3. Click "Save" in order to create the decoy.
4. Power on the server using the On/Off toggle button, which is located in the Power column.
5. That's it! Here is an example of what your screen will look like once the server has finished booting:
Enterprise Edition note: Notice that Windows decoys are grayed out in the Operating system drop-down list.
Windows decoys are only available in MazeRunner Enterprise Edition.
4 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If
you choose to fill out this field, be sure to create a matching DNS entry in your name server.
© Cymmetria MazeRunner 2018 – Community 1.10 46 www.cymmetria.com
CREATE A NEW SERVICE
In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this
example, let's assume that you want to create a deception story for your HR department.
1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top
right-hand side of the screen; this will take you to the Campaign screen). On the Services sub screen,
click the Create service button.
2. Select the desired service type (e.g., SMB service) and enter an appropriate name (e.g.,
"Personnel_Files").
3. Add necessary data (for example, if you chose an SMB service, you will need a name for its shared
folder and a ZIP file for the content). Click "Save".
4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that
we created in the previous section). Do this by selecting the decoy name from the drop-down box in
the Decoy column:
5. That's it! Here is an example of what your screen will look like once the connection has finished
configuring (you can monitor its status on the Decoys sub screen):
CREATE A NEW BREADCRUMB
In this stage you will create a breadcrumb and connect it to the previously created decoy and service.
1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top
right-hand side of the screen; this will take you to the Campaign screen). On the Breadcrumbs sub
screen, click "Create breadcrumb".
© Cymmetria MazeRunner 2018 – Community 1.10 47 www.cymmetria.com
2. Select the breadcrumb type5 (make sure it matches the service you have defined), and then select an
appropriate name. For example, you could select a network share breadcrumb and name it
"Personnel_Files_BC". You can also assign the breadcrumb to a deployment group here, but for now
we will leave this blank; we will talk about deployment groups in the next section.
3. After filling in all of the fields (according to the breadcrumb type you chose), click "Save". NOTE:
Some types of breadcrumbs will require you to create a user (you will need to enter a username and
password). The Username field will provide a drop-down list of suggestions that you may want to
use (all of the unique username/password pairs that currently exist in your MazeRunner instance).
Alternatively, you can choose "Randomize credentials from a predefined pool"; MazeRunner has a
list of common usernames and passwords that it uses to supply these. Note also that, for Windows
breadcrumbs, you will need to choose whether you would like them to be non-persistent or
persistent after endpoint restart.
4. Connect this breadcrumb to a service by selecting a service from the drop-down list in the Services
column:
5. Once the connection has finished configuring (you can monitor its status on the Decoys sub screen),
the breadcrumb will show as "Active":
6. Notice the Deployment groups column. Here you can assign your breadcrumb to a deployment
group you have already created. See Create a new deployment group on page 48 for information on
how to create groups.
5 Note that the Responder Monitor breadcrumb relates to the Responder Monitor feature (a feature used with your
SOC interface). For more information on this type of breadcrumb and this feature, see the section entitled ActiveSOC on
page 74.
© Cymmetria MazeRunner 2018 – Community 1.10 48 www.cymmetria.com
CREATE A NEW DEPLOYMENT GROUP
Deployment groups are used to group several breadcrumbs together for ease of management and
deployment. For example, you can decide to group together a few breadcrumbs that will be deployed to all
endpoints used by a specific department in your organization. This will allow you to easily deploy these
grouped breadcrumbs to this department's endpoints using one of MazeRunner's manual or automatic
deployment methods (see Deploying breadcrumbs on page 56 for more information). Cymmetria
recommends the use of deployment groups in all of your deployments.
NOTE: Deployment groups will be used later when importing endpoints and deploying breadcrumbs to them;
see Importing endpoints on page 49 and Deploying breadcrumbs on page 56 for more information.
To create a new deployment group:
1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top
right-hand side of the screen; this will take you to the Campaign screen). On the Deployment Groups
sub screen, click "Create group".
2. Enter a name for your deployment group (e.g., "IT" or "all users"), and click "Save":
3. Now you can add breadcrumbs to this group. To do so, return to the Breadcrumbs sub screen of the
Campaign screen and use the drop-down list in the Deployment groups column to add specific
breadcrumbs to deployment groups:
You can see that your breadcrumb now belongs to the IT deployment group:
NOTE: You can assign a single breadcrumb to multiple deployment groups.
© Cymmetria MazeRunner 2018 – Community 1.10 49 www.cymmetria.com
4. Now you are ready to deploy your deployment group. To save time and resources, you can automate
breadcrumb deployment (Cymmetria recommends this option). If you prefer to deploy manually,
you can do so from the Deployment Groups sub screen or from the Endpoints screen. See Deploying
breadcrumbs on page 56 for detailed information on breadcrumb deployment options.
That’s it! Your deception campaign is up and running. Jump to Importing endpoints below to continue
learning about the MazeRunner platform.
IMPORTING ENDPOINTS
To enable automatic breadcrumb deployment (discussed in the next section), which will simplify campaign
deployment, MazeRunner allows you to import endpoints from Active Directory, from CIDR blocks, or from a
file (.CSV). Note that these methods are not mutually exclusive: for example, if you import from Active
Directory and then import from a CIDR block, MazeRunner will check to see if each endpoint already exists in
the system; if so, the endpoint will not be imported a second time.
IMPORTING ENDPOINTS FROM ACTIVE DIRECTORY
In order to import endpoints from Active Directory, you will need to add an Active Directory source. Navigate
to the Endpoints screen from the top navigation bar and click "Import endpoints":
This will take you to the Active Directory sub screen of Import endpoints. NOTE: This screen can also be
reached by navigating to Settings > Active Directory > View Active Directory.
From the Active Directory sub screen of Import endpoints, click the link provided and you will be redirected
to the Active Directory sub screen in Settings.
To specify the Active Directory server from which you would like to import endpoints, follow these steps:
1. Click the Create source button and enter the source details (name, domain controller address, port,
username, password, and base DN).
2. Test your connection by clicking "Test connection". If the test connection is successful, click "Save"
to continue:
© Cymmetria MazeRunner 2018 – Community 1.10 50 www.cymmetria.com
NOTE: Some Active Directories do not allow connection without SSL. If you receive an error when trying to
connect, use the toggle button next to "Use SSL" to use secure LDAP on port 636:
Now you need to import the Active Directory. To do this, follow these steps from the Active Directory sub
screen:
1. Click the View Active Directory button. Select the domain you would like to import and click "Import
from Active Directory":
© Cymmetria MazeRunner 2018 – Community 1.10 51 www.cymmetria.com
While your AD groups are importing, you can exit the Import endpoints screen. You can see the
import's progress in the task manager's Running tab. Once the process is complete, you will see an
orange dot on the task manager icon, and the import details on the Complete tab:
2. Once your groups have finished importing, return to the Import endpoints screen by clicking "Import
endpoints" from the Endpoints screen. Select the Active Directory source you just imported (from
the drop-down list) and notice that the source's details appear on the screen. To the right of each
organizational unit (OU), notice that there are two numbers: one labeled "Self" and one labeled
"Total". The number next to "Self" indicates the number of endpoints in that particular OU; the
number next to "Total" indicates the total number of endpoints under that OU, including those of
other OUs:
3. Now you need to import endpoints from your Active Directory organizational units. You can choose
specific endpoints to import by selecting the checkbox next to an OU's name (which selects only the
endpoints in that particular OU), or select "Select all":
Before importing, you must assign the endpoints you would like to import to specific deployment
groups. Notice that two new functions appear on the right side of your screen when you select any
OU: "Assign to group" and "Clear assignment". After you have clicked the checkbox next to an OU's
name, click "Assign to group" and select the desired deployment group from the drop-down list. You
can choose from an existing deployment group that you previously created, import your endpoints
without assigning them to a deployment group (you will need to assign them later) or create a new
deployment group to assign the endpoints to:
© Cymmetria MazeRunner 2018 – Community 1.10 52 www.cymmetria.com
This will assign all endpoints on that particular OU to the selected deployment group. You will see
the name of the deployment group to which an OU's endpoints have been assigned, to the right of
the OU name and endpoint count. You can assign all endpoints to one deployment group, or to
different deployment groups:
If you would like to change to which deployment group your endpoints have been assigned, mark
the checkbox next to an OU's name and re-assign to another deployment group by using the "Assign
to group" function. You can use the "Clear assignment" function to clear the assignment for selected
endpoints.
NOTE: Only endpoints that have been assigned to a deployment group will be imported. Remember
that, if you would like to import endpoints and assign them to a deployment group later, simply
chose "Import without assigning" from the Assign to group drop-down options:
4. If for some reason you would like to remove the data from an Active Directory source that you have
previously imported to MazeRunner, simply click "Delete retrieved data".
5. Once you are ready, click "Start importing assigned endpoints daily". NOTE: Once you click this
button, your selected endpoints will continue to import (i.e., refresh) daily, at the time you originally
clicked the button. For example, if you click "Start importing assigned endpoints daily" at 2:00pm,
© Cymmetria MazeRunner 2018 – Community 1.10 53 www.cymmetria.com
the selected endpoints will import daily at 2:00pm6. If you would like to stop this daily import, simply
click "Stop importing assigned endpoints daily".
After exiting the Import endpoints screen, you can check the status of your import in the task manager's
Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at
which time you can view import details on the task manager's Complete tab:
IMPORTING ENDPOINTS FROM CIDR BLOCKS
As an alternative to importing endpoints from Active Directory, MazeRunner allows you to import endpoints
from CIDR blocks.
To import endpoints from CIDR blocks, complete the following steps:
1. Navigate to MazeRunner’s Endpoints screen and click "Import endpoints", and then click on the CIDR
blocks tab:
2. Click on the Add button to add CIDR blocks and assign them to deployment groups. NOTE: You
cannot enter overlapping CIDR blocks.
3. Enter the CIDR block from which you would like to import, then use the Deployment group drop-
down to assign the endpoints in this CIDR block to a deployment group. You can import your block
without assigning it to a deployment group (you will need to assign it later) or choose from an
existing deployment group that you previously created:
6 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will
be refreshed/updated, but its deployment group will not be changed.
© Cymmetria MazeRunner 2018 – Community 1.10 54 www.cymmetria.com
4. Click "Save" to finish.
If you would like to make changes to the information you entered, you can do so using the "Edit" and
"Delete" functions, located in the Actions column. After importing multiple CIDR blocks, you can use the
"On/Off" button in the Status column of each block to skip certain CIDR blocks, but import others, during
your daily import.
When you are ready, click "Start importing endpoints from CIDR blocks daily":
NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the
time you originally clicked the button. For example, if you click "Start importing endpoints from CIDR blocks
daily" at 2:00pm, the selected endpoints will import daily at 2:00pm7. If you would like to stop this daily
import, simply click "Stop importing endpoints from CIDR blocks daily".
After exiting the Import endpoints screen, you can check the status of your import in the task manager's
Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at
which time you can view import details on the task manager's Complete tab:
7 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will
be refreshed/updated, but its deployment group will not be changed.
© Cymmetria MazeRunner 2018 – Community 1.10 55 www.cymmetria.com
IMPORTING ENDPOINTS FROM A FILE
MazeRunner allows you to import endpoints from a CSV file. To import endpoints from a file, follow these
steps:
1. Navigate to MazeRunner’s Endpoints screen and click "Import endpoints", and then click on the
Import from file tab:
2. Click the Choose file button and select the CSV file of endpoints you wish to upload. The file can
contain the following columns (must be declared in the first row of the file): ip_address, hostname,
dns, and deployment_group_name. At least one of IP address, DNS, or hostname fields must exist
and be filled out for each endpoint; the Deployment group name column is only required if you
choose to assign according to the uploaded file (see Step 3), otherwise it will be ignored. NOTE: The
columns can appear in any order.
3. Using the drop-down list provided, choose which deployment group you would like to assign the
new endpoints to (you can also import without assigning), or choose to assign the endpoints
according to the uploaded file. NOTE: If you choose to assign to deployment groups according to
the uploaded file and you leave a deployment group name field blank, that endpoint will be
imported as "Unassigned". Furthermore, if you enter a name of a group that does not exist in
MazeRunner, that endpoint will not be imported.
4. When you are ready, click “Import endpoints” to start your import.
POST-IMPORT
Navigate back to MazeRunner's Endpoints screen; all of the endpoints you imported are now shown here
(you might need to click the Refresh button).
Notice the endpoint status chart at the top of the screen. Right after importing endpoints for the first time,
100% of your endpoints will be "clean", since you have not yet deployed any breadcrumbs to them:
© Cymmetria MazeRunner 2018 – Community 1.10 56 www.cymmetria.com
For a full explanation of the different endpoints statuses, as well as information on the various actions that
can be taken on your endpoints, see the section entitled Endpoints screen on page 105.
For now, let's look at how to deploy breadcrumbs to your endpoints (next section).
DEPLOYING BREADCRUMBS
To save time and resources, you can automate breadcrumb (deployment group) deployment using the
Endpoints screen (Cymmetria recommends this option). You can also deploy deployment groups manually
from the Deployment Groups sub screen of the Campaign screen.
DEPLOYING BREADCRUMBS FROM THE ENDPOINTS SCREEN
From the Endpoints screen, you can deploy breadcrumbs to your endpoints manually or automatically. To
set up automatic breadcrumb deployment8, complete the following steps:
1. Click "Deploy to endpoints" and choose from the deployment methods in the drop-down list:
2. Enter your local admin credentials (username, password, and endpoint IP or hostname9). If the user
is a domain user (versus a local user on an endpoint), you will need to fill in the optional domain
8 The MazeRunner UI currently supports automatic breadcrumb deployment to Windows endpoints only. If you would
like to set up automatic deployment to Linux endpoints, you can do so using the MazeRunner API.
© Cymmetria MazeRunner 2018 – Community 1.10 57 www.cymmetria.com
name. NOTE: If you have previously configured local admin credentials for endpoints in Settings >
Campaign and Deployment, you will see these credentials listed here. You can change these
credentials by clicking "Change".
3. Click "Test credentials" to ensure you have entered everything correctly. If something is not right,
proceed according to the error message shown on your screen.
4. Using the toggle button, choose whether you would like to save these credentials for further use.
NOTE: If you had previously configured credentials in Settings > Campaign and Deployment, but
chose to change those credentials in step 2 above, enabling this feature will overwrite the existing
credentials for all purposes.
5. Choose a Deployment mode and select the deployment groups you would like to deploy, then click
"Deploy":
NOTE: You will not be able to select and deploy a group if at least one of the following is applicable:
There are no endpoints in the group.
One or more of the breadcrumbs in the group is inactive.
There are no breadcrumbs in the group.
There are breadcrumb conflicts within that deployment group (for example, two
breadcrumbs with the same decoy username but different passwords will conflict).
If any of the above is applicable, make sure that your decoy(s) is turned on (check the Decoy sub
screen of the Campaign screen), that you have assigned breadcrumbs to groups (check the
Breadcrumbs sub screen of the Campaign screen), and that you have assigned endpoints to groups
(check the Endpoints screen).
Cymmetria recommends deploying breadcrumbs automatically. Manual deployment is useful if automatic
deployment is impossible, or if you would like to use other orchestration software such as Chef, McAfee ePO
or Tanium.
To deploy breadcrumbs manually, complete the following steps:
1. Click "Deploy to endpoints" and choose "Manual" from the Deployment method drop-down list:
9 This is the IP or hostname of an endpoint on which the credentials will be tested. It is only used for this test, and is not
mandatory for the deployment.
© Cymmetria MazeRunner 2018 – Community 1.10 58 www.cymmetria.com
2. Choose your preferred deployment option and download the relevant installation files by clicking on
the appropriate download button. If you are deploying to a Windows OS, you have four deployment
options from which to choose:
1. Deployment Package (ZIP) – A ZIP file containing a folder for each breadcrumb group.
Each folder contains both an install and uninstall shell script for that deployment group.
2. Deployment Package (TAR.GZ) – A TAR.GZ file containing a folder for each breadcrumb
group. Each folder contains both an install and uninstall shell script for that deployment
group.
3. Executable – A ZIP file containing a folder for each breadcrumb group. Each folder
contains both an installer and uninstaller (in EXE format) for each breadcrumb group.
4. Windows Installer – A ZIP file containing a folder for each breadcrumb group. Each
folder contains both an install and uninstall file (in MSI format) for each breadcrumb
group.
If you are deploying to a Linux or Mac OS, you must choose one of the "Deployment package"
options (a ZIP or TAR.GZ file containing a folder with an installation script for each group).
3. You will need to unpack the ZIP or TAR.GZ file and run the installation files contained in each group
folder (as administrator or root) on the endpoint, in order to place the group's breadcrumb(s). Note
that the script/executable, once executed, will delete itself and all accompanying files in order to
leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP or TAR.GZ
© Cymmetria MazeRunner 2018 – Community 1.10 59 www.cymmetria.com
file from the endpoint (after saving the uninstall files in a safe location for later use) once you are
finished.
After deploying manually, a beacon10 will be sent from the endpoint to update MazeRunner about the status
of the deployment.
Now that you have deployed breadcrumbs to your endpoints, you can expand each endpoint by clicking the
+ icon to see details about the breadcrumbs on that endpoint:
NOTE: It might take the endpoint status a few more minutes to update, due to the time it takes the
breadcrumb to install, and possible network delays. If you don't see any change within a few minutes, click
the Refresh button.
DEPLOYING BREADCRUMBS FROM THE CAMPAIGN SCREEN
You can manually deploy deployment groups from the Deployment Groups sub screen of the Campaign
screen. To do so:
1. Navigate to the Campaign screen and then to the Deployment Groups sub screen.
2. In the Actions column of the deployment group you would like to deploy, click the Download icon
(on hover the icon shows "Download deployment group package"). This will open the Deploy
deployment group form.
10
The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the
status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the
MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect
to it over HTTPS (port 443).
© Cymmetria MazeRunner 2018 – Community 1.10 60 www.cymmetria.com
3. Choose "Install" as the package type (uninstall packages are also located here), and then download
the relevant installation files by clicking on the appropriate download button. For Windows, the
installer is either a ZIP or TAR.GZ file containing shell scripts (PowerShell), an executable (EXE) or a
Windows installer (MSI); for Linux and Mac, it is always a ZIP or TAR.GZ file containing shell scripts
(Python):
4. You will need to unpack and run this installer (as administrator or root) on the endpoint, in order to
place the breadcrumb(s). Note that the script/executable, once executed, will delete itself and all
accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember
to remove the ZIP or TAR.GZ file from the endpoint (after saving the uninstall files in a safe location
for later use) once you are finished.
You can now validate the deployment on the Endpoints screen (see relevant section on page 105).
PERIODIC BREADCRUMB DEPLOYMENT & CAMPAIGN REFRESH
You can schedule breadcrumb deployment at regular intervals by enabling MazeRunner's Periodic
deployment feature. This can be done using the toggle button from the Campaign and Deployment sub
screen of Settings (Settings > Campaign and Deployment):
© Cymmetria MazeRunner 2018 – Community 1.10 61 www.cymmetria.com
Set the interval (in hours, days or weeks) at which you would like to automatically deploy, and choose a
deployment mode. If there are new endpoints in a deployment group (new endpoints may have arrived via
the Active Directory or CIDR blocks automatic importation feature, for example), the refresh feature will
deploy to them.
In addition to redeploying breadcrumbs at the fixed interval you set, you can also refresh the deception
campaign every fixed number of automatic deployments. When a refresh frequency is set, breadcrumbs with
randomized credentials will have the credentials changed to new random values in order to update the
deception campaign. Set the refresh frequency value to 0 to disable campaign refreshing:
You can also define your remote deployment settings. Choose a run method (executable or native script) and
deployment path:
Lastly, enter the local admin credentials to use in the deployment (these credentials will be saved and used
for future deployments). You can test these credentials using the relevant field and the Test credentials
button:
Be sure to save your configuration when you are finished. NOTE: If you do not configure local admin
credentials for endpoints, or if they change, you will receive an error message at the next designated
deployment interval. Please make sure these credentials are configured correctly, otherwise your periodic
deployment will fail.
© Cymmetria MazeRunner 2018 – Community 1.10 62 www.cymmetria.com
Notice the sections labeled "Endpoint Forensic Puller" and "Automatic Hackback". See Forensic Puller on
page 67 and Automatic Hackback on page 72 for more information about these features.
INTEGRATING WITH A SYSLOG/SIEM
Integrating with a syslog/SIEM can be done from the Integrations screen. See Integrations on page 98 for
detailed information.
© Cymmetria MazeRunner 2018 – Community 1.10 63 www.cymmetria.com
ADVANCED USAGE
Now that you have a handle on basic configuration and usage, you are ready to learn about the advanced
configuration options available to MazeRunner users.
MAZERUNNER NETWORK CONFIGURATION
This section includes information on configuring static IP, and enabling VLAN support and non-promiscuous
mode.
STATIC IP
By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to
change MazeRunner's network configuration, follow these steps:
1. Open the server's console. The console can be accessed using your hypervisor UI.
2. Log in as "usern":
a. Enter 'usern' as the MazeRunner login. For example:
b. Enter the password 'Password1!'11 and then enter ‘static’. For example:
Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address,
DNS search domains). If you do not know your network details, contact your IT administrator. You will also
need to choose the main network interface for MazeRunner management.
NOTE: During automated deployment, the nameserver (DNS server) and the DNS search domains will be
used to look up endpoint names.
11
You will be prompted to change this password on first use of MazeRunner.
© Cymmetria MazeRunner 2018 – Community 1.10 64 www.cymmetria.com
VLAN SUPPORT
VLAN support can be enabled by following the steps outlined below (make sure you have already completed
the steps outlined for configuring VLAN support, on page 21 of this guide):
1. In MazeRunner, navigate to Settings > Networking, select "Enable decoy VLAN support", and then
click "Save configuration". NOTE: You can change the VLAN trunk interface field before saving:
2. Next, click the Add VLAN button and enter a VLAN ID (for example, "2"). NOTE: VLAN ID must use
numbers, not letters or other characters. If you are using static IP in your network, please assign the
Cymmetria management server a static IP address and a subnet mask in the spaces provided. If you
have a separate DNS server for this VLAN, be sure to add its address in the DNS field. To deploy
breadcrumbs to endpoints in different subnets, enter CIDR blocks (separated by commas) in the
Routing CIDR blocks field. A gateway must be set if you plan to route specific CIDR blocks. When you
are finished, click "Save":
That's it! VLAN support is now configured. NOTE: When you define a new decoy in MazeRunner (when
building your deception campaign either manually or with the help of the wizard; see page 41 for details),
you will need to select your VLAN ID from the drop-down list.
© Cymmetria MazeRunner 2018 – Community 1.10 65 www.cymmetria.com
NON-PROMISCUOUS MODE
If you did not enable promiscuous mode for MazeRunner's VM during installation and setup, you must
enable non-promiscuous mode by selecting the "Run MazeRunner in non-promiscuous mode" option from
the Networking tab of the Settings screen, or during MazeRunner's initial setup. NOTE: You will need to add
additional network interfaces to your MazeRunner VM. Each decoy will use one interface (for example, for
three decoys you would need four network interfaces overall: one for MazeRunner and one for each of the
three decoys).
To enable non-promiscuous mode, follow these steps:
1. Make sure you have completed the steps outlined for using MazeRunner without promiscuous
mode, on page 18 of this guide.
2. Also make sure you have chosen the main network interface for MazeRunner management:
NOTE: If you already configured static IP, please reference the section entitled Static IP on page 63.
3. In MazeRunner, navigate to Settings > Networking, select the Run MazeRunner in non-promiscuous
mode option, and then click "Save configuration":
That's it! You have now enabled non-promiscuous mode. NOTE: When you define a new nested decoy in
MazeRunner (when building your deception campaign either manually or with the help of the wizard; see
page 41 for details), you will need to select an interface from the drop-down list. You can create only one
decoy for each interface.
© Cymmetria MazeRunner 2018 – Community 1.10 66 www.cymmetria.com
SSL CERTIFICATE
You can view MazeRunner's current server certificate and download the certification authority (CA)
certificate. Additionally, you can replace the server certificate with a new certificate signed by your trusted
CA. If you would like to update the details of your certificate, you can also replace the server certificate with
a new certificate signed by MazeRunner.
To carry out any of these actions, navigate to Settings > SSL Certificate. On the SSL Certificate tab, you will
see several options. To download the current CA certificate, simply click the Download CA certificate button.
To replace the current server certificate with one signed by your trusted CA, click "Generate certificate
signing request" and fill in your information. Click "Download CSR" to download the certificate signing
request (CSR):
After downloading, sign the certificate with your trusted CA. NOTE: You will also need the CA's certificate for
the next step.
When available, upload the certificate signed by your trusted CA (PEM encoded certificate) and the CA's
certificate (PEM encoded CA certificate) by clicking "Load signed CSR", choosing the appropriate files, and
then clicking "Load and use":
© Cymmetria MazeRunner 2018 – Community 1.10 67 www.cymmetria.com
If you would like to update the details of your certificate, you can replace the server certificate with a new
certificate signed by MazeRunner. To do this, follow these steps:
1. Click the Generate certificate button under "Signed by MazeRunner" and fill in your information.
2. Click "Generate and use" to replace the certificate. NOTE: After submitting this form, you will need
to restart your browser to use MazeRunner. All OVA and EC2 decoys will need to be recreated
manually:
FORENSIC PULLER
Forensic Puller enriches MazeRunner alerts by pulling forensic information from the endpoint that triggered
the alert. It uses remote local admin access and PsExec to pull alert data from specific endpoints, providing a
more complete forensic picture.
© Cymmetria MazeRunner 2018 – Community 1.10 68 www.cymmetria.com
To enable the Forensic Puller, follow these steps:
1. Navigate to Settings > Campaign and Deployment.
2. Activating the feature requires local admin credentials. Fill in your credentials under "Local admin
credentials for endpoints".
3. Under “Endpoint Forensic Puller”, click the toggle button to the right of “Enable MazeRunner to
automatically collect forensic data from alerted endpoints” to enable the feature.
Forensic Puller will run on all events that have not been configured to be ignored in your alerting policy. For
more information on the event generated by the Forensic Puller, see “Forensic data” under Types of events
on page 119.
NOTE: If MazeRunner storage is 70% full, the Forensic Puller will stop retrieving forensic data until storage
usage drops below 70%. You will receive a notification (in the UI as well as by email) if this happens.
RELAY – ENTERPRISE EDITION ONLY
Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The
following documentation is provided here to give Community Edition users an explanation of how the
feature works.
You can connect multiple MazeRunner instances to one master MazeRunner machine. This allows you to
view and investigate the events and the Dashboards of all the MazeRunner instances, from the master
MazeRunner machine. NOTE: Campaign and deception management is done by connecting directly to the
relevant MazeRunner machine.
To configure Relay, follow these steps:
1. Navigate to Settings > Relay.
2. To activate the Relay feature, use the toggle button next to "Turn on MazeRunner relay".
3. If you would like to use the current machine as the master machine, keep the toggle button next to
"Run MazeRunner in slave mode" set to "Off":
a. To connect MazeRunner instances to the master machine, download the relay package from
the master and upload it to the instances you would like to connect:
© Cymmetria MazeRunner 2018 – Community 1.10 69 www.cymmetria.com
On the master instance, you will see a table under "Connected MazeRunners" that will list all of the
slaves connected to this master. Here you can see information about each slave machine, as well as
edit and delete a machine using the icons in the Actions column. NOTE: Deleting a slave from the
"Connected MazeRunners" table will delete all of its alerts on the master machine. If the slave is still
associated with the master, the slave will reappear in the table once the data finishes pushing. To
completely remove a slave instance from the master machine, you will need to disconnect the slave
instance (this is done from the slave machine; see 4.b.ii. below).
4. If you would like to use the current machine as a slave machine, set the toggle button next to "Run
MazeRunner in slave mode" to "On":
a. To connect this slave machine to the master machine, download the relay package from the
master machine and upload it to this machine:
b. Once the package has finished uploading, details of the master machine will appear on the
screen.
i. Use the Test connection button to check whether the slave instance has access to
the master machine, and if so, whether they are compatible for the Relay feature
(whether both instances are running the same version of MazeRunner).
ii. You can disconnect the slave instance by clicking the Disconnect button.
Disconnecting will return the machine to the state it was in before a relay package
was uploaded. NOTE: This will not delete any existing data about this slave instance
that has already been sent to the master; this needs to be done separately (see
number 3, above).
c. If changes are made to your network or master MazeRunner machine, you will need to
upload a new relay package to the slave machine(s).
© Cymmetria MazeRunner 2018 – Community 1.10 70 www.cymmetria.com
NOTE: If you update the relay package, all the alerts that failed sending during/before the update will be
resent once the master is accessible again from the slave. Alternatively, if you disconnect a slave instance
from the master, all the alerts that appeared in the slave before disconnecting and failed sending to the
master will never be resent.
Additional notes about Relay:
Deleting or archiving alerts in the slave If a user deletes or archives alerts in the slave, it does not affect the state of the alerts in the master
Deleting or archiving alerts in the master If a user deletes or archives alerts in the master it does not affect the state of the alerts in the slave
Rule policy differences between master and slave 1. Ignored events in the slave will not be sent to the master
2. Once an event from the slave is sent to the master, it is classified in the master according to the master machine's rule policy (not the slave's). This does not affect the classification of the same event in the slave (e.g., the event can be muted in the slave and set to raise an alert in the master).
3. A master instance cannot shut down decoys on a slave instance even if the rule policy requires it; such a rule must be configured on the slave instance
Deleting a decoy in the slave Deleting a decoy from the salve will delete all of the related alerts in the master and the slave
Custom services in Relay Alerts generated in the slave due to a custom service that exists only in the slave will NOT appear in the master MazeRunner (the user would need to configure the same custom services in both MazeRunner instances)
Forensic Puller in Relay Each instance of MazeRunner will only run Forensic Puller on its own alerts/endpoints. For example, if an alert appears in the slave, the master will never run Forensic Puller (even if the Forensic Puller is enabled in the master; the master will only run Forensic Puller on its own alerts/endpoints).
NOTE: Even if you try to run Forensic Puller on events manually from the Investigation screen (using the Bulk action), it will not work; Forensic Puller will only run on that machine's events and the others will fail.
© Cymmetria MazeRunner 2018 – Community 1.10 71 www.cymmetria.com
Integrations in Relay Data originating from integrations connected to the slave will not be sent to the master
RDP Session Recorded alerts in Relay RDP Session Recorded alerts/events will only be pushed to the master after the timeout for the recording was exceeded (i.e., the RDP recording will NOT be sent while it is still recording)
DASHBOARD IN RELAY MODE
The Dashboard displays content from one MazeRunner instance. You can change which MazeRunner
instance is displayed using the filter at the top right of the Dashboard screen:
By default, the Dashboard of the master instance is shown every time the Dashboard page is opened.
When viewing the Dashboard of a slave instance from the master UI, some of the data is displayed
differently from how it is usually displayed. For example, when viewing a deployment group belonging to a
slave instance, events originating from an endpoint in that group will appear as alerts from unassigned
endpoints.
Events appear according to their status in the master instance, and you will see a reminder of this at the top
of your Dashboard:
INVESTIGATION SCREEN IN RELAY MODE
By default, the Investigation screen will display events and alerts from all MazeRunner instances (note that
attack stories will only include events from one MazeRunner instance, even if events have the same
originating endpoint).
© Cymmetria MazeRunner 2018 – Community 1.10 72 www.cymmetria.com
You can filter the data you see on the Investigation screen by MazeRunner instance, using the drop-down at
the top left of the screen:
When viewing a slave instance from the master MazeRunner:
1. In the Investigation table, a new field labeled "Originating MazeRunner name" is seen in an event's
expanded view, under "Source information". "Decoy name" will display the decoy name followed by
the name of the MazeRunner instance (e.g., An alert with a decoy named "Backup server 123" that
runs on MazeRunner slave instance "MazeRunner AZ" will have this value: "Backup server 123
(MazeRunner AZ)":
2. Attack story and alert IDs are assigned to the entities in the master MazeRunner; they may have a
different value in the originating MazeRunner instance.
NOTE: In Relay mode, reports from the master MazeRunner instance will include all of the events and stories
on the master (including those originating from slave instances). The reports from the master will not include
campaign data about the slave MazeRunner instances. See Email and Reporting on page 86 for more
information about reports.
AUTOMATIC HACKBACK – ENTERPRISE EDITION ONLY
Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The
following documentation is provided here to give Community Edition users an explanation of how the
feature works.
Enterprises can do a lot of threat hunting within the law, including engaging live attackers on their own
networks with direct response and active countermeasures. Automatic Hackback gives you the ability to
engage in these steps legally and allows you to operate within the legal boundaries necessary to investigate
and take action when interfacing with live adversaries, and compromised hosts and tools, within the
confines of your network environment. This feature allows you to automatically and remotely execute a
© Cymmetria MazeRunner 2018 – Community 1.10 73 www.cymmetria.com
process on an endpoint in response to events. For detailed information about the feature, see this post on
Cymmetria's blog (the post includes a link to a separate, in-depth legal analysis).
To enable Automatic Hackback, follow these steps:
1. Navigate to Settings > Campaign and Deployment.
2. Under “Automatic Hackback”, click the toggle button to the right of “Enable MazeRunner to
automatically deploy and execute an executable file on alerted endpoints” to enable the feature.
NOTE: This feature is governed by special provisions in the license agreement for MazeRunner. It is solely
and exclusively your responsibility to ensure that you do not upload or use MazeRunner to deploy any scripts
or executables in violation of any applicable laws, regulations or industry standards, or which might result in
such violation, and you assume all liability and risks associated with this feature. You must read and agree to
the special provisions governing the use of this feature in order to enable it. Please be sure you fully
understand the potential consequences of the use of this feature before continuing; this might include
consulting with your own legal counsel to determine policies and procedures:
Once the feature has been activated, you will need to upload an executable package for the feature to use.
Click the Choose file button and select a ZIP package to be deployed to the endpoint (the package must
include a 'run.exe' file in its root):
The feature will start working only after MazeRunner validates the package. If the package validation fails,
the feature will be deactivated and you will receive a notification.
© Cymmetria MazeRunner 2018 – Community 1.10 74 www.cymmetria.com
ACTIVESOC – ENTERPRISE EDITION ONLY
Enterprise Edition note: ActiveSOC and all related features, with the exception of the Responder Monitor
deployment feature, is currently available to MazeRunner Enterprise customers only. The following
documentation is provided here to give Community Edition users an explanation of how ActiveSOC and its
related features work.
ActiveSOC allows you to automate incident response. Through integration with the SIEM, ActiveSOC allows
you to deploy deception elements to your network, based on rules you define and corresponding events
observed by the SOC. The Responder Monitor, which can be configured as part of the ActiveSOC feature,
monitors the SOC for use of credentials stolen using the Responder.py tool.
ACTIVESOC AND RESPONDER MONITOR ACTIVITY FEED
Here you can monitor all ActiveSOC and Responder Monitor activity and export the information to CSV:
You can filter and search your activity feed using the funnel icons. To do so, click on a funnel icon to the right
of a column title, choose your filter criteria from the available options, and then click "Apply Filter":
NOTE: If filtering by endpoint or deployment group, you will need to enter the endpoint IP address and the
deployment group name, respectively.
To clear your filter results, click again on the funnel icon to the right of the column title and then click
"clear".
To clean your feed (delete all entries), click the Clean feed button at the top of the screen.
© Cymmetria MazeRunner 2018 – Community 1.10 75 www.cymmetria.com
SOC INTERFACES
You can connect MazeRunner to your SOC (e.g., via MazeRunner API, ArcSight Data Platform, ArcSight ESM
or Splunk), in order to use the ActiveSOC and Responder Monitor features, which are discussed in the next
sections.
To add a SOC interface, follow these steps:
1. Click the Add button next to “SOC interfaces”.
2. Select an interface type from the drop-down options:
3. Fill in the required information according to the SOC interface you chose. If you chose ArcSight or
Splunk, you will need to test the connection by clicking “Test connection”, and then click “Save” to
finish:
You will now see the details of the SOC interface you added in the SOC interfaces table. To edit or delete an
interface, use the links located in the Actions column on the right-hand side of the screen.
NOTE: It may take some time for a SOC interface to fully load. You can see the progress of this task in the
task manager. Autocomplete for SOC field names will only be partial until the SOC interface is fully loaded.
© Cymmetria MazeRunner 2018 – Community 1.10 76 www.cymmetria.com
ACTIVESOC
The ActiveSOC feature allows MazeRunner to deploy breadcrumbs to endpoints in your organization based
on events observed by your SOC. Using ActiveSOC, you can set up specific rules that, when verified, will
cause MazeRunner to assign an endpoint to a deployment group (as defined by your rule) and deploy that
group’s breadcrumbs to the endpoint. MazeRunner achieves this through integration with your SIEM or
through the MazeRunner API. By automatically deploying deception tailored to specific suspicious behavior
(e.g., privilege escalation or abnormal traffic), ActiveSOC is able to create new intelligence out of “below-the-
threshold” events, and also validate events that might otherwise be ignored by analysts.
Before turning on the ActiveSOC feature, you will need to add a SOC interface. See the section entitled SOC
Interfaces on page 75 for information on how to do this.
Once you have added a SOC interface, use the toggle button next to “ActiveSOC” to turn on the feature:
NOTE: This feature requires local admin credentials for endpoints, which can be configured in Settings >
Campaign and Deployment.
Rules
Add rules to define the response to specific SOC events12. The rules will define how to identify the relevant
endpoint, how to filter the specific event, and to which deployment group to assign it and for how long.
To add a rule, follow these steps:
1. Click the Add button next to “Rules”. Enter a name for your rule and choose the SOC interface to
which you would like it to apply (each rule will be defined for a specific SOC interface):
12
Events could include, for example:
A user logging in from an unusual location
A privilege escalation alert (someone logged in as admin)
A computer connecting to an IP that doesn’t exist and then reaching a decoy
Someone attempting to access a web page/app that doesn’t exist
© Cymmetria MazeRunner 2018 – Community 1.10 77 www.cymmetria.com
2. Define how to identify the endpoint in this type of event. Select the field from where your SIEM’s
target data is extracted (IP address or Hostname), fill in a field name, and if you would like, fill in a
DNS suffix (for example, hostname "myhost" and DNS suffix "mydomain.local" will become
"myhost.mydomain.local") or an IP range (CIDR):
3. For ArcSight ESM, each rule must have a query. The query is the name (ArcSight ESM QueryViewer)
predefined on your ArcSight ESM, from which MazeRunner will receive the events. All other rule
conditions will apply to the events received from that query. It's important to note that the
frequency of retrieval is dependent on the frequency of the query as defined in ArcSight ESM and
not controlled from within MazeRunner:
4. Add conditions for your event (field name and value). Be as specific as you can (there is no limit to
the number of conditions you can add per event):
5. Choose the deployment group to which you would like to deploy when this rule is verified, and the
deployment duration (how long to keep the breadcrumbs on the endpoint). For example, if you
enter ‘4’ here, the breadcrumbs will be deleted from the endpoint after 4 hours. When you are
finished, click "Save":
© Cymmetria MazeRunner 2018 – Community 1.10 78 www.cymmetria.com
You will now see the details of the rule you added in the Rules table. In the Rank column of the Rules table,
note that there are two arrows; these are used to set priority for a rule. Clicking the up/down arrows will
move the location of rules in the table, thereby changing their rank (a rule with a rank of 0 has the highest
priority).
Notice the “On/Off” button in the Actions columns on the right-hand of the screen. Use this button to
activate and deactivate specific rules at certain times. You can also delete and edit your rules from this
column.
That’s it! From now on, if a rule you set is verified, MazeRunner will assign the endpoint to a deployment
group (as defined by your rule) and deploy that group’s breadcrumbs to the endpoint. When this happens, a
new record will be created in the Activity Feed and a new endpoint will appear on the Endpoints screen. The
breadcrumbs that were deployed will be removed from the endpoint after the period of time you defined in
your rule.
For more information about the ActiveSOC activity feed, see the ActiveSOC and Responder Monitor activity
feed section on page 74.
RESPONDER MONITOR
MazeRunner’s Responder Monitor (Pass-the-Hash) feature allows MazeRunner to periodically broadcast
deceptive credentials from endpoints and decoys. Attackers listening in on the network using the
Responder.py tool (or a similar tool) will capture these broadcasts and will potentially use these deceptive
credentials. The Responder Monitor feature gives you more deception options, as its alerting is based on
detected NBNS poisoning and stolen hashed credentials, and the use of these credentials on the network. To
use the Responder Monitor feature, you have two options:
1. Activate monitoring from a decoy via a Responder Monitor service.
Allows monitoring for use of Responder.py tool on the network subnet of the decoy.
Place the decoy in the same network subnet that you wish to defend.
Allows you to choose a hostname for MazeRunner to query. NOTE: If this hostname actually
exists in the network, make sure to also configure its IP in order to prevent false positives.
2. Activate monitoring from a specific endpoint via the Responder Monitor deployment feature.
Allows monitoring for use of Responder.py tool on the network subnet of endpoints.
© Cymmetria MazeRunner 2018 – Community 1.10 79 www.cymmetria.com
By choosing endpoints from each network subnet, you can effectively monitor your entire
network for the use of Responder.py tool.
Cymmetria recommends creating a separate deployment group for each Responder Monitor
breadcrumb, and assigning a single endpoint from each network subnet to one of these
groups.
MazeRunner will query the hostname of the decoy to which the Responder Monitor
breadcrumb is connected.
To start working with the Responder Monitor feature, you first need to create a Responder Monitor
breadcrumb and connect it to a Responder Monitor service (and then connect to an active decoy). You can
do this easily using the Deception story wizard:
1. Navigate to the wizard (click "New story" from the Campaign screen) and select the Responder
Monitor story:
2. In step 3 ("Set up breadcrumbs"), you must enter a domain name, username, and password (the
domain name is the name of the domain that you want to monitor for Pass-the-Hash attacks):
© Cymmetria MazeRunner 2018 – Community 1.10 80 www.cymmetria.com
3. You must assign Responder Monitor breadcrumbs to a deployment group. In the 4th and final step
("Deploy"), use the Assign to group drop-down to assign your breadcrumb to a deployment group
before clicking "Next" to finish.
Responder Monitor deployment
This feature allows deploying Responder Monitor breadcrumbs automatically and periodically. When
deployed, the breadcrumb identifies and alerts on NBNS spoofing and the use of Responder.py tool on the
endpoint's subnet. The username, domain, and password will be fed to the attacker from the endpoint.
To use the Responder Monitor deployment feature, navigate to ActiveSOC > Responder Monitor and use the
toggle button to the right of “Responder Monitor deployment” to activate the feature:
NOTE: This feature requires local admin credentials for endpoints, which can be configured in Settings >
Campaign and Deployment.
MazeRunner will begin to deploy to endpoints in the deployment group you configured in the final step of
the Responder Monitor story creation in the wizard. NOTE: Responder Monitor alerting only works when the
Responder Monitor breadcrumb is deployed via the Responder Monitor deployment feature described
above.
Every time MazeRunner deploys on an endpoint, the Responder Monitor breadcrumb tries to detect NBNS
poisoning of the connected decoy hostname; if it detects this, it broadcasts the deceptive credentials and
reports if Responder.py tool was used to steal these credentials.
MazeRunner aims to maximize the likelihood of an attacker intercepting deceptive credentials. In order to do
this, the Responder Monitor breadcrumb will broadcast (each time from a different endpoint) every X
minutes (where X is the detection interval you defined during breadcrumb creation, or a random interval
between 1-10 minutes that is regenerated for each endpoint deployment).
Responder Monitor SOC integration
To use the Responder Monitor SOC integration (allows detection of Pass-the-Hash attacks), first make sure
that:
1. You have added a SOC interface (see the section entitled SOC Interfaces on page 75 for instructions
on how to do so). NOTE: Make sure that the assets you want to monitor send their Windows event
logs to the SOC interface you configured, and that their audit policy for login attempts is enabled for
failed login attempts.
© Cymmetria MazeRunner 2018 – Community 1.10 81 www.cymmetria.com
2. Once you have added a SOC interface, enable the Responder Monitor SOC integration using the
toggle button to the right of "Responder Monitor SOC integration".
Next, you might need to map custom Responder Monitor fields mapping13. MazeRunner will query the SOC
interfaces you configured to find evidence of someone using the Responder Monitor breadcrumbs that were
deployed by MazeRunner. When MazeRunner is querying your SOC interface, it uses the following default
field names in the query (according to your interface type):
Field name Splunk ArcSight Data Platform
Username Account_Name destinationUserName
Domain Account_Domain destinationNtDomain
Event_code EventCode externalId
Endpoint_hostname Workstation_Name destinationHostName
Endpoint_ip Source_Network_Address destinationAddress
NOTE: ArcSight ESM is not supported for use with the Responder Monitor feature.
If any of these fields is serialized differently in your SOC interface, you will need to add custom mapping for
these fields. To do this, follow these steps:
1. Click the Add button next to “Map Responder Monitor fields”:
2. From the drop-down list, choose the SOC interface you would like to map (you can have more than
one mapping for each SOC interface). Then, fill out the remaining mandatory fields and click “Save”:
13
If you would like to use an API SOC interface with the Responder Monitor feature, you must map the interface's
fields.
© Cymmetria MazeRunner 2018 – Community 1.10 82 www.cymmetria.com
Validating Responder Monitor configuration
In order to check that the Responder Monitor deployment and alerting are working properly, complete the
following steps:
1. To check that the deployment worked, navigate to ActiveSOC > Activity Feed. In the Event column,
check that there is at least one entry with the status "Deployment successful". If after approximately
10 minutes you do not see an entry, please make sure that the Responder Monitor deployment
feature is turned on and that it is configured correctly. If you see an entry with a "Deployment
failed" status, please refer to this FAQ (page 134).
2. There are three types of events ("NBNS poisoning", "Credentials stolen by attacker", and
"Credentials used by attacker"). To verify that you have configured the Responder Monitor SOC
integration feature correctly, there are two tests you can carry out:
1. Select a server in your domain (the domain being monitored in the SOC interface you
configured earlier) that has a network share, and run the following net use command from a
different machine (e.g., your Windows laptop):
net use \\<server_address> /user:<breadcrumb_domain>\<breadcrumb_username>
<breadcrumb_password>
Within approximately 10 minutes, you should see a Network Credential Interaction alert on
MazeRunner’s Investigation screen. If you do not see an alert, please check your SOC
configuration (the SOC interface you added as well as the Responder Monitor fields mapping
you set up).
Now, whenever MazeRunner deploys the Responder Monitor breadcrumb to one of your
endpoints, if there is an attacker in your network who is using Responder.py (or a similar
tool), the attacker will record the Responder Monitor breadcrumb credentials. If the attacker
© Cymmetria MazeRunner 2018 – Community 1.10 83 www.cymmetria.com
then uses these credentials on a machine in one of your monitored domains, MazeRunner
will raise an alert and you will see the details on the Investigation screen.
2. Run Responder.py on one of your network segments and make sure it poisons the hostname
of the decoy on which the Responder Monitor service is running. Import an endpoint from
that network segment to MazeRunner (you can do this by using MazeRunner's "Import by
CIDR blocks" feature) and make sure that this endpoint is the only endpoint in the
Responder Monitor's deployment group. Wait for the deployment to finish on the endpoint
(you will see this status in your activity feed). Notice that the Responder.py tool captured
the hash credentials of the Responder Monitor breadcrumb and that you see "NBNS
poisoning" and "Credentials stolen by attacker" alerts on MazeRunner's Investigation screen.
For more information about the activity feed, see the ActiveSOC and Responder Monitor activity feed
section on page 74.
CHANGING ALERTING POLICY
Changing your alerting policy can be done from the Alerting Policy sub screen in Settings. Navigate to
Settings > Alerting Policy:
Here you can define the system-wide policy for handling events. For each event, you can define whether it
will be ignored, recorded in MazeRunner, or recorded in MazeRunner AND sent to the syslog server. You do
this by setting system-wide rules to be performed for specific types of events. You can also define user rules
that override any system rules.
System-wide rules: These are the built-in rules that define which action should be taken for each
event type. You can choose from "Ignore", "Mute" (default setting), and "Alert":
Ignore – The event is not seen anywhere.
Mute – The event is only seen on the Investigation screen; however, you can choose to
"Send muted events" via syslog or Cuckoo, using the toggle button on the Syslog and Cuckoo
sub screens of MazeRunner's Integrations screen.
Alert – The event is seen on both the Investigation screen and the Dashboard, and an alert is
sent via syslog and email.
© Cymmetria MazeRunner 2018 – Community 1.10 84 www.cymmetria.com
User rules: Here you can define rules that will override the system rules. To do this, follow these
steps:
1. Click "Add rule" to open the rule creation form:
2. To which type of event should this rule apply? Choose one from the drop-down list. NOTE:
You will need to create a separate rule for each type of alert, or a single rule that will match
all alert types.
3. To which decoy(s) and service(s) would you like this rule to apply? Make your selections
from the drop-down lists.
4. You can choose to set a rule for actions originating from a specific IP address. To do this, fill
in the IP address in the field provided. Please note that IP addresses are matched exactly.
5. You can also choose to set a rule for a specific file located on a decoy (e.g., "/bin/netcat" or
"myshare/important.txt"). To do this, fill in the relevant filename in the field provided. The
filename specified will apply to SMB alerts, code execution alerts, and unsigned code
execution alerts. Please note that the filename is matched exactly (SMB alerts will contain
the share name, there is a distinction between / and \, and names are case sensitive).
6. What would you like to happen? Choose an action ("Ignore", "Mute", "Alert" or "Shut down
decoy") from the drop-down list. If you choose "Shut down decoy", any decoy(s) related to
that event will be automatically shut down when the event is processed. IMPORTANT:
Shutting down the decoy is independent of the action you set for each event type ("Ignore",
"Mute", "Alert"); an event may be ignored by another rule and still shut down the decoy.
7. Once you have finished defining your new rule, click "Save".
© Cymmetria MazeRunner 2018 – Community 1.10 85 www.cymmetria.com
PRODUCT REFERENCE
The following sections provide an overview of the MazeRunner platform, including its user interface and
additional functionalities.
PRODUCT INTERFACE
MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main
parts of the product:
● Dashboard – Your deception battle map, where you control and review your campaigns.
● Campaign screen – Here you create the different components of your deception campaign.
● Endpoints screen – From this screen you can view and manage your endpoints, as well as deploy
breadcrumbs.
● Investigation screen – Used for viewing your campaign's events and alerts. Here you can see every
move an attacker has made.
● ActiveSOC – Connect MazeRunner to your SOC in order to use MazeRunner's ActiveSOC and
Responder Monitor features14.
● Integrations – Here you can configure integrations with security tools and software (e.g., syslog,
ThreatConnect, AWS).
Alternatively, you may manage the platform using the MazeRunner API. Almost everything that can be done
using the MazeRunner interface can also be achieved by using the API. For details, see our online API
documentation.
SETTINGS
Configure MazeRunner, run diagnostics, manage users and API keys,
view your access log, and more. The Settings screen, which can be
reached by clicking the gear icon on the top right navigation bar,
contains twelve sub screens for configuring MazeRunner.
GENERAL
Here you can enter a virus database URL, choose to share intelligence back with the community,
automatically download updates, set the time zone, enable endpoints tracking (send beacon15), view/change
14
ActiveSOC and all related features, with the exception of the Responder Monitor deployment feature, is currently
available to MazeRunner Enterprise customers only.
15 The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the
status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the
© Cymmetria MazeRunner 2018 – Community 1.10 86 www.cymmetria.com
the NTP server domain address, set the number of hours of inactivity before logout, and restore the default
configuration for General and Email and Reporting.
You can also allow MazeRunner to access the web through a proxy server that requires authentication with a
username and password. To do so, enter an HTTP proxy server URL (e.g., https://<IP>:<PORT>), and activate
the Authenticate using credentials feature by clicking the toggle button and entering a username and
password.
Lastly, you can restart or shut down MazeRunner using the power option buttons located at the bottom of
this screen. NOTE: If you shut down MazeRunner from here, it will shut down the entire system; you will
need physical access to the server (if you are using a physical appliance) or access to the ESXi (if you are
using a virtual appliance on the ESXi) in order to turn MazeRunner on again.
EMAIL AND REPORTING
Here you can define settings for email and reporting:
MazeRunner provides three reports:
1. MazeRunner status report – Generate a report about the current state of MazeRunner. Includes
general statistics about investigation, a list of unresolved attack stories, deception campaign state
(list of decoys), and deployment state (endpoint screen statistics and a list of deployment groups).
2. Time range report – Generate a report about events and alerts within a given time range. Includes
event summary and statistics, an attack story summary, a list of all attack stories, and an annex
(accessed ports, mentioned hosts, and usernames used).
3. Attack story report – Generate a report for a single attack story.
MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect
to it over HTTPS (port 443).
© Cymmetria MazeRunner 2018 – Community 1.10 87 www.cymmetria.com
The first two reports are accessible from Settings > Email and reporting, as well as at the top right-hand side
of the Investigation screen. Simply click the corresponding buttons on either of these screens, select a time
range if necessary, and download the desired reports (PDF format).
The attack story report can be downloaded from individual expanded attack stories, in the attack story
section on the Investigation screen. Simply click the download icon, choose a date range, and click
"Download":
NETWORKING
Here you can add a decoy MAC address prefix and set MazeRunner's networking configuration. You can
choose to use the default configuration, run MazeRunner in non-promiscuous mode or enable VLAN support
for decoys and view/change the VLAN trunk interface:
ACCESS CONTROL
Here you can enable access control to MazeRunner's management interface by limiting access to specific IP
addresses. To add an IP address to your access control whitelist, click "Add rule", enter the IP address, and
then click "Save":
© Cymmetria MazeRunner 2018 – Community 1.10 88 www.cymmetria.com
CAUTION! If this is not done properly, you risk losing your own access to MazeRunner. Please
ensure the validity of the information you enter here. If something goes wrong, please contact
Cymmetria support.
ALERTING POLICY
Here you can define the system-wide policy for handling events. See Changing alerting policy on page 83 for
more details.
CAMPAIGN AND DEPLOYMENT
Here you can enable periodic breadcrumb deployment, MazeRunner's endpoint Forensic Puller, and
Automatic Hackback16, as well as define your campaign refresh frequency, remote deployment settings, and
local admin credentials for endpoints (and test those credentials). See Periodic breadcrumb deployment &
campaign refresh on page 60, Forensic Puller on page 67, and Automatic Hackback on page 72 for detailed
instructions.
CUSTOM SERVICES – ENTERPRISE EDITION ONLY
Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The
following documentation is provided here to give Community Edition users an explanation of how the
feature works.
Custom services are services that are not part of MazeRunner by default. You can upload a custom service
that you have created or received from another source. Once uploaded, you will be able to add the service
to your deception campaign.
16
This feature is currently available to MazeRunner Enterprise customers only.
© Cymmetria MazeRunner 2018 – Community 1.10 89 www.cymmetria.com
To add a new custom service, navigate to Settings > Custom services, click "Add custom service", and upload
a ZIP file containing your custom service. NOTE: Each custom service file that is uploaded to MazeRunner
must contain a name and description.
The custom service's label and description can be edited from the custom services table, using the edit icon
in the Actions column. To delete a custom service, use the delete icon in the same column of the table. Note
that when you delete a custom service, all related events as well as all instances of the service in your
deception campaign will be deleted.
GOLDEN IMAGES – ENTERPRISE EDITION ONLY
Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The
following documentation is provided here to give Community Edition users an explanation of how the
feature works.
MazeRunner allows you to add new base images for decoys, in order to keep decoys consistent with your
organization's production machines. You can configure these images in Settings > Golden image.
To add an image, follow these steps:
1. Click "Add golden image", fill in a name, and click "Next".
2. Upload your image. You can stop an upload by clicking "Stop upload":
3. Once your image has finished uploading, click "Done" to finish. You will now see your image and its
details listed on the main screen (your image's status may show as "Onboarding" for several hours):
Now, when you manually create a decoy from the Campaign screen, you can select your new image from the
Operating system drop-down:
© Cymmetria MazeRunner 2018 – Community 1.10 90 www.cymmetria.com
A few notes on support for golden images:
Supported image type: VMware OVA images only
Supported OS types: Windows 7 and above
Code Execution alerts are not supported
ACTIVE DIRECTORY
Here you can import domains from an Active Directory for use when managing your endpoints and
automating breadcrumb deployment. You can also view information on Active Directory sources and CIDR
blocks you have added. Please see Importing endpoints from Active Directory on page 49 for more
information.
RELAY – ENTERPRISE EDITION ONLY
Here you can configure MazeRunner's Relay feature, which allows connecting multiple MazeRunner
instances and monitoring them from one MazeRunner machine. See Relay on page 68 for more information.
SSL CERTIFICATE
Here you can view the current server certificate and download the CA certificate. You can also replace the
certificate with a new certificate signed by MazeRunner or signed by a certification authority (CA). See SSL
Certificate on page 66 for more information.
API KEYS
Almost everything that can be done using the MazeRunner interface can also be achieved by using the API.
Some examples include:
Inspecting and managing alerts
Creating and editing deception campaigns
© Cymmetria MazeRunner 2018 – Community 1.10 91 www.cymmetria.com
Implementing new breadcrumb deployment mechanisms
Integrating MazeRunner with 3rd party systems
On the API Keys sub screen, you can add API keys to allow users to access the MazeRunner API. To do so,
follow these steps:
1. Click "Add API key", enter a description (this is an internal description), and click "Save":
2. Your new API key details (description, key ID, and secret key) will appear on the screen. NOTE: Be
sure to record the secret key, as this is the only time you will see it. Click "Done" to finish.
3. API keys can be removed at any time by clicking the trash icon in the Actions column on the right-
hand side of the screen.
In order to ensure you are communicating with MazeRunner, click "Download CA certificate" and add this to
your API script.
For more details on the MazeRunner API, see our online API documentation.
USER MANAGEMENT
User management allows admins to create and delete users and assign them user roles, as well as view
MazeRunner's access log, which records the date and time each user accesses MazeRunner, and from which
IP address.
To create a new user and assign that user a role, navigate to Settings > User Management and follow these
steps:
1. Click "Add user". Define a unique username and password, assign the user a role (see Role-based
access control, below), then click "Save":
2. Users can be edited at any time by clicking the pencil icon in the Actions column on the right-hand
side of the screen.
© Cymmetria MazeRunner 2018 – Community 1.10 92 www.cymmetria.com
ROLE-BASED ACCESS CONTROL
MazeRunner allows you to assign different levels of access to individual users. Certain features and/or
screens within MazeRunner will be disabled for users with insufficient permissions to view or edit those
features/screens. MazeRunner offers the following levels of access: Administrator (only an administrator
user can create, edit or delete other users), Deception Manager, Incident Response Analyst, and Read-only.
The following table details some specific actions each level of access can take within MazeRunner:
Administrator Deception
Manager
Incident
Response
Analyst
Read-only
Create, edit or delete other users
Create an API key
View the User Management page
Change the deception campaign
Change endpoints
Change settings partial
Change integrations
Acknowledge or stop background tasks and
notifications
Edit/archive events and alerts
Change password, send logs to Cymmetria, view
active tasks and notifications, view the About
screen, send feedback
View most MazeRunner screens and features
(unless otherwise indicated)
Additional notes about user roles:
When upgrading to MazeRunner version 1.9.0 or above from an older version of MazeRunner (1.8.0
and below) that has multiple users, all users will become admin users (one time only). If you wish to
assign lower access to some users, you will need to do so after upgrading. For all future upgrades,
user roles will persist.
For each role, the limits of what the user can do are defined on a screen-by-screen basis. If a user
does not have the necessary permissions to edit an object, for example, control buttons (such as
“Save” or “Delete”) will be disabled, and a tooltip stating "Insufficient permissions" will appear. In
other instances, a banner will appear near the page title stating that some settings are disabled for
non-admin users.
© Cymmetria MazeRunner 2018 – Community 1.10 93 www.cymmetria.com
DIAGNOSTICS
MazeRunner diagnostics allows you to run diagnostics to review the current configuration of MazeRunner.
Simply click "Run MazeRunner diagnostics":
If a test was unsuccessful, you will see a red X and an error message with further instructions on how to
proceed.
TASK MANAGER
The task manager, accessed from the check mark icon that is
located on the top right navigation bar, displays MazeRunner
tasks and their statuses. By clicking the icon, you can view the
status of tasks that are currently running (on the Running tab),
and see a list of completed tasks (on the Complete tab). NOTE: Stopped and failed tasks can be seen on the
Complete tab alongside successful tasks.
If you would like to stop a task that has already been started, you can do so from the Running tab. To stop a
task that is currently in progress, click the Stop icon to the right of the task's name:
Once you do this, the task will move to the Complete tab and its status will appear as "Stopped":
© Cymmetria MazeRunner 2018 – Community 1.10 94 www.cymmetria.com
NOTE: If you stop a task (for example, a breadcrumb deployment) before it has completed, you will need to
navigate to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and clean the
endpoints on which breadcrumbs have already managed to deploy before you stopped the deployment. For
more information on how to do this, see Filter & sort options and Bulk actions in the Endpoints screen
section on page 105.
If a task fails, you will see this detailed in the task's status bar on the Complete tab:
To check failed deployments, you will need to go to the Endpoints screen, filter out all the endpoints with a
Deployment Failed status, and expand the endpoint rows to check why they failed. For more information on
how to do this, see Filter & sort options on page 106.
NOTIFICATION CENTER
The notification center, accessed from the globe icon on the top right
navigation bar, displays alerts and notifications regarding your
MazeRunner activity. This includes campaign import status, any issues
that need your attention, and more.
STABILITY ALERT EMAILS
To make sure you do not miss important notifications, MazeRunner will send an email alert for some types
of notifications in addition to displaying them in the notification center.
Email settings can be configured by navigating to Settings > Email and Reporting.
© Cymmetria MazeRunner 2018 – Community 1.10 95 www.cymmetria.com
DECEPTION STORY WIZARD
This tool, accessed from the New story button on the Campaign
screen, assists you in building your deception campaign. The wizard
allows you to choose from templates that have been prepared by
Cymmetria's security team. Alternatively, you can build your own
customized deception stories without the help of the wizard.
For more information on how to build deception stories using the wizard, see the section entitled Creating a
deception campaign (using the Deception story wizard) on page 42.
USER MENU
This menu, accessed from the user menu icon on the top right navigation bar, allows you
to change your password, update the system, access MazeRunner's user manual, send
logs to Cymmetria, and open a support ticket (or send feedback).
CHANGE PASSWORD
If you would like to change your password, you can do so here. Simply enter your old password and your
desired new password, and then click "Update":
SYSTEM UPDATE
Use the System Update wizard to check for MazeRunner updates or upload and install an update file you
received from Cymmetria. When you select "Update" from the System Menu, the System update window
will open and display the current system status (either that MazeRunner is up-to-date, or prompting you to
check for updates).
To check for updates, click "Check online for updates":
© Cymmetria MazeRunner 2018 – Community 1.10 96 www.cymmetria.com
If an update is available, you will be prompted to download and install it. The system will reboot after
installation is complete.
To upload and install an update file you received from Cymmetria, click "Upload and install an update file".
Once you click this button, the update file will upload and then automatically begin to install. NOTE: During
installation, you will not be able to use MazeRunner; the system will reboot after installation is complete:
If your update fails, please contact Cymmetria support and we will be happy to help you.
IMPORTANT: If your MazeRunner server is connected to the Internet, it will automatically check for version
updates once a week and will prompt you with a notification if there is a new version to download. Also,
when a new version of MazeRunner is released, Cymmetria will notify you by email. This way, if your
MazeRunner is not connected to the Internet, you can manually update the system by using the MazeRunner
Update wizard to upload an update file.
SEND LOGS TO CYMMETRIA
Sending logs to Cymmetria will allow us to better investigate issues related to your specific MazeRunner
instance. You can send logs automatically by entering your email address in the field provided and then
clicking "Send logs":
© Cymmetria MazeRunner 2018 – Community 1.10 97 www.cymmetria.com
HELP FEATURES
The MazeRunner UI includes several types of help features to guide you in your use of the product.
HELP ICON
A help icon ? is located at the top right of the services and breadcrumbs forms (click “Create service” or
“Create breadcrumb” from the Services or Breadcrumbs sub screens of the Campaign screen). Clicking the
help icon will provide a description of all available services, or a description of available breadcrumbs and
how they affect endpoints. When in help mode, the help icon will change to a back icon < that, when clicked,
will take you back to the creation form:
DECEPTION ELEMENT DESCRIPTIONS
A short description is located at the top of the services and breadcrumbs creation forms, to provide a
general description of what these elements are:
© Cymmetria MazeRunner 2018 – Community 1.10 98 www.cymmetria.com
TOOLTIPS
Tooltips are located throughout MazeRunner in various places, such as on hover over certain icons and
buttons. When you hover your mouse cursor/pointer over a relevant item, a tooltip will appear in order to
provide further information about the item:
INTEGRATIONS
MazeRunner has bi-directional integrations, meaning it either uses other security tools to trigger deception
in MazeRunner (e.g., playbooks) or it sends threat intelligence data from MazeRunner to other solutions,
such as ThreatConnect. You can also integrate MazeRunner's intelligence feed with your SIEM (e.g., Splunk,
ArcSight), or with your sandbox to send files gathered by MazeRunner for sandbox analysis.
CUCKOO SANDBOX
You can send malware samples to Cuckoo and have the results sent back to and displayed in MazeRunner.
You will be able to download the results (a ZIP file) from the alert details on MazeRunner's Investigation
screen. This integration can be used for Code Execution and Unsigned Code Execution alerts.
To configure a Cuckoo sandbox in MazeRunner, follow these steps:
1. Navigate to Integrations > Cuckoo sandbox and click "Add instance".
2. Give your instance a name (internal), and enter the internet address (either IP or full DNS address) of
your Cuckoo instance, as well as its API and display ports. Enable using HTTPS if you wish to do so.
3. Choose a status for your integration; there are three options:
1. Active – Automatic – Relevant events will automatically be fed to the integration.
2. Active – Manual – You will need to manually send relevant events to the integration, by
choosing to do so from the expanded alert view on MazeRunner's Investigation screen:
3. Turned off – Integration is currently inactive.
© Cymmetria MazeRunner 2018 – Community 1.10 99 www.cymmetria.com
4. If you would like, enable "Send muted events" (send data from events set to "Mute" in the alerting
policy) using the toggle button.
5. Test your connection using the Test connection button, and then click "Save changes".
You can add additional instances by clicking the "Add instance" button at the top right-hand side of the
screen. To delete an instance, click the trash can icon for that particular instance.
NOTE: You can use the Resend event data button to resend event data that previously failed to send.
IBM BIGFIX
You can deploy breadcrumbs to endpoints in your organization using IBM BigFix. See the IBM BigFix sub
screen of Integrations in the MazeRunner UI for more information.
SCCM
You can deploy breadcrumbs to endpoints in your organization using SCCM. See the SCCM sub screen of
Integrations in the MazeRunner UI for more information.
TANIUM
You can deploy breadcrumbs to endpoints in your organization using Tanium. See the Tanium sub screen of
Integrations in the MazeRunner UI for more information.
MCAFEE EPO
You can deploy breadcrumbs to endpoints in your organization using McAfee ePO. See the McAfee ePO sub
screen of Integrations in the MazeRunner UI for more information.
AWS
You can deploy MazeRunner in AWS. To do so, please contact Cymmetria to receive a version of
MazeRunner that is configured to work in AWS.
© Cymmetria MazeRunner 2018 – Community 1.10 100 www.cymmetria.com
SYSLOG
MazeRunner supports several integrations for reporting alerts through syslog (Splunk, ArcSight,
Elasticsearch, and more). Here you can define settings for syslog (UDP/TCP port and address, output format,
and encryption).
Click "Add instance", name your instance, choose which protocol you would like to use (UDP or TCP), and fill
in the UDP/TCP address and port. Use the toggle buttons on this screen to enable using ArcSight CEF,
encrypting the TCP syslog with SSL, and sending muted events, and then click "Save changes":
You can add additional instances by clicking the "Add instance" button at the top right-hand side of the
screen. To delete an instance, click the trash can icon for that particular instance.
NOTE: You can use the Resend event data button to resend event data that previously failed to send.
THREATCONNECT
This section will show you how to set up ThreatConnect for use with MazeRunner.
To set up ThreatConnect integration, follow these steps:
1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you
would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of
which feed to connect, please check with your ThreatConnect contact). In this example, our feed is
called "Cymmetria TAXII Source":
© Cymmetria MazeRunner 2018 – Community 1.10 101 www.cymmetria.com
2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared
on your screen. Click on the gear icon to go to your TAXII feed's Source Config:
3. In Source Config, go to the Data tab:
© Cymmetria MazeRunner 2018 – Community 1.10 102 www.cymmetria.com
4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange:
5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window
has popped up on your screen:
Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII
server URL found in MazeRunner's Integrations settings. To do this:
a) Open MazeRunner in your browser by navigating to your virtual machine's IP address
(using HTTPS). In the MazeRunner UI, navigate to the Integrations screen and select
ThreatConnect from the left-hand side of the screen:
© Cymmetria MazeRunner 2018 – Community 1.10 103 www.cymmetria.com
b) There you will find "TAXII settings". Use the toggle button next to "Enable TAXII server"
to enable the server, click the Submit button, and then copy the link found in the "TAXII
server URL" field.
c) Go back into ThreatConnect and paste this URL into the space provided, then click
"Next".
6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click
on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5
will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not
need to use these credentials again; they are only required by ThreatConnect in order to proceed to
the next step), then click "Next":
7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called
"alerts_feed"), then click "Next":
© Cymmetria MazeRunner 2018 – Community 1.10 104 www.cymmetria.com
8. Click "Next" until you reach the Confirm tab, and then click "SAVE".
PHANTOM
You can use Phantom to deploy breadcrumbs to endpoints in your organization. See the Phantom sub screen
of Integrations in the MazeRunner UI for more information.
For help, please contact Cymmetria.
CHEF
You can deploy breadcrumbs to endpoints in your organization using Chef. See the Chef sub screen of
Integrations in the MazeRunner UI for more information.
© Cymmetria MazeRunner 2018 – Community 1.10 105 www.cymmetria.com
ENDPOINTS SCREEN
This screen shows you endpoints and the breadcrumbs they contain, along with their status, details, and
possible actions that can be taken:
Notice the endpoint status chart at the top of the screen. An endpoint's status is defined as follows:
Clean – The endpoint contains no breadcrumbs (usually when the endpoint has recently been
imported and no action has been taken on it)
Deployment Failed – Breadcrumb deployment to the endpoint was unsuccessful (a detailed error
message will be shown when you expand the endpoint row)
Inactive – The endpoint contains breadcrumbs, but a subset of those breadcrumbs are inactive
Active – Breadcrumbs have been deployed to the endpoint successfully, and are active
NOTE: You can redeploy breadcrumbs to endpoints that had issues by choosing the relevant Deployment
mode in the Deploy to endpoints form (see Deploying breadcrumbs on page 56 for more information):
After you have deployed breadcrumbs to your endpoints, you will be able to expand each endpoint by
clicking the + icon to see details about the breadcrumbs on that endpoint.
You have already learned how to import endpoints from Active Directory and from CIDR blocks (page 49 and
53), and how to deploy breadcrumbs to those endpoints (page 56); now let's look at what else you can do
with your endpoints from the Endpoints screen.
© Cymmetria MazeRunner 2018 – Community 1.10 106 www.cymmetria.com
FILTER & SORT OPTIONS
There are several filter and sort options available on the Endpoints screen. You can use the search bar,
and/or the funnel icon to the right of certain column titles (Endpoint ID, Status, Status updated on,
Deployment groups, Origin, and Last connection attempt), and/or the arrow icon to the right of some
column titles (Endpoint hostname, Endpoint IP, Status updated on, and Last connection attempt).
To filter using the search bar:
1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter"
on your keyboard. You can search using letters and numbers pertaining to an endpoint's hostname,
IP address or operating system (e.g., searching '2016' would return a result showing all endpoints
running a Windows Server 2016 Standard operating system):
2. To clear your filter results and return to the main screen (where all endpoints are visible), simply
delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter"
on your keyboard.
To filter using the funnel icon to the right of column titles:
1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available
options, then click "Apply filter":
2. To clear your filter results and return to the main screen (where all endpoints are visible), click again
on the funnel icon to the right of the column title and then click "Clear".
Use the arrow icons next to column titles to sort data numerically or alphabetically.
Refresh the page by using the Refresh button at the top left-hand side of the screen (this page does not
dynamically refresh).
© Cymmetria MazeRunner 2018 – Community 1.10 107 www.cymmetria.com
BULK ACTIONS
Using the checkboxes next to each endpoint, you can take bulk actions on selected endpoints. You can
delete endpoints, clean breadcrumbs from endpoints, deploy breadcrumbs to select endpoints, re-assign
endpoints to a different deployment group, and run Forensic Puller on endpoints.
To delete an endpoint and its related breadcrumbs (remove from database completely):
1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the
left of the endpoint hostname. This will cause the bulk actions drop-down to appear:
2. Click "Delete endpoints"; when prompted to confirm the action, click "Delete".
3. Once the action has been completed successfully, you will see a green confirmation message appear
next to the notification center at the top right-hand corner of your screen.
To clean breadcrumbs from an endpoint (connect remotely and remove breadcrumbs on that endpoint):
1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the
left of the endpoint hostname. This will cause the bulk actions drop-down to appear:
2. Click "Clean breadcrumbs" and choose your preferred deployment method (executable or native
script). If you have previously configured local admin credentials for endpoints in Settings >
Campaign and Deployment, you will see these credentials here. You can change these credentials by
clicking "Change". If you choose to change the credentials, you can save the new credentials for
further use by using the toggle button that appears. NOTE: Saving the new credentials will overwrite
the existing (previously configured) credentials for all purposes:
3. When you are ready, click "Clean".
4. Once the action has been completed successfully, you will see a green confirmation message appear
next to the notification center at the top right-hand corner of your screen.
© Cymmetria MazeRunner 2018 – Community 1.10 108 www.cymmetria.com
To deploy breadcrumbs to select endpoints:
1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the
left of the endpoint hostname. This will cause the bulk actions drop-down to appear:
2. Click "Deploy breadcrumbs" and choose your preferred deployment method (executable or native
script). If you have previously configured local admin credentials for endpoints in Settings >
Campaign and Deployment, you will see these credentials here. You can change these credentials by
clicking "Change". If you choose to change the credentials, you can save the new credentials for
further use by using the toggle button that appears. NOTE: Saving the new credentials will overwrite
the existing (previously configured) credentials for all purposes:
3. When you are ready, click “Deploy”. NOTE: Unassigned endpoints will be skipped.
To re-assign an endpoint to a different deployment group:
1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the
left of the endpoint hostname. This will cause the bulk actions drop-down to appear:
2. Click "Assign to deployment group". From the drop-down list that appears, choose the deployment
group to which you would like to assign the selected endpoint, then click "Assign":
© Cymmetria MazeRunner 2018 – Community 1.10 109 www.cymmetria.com
3. Once the action has been completed successfully, you will see a green confirmation message appear
next to the notification center at the top right-hand corner of your screen. NOTE: An endpoint and
its breadcrumbs must belong to the same deployment group. Therefore, if the endpoint you re-
assigned contains breadcrumbs from a different deployment group, your endpoint will become
inactive and you will see an error message when you expand the endpoint row. You will need to
clean the endpoint and redeploy its breadcrumbs either manually or automatically to resolve this.
To run Forensic Puller on the selected endpoints:
1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the
left of the endpoint hostname. This will cause the bulk actions drop-down to appear:
2. Click "Run Forensic Puller", and when prompted, click “Run”.
DASHBOARD
The Dashboard provides a visualization of all active deception elements (i.e., an active map of your
deception campaign). Here you can see a visualization of your deception story and deployment to endpoints,
and can filter based on date range, alert type, and event status. The Dashboard gives you a bird's-eye view of
how MazeRunner is deployed on your network. To see all events and alerts in the system you can go to the
Investigation screen.
The map displays decoys (as boxes), deployment groups (as circles), and the connections (services,
breadcrumbs, endpoints) between them. Clicking on a decoy will focus the map around it and will show
metadata about that specific decoy (name, IP address, OS, decoy status, a list of the types of services running
© Cymmetria MazeRunner 2018 – Community 1.10 110 www.cymmetria.com
on the decoy, and shortcuts to other MazeRunner screens where you can view more detailed information
related to that decoy). You can deselect a decoy by clicking anywhere outside of it.
Clicking on a deployment group will focus the map around it and will show metadata about that specific
deployment group (name, distribution of endpoints in the group by their status – Active, Inactive,
Deployment failed, and Clean, and shortcuts to other MazeRunner screens where you can view more
detailed information related to that deployment group). You can deselect a group by clicking anywhere
outside of it.
Many icons and numbers have tooltips for clarification; simply move your mouse cursor or pointer over an
icon to learn more:
The Dashboard's legend, which provides an explanation of individual features, can be accessed by clicking
the ? icon located beside the search bar on the top right-hand side of the Dashboard.
© Cymmetria MazeRunner 2018 – Community 1.10 111 www.cymmetria.com
CAMPAIGN SCREEN
The Campaign screen is where you can view your deception campaign and its details. Using the Decoys,
Services, Breadcrumbs, and Deployment Groups sub screens, you can manually create and manage your
campaign's deception elements. For more information on how to do this, see Creating a basic deception
campaign manually on page 45.
Once you have added deception elements to your campaign, you will see them visualized on the top part of
the screen:
Each decoy displays its name and operating system. On hover over the information icon (the i on the right
side of the decoy), status and IP info will also be displayed. Clicking the information icon will show detailed
information about that particular decoy, on the Decoys sub screen.
Each service displays its name and type. On hover over the information icon, the service's status will also be
displayed. Clicking the information icon will show detailed information about that particular service, on the
Services sub screen.
Each breadcrumb displays its name and type. On hover over the information icon, the breadcrumb's status
will also be displayed. Clicking the information icon will show detailed information about that particular
breadcrumb, on the Breadcrumbs sub screen.
Each deployment group displays its name and the number of active endpoints out of the total number of
endpoints assigned to that group. Notice that the deployment groups shown in the above screenshot sit
© Cymmetria MazeRunner 2018 – Community 1.10 112 www.cymmetria.com
below the rest of the deception elements; this is because no breadcrumbs have been assigned to them yet.
Once a breadcrumb is assigned to a deployment group, you will see the connection visualized along with the
other deception elements:
Color-coded lines show the various connections between deception elements. Note that each service can
only connect to one decoy, and each breadcrumb can be connected to one decoy (via multiple services).
In addition to the visualization on the top part of the screen, your deception elements will also appear on the
relevant sub screens on the bottom part of the screen. Here you can view additional details about each
deception element (status, details, connections to other deception elements, etc.) and edit each element:
The Decoys, Services, and Breadcrumbs sub screens can also be filtered to show only active or inactive
elements, using the "Showing" drop-down list located at the top left of the sub screens:
Additional information about each sub screen is explained in Creating a basic deception campaign manually
on page 45.
INVESTIGATION SCREEN
The Investigation screen is split into two sections: on the right-hand side of the screen is the Investigation
table, which shows deception campaign events (including alerts); on the left-hand side of the screen is the
attack story section, which contains a list of attack stories:
© Cymmetria MazeRunner 2018 – Community 1.10 113 www.cymmetria.com
Each time an attacker carries out an action on a decoy machine, an event is created. Not every event
warrants an alert; for example, events such as port scans and protocol connections are documented without
raising alerts. The following are examples of common types of events documented by MazeRunner (for a full
list of event types and their descriptions, see Types of events on page 119):
1. Port access – An indication that an attacker has probed a decoy.
2. Interaction event – An attacker might try to interact with one of the services on a decoy; this type of
event will notify the user of such attempts. For example, an SSH Interaction event would indicate
that an attacker tried to log into SSH.
3. Code execution – An indication that an attacker has executed a program on a decoy.
4. Unsigned code execution – An indication that an attacker has added and executed a program on a
decoy. This is different than a regular code execution, where the program is already located on the
decoy.
DON'T FORGET: You can configure which action you would like to be taken for different events on the
Alerting Policy sub screen of Settings (see page 83).
ATTACK STORY SECTION
This section is expanded by default; it can be collapsed to the left (and expanded again) using the arrow
button on the top left side of the section:
Attack stories provide detailed information (what actually happened, where, and in which order) about
events that are related to one another, in order to help you contain and remediate attacks faster and more
accurately.
© Cymmetria MazeRunner 2018 – Community 1.10 114 www.cymmetria.com
An attack story contains a list of events sharing common data; it contains general data and statistics derived
from the events. Each attack story is automatically assigned an ID by MazeRunner, and each event that
appears in the Investigation table (on the right-hand side of the Investigation screen) shows the ID of the
story it appears in.
There are two types of attack stories:
1. "Endpoint accessed a decoy" – The events that happened from a specific endpoint to a specific decoy
2. "Credentials theft detected" – All of the events regarding credential theft and usage from a specific
endpoint
NOTE: An event cannot be assigned to more than one attack story.
By default, attack stories appear collapsed in the attack stories section. The collapsed view shows Story ID,
Story type, Number of alerts and events, Most recent event, First event, Attacker IP, Attacker hostname, and
(only for "Endpoint accessed decoy" stories) Decoy name:
Clicking the Investigate button on the top right of the story will expand the story to show full details:
When an attack story is expanded, notice that the Investigation table on the right-hand side of the
Investigation screen automatically filters itself according to that story:
© Cymmetria MazeRunner 2018 – Community 1.10 115 www.cymmetria.com
Clicking the X on the left side of the blue bar will cancel the filter and will collapse the expanded story on the
left-hand side of the Investigation screen.
When an attack story is expanded, you can download a detailed report about that attack story to further
investigate events (including alerts). Simply click the download icon, select a date range, and click
"Download". See Email and reporting on page 86 for more information.
INVESTIGATION TABLE
The Investigation table shows information about events. By clicking the + icon (or clicking anywhere on the
row), you can expand each entry in the Investigation table to see more information about the event:
If you have configured custom integrations (e.g., Cuckoo) with a status of "Active – Automatic", you will see
information for relevant events in that event's expanded entry data:
© Cymmetria MazeRunner 2018 – Community 1.10 116 www.cymmetria.com
If you have configured custom integrations (e.g., Cuckoo) with a status of "Active – Manual", you can choose
to manually send that data to the integration by selecting the instance from the Send to drop-down:
While in an expanded entry, you can click “Create user rule” to create a rule that will apply to alerts that are
similar to the one you are currently viewing:
The Create user rule form that opens will auto-populate its fields based on information from the alert you
are viewing; if you wish to edit any of these fields, you can do so before clicking “Save”.
© Cymmetria MazeRunner 2018 – Community 1.10 117 www.cymmetria.com
NOTE: The Investigation table does not refresh automatically so as not to disturb users who may be browsing
the table’s content. If new events occur while a user is viewing the Investigation screen, an animated bell
icon and message will appear, next to the Refresh button at the top of the table. Clicking the message or icon
(or the Refresh button) will refresh the table:
FILTER & SORT OPTIONS
There are several filter and sort options available on the Investigation screen, for both attack stories and
events (Investigation table).
Events are classified as "Unresolved" when they first appear on the Investigation screen. You can change
them to "Resolved" after you have reviewed them and have taken all necessary actions. Resolved events can
be seen as archived; they will not appear by default unless you specifically choose to filter the Investigation
screen to show them (only unresolved content is displayed by default). You can change your Investigation
screen's filter using the drop-down list at the top of the screen, and then click "Refresh":
This filter affects both the Investigation table as well as attack stories. An attack story with all of its events
resolved will be considered resolved; otherwise the story is unresolved.
NOTE: When upgrading from a version of MazeRunner that does not support the resolved/unresolved event
state, all of the existing events will be marked as unresolved.
Attack stories section
You can use the search bar and/or filter by date range.
To filter using the search bar (will search on all story fields, not events within stories; matched strings within
a story will be highlighted):
1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter"
on your keyboard. You can search using letters and numbers.
2. To clear your filter results and return to the main screen (where all attack stories are visible), simply
delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter"
on your keyboard.
© Cymmetria MazeRunner 2018 – Community 1.10 118 www.cymmetria.com
To filter by date range (stories that have events within the range will be displayed):
1. Click on the Date Range field, choose your "from" and "to" dates, then click "Save":
2. To clear your filter results and return to the main screen (where all attack stories are visible), return
the date to the current date.
NOTE: The counters and fields in the attack stories change according to the filter (e.g., If the filter for date
range is tighter, the number of total alerts will probably be lower).
Investigation table
Using the drop-down at the top of the table, you can choose to view muted events and alerts, or alerts only.
By default, you will see muted events and alerts only.
You can also use the search bar, and/or the funnel icon to the right of certain column titles (ID, Time, Type,
Decoy name, Username, Source), and/or the arrow icon to the right of some column titles (Time).
To filter using the search bar:
1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter"
on your keyboard. You can search using letters and numbers pertaining to an event or alert.
2. To clear your filter results and return to the main screen (where all events are visible), simply delete
the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter" on
your keyboard.
To filter using the funnel icon to the right of column titles:
1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available
options, then click "Apply Filter":
© Cymmetria MazeRunner 2018 – Community 1.10 119 www.cymmetria.com
2. To clear your filter results and return to the main screen (where all endpoints are visible), click again
on the funnel icon to the right of the column title and then click "clear".
Use the arrow icons next to column titles to sort data numerically or alphabetically.
Refresh the page by using the Refresh button at the top left-hand side of the screen (this page does not
dynamically refresh).
BULK ACTIONS
By selecting the checkbox to the right of the + icon, you can take bulk actions on selected events. You can
delete an event, mark an event as Resolved or Unresolved, or run Forensic Puller on an event, using the
Action on selected alerts drop-down that appears after you select one or more checkboxes. NOTE: Events
marked as resolved will appear in the table as slightly faded, in comparison to unresolved events.
If you configured it as such on the Syslog sub screen of the Integrations screen, all alerts will go to a syslog
server that may be monitored by your SIEM (e.g., Splunk). Likewise, if you configured a different, relevant
integration (such as Cuckoo), your alerts will be sent there for processing.
To export event information in CSV format, click "Export to CSV" on the bottom left side of the screen.
That's it! You now know how to use MazeRunner's platform to create and monitor a basic deception
campaign.
We're here to help. If you have any questions, please contact us at [email protected].
TYPES OF EVENTS
MazeRunner provides the following types of events. Some events are configured to “Mute” by default;
others are configured to “Alert”. The alerting policy can be customized from Settings > Alerting policy.
Code execution
An indication that an attacker has executed a program on a decoy.
Unsigned code execution
An indication that an attacker has added and executed a program on a decoy. This is different than a regular
code execution, where the program is already located on the decoy. Currently supported on Linux decoys.
© Cymmetria MazeRunner 2018 – Community 1.10 120 www.cymmetria.com
NBNS poisoning detected
An attacker poisoned an NBNS hostname query that MazeRunner issued, either from a decoy or an
endpoint.
HoneyDoc
A HoneyDoc deployed to an endpoint was opened. IMPORTANT: This alert may be triggered even if the
HoneyDoc file is taken from the endpoint and opened in a different location.
GitLab interaction
A Git operation was carried out on a decoy running an active Git service.
Network credential interaction
Specific network credentials were used on a decoy.
Credentials stolen by attacker
MazeRunner detected use of Responder.py tool and fed the attacker deceptive credentials.
OpenVPN interaction
An OpenVPN operation was carried out on a decoy running an active OpenVPN service.
SSH interaction
Someone connected or tried to connect to a decoy running an SSH service. Other interactions, such as failed
logins, etc., might also be recorded.
HTTP request
An HTTP request was made to a decoy running a web application service.
MySQL request
A MySQL operation was carried out on a decoy running an active MySQL service.
© Cymmetria MazeRunner 2018 – Community 1.10 121 www.cymmetria.com
Port access
An indication that an attacker has probed a decoy. The alert will contain additional information about the
protocol (TCP/UDP) and the specific port access (e.g., 389). Please note that some ports are ignored by
default in order to minimize false positive alerts; you can change this policy in Settings > Alerting Policy (see
Changing alerting policy on page 83 for more information).
Share access
A file on an SMB share was accessed on a decoy running the SMB service.
Busybox Telnet authentication
An attacker connected to the Telnet port.
Busybox Telnet command execution
An attacker executed a command.
Mirai worm detected
The Mirai Worm Monitor service fingerprinted an attacker using Mirai.
Intel AMT authentication attempt
An attacker attempted to authenticate against the AMT service.
Intel AMT exploited
An attacker exploited a known AMT vulnerability to gain access to a decoy.
SMTP interaction
An attacker sent SMTP traffic to the SMTP service.
FTP interaction
There are multiple types of FTP interaction alerts:
Client connected – An attacker connected to the service
Client disconnected – An attacker disconnected from the service
User logged in – An attacker logged in to the service
User failed to log in – An attacker failed to log in to the service
User logged out – An attacker logged out from the service
© Cymmetria MazeRunner 2018 – Community 1.10 122 www.cymmetria.com
User uploaded a file – An attacker uploaded a file
User downloaded a file – An attacker downloaded a file
User deleted a file – An attacker deleted a file
User listed directory content – An attacker listed directory content
User navigated to directory – An attacker changed working directory
User created a directory – An attacker created a directory
User deleted a directory – An attacker deleted a directory
Enterprise Edition note: In addition to the above-listed event types, MazeRunner Enterprise Edition includes
the following types of events: “Unrecognized machine”, “RDP session recorded”, “RDP interaction”, and
“Stolen credentials used by attacker”.
SUPPORTED OPERATING SYSTEMS
MazeRunner Community Edition decoys and breadcrumbs currently support the following operating
systems:
Decoys
Linux (Ubuntu 14.04)
Breadcrumbs
Windows: Windows 7 up to and including Windows 10 (including Windows Server 2008 R2 and up to
Server 2016)
Linux:
o Ubuntu 12.04 and above
o CentOS, Redhat, and Debian
Mac: OS X Yosemite 10.10 and up
Enterprise Edition note: In addition to the above-listed operating systems, MazeRunner Enterprise Edition
decoys support Windows (7, Server 2008, Server 2012). Enterprise Edition also allows the use of golden
images: MazeRunner allows you to upload and set up your own Windows images as decoys (Windows 7 and
above).
© Cymmetria MazeRunner 2018 – Community 1.10 123 www.cymmetria.com
TYPES OF DECOYS
You can choose from the following two virtual machine types when manually creating a decoy in
MazeRunner:
Nested (KVM)
Cymmetria recommends using nested virtualization for your decoys (when possible), as it makes decoy
management easier and more centralized. If you choose to use nested decoys, no additional actions are
required to create or manage a decoy – simply select “Nested” from the VM type drop-down list when
creating a new decoy. NOTE: If you change MazeRunner’s IP address, you will need to recreate the decoy.
See this FAQ (page 128) for instructions on how to do so.
For information on how to create a decoy, see Creating a basic deception campaign manually on page 45.
Standalone (OVA)
If you decide to create a standalone decoy (instead of a decoy that uses nested virtualization), you will need
to download the decoy's OVA file. Do this by clicking the download icon in the Actions column on the Decoys
sub screen of the Campaign screen.
After downloading the decoy's OVA file, upload it to your chosen hypervisor. Once the file has been
uploaded to your hypervisor, make sure that you configure the virtual machine to have network access to
MazeRunner.
NOTE: If you change MazeRunner’s IP address, you will need to manually recreate the decoy. To do this, you
will need to delete the decoy and create a new one.
For information on how to create a decoy, see Creating a basic deception campaign manually on page 45.
TYPES OF SERVICES
The following is a list of services and the breadcrumb types they support:
Git
Description: Source-code management.
Supported breadcrumb type(s): Git credentials
Supported decoy type(s): Linux
© Cymmetria MazeRunner 2018 – Community 1.10 124 www.cymmetria.com
HoneyDoc
Description: Monitors the use of HoneyDoc breadcrumbs. A shared folder will be created on the decoy for
this purpose.
Supported breadcrumb type(s): HoneyDoc
Supported decoy type(s): Windows and Linux
Intel AMT – Low Interaction
Description: Mimics Intel AMT interface to catch attackers that are interacting with it.
Supported breadcrumb type(s): N/A
Supported decoy type(s): Windows and Linux
Mirai Worm Monitor
Description: Monitors for attackers who use the Mirai open source botnet in order to attack open telnet
systems.
Supported breadcrumb type(s): N/A
Supported decoy type(s): Linux
MySQL
Description: Database service.
Supported breadcrumb type(s): MySQL
Supported decoy type(s): Linux
OpenVPN
Description: Virtual private network (VPN) service.
Supported breadcrumb type(s): OpenVPN
Supported decoy type(s): Linux
SMB
Description: Creates a shared folder on the decoy.
Supported breadcrumb type(s): Credentials, Network share
Supported decoy type(s): Windows and Linux
© Cymmetria MazeRunner 2018 – Community 1.10 125 www.cymmetria.com
Responder Monitor
Description: This service can, in addition to connecting to the Responder Monitor breadcrumb, monitor for
attackers performing NBNS spoofing and using Responder.py tool directly from the decoy. The username,
domain, and password will be fed to the attacker from the decoy. Activating MazeRunner's Responder
Monitor (ActiveSOC > Responder Monitor) allows raising alerts when stolen credentials are used in the
network.
Supported breadcrumb type(s): Responder Monitor
Supported decoy type(s): Windows and Linux
SMTP – Low Interaction
Description: A low-interaction SMTP server.
Supported breadcrumb type(s): N/A
Supported decoy type(s): Windows and Linux
SSH
Description: Remote shell service.
Supported breadcrumb type(s): SSH with private key, SSH with password
Supported decoy type(s): Linux
Web Application
Description: HTTP server with a pre-set web application such as MediaWiki, SugarCRM or phpMyAdmin, or a
custom, user-controlled website.
Supported breadcrumb type(s): Cookie (only when phpMyAdmin is enabled)
Supported decoy type(s): Linux
FTP Server
Description: An empty FTP server.
Supported breadcrumb type(s): N/A
Supported decoy type(s): Windows and Linux
Enterprise Edition note: In addition to the above-listed services, MazeRunner Enterprise Edition includes an
RDP service (a remote desktop service for Windows decoys that supports RDP and Credentials breadcrumbs)
and a Network Monitor service (supports two types of alerting mechanisms: one for unrecognized machines;
one for detecting ARP poisoning around the decoy).
© Cymmetria MazeRunner 2018 – Community 1.10 126 www.cymmetria.com
TYPES OF BREADCRUMBS
The following is a list of breadcrumbs and the endpoints on which they are supported:
Cookie
Description: A Chrome browser cookie that leads to a web application service.
Supported on: Windows endpoints
Credentials
Description: Credentials are stored in the Credential Manager. These credentials can be used for
authentication with any Windows application that uses the Credential Manager.
Supported on: Windows endpoints
Git Credentials
Description: Credentials to the Git service.
Supported on: Windows, Linux, and Mac endpoints
HoneyDoc
Description: A DOCX file to be deployed on an endpoint. Opening the file will raise an alert.
Supported on: Windows endpoints
MySQL
Description: A MySQL service connection command.
Supported on: Linux and Mac endpoints
Network Share
Description: Connects the shared folder to Windows and Linux endpoints.
Supported on: Windows, Linux, and Mac endpoints
OpenVPN
Description: OpenVPN configuration files in commonly used locations.
Supported on: Windows endpoints
© Cymmetria MazeRunner 2018 – Community 1.10 127 www.cymmetria.com
Responder Monitor
Description: This breadcrumb is deployed automatically and periodically. When deployed, it identifies NBNS
spoofing and the use of Responder.py tool on the endpoint's subnet. The username, domain, and password
will be fed to the attacker from the endpoint. Activating MazeRunner's Responder Monitor (ActiveSOC >
Responder Monitor) allows raising alerts when stolen credentials are used in the network.
Supported on: Windows endpoints
SSH with password
Description: SSH connection details are stored in the Registry.
Supported on: Windows endpoints
SSH with private key
Description: An SSH connection command to the decoy is stored in the Bash history or as a command alias.
Supported on: Linux and Mac endpoints
Enterprise Edition note: In addition to the above-listed breadcrumb types, MazeRunner Enterprise Edition
includes an RDP breadcrumb that is supported on Windows endpoints.
© Cymmetria MazeRunner 2018 – Community 1.10 128 www.cymmetria.com
FAQ/TROUBLESHOOTING
This section contains known issues that customers have encountered during MazeRunner installation, setup,
and use.
DECOYS NOT WORKING
Q: My decoys aren't working. What's wrong?
A: Decoys sometimes get stuck in booting or configuring status. This can be caused by various issues (e.g.,
your MazeRunner IP address has been changed). To rectify this issue, go to the Decoys sub screen of the
Campaign screen and click the Recreate icon (located in the Actions column on the right-hand side of the
screen):
This will delete your decoy and recreate it, exactly as it was (i.e., you will not lose any current connections to
services and breadcrumbs).
If this does not solve the problem, please verify that your virtual appliance meets the minimum
requirements for running MazeRunner (check requirements on page 2). Pay particular attention to the
amount of RAM required per decoy.
If you have already tried recreating your decoys and are sure that your virtual appliance meets the minimum
requirements for running MazeRunner, yet the problem persists, please contact Cymmetria support so that
we can investigate the issue.
PROBLEM RESOLVING ENDPOINT NAME
Q: When testing the connection to an endpoint prior to automated deployment, I received the message
"Could not resolve endpoint name".
A: Follow these two steps:
1. Please verify that you are providing the full hostname of the endpoint, including the domain. For
example, "myendpoint.mydomain.local" vs. "myendpoint".
2. Please verify that the endpoint hostname you are providing is listed in your DNS server, or
alternatively that you correctly configured the DNS server during MazeRunner network configuration
(see page 63 for more information).
© Cymmetria MazeRunner 2018 – Community 1.10 129 www.cymmetria.com
NESTED VIRTUALIZATION SUPPORT
Q: Why do I see a "Nested Virtualization not supported" message under "Status" on the Decoys tab of the
Campaign screen?
A: This message indicates that you did not enable support of virtualization (this support is not always turned
on by default in a VMware environment). See environment-specific instructions for enabling nested
virtualization on VMware Player (page 33), VMware Workstation (page 33), VMware ESXi (page 15) or KVM
(page 33).
DEPLOYING BREADCRUMBS AUTOMATICALLY TO LINUX MACHINES
Q: How do I deploy breadcrumbs automatically to Linux machines?
A: You can use the MazeRunner API. Cymmetria's Python SDK also has a fully functional sample script that
deploys remotely to Linux machines, which you can use as is or extend to fit your purposes.
Additionally, in various cloud environments, some users prefer to install breadcrumbs on the base image
that will be cloned by the load-balancer.
ARCSIGHT CEF
Q: Do you support ArcSight CEF syslog format?
A: Yes, MazeRunner supports the use of Common Event Format (CEF) for syslog. This can be enabled on the
Integrations screen. See Syslog on page 100 for more details.
SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS
Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link.
A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then
be able to deploy breadcrumbs. See Creating a basic deception campaign manually on page 45 for
instructions on adding, connecting, and activating breadcrumbs, services, and decoys.
© Cymmetria MazeRunner 2018 – Community 1.10 130 www.cymmetria.com
CREATING USERS
Q: How do I add a user to a service when creating my campaign?
A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need
to enter a username and password when creating the corresponding breadcrumb (you can also choose to
randomize credentials from Cymmetria's breadcrumb pool):
You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy.
See Creating a basic deception campaign manually on page 45 for instructions on adding, connecting, and
activating breadcrumbs, services, and decoys.
USERS AFFECTED DURING BREADCRUMB DEPLOYMENT
Q: When deploying breadcrumbs to an endpoint, which users are affected?
A: Some breadcrumbs allow you to explicitly control which users are affected; however, most Windows
endpoint breadcrumbs will install to the users that are logged in when the breadcrumbs were deployed. A
notable exception is the persistent network share breadcrumb, which is installed for all Windows users.
CLEARING UP HARD DRIVE SPACE
Q: What happens when I delete an event from MazeRunner?
A: Deleting an event will remove all of the event's associated data. This is particularly important to consider for events that have large attachments, such as "Code execution" events.
© Cymmetria MazeRunner 2018 – Community 1.10 131 www.cymmetria.com
RUNNING INTERNET-FACING DECOYS
Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys?
A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a
large amount of alerts (that are generally not high-interest alerts). The best way to use MazeRunner is to run
decoys inside of your organizational network. If however, you decide to run Internet-facing decoys, we
recommend you change your alerting policy to generate alerts only on critical events (such as code
execution), and to "ignore" others.
To set your alerting policy to ignore less-critical alerts, navigate to Settings > Alerting Policy and you will see
a "System-wide rules" section. In the Action on event column, select "Ignore" from the drop-down options:
PROBLEMS DURING OVA IMPORT
Q: I received a warning during OVA import saying that the OVA file did not pass OVF specification
conformance or virtual hardware compliance checks.
A: We are aware of this warning, and it is safe to click "Retry" and import the OVA file as is.
MAZERUNNER STORAGE ALLOCATION
Q: How much storage space is used for MazeRunner operation?
A: Only half of the storage allocated for the MazeRunner VM is made available for MazeRunner operation
(the other half is used for updating MazeRunner).
© Cymmetria MazeRunner 2018 – Community 1.10 132 www.cymmetria.com
CREATING A WEB APPLICATION SERVICE
Q: Can I create a service using my own web application?
A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web
application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpMyAdmin. To add a web
application, follow these steps:
1. Create a ZIP file of your web application.
2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Create service".
3. Choose "Web application" from the Service type drop-down list.
4. Upload your own ZIP file by clicking "Choose File", then click "Save".
You have now created a new service using your own web application. For information on how to connect
this service to a decoy, and how to add breadcrumbs, see Creating a basic deception campaign manually on
page 45.
PROBLEMS DEPLOYING AN OVA DECOY ON ESXI
Q: I receive an error message when trying to deploy an OVA decoy on ESXi.
A: You may be using an older version of ESXi. MazeRunner OVA decoys are compatible with ESXi version 5.1
and higher, so if you are using an older version, you will need to update your ESXi.
CREATING A GIT SERVICE
Q: Can I create a Git repository service?
A: Yes. You can create a Git source code repository with GitLab web UI. This can be done by adding a Git
service to your campaign. To add a Git service, follow these steps:
1. Create a ZIP file to house your repository files. MazeRunner will accept a ZIP file for your Git service
in one of two formats:
a. ZIP file – all the files in the ZIP folder will be committed as an initial commit and load to the
remote Git service.
b. ZIP file with a Git folder – the folder will load as a repository, including commit history, to the
Git service. NOTE: The Git folder must be on the root ZIP hierarchy.
© Cymmetria MazeRunner 2018 – Community 1.10 133 www.cymmetria.com
2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Create service".
3. Choose "Git" from the Service type drop-down list.
4. Upload your ZIP file by clicking "Choose File", then click "Save".
You have now created a new Git service. For information on how to connect this service to a decoy, and how
to add breadcrumbs, see Creating a basic deception campaign manually on page 45.
AUTOMATIC DEPLOYMENT TO ENDPOINTS FAILED
Deployment to endpoints can fail for various reasons. See below an explanation of the error messages you
might have received, and instructions on how to solve the problem.
ERROR: COULD NOT RESOLVE HOSTNAME
Q: I received the error message "Could not resolve hostname". What does this mean?
A: MazeRunner was not able to resolve the hostname of the endpoint to which you are trying to deploy.
Please make sure that your DNS server is configured correctly and that the endpoint's hostname has not
changed.
ERROR: INCORRECT CREDENTIALS
Q: I received the error message "Incorrect credentials ". What does this mean?
A: MazeRunner failed to log in to the endpoint using the credentials supplied by the user. Please make sure
that the credentials are valid and that they belong to an admin account (this can be the local admin on the
endpoint).
ERROR: SMB TCP PORTS (139, 445) ARE UNREACHABLE
Q: I received the error message "SMB TCP ports (139, 445) are unreachable". What does this mean?
A: MazeRunner failed to connect to the endpoints via the standard SMB ports. Please make sure that your
firewall allows connecting to these ports (either your organization's firewall or the endpoint's local firewall),
and that the endpoint accepts connection via these ports (this can be checked using the PsExec tool from the
Sysinternals Suite).
ERROR: DEPLOYMENT TIMEOUT
Q: I received the error message "Deployment timeout". What does this mean?
A: MazeRunner failed to complete the breadcrumb deployment within a reasonable time limit. This error
usually indicates that the first connection to the endpoint succeeded, but the endpoint lost connectivity
(either due to the endpoint shutting down/rebooting or some network malfunction). Please try to deploy
again.
© Cymmetria MazeRunner 2018 – Community 1.10 134 www.cymmetria.com
ERROR: INVALID CONFIGURATION FOR DEPLOYMENT
Q: I received the error message "Invalid configuration for deployment". What does this mean?
A: MazeRunner did not have all of the necessary parameters for deployment. Please review your
deployment configuration (see this section on page 56 for more information).
ERROR: DEPLOYMENT FAILED
Q: I received the error message "Deployment failed". What does this mean?
A: MazeRunner failed to deploy to the endpoint due to one of the following reasons:
1. MazeRunner failed to install its deployment service. Please make sure that you do not have a policy
or software running on the endpoint that blocks MazeRunner's service installation.
2. MazeRunner failed to clean the endpoint of all previous breadcrumbs. Trying to clean an endpoint
without ever installing a breadcrumb on it will cause this error.
3. MazeRunner encountered an internal error. Please consult with Cymmetria for further
troubleshooting.
ERROR: NO ACTIVE DEPLOYMENT GROUP FOUND
Q: I received the error message "No active deployment group found". What does this mean?
A: MazeRunner could not deploy the selected breadcrumbs because the deployment group is not active.
Please make sure that all of your decoys, services, and breadcrumbs are active.
ERROR: NO BREADCRUMBS SUPPORTED ON THE ENDPOINT'S OPERATING SYSTEM WERE
FOUND IN THE DEPLOYMENT GROUP
Q: I received the error message "No breadcrumbs supported on the endpoint's operating system were
found in the deployment group". What does this mean?
A: MazeRunner could not deploy to the endpoint because none of the breadcrumbs found in the
deployment group are supported on the selected endpoint's operating system. You can either re-assign the
endpoint to a different deployment group that includes breadcrumbs supported on its operating system, or
add breadcrumbs that are supported on the endpoint's operating system to the current deployment group.