MazeRunner User Guide for Community 1 - Cymmetria · © Cymmetria MazeRunner 2018 – Community 1.10 2 Supported environments (all must have nested virtualization enabled – follow

January 30, 2018

Cymmetria MazeRunner

COMMUNITY EDITION

USER GUIDE

© Cymmetria MazeRunner 2018 – Community 1.10 2 www.cymmetria.com

Supported environments (all must have nested virtualization enabled – follow the links below to learn more)

VMware Player (7 or higher) – on page 33

VMware Workstation (11 or higher) – on page 33

ESXi server (5.1 or higher) – on page 15

KVM hypervisor – on page 33

OpenStack

Not supported: VirtualBox, Microsoft Hyper-V, Xen

Requirements

Minimum requirements for installation:

500GB minimum storage

4GB of RAM (add 2GB for each additional nested decoy)

2 x CPU @ 2 GHz (add another CPU core for each additional nested decoy)

VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM

hypervisor, with nested virtualization enabled

Additional requirements

Nested virtualization

Promiscuous mode

For deployment automation:

o Read-only domain user for importing endpoints from Active Directory

o Local admin user on endpoints –OR– orchestration tool able to run EXE, MSI or shell scripts

Quick start

1. First choose which hypervisor you will use to run your MazeRunner™ virtual machine. Cymmetria®

suggests using a VMware Player hypervisor, as this is the most straightforward option and involves

the least number of steps (it is also free). Other hypervisors are supported as well.

2. Enable nested virtualization on your hypervisor. Please refer to Installation and setup on page 9 for

more information.

3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to

MazeRunner network configuration on page 63.

4. Use MazeRunner's Deception story wizard to create a deception campaign. Using MazeRunner on

page 36 will walk you through all aspects of product usage.

5. On the Endpoints screen, you can import endpoints to MazeRunner from Active Directory or CIDR

blocks, and then deploy breadcrumbs to them. See Importing endpoints on page 49 and Deploying

breadcrumbs on page 56 for details on how to do this.

6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the

Dashboard and the Investigation screen for alerts on attackers accessing your decoys.

7. If you encounter any difficulties while working through this guide, please refer to

FAQ/Troubleshooting on page 128 for help.


CONTENTS

Introduction – What is MazeRunner? ................................................................................................................................... 7

Legal notices ..................................................................................................................................................................... 7

How is the Community Edition different from the Enterprise Edition? ............................................................................ 7

Installation and setup ........................................................................................................................................................... 9

BIOS setup ......................................................................................................................................................................... 9

DELL PowerEdge server ................................................................................................................................................ 9

Mac machine................................................................................................................................................................. 9

Lenovo ThinkPad ......................................................................................................................................................... 10

Virtual appliance (VMware Player) ................................................................................................................................. 10

Virtual appliance (VMware Workstation) ....................................................................................................................... 12

Virtual appliance (VMware ESXi) .................................................................................................................................... 15

Enabling nested virtualization using vCenter .............................................................................................................. 24

Enabling nested virtualization using VMware Workstation (version 11 and up)........................................................ 27

Enabling nested virtualization using SSH .................................................................................................................... 28

Powering on your virtual machine .............................................................................................................................. 31

Virtual appliance (KVM) .................................................................................................................................................. 33

Using MazeRunner .............................................................................................................................................................. 36

First use ........................................................................................................................................................................... 36

Creating a deception campaign ...................................................................................................................................... 41

Creating a deception campaign (using the Deception story wizard) .......................................................................... 42

Creating a basic deception campaign manually.......................................................................................................... 45

Importing endpoints ....................................................................................................................................................... 49

Importing endpoints from Active Directory ................................................................................................................ 49

Importing endpoints from CIDR blocks ....................................................................................................................... 53

Importing endpoints from a file .................................................................................................................................. 55

Post-import ................................................................................................................................................................. 55

Deploying breadcrumbs .................................................................................................................................................. 56

Deploying breadcrumbs from the Endpoints screen .................................................................................................. 56

Deploying breadcrumbs from the Campaign screen .................................................................................................. 59

Periodic breadcrumb deployment & campaign refresh ................................................................................................. 60

Integrating with a syslog/SIEM ....................................................................................................................................... 62

Advanced usage .................................................................................................................................................................. 63

MazeRunner network configuration ............................................................................................................................... 63


Static IP ....................................................................................................................................................................... 63

VLAN support .............................................................................................................................................................. 64

Non-promiscuous mode ............................................................................................................................................. 65

SSL certificate .............................................................................................................................................................. 66

Forensic Puller ................................................................................................................................................................ 67

Relay – Enterprise Edition only ....................................................................................................................................... 68

Dashboard in Relay mode ........................................................................................................................................... 71

Investigation screen in Relay mode ............................................................................................................................ 71

Automatic Hackback – Enterprise Edition only ............................................................................................................... 72

ActiveSOC – Enterprise Edition only ............................................................................................................................... 74

ActiveSOC and Responder Monitor activity feed........................................................................................................ 74

SOC interfaces ............................................................................................................................................................. 75

ActiveSOC .................................................................................................................................................................... 76

Responder Monitor ..................................................................................................................................................... 78

Changing alerting policy .................................................................................................................................................. 83

Product reference ............................................................................................................................................................... 85

Product interface ............................................................................................................................................................ 85

Settings ........................................................................................................................................................................... 85

General ....................................................................................................................................................................... 85

Email and reporting .................................................................................................................................................... 86

Networking ................................................................................................................................................................. 87

Access control ............................................................................................................................................................. 87

Alerting policy ............................................................................................................................................................. 88

Campaign and deployment ......................................................................................................................................... 88

Custom services – Enterprise Edition only .................................................................................................................. 88

Golden images – Enterprise Edition only .................................................................................................................... 89

Active Directory .......................................................................................................................................................... 90

Relay – Enterprise Edition only ................................................................................................................................... 90

SSL certificate .............................................................................................................................................................. 90

API keys ....................................................................................................................................................................... 90

User management ...................................................................................................................................................... 91

Diagnostics .................................................................................................................................................................. 93

Task manager .................................................................................................................................................................. 93

Notification center .......................................................................................................................................................... 94

Stability alert emails ................................................................................................................................................... 94


Deception story wizard ................................................................................................................................................... 95

User menu....................................................................................................................................................................... 95

Change password ........................................................................................................................................................ 95

System update ............................................................................................................................................................ 95

Send logs to Cymmetria .............................................................................................................................................. 96

Help features .................................................................................................................................................................. 97

Help icon ..................................................................................................................................................................... 97

Deception element descriptions ................................................................................................................................. 97

Tooltips ....................................................................................................................................................................... 98

Integrations ..................................................................................................................................................................... 98

Cuckoo sandbox .......................................................................................................................................................... 98

IBM BigFix ................................................................................................................................................................... 99

SCCM ........................................................................................................................................................................... 99

Tanium ........................................................................................................................................................................ 99

McAfee ePO ................................................................................................................................................................ 99

AWS............................................................................................................................................................................. 99

Syslog ........................................................................................................................................................................ 100

ThreatConnect .......................................................................................................................................................... 100

Phantom ................................................................................................................................................................... 104

Chef ........................................................................................................................................................................... 104

Endpoints screen .......................................................................................................................................................... 105

Filter & sort options .................................................................................................................................................. 106

Bulk actions ............................................................................................................................................................... 107

Dashboard ..................................................................................................................................................................... 109

Campaign screen ........................................................................................................................................................... 111

Investigation screen ...................................................................................................................................................... 112

Attack story section .................................................................................................................................................. 113

Investigation table .................................................................................................................................................... 115

Filter & sort options .................................................................................................................................................. 117

Bulk actions ............................................................................................................................................................... 119

Types of events ............................................................................................................................................................. 119

Supported operating systems ....................................................................................................................................... 122

Types of decoys ............................................................................................................................................................. 123

Types of services ........................................................................................................................................................... 123

Types of breadcrumbs .................................................................................................................................................. 126


FAQ/Troubleshooting ....................................................................................................................................................... 128

Decoys not working ...................................................................................................................................................... 128

Problem resolving endpoint name ............................................................................................................................... 128

Nested virtualization support ....................................................................................................................................... 129

Deploying breadcrumbs automatically to Linux machines ........................................................................................... 129

ArcSight CEF .................................................................................................................................................................. 129

Service is inactive/unable to deploy breadcrumbs ....................................................................................................... 129

Creating users ............................................................................................................................................................... 130

Users affected during breadcrumb deployment .......................................................................................................... 130

Clearing up hard drive space ........................................................................................................................................ 130

Running Internet-facing decoys .................................................................................................................................... 131

Problems during OVA import ........................................................................................................................................ 131

MazeRunner storage allocation .................................................................................................................................... 131

Creating a web application service ............................................................................................................................... 132

Problems deploying an OVA decoy on ESXi .................................................................................................................. 132

Creating a Git service .................................................................................................................................................... 132

Automatic deployment to endpoints failed .................................................................................................................. 133

Error: Could not resolve hostname ........................................................................................................................... 133

Error: Incorrect credentials ....................................................................................................................................... 133

Error: SMB TCP ports (139, 445) are unreachable .................................................................................................... 133

Error: Deployment timeout ...................................................................................................................................... 133

Error: Invalid configuration for deployment ............................................................................................................. 134

Error: Deployment failed .......................................................................................................................................... 134

Error: No active deployment group found ................................................................................................................ 134

Error: No breadcrumbs supported on the endpoint's operating system were found in the deployment group ..... 134


INTRODUCTION – WHAT IS MAZERUNNER?

MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will

first collect information on their next targets. At that time, they will find breadcrumbs deployed by

MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that

they have successfully gained access to a target machine. Having gained a false sense of security, attackers

reveal their attack tools and methods, which defenders are then able to document and analyze.

Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat

information that allows for the creation of attack signatures.

For a more detailed overview of MazeRunner, please read our product whitepaper, which can be

downloaded for free from our website.

LEGAL NOTICES

Thank you for your interest in the free MazeRunner Community Edition!

If you are installing MazeRunner Community Edition for your own private use in a non-commercial

and non-production environment, you are not limited in the amount of decoys and endpoints you

may deploy.

If you are installing MazeRunner Community Edition on behalf of an Organization, you may use the

product solely for internal testing and evaluation of the Software and its performance in a non-

production environment. The software is not limited to any number of decoys and endpoints for the

first 30 days, but its use is limited to 1 decoy and 10 endpoints following this 30-day period.

Please consult the full text of the license for additional details, as the full terms of the license govern. For

more information or to provide feedback, please contact [email protected] or visit our website.

HOW IS THE COMMUNITY EDITION DIFFERENT FROM THE ENTERPRISE EDITION?

Cymmetria supports the cybersecurity community it calls home and believes strongly in giving back to that

community. This is why we decided to release a free Community Edition of our enterprise software platform.

The MazeRunner Community Edition is publicly available for private initiatives and research endeavors at no

cost or commitment to purchase. The platform is fully customizable and integrates seamlessly with existing

IT and security tools, allowing users to implement deception elements across the network. It is flexible and

does not burden existing organizational systems.

http://l.cymmetria.com/mazerunner-product-whitepaper

https://cymmetria.com/legal/1.10.0/eula/license

mailto:[email protected]

https://community.cymmetria.com/feedback


Community Enterprise

Linux decoys

Windows decoys ×

User-provided decoy image (golden image) ×

Linux breadcrumbs

Windows breadcrumbs

Mac OS X breadcrumbs

Deception stories using business cases

Commercial use First 30 days only*

Large-scale deployment support ×

API

Remote deployment to endpoints through MazeRunner

Deception campaign auto-regeneration

Alerting through syslog and email

STIX/TAXII integration

Domain integration

Cuckoo sandbox integration

Alerting when attacker steals credentials using Responder.py

Alerting of attempts to use deceptive credentials obtained using Responder.py

×

Forensic Puller ×

Automatic Hackback ×

ActiveSOC™ ×

Remote Desktop session video recording ×

Security visualization

Attack stories for event investigation and reporting

Relay architecture for integrating multiple instances of MazeRunner

×

Custom service support ×

Get MazeRunner Download machine Contact us

*See Legal notices on page 7.

https://community.cymmetria.com/



INSTALLATION AND SETUP

This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It

includes information on MazeRunner's platform and deployment.

The installation and setup process includes two main steps:

1. Enable nested virtualization in the BIOS*

2. Hypervisor installation and setup

*Not all machines are configured to support nested virtualization by default. Even if your hypervisor

supports nested virtualization, your host machine (i.e., laptop or server) may not support it. In that case, you

will need to enable nested virtualization from the BIOS.

BIOS SETUP

To begin, you must enable nested virtualization in the BIOS of your hardware. To do so, follow these steps:

1. Restart your computer. During startup, follow the screen prompt to enter the BIOS (this is typically

achieved by pressing F1, Enter, Delete, etc.).

2. Find the virtualization feature, select it, and make sure it is enabled.

3. Save your changes and exit the BIOS. Your computer will automatically reboot.

Each manufacturer has its own BIOS interface. We have included some examples below.

DELL POWEREDGE SERVER

To enable virtualization, follow these steps:

1. Press F2 to open the boot menu. 2. Use the up and down arrows to select "BIOS", and then press Enter. 3. Use the up and down arrows to select "Processor Settings", and then press Enter. 4. Use the up and down arrows to select "Virtualization Technology", and then use the left and right

arrows to enable the feature. 5. Press Esc three times to exit the submenus, and then press Enter to confirm saving changes.

MAC MACHINE

Generally, Mac machines have virtualization enabled by default. If for some reason MazeRunner notifies you that nested virtualization is not supported, then you will need to install Apple updates.


LENOVO THINKPAD

To enable virtualization, follow these steps:

1. Click Enter to open the boot menu, and then F1 to open the BIOS.

2. Use the left and right arrows to select the Security tab.

3. Use the up and down arrows to select "Virtualization", and then press Enter.

4. Use the up and down arrows to select "Intel (R) Virtualization Technology", and then the +/- keys to

enable it.

5. Press F10 to save and exit.

VIRTUAL APPLIANCE (VMWARE PLAYER)

To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in

which the MazeRunner OVA file is stored and proceed according to the following instructions:

1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple

hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open

with", and then select "VMware Player"). You will need to provide a name and local storage path for

the new virtual machine, and then click "Import":

2. Before powering on your new virtual machine, you must enable nested virtualization support in

order to run MazeRunner with nested decoys. To do this:

a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":


b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI"

and "Virtualize CPU performance counters" boxes are checked, then click "OK":

c. Nested virtualization is now enabled.

3. Now you can power on your virtual machine by clicking "Play virtual machine":


4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the

console:

Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change

MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page

63 of this guide.

Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this

guide, on page 36.

VIRTUAL APPLIANCE (VMWARE WORKSTATION)

To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the

directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:

1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to

provide a name and local storage path for the new virtual machine, and then click "Import":


2. Before powering on your new virtual machine, you must enable nested virtualization support in

order to run MazeRunner with nested decoys. To do this:

a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":

b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI"

and "Virtualize CPU performance counters" boxes are checked, then click "OK":


c. Nested virtualization is now enabled.

3. Now you can power on your virtual machine by clicking "Power on this virtual machine":

4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the

console:






63 of this guide.


guide, on page 36.

VIRTUAL APPLIANCE (VMWARE ESXI)

To begin, open your vSphere Client and connect to your ESXi server by entering your username and

password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA

file supplied.

Move through the stages of deploying the OVF Template:

1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner").

2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template.

3. Select a destination for storing the virtual machine files.

4. Use the default values that appear in the Disk Format section.

5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and

finish the virtual machine creation:


After your virtual machine has finished being deployed (this will take some time), select your virtual machine

from the sidebar on the left-hand side of the screen, then navigate to Home > Inventory > Hosts and

Clusters:

Now you will need to configure the network. Decoys can connect to the MazeRunner network in two ways:

using promiscuous mode or without using promiscuous mode. Cymmetria recommends running

MazeRunner in promiscuous mode, as it greatly simplifies decoy usage and system setup. It is possible to use

MazeRunner in non-promiscuous mode, but it will take more time and effort, and more issues may arise

during campaign creation.


Using MazeRunner with promiscuous mode

Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to

the left:

To make the nested virtual machines accessible from the network, enable promiscuous mode for the Virtual

Machine Port Group, where your virtual machine is connected (in our example, “Maze”). To do this, go to

“Properties”, select your virtual machine's port group, and then click “Edit”:

Go to the Security tab and make sure both “Promiscuous Mode” and “Forged Transmits” are enabled

("Accept"). Click "OK":


Why do we need promiscuous mode and forged transmits? In order for the nested virtual machines to

receive data packets, we need to enable these functions. If you do not enable promiscuous mode and forged

transmits, you will need to use MazeRunner in non-promiscuous mode, which requires defining a network

interface for each decoy.

Using MazeRunner without promiscuous mode

Make sure your virtual machine is turned off, then right-click on your virtual machine and select "Edit

Settings…":


Each decoy needs its own interface. For each decoy you would like to set up on MazeRunner, follow these

steps:

1. On the Hardware tab, click "Add…":

2. Choose "Ethernet Adapter" as the device type you would like to add to your virtual machine, then

click "Next":


3. Choose your network connection from the drop-down list, then click "Next":

4. Review the options you selected and click "Finish" to add the hardware:


5. You will now see the hardware you added on the Hardware tab. Click "OK" to finish:

NOTE: You will also need to enable non-promiscuous mode within MazeRunner; see Non-promiscuous mode

on page 65 for more information.

Now you can configure VLAN support, if you wish to do so. Later, you will also need to configure VLAN

support within MazeRunner; see VLAN support on page 64 for more information.

To configure VLAN support, you need to make sure that your port group is configured to accept VLAN

tagging. Follow these steps:

1. In your vSphere control panel, access the Properties menu of the switch to which MazeRunner is

connected by navigating to Configuration > Networking > Properties…:


2. Under the Ports tab, select the appropriate switch name and click "Edit…":

3. Under the General tab, select "All (4095)" as the VLAN ID:


4. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under

the Status area in Configuration > Networking > Properties > Network Adapters:

Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There

are three common methods used to enable nested virtualization in ESXi products:

1. using vCenter

2. using VMware Workstation

3. using SSH

To find out which of these three methods you will need to use, you must look at which VMware hypervisor

you are running. To do this, open vSphere Client and go to Help > About VMware vSphere:


If you see the following pop-up window, it means you are using vCenter:

If you see the following pop-up window, it means you are using ESXi:

If you are using vCenter, see the instructions provided in the section entitled Enabling nested virtualization

using vCenter, below. If you are using ESXi, you have two options for enabling nested virtualization: via

VMware Workstation or SSH (see the relevant sections on page 27 and 28 of this guide).

ENABLING NESTED VIRTUALIZATION USING VCENTER

The following steps will guide you through enabling nested virtualization using vCenter.

1. Open vSphere Web Client in your web browser by navigating to the IP address of your vCenter server

(using HTTPS), and log in with the same credentials you used to log in to your vSphere client:


2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home

menu:

3. Right-click on your virtual machine and select "Edit Settings…":


4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters

checkboxes, and click "OK":

Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this

guide, on page 31.


ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP)

The following steps will guide you through enabling nested virtualization using VMware Workstation (version

11 and up).

1. Open VMware Workstation and navigate to File > Connect to Server…:

2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine.

Make sure the virtual machine is turned off, and then right-click on it and select "Settings…" (you

may have to double-click on your virtual machine name before right-clicking):

3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and

"Virtualize CPU performance counters" boxes are checked, then click "OK":



guide, on page 31.

ENABLING NESTED VIRTUALIZATION USING SSH

The following steps will guide you through enabling nested virtualization using SSH.

1. In your vSphere client, under the Configuration tab, choose "Security Profile" from the Software box

on the bottom left of the screen, and then click "Properties":

2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options → Start →

OK:


3. Follow the same steps to enable the SSH service:

4. Once finished, click "OK".


5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials.

To do this:

a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console:

b. In the SSH console, enter your username and password. Your shell should look like this:

6. Navigate to the MazeRunner virtual machine directory, located in

/vmfs/volumes/<datastore_name>/<virtual_machine_name>/. For example:


7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit

the .vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags

to the end of the file:

vhv.enable = "TRUE"

vpmc.enable = "TRUE”


guide, below.

POWERING ON YOUR VIRTUAL MACHINE

Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open

vSphere Client and navigate to Home > Inventory > VMs and Templates:

Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine":


Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its

assigned IP address displayed on the console:





63 of this guide.


guide, on page 36.


VIRTUAL APPLIANCE (KVM)

To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2

format), and proceed according to the following instructions:

1. Enable promiscuous mode – Check if promiscuous mode is enabled on the network interface to

which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled,

you can skip to step 3 of this section now):

a. Run the command 'netstat -i'.

b. If the network interface to which you are going to connect the virtual machine bridge has 'P'

in its flag (as shown in Figure A), promiscuous mode is already enabled and you can skip to

step 3 of this section now:

Figure A. netstat -i command output with promiscuous mode off/on.

2. If promiscuous mode is off, you will need to enable it according to the following instructions

(depending on which OS you are using). To enable promiscuous mode:

a. On Red Hat/CentOs:

i. Open /etc/sysconfig/network-scripts/ifcfg-X (replace X with the name of the network

interface to which MazeRunner's virtual machine bridge will be connected).

ii. Add the line 'PROMISC=yes' to the end of the file.

b. On Ubuntu/Debian:

i. Open the "interfaces" file located in /etc/network.

ii. Add the following lines under the configuration for the network interface to which

MazeRunner's virtual machine bridge will be connected:

up ifconfig $IFACE up

up ip link set $IFACE promisc on

down ip link set $IFACE promisc off

down ifconfig $IFACE down


3. Import the MazeRunner image (DSK file) using the following command (run as root):

virt-install -n <name> -r <amount_of_RAM> --os-type=linux --os-variant= ubuntu14.04 --disk

MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc --

noautoconsole --import --cpu=host

For example:

virt-install -n MazeRunner -r 16384 --os-type=linux --os-variant=ubuntu14.04 --disk

MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import --

cpu=host

*NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was

"ubuntutrusty". You can check the available variants on your system using the command 'osinfo-

query os'.

Parameters Detailed:

-n [an internal name for your virtual machine]

-r [the amount of RAM, in MB, for your virtual machine]

--os-type [the type of OS – Linux or Windows]

--os-variant [the distribution or version – for a full list, run command 'man virt-

install']

--disk [specifies media to use as storage for the guest, with various options]

-w [the network configuration]

--vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or

virt-manager to see the desktop]

--noautoconsole [configures the installer to NOT automatically try to open virt-

viewer to view the console in order to complete the installation – this is helpful

if you are working on a remote system through SSH]

4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do

this in our example):

a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual

machine in step 3:


b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it

finishes booting, you will see its assigned IP address displayed on the console:

c. Save this IP address; you will need to use it in subsequent sections of this guide.




63 of this guide.


guide, on page 36.


USING MAZERUNNER

Congratulations! You have completed the installation and setup of your MazeRunner appliance. You are now

ready to start using the MazeRunner platform. Use the information in the following sections to get

acquainted with, and start using, MazeRunner.

FIRST USE

Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your

MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use

this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for

example, https://<IP_address>). You will be taken to MazeRunner's signup screen:

Proceed according to the following instructions in order to complete initial signup:

1. Enter your email address and the activation key you received from Cymmetria (if you have not

received an activation key, contact [email protected]):



2. Choose an admin password, and a password for usern (usern is a network configuration user that is

used for accessing the Cymmetria management server; please assign usern a password that is

different from your admin password):

3. System time zone is automatically set to UTC; you may change this by selecting a different time zone

from the drop-down list. You can also set the HTTP proxy server (and set the credentials you would

like to use for proxy authentication, if you wish to authenticate using credentials) and NTP server:

4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will

need to agree to the terms of both in order to continue (optional – Choose to share intelligence from

your MazeRunner instance back with the community; this will help us fix issues and generally

improve the product. If you have any questions about this, please contact Cymmetria at

[email protected]):

5. Click "Continue" to proceed to the second screen. Here, choose from one of the three configuration

options available, then click "Continue":

https://www.cymmetria.com/legal/1.10.0/eula/license

https://www.cymmetria.com/legal/1.10.0/eula/privacy-policy



NOTE: If you choose "Enable decoy VLAN support", you will need to select a VLAN trunk interface

and then click "Add VLAN". A pop-up window will appear and you will need to create a VLAN entry.

See step 4 of VLAN Support in the MazeRunner Network Configuration section of this guide (page 64)

for further instructions on how to do this:

6. On the next screen you will see MazeRunner diagnostics running. If the diagnostic tests finish

successfully, you will see a green check mark next to each test. You can then click the "Launch

MazeRunner" button to finish setup and launch MazeRunner:


a. If a test was unsuccessful, you will see a red X and an error message with further

instructions on how to proceed. After resolving the issue (if you choose to do so), click

the "Run MazeRunner diagnostics" button to re-run the tests:

NOTE: You can choose to ignore failed tests and launch MazeRunner by clicking the

"Skip and launch MazeRunner" button.

b. If at any time you would like to go back to the previous screen to change your

configuration choice, simply click the "Review configuration" button at the bottom right

of the screen (you will then need to run diagnostics again in order to complete the

setup).

Once finished, you will be redirected to MazeRunner's Configuration wizard. Please read the notice that

appears on your screen, and consult the full terms of the license. You will need to click "Agree" to continue:

After clicking “Agree” you will find yourself in the MazeRunner Configuration Wizard:

https://www.cymmetria.com/legal/1.10.0/eula/license


Here you can configure key features of MazeRunner (available for admin users only— see Role-based access

control on page 92 for more information about user roles). You can choose to configure these features now

(recommended), or return to configure them at any time by navigating to Settings from the main

MazeRunner UI and clicking the Configuration wizard button. If you would like to skip this initial

configuration, simply click the gray X located in the top right-hand corner of the screen, and you will be

redirected to the Deception story wizard.

Some notes about the Configuration wizard:

Settings you define and changes you make while using the Configuration wizard are only saved when

you click “Finish” in the final stage of the wizard (even if individual forms are validated, the data is

not saved and the settings do not actually change until this is done)

Note that if you do not complete the Local admin credentials stage, the wizard will skip over the

Endpoint Forensic Puller stage and the Periodic deployment stage (since these configurations require

that local admin credentials already be configured)

You will find details and instructions for each stage of the wizard along the way. For more detailed

information about the key features included in MazeRunner’s Configuration wizard, see the individual

sections of this user guide:

1. Email and reporting (page 86)

2. Active Directory source (page 90)

3. Local admin credentials (page 88)

4. Endpoint Forensic Puller (page 67)

5. Periodic deployment (page 60)

6. Syslog (page 100)

Once you have finished with the Configuration wizard, click “Finish” on the Syslog stage and you will be

redirected to the Deception campaign wizard:


You are now ready to start creating deception campaigns. NOTE: For all future uses of MazeRunner, you will

simply need to log in to your account using your username and password:

CREATING A DECEPTION CAMPAIGN

A deception campaign consists of three elements:

1. Decoys – Decoys are virtual machines (servers or other devices) running Windows1 or Linux systems.

They look and act like production machines. When a decoy is accessed, there is no doubt that this is

the work of an attacker. Decoys are most easily reached by following a breadcrumb found on an

endpoint.

2. Services – Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each

breadcrumb leads to a specific service on a decoy machine.

3. Breadcrumbs – These are passive elements of data (e.g., browser cookies, SSH credentials, network

shares, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers

during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible

with a user’s habits, so they blend into the environment and do not raise suspicion. Breadcrumbs

and decoys can be used separately or as part of an end-to-end deception story.

1 Windows decoys are only available in MazeRunner Enterprise Edition.


By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a

more elaborate deception network.

MazeRunner allows you to create a deception campaign manually or use Cymmetria's Deception story

wizard to help create your campaign. See Creating a deception campaign (using the Deception story wizard)

below and Creating a deception campaign manually on page 45 for detailed instructions on both of these

options.

For detailed product information regarding deception campaigns, see Supported operating systems (page

122), Types of decoys (page 123), Types of services (page 123), and Types of breadcrumbs (page 126) in the

Product reference section.

CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD)

Using MazeRunner's Deception story wizard, you can build a deception campaign with the help of templates

that have been prepared by Cymmetria's security team. Alternatively, you also have the choice to build your

own customized deception stories without the help of the wizard. See Creating a deception campaign

manually on page 45 for more information.

On first use of MazeRunner, the wizard will open automatically as your home screen. During all subsequent

uses of MazeRunner, you can navigate to the wizard by clicking the New story button located on the top

right of the Campaign screen:

In the wizard, you will see a variety of prepared deception stories (for example, "Linux backup server",

"Internal website", and "VPN server"). Each story includes a short description to help you decide which one

you would like to use.

Enterprise Edition note: Only Linux-based stories are available in the Community Edition. Notice that there

are two Windows-based stories that are grayed out; these are available in MazeRunner's Enterprise Edition.

Each template already has default values defined for you (you may change some of these values if you wish,

but do not have to). NOTE: If you do not wish to change any of the default values provided, you can simply

click the "Next" button through all of the below story creation stages until the story is created (except where

otherwise noted).

Use the Back button at the bottom right of the screen within each stage of the wizard to go back and make

changes to previous selections. You can also click the X icon on the top right-hand side of the screen at any

time; this will delete any deception elements defined in previous stages and take you to the Campaign

screen.


To use the wizard, follow these steps:

1. Choose a deception story, then click "Next":

2. Customize the details of your decoy, such as name, hostname, DNS address2, and VM type. NOTE:

You cannot change the OS type. You can also choose to manually configure network settings,

including static IP, gateway, DNS server, and subnet mask. When you are ready, click "Next":

3. Now you can customize your story's services and breadcrumbs. A set of services will appear by

default, as defined by the template, on the left side of the screen. Each service, when selected, will

show its details, including the breadcrumbs attached to it. You cannot add or remove services from

the template; however, you can edit some service fields. You can also edit breadcrumb fields if you

wish (you must edit the breadcrumb fields if you are using a "Responder Monitor" or "VPN server"

story). Note that for Windows network share breadcrumbs, you will need to choose whether you

would like them to be non-persistent or persistent after endpoint restart. When you are ready, click

"Next":

2 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If

you choose to fill out this field, be sure to create a matching DNS entry in your name server.


4. Now it is time to deploy your deception story. First, you can assign breadcrumbs to one or more

deployment groups3 (this can also be done later, from the Deployment Groups sub screen of the

Campaign screen). NOTE: Later on, we will use these same deployment groups when importing

endpoints and deploying breadcrumbs to them. When you are ready, click "Finish":

5. Here's an example of what your screen will look like once your campaign has been created

successfully:

6. You will need to activate each of your servers by using the On/Off toggle button on the Decoys sub

screen (in the Power column).

7. You can now view the details of your campaign by using the Decoys, Services, Breadcrumbs, and

Deployment Groups tabs (sub screens). If you did not assign your breadcrumbs to a deployment

group during story creation in the wizard, you can do so now. See Create a new deployment group

on page 48 for detailed instructions on how to do so.

That’s it! Your deception campaign is up and running. Jump to Importing endpoints on page 49 or Deploying

breadcrumbs on page 56 to continue learning about the MazeRunner platform.

3 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For

example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific

department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's

endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page

56 for more information). Cymmetria recommends the use of deployment groups in all of your deployments.


CREATING A BASIC DECEPTION CAMPAIGN MANUALLY

The following is a step-by-step guide for manually creating the basic elements of a deception campaign.

Alternatively, you can use MazeRunner's Deception story wizard to build a deception campaign with the help

of templates that have been prepared by Cymmetria's security team. See Creating a deception campaign

(using the Deception story wizard) on page 42 for more information.

CREATE A NEW DECOY

In this stage, you will create a decoy server.

1. Go to the Campaign screen (if you are in the Deception story wizard, click the gray X icon on the top

right-hand side of the screen; this will take you to the Campaign screen). On the Decoys sub screen,

click the Create decoy button.

2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name

such as "HR_Server", a hostname such as "hrsrvr01", and choose Nested as the VM type. If you

would like to configure a static IP, click the toggle button next to "Manually configure network

settings" and fill out the Static IP field. Notice that you have the option to add a DNS address.4

3. Click "Save" in order to create the decoy.

4. Power on the server using the On/Off toggle button, which is located in the Power column.

5. That's it! Here is an example of what your screen will look like once the server has finished booting:

Enterprise Edition note: Notice that Windows decoys are grayed out in the Operating system drop-down list.

Windows decoys are only available in MazeRunner Enterprise Edition.

4 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If

you choose to fill out this field, be sure to create a matching DNS entry in your name server.


CREATE A NEW SERVICE

In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this

example, let's assume that you want to create a deception story for your HR department.


right-hand side of the screen; this will take you to the Campaign screen). On the Services sub screen,

click the Create service button.

2. Select the desired service type (e.g., SMB service) and enter an appropriate name (e.g.,

"Personnel_Files").

3. Add necessary data (for example, if you chose an SMB service, you will need a name for its shared

folder and a ZIP file for the content). Click "Save".

4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that

we created in the previous section). Do this by selecting the decoy name from the drop-down box in

the Decoy column:

5. That's it! Here is an example of what your screen will look like once the connection has finished

configuring (you can monitor its status on the Decoys sub screen):

CREATE A NEW BREADCRUMB

In this stage you will create a breadcrumb and connect it to the previously created decoy and service.


right-hand side of the screen; this will take you to the Campaign screen). On the Breadcrumbs sub

screen, click "Create breadcrumb".


2. Select the breadcrumb type5 (make sure it matches the service you have defined), and then select an

appropriate name. For example, you could select a network share breadcrumb and name it

"Personnel_Files_BC". You can also assign the breadcrumb to a deployment group here, but for now

we will leave this blank; we will talk about deployment groups in the next section.

3. After filling in all of the fields (according to the breadcrumb type you chose), click "Save". NOTE:

Some types of breadcrumbs will require you to create a user (you will need to enter a username and

password). The Username field will provide a drop-down list of suggestions that you may want to

use (all of the unique username/password pairs that currently exist in your MazeRunner instance).

Alternatively, you can choose "Randomize credentials from a predefined pool"; MazeRunner has a

list of common usernames and passwords that it uses to supply these. Note also that, for Windows

breadcrumbs, you will need to choose whether you would like them to be non-persistent or

persistent after endpoint restart.

4. Connect this breadcrumb to a service by selecting a service from the drop-down list in the Services

column:

5. Once the connection has finished configuring (you can monitor its status on the Decoys sub screen),

the breadcrumb will show as "Active":

6. Notice the Deployment groups column. Here you can assign your breadcrumb to a deployment

group you have already created. See Create a new deployment group on page 48 for information on

how to create groups.

5 Note that the Responder Monitor breadcrumb relates to the Responder Monitor feature (a feature used with your

SOC interface). For more information on this type of breadcrumb and this feature, see the section entitled ActiveSOC on

page 74.


CREATE A NEW DEPLOYMENT GROUP

Deployment groups are used to group several breadcrumbs together for ease of management and

deployment. For example, you can decide to group together a few breadcrumbs that will be deployed to all

endpoints used by a specific department in your organization. This will allow you to easily deploy these

grouped breadcrumbs to this department's endpoints using one of MazeRunner's manual or automatic

deployment methods (see Deploying breadcrumbs on page 56 for more information). Cymmetria

recommends the use of deployment groups in all of your deployments.

NOTE: Deployment groups will be used later when importing endpoints and deploying breadcrumbs to them;

see Importing endpoints on page 49 and Deploying breadcrumbs on page 56 for more information.

To create a new deployment group:


right-hand side of the screen; this will take you to the Campaign screen). On the Deployment Groups

sub screen, click "Create group".

2. Enter a name for your deployment group (e.g., "IT" or "all users"), and click "Save":

3. Now you can add breadcrumbs to this group. To do so, return to the Breadcrumbs sub screen of the

Campaign screen and use the drop-down list in the Deployment groups column to add specific

breadcrumbs to deployment groups:

You can see that your breadcrumb now belongs to the IT deployment group:

NOTE: You can assign a single breadcrumb to multiple deployment groups.


4. Now you are ready to deploy your deployment group. To save time and resources, you can automate

breadcrumb deployment (Cymmetria recommends this option). If you prefer to deploy manually,

you can do so from the Deployment Groups sub screen or from the Endpoints screen. See Deploying

breadcrumbs on page 56 for detailed information on breadcrumb deployment options.

That’s it! Your deception campaign is up and running. Jump to Importing endpoints below to continue

learning about the MazeRunner platform.

IMPORTING ENDPOINTS

To enable automatic breadcrumb deployment (discussed in the next section), which will simplify campaign

deployment, MazeRunner allows you to import endpoints from Active Directory, from CIDR blocks, or from a

file (.CSV). Note that these methods are not mutually exclusive: for example, if you import from Active

Directory and then import from a CIDR block, MazeRunner will check to see if each endpoint already exists in

the system; if so, the endpoint will not be imported a second time.

IMPORTING ENDPOINTS FROM ACTIVE DIRECTORY

In order to import endpoints from Active Directory, you will need to add an Active Directory source. Navigate

to the Endpoints screen from the top navigation bar and click "Import endpoints":

This will take you to the Active Directory sub screen of Import endpoints. NOTE: This screen can also be

reached by navigating to Settings > Active Directory > View Active Directory.

From the Active Directory sub screen of Import endpoints, click the link provided and you will be redirected

to the Active Directory sub screen in Settings.

To specify the Active Directory server from which you would like to import endpoints, follow these steps:

1. Click the Create source button and enter the source details (name, domain controller address, port,

username, password, and base DN).

2. Test your connection by clicking "Test connection". If the test connection is successful, click "Save"

to continue:


NOTE: Some Active Directories do not allow connection without SSL. If you receive an error when trying to

connect, use the toggle button next to "Use SSL" to use secure LDAP on port 636:

Now you need to import the Active Directory. To do this, follow these steps from the Active Directory sub

screen:

1. Click the View Active Directory button. Select the domain you would like to import and click "Import

from Active Directory":


While your AD groups are importing, you can exit the Import endpoints screen. You can see the

import's progress in the task manager's Running tab. Once the process is complete, you will see an

orange dot on the task manager icon, and the import details on the Complete tab:

2. Once your groups have finished importing, return to the Import endpoints screen by clicking "Import

endpoints" from the Endpoints screen. Select the Active Directory source you just imported (from

the drop-down list) and notice that the source's details appear on the screen. To the right of each

organizational unit (OU), notice that there are two numbers: one labeled "Self" and one labeled

"Total". The number next to "Self" indicates the number of endpoints in that particular OU; the

number next to "Total" indicates the total number of endpoints under that OU, including those of

other OUs:

3. Now you need to import endpoints from your Active Directory organizational units. You can choose

specific endpoints to import by selecting the checkbox next to an OU's name (which selects only the

endpoints in that particular OU), or select "Select all":

Before importing, you must assign the endpoints you would like to import to specific deployment

groups. Notice that two new functions appear on the right side of your screen when you select any

OU: "Assign to group" and "Clear assignment". After you have clicked the checkbox next to an OU's

name, click "Assign to group" and select the desired deployment group from the drop-down list. You

can choose from an existing deployment group that you previously created, import your endpoints

without assigning them to a deployment group (you will need to assign them later) or create a new

deployment group to assign the endpoints to:


This will assign all endpoints on that particular OU to the selected deployment group. You will see

the name of the deployment group to which an OU's endpoints have been assigned, to the right of

the OU name and endpoint count. You can assign all endpoints to one deployment group, or to

different deployment groups:

If you would like to change to which deployment group your endpoints have been assigned, mark

the checkbox next to an OU's name and re-assign to another deployment group by using the "Assign

to group" function. You can use the "Clear assignment" function to clear the assignment for selected

endpoints.

NOTE: Only endpoints that have been assigned to a deployment group will be imported. Remember

that, if you would like to import endpoints and assign them to a deployment group later, simply

chose "Import without assigning" from the Assign to group drop-down options:

4. If for some reason you would like to remove the data from an Active Directory source that you have

previously imported to MazeRunner, simply click "Delete retrieved data".

5. Once you are ready, click "Start importing assigned endpoints daily". NOTE: Once you click this

button, your selected endpoints will continue to import (i.e., refresh) daily, at the time you originally

clicked the button. For example, if you click "Start importing assigned endpoints daily" at 2:00pm,


the selected endpoints will import daily at 2:00pm6. If you would like to stop this daily import, simply

click "Stop importing assigned endpoints daily".

After exiting the Import endpoints screen, you can check the status of your import in the task manager's

Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at

which time you can view import details on the task manager's Complete tab:

IMPORTING ENDPOINTS FROM CIDR BLOCKS

As an alternative to importing endpoints from Active Directory, MazeRunner allows you to import endpoints

from CIDR blocks.

To import endpoints from CIDR blocks, complete the following steps:

1. Navigate to MazeRunner’s Endpoints screen and click "Import endpoints", and then click on the CIDR

blocks tab:

2. Click on the Add button to add CIDR blocks and assign them to deployment groups. NOTE: You

cannot enter overlapping CIDR blocks.

3. Enter the CIDR block from which you would like to import, then use the Deployment group drop-

down to assign the endpoints in this CIDR block to a deployment group. You can import your block

without assigning it to a deployment group (you will need to assign it later) or choose from an

existing deployment group that you previously created:

6 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will

be refreshed/updated, but its deployment group will not be changed.


4. Click "Save" to finish.

If you would like to make changes to the information you entered, you can do so using the "Edit" and

"Delete" functions, located in the Actions column. After importing multiple CIDR blocks, you can use the

"On/Off" button in the Status column of each block to skip certain CIDR blocks, but import others, during

your daily import.

When you are ready, click "Start importing endpoints from CIDR blocks daily":

NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the

time you originally clicked the button. For example, if you click "Start importing endpoints from CIDR blocks

daily" at 2:00pm, the selected endpoints will import daily at 2:00pm7. If you would like to stop this daily

import, simply click "Stop importing endpoints from CIDR blocks daily".

After exiting the Import endpoints screen, you can check the status of your import in the task manager's

Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at

which time you can view import details on the task manager's Complete tab:

7 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will

be refreshed/updated, but its deployment group will not be changed.


IMPORTING ENDPOINTS FROM A FILE

MazeRunner allows you to import endpoints from a CSV file. To import endpoints from a file, follow these

steps:

1. Navigate to MazeRunner’s Endpoints screen and click "Import endpoints", and then click on the

Import from file tab:

2. Click the Choose file button and select the CSV file of endpoints you wish to upload. The file can

contain the following columns (must be declared in the first row of the file): ip_address, hostname,

dns, and deployment_group_name. At least one of IP address, DNS, or hostname fields must exist

and be filled out for each endpoint; the Deployment group name column is only required if you

choose to assign according to the uploaded file (see Step 3), otherwise it will be ignored. NOTE: The

columns can appear in any order.

3. Using the drop-down list provided, choose which deployment group you would like to assign the

new endpoints to (you can also import without assigning), or choose to assign the endpoints

according to the uploaded file. NOTE: If you choose to assign to deployment groups according to

the uploaded file and you leave a deployment group name field blank, that endpoint will be

imported as "Unassigned". Furthermore, if you enter a name of a group that does not exist in

MazeRunner, that endpoint will not be imported.

4. When you are ready, click “Import endpoints” to start your import.

POST-IMPORT

Navigate back to MazeRunner's Endpoints screen; all of the endpoints you imported are now shown here

(you might need to click the Refresh button).

Notice the endpoint status chart at the top of the screen. Right after importing endpoints for the first time,

100% of your endpoints will be "clean", since you have not yet deployed any breadcrumbs to them:


For a full explanation of the different endpoints statuses, as well as information on the various actions that

can be taken on your endpoints, see the section entitled Endpoints screen on page 105.

For now, let's look at how to deploy breadcrumbs to your endpoints (next section).

DEPLOYING BREADCRUMBS

To save time and resources, you can automate breadcrumb (deployment group) deployment using the

Endpoints screen (Cymmetria recommends this option). You can also deploy deployment groups manually

from the Deployment Groups sub screen of the Campaign screen.

DEPLOYING BREADCRUMBS FROM THE ENDPOINTS SCREEN

From the Endpoints screen, you can deploy breadcrumbs to your endpoints manually or automatically. To

set up automatic breadcrumb deployment8, complete the following steps:

1. Click "Deploy to endpoints" and choose from the deployment methods in the drop-down list:

2. Enter your local admin credentials (username, password, and endpoint IP or hostname9). If the user

is a domain user (versus a local user on an endpoint), you will need to fill in the optional domain

8 The MazeRunner UI currently supports automatic breadcrumb deployment to Windows endpoints only. If you would

like to set up automatic deployment to Linux endpoints, you can do so using the MazeRunner API.

https://community.cymmetria.com/api/


name. NOTE: If you have previously configured local admin credentials for endpoints in Settings >

Campaign and Deployment, you will see these credentials listed here. You can change these

credentials by clicking "Change".

3. Click "Test credentials" to ensure you have entered everything correctly. If something is not right,

proceed according to the error message shown on your screen.

4. Using the toggle button, choose whether you would like to save these credentials for further use.

NOTE: If you had previously configured credentials in Settings > Campaign and Deployment, but

chose to change those credentials in step 2 above, enabling this feature will overwrite the existing

credentials for all purposes.

5. Choose a Deployment mode and select the deployment groups you would like to deploy, then click

"Deploy":

NOTE: You will not be able to select and deploy a group if at least one of the following is applicable:

There are no endpoints in the group.

One or more of the breadcrumbs in the group is inactive.

There are no breadcrumbs in the group.

There are breadcrumb conflicts within that deployment group (for example, two

breadcrumbs with the same decoy username but different passwords will conflict).

If any of the above is applicable, make sure that your decoy(s) is turned on (check the Decoy sub

screen of the Campaign screen), that you have assigned breadcrumbs to groups (check the

Breadcrumbs sub screen of the Campaign screen), and that you have assigned endpoints to groups

(check the Endpoints screen).

Cymmetria recommends deploying breadcrumbs automatically. Manual deployment is useful if automatic

deployment is impossible, or if you would like to use other orchestration software such as Chef, McAfee ePO

or Tanium.

To deploy breadcrumbs manually, complete the following steps:

1. Click "Deploy to endpoints" and choose "Manual" from the Deployment method drop-down list:

9 This is the IP or hostname of an endpoint on which the credentials will be tested. It is only used for this test, and is not

mandatory for the deployment.


2. Choose your preferred deployment option and download the relevant installation files by clicking on

the appropriate download button. If you are deploying to a Windows OS, you have four deployment

options from which to choose:

1. Deployment Package (ZIP) – A ZIP file containing a folder for each breadcrumb group.

Each folder contains both an install and uninstall shell script for that deployment group.

2. Deployment Package (TAR.GZ) – A TAR.GZ file containing a folder for each breadcrumb

group. Each folder contains both an install and uninstall shell script for that deployment

group.

3. Executable – A ZIP file containing a folder for each breadcrumb group. Each folder

contains both an installer and uninstaller (in EXE format) for each breadcrumb group.

4. Windows Installer – A ZIP file containing a folder for each breadcrumb group. Each

folder contains both an install and uninstall file (in MSI format) for each breadcrumb

group.

If you are deploying to a Linux or Mac OS, you must choose one of the "Deployment package"

options (a ZIP or TAR.GZ file containing a folder with an installation script for each group).

3. You will need to unpack the ZIP or TAR.GZ file and run the installation files contained in each group

folder (as administrator or root) on the endpoint, in order to place the group's breadcrumb(s). Note

that the script/executable, once executed, will delete itself and all accompanying files in order to

leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP or TAR.GZ


file from the endpoint (after saving the uninstall files in a safe location for later use) once you are

finished.

After deploying manually, a beacon10 will be sent from the endpoint to update MazeRunner about the status

of the deployment.

Now that you have deployed breadcrumbs to your endpoints, you can expand each endpoint by clicking the

+ icon to see details about the breadcrumbs on that endpoint:

NOTE: It might take the endpoint status a few more minutes to update, due to the time it takes the

breadcrumb to install, and possible network delays. If you don't see any change within a few minutes, click

the Refresh button.

DEPLOYING BREADCRUMBS FROM THE CAMPAIGN SCREEN

You can manually deploy deployment groups from the Deployment Groups sub screen of the Campaign

screen. To do so:

1. Navigate to the Campaign screen and then to the Deployment Groups sub screen.

2. In the Actions column of the deployment group you would like to deploy, click the Download icon

(on hover the icon shows "Download deployment group package"). This will open the Deploy

deployment group form.

10

The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the

status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the

MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect

to it over HTTPS (port 443).


3. Choose "Install" as the package type (uninstall packages are also located here), and then download

the relevant installation files by clicking on the appropriate download button. For Windows, the

installer is either a ZIP or TAR.GZ file containing shell scripts (PowerShell), an executable (EXE) or a

Windows installer (MSI); for Linux and Mac, it is always a ZIP or TAR.GZ file containing shell scripts

(Python):

4. You will need to unpack and run this installer (as administrator or root) on the endpoint, in order to

place the breadcrumb(s). Note that the script/executable, once executed, will delete itself and all

accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember

to remove the ZIP or TAR.GZ file from the endpoint (after saving the uninstall files in a safe location

for later use) once you are finished.

You can now validate the deployment on the Endpoints screen (see relevant section on page 105).

PERIODIC BREADCRUMB DEPLOYMENT & CAMPAIGN REFRESH

You can schedule breadcrumb deployment at regular intervals by enabling MazeRunner's Periodic

deployment feature. This can be done using the toggle button from the Campaign and Deployment sub

screen of Settings (Settings > Campaign and Deployment):


Set the interval (in hours, days or weeks) at which you would like to automatically deploy, and choose a

deployment mode. If there are new endpoints in a deployment group (new endpoints may have arrived via

the Active Directory or CIDR blocks automatic importation feature, for example), the refresh feature will

deploy to them.

In addition to redeploying breadcrumbs at the fixed interval you set, you can also refresh the deception

campaign every fixed number of automatic deployments. When a refresh frequency is set, breadcrumbs with

randomized credentials will have the credentials changed to new random values in order to update the

deception campaign. Set the refresh frequency value to 0 to disable campaign refreshing:

You can also define your remote deployment settings. Choose a run method (executable or native script) and

deployment path:

Lastly, enter the local admin credentials to use in the deployment (these credentials will be saved and used

for future deployments). You can test these credentials using the relevant field and the Test credentials

button:

Be sure to save your configuration when you are finished. NOTE: If you do not configure local admin

credentials for endpoints, or if they change, you will receive an error message at the next designated

deployment interval. Please make sure these credentials are configured correctly, otherwise your periodic

deployment will fail.


Notice the sections labeled "Endpoint Forensic Puller" and "Automatic Hackback". See Forensic Puller on

page 67 and Automatic Hackback on page 72 for more information about these features.

INTEGRATING WITH A SYSLOG/SIEM

Integrating with a syslog/SIEM can be done from the Integrations screen. See Integrations on page 98 for

detailed information.


ADVANCED USAGE

Now that you have a handle on basic configuration and usage, you are ready to learn about the advanced

configuration options available to MazeRunner users.

MAZERUNNER NETWORK CONFIGURATION

This section includes information on configuring static IP, and enabling VLAN support and non-promiscuous

mode.

STATIC IP

By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to

change MazeRunner's network configuration, follow these steps:

1. Open the server's console. The console can be accessed using your hypervisor UI.

2. Log in as "usern":

a. Enter 'usern' as the MazeRunner login. For example:

b. Enter the password 'Password1!'11 and then enter ‘static’. For example:

Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address,

DNS search domains). If you do not know your network details, contact your IT administrator. You will also

need to choose the main network interface for MazeRunner management.

NOTE: During automated deployment, the nameserver (DNS server) and the DNS search domains will be

used to look up endpoint names.

11

You will be prompted to change this password on first use of MazeRunner.


VLAN SUPPORT

VLAN support can be enabled by following the steps outlined below (make sure you have already completed

the steps outlined for configuring VLAN support, on page 21 of this guide):

1. In MazeRunner, navigate to Settings > Networking, select "Enable decoy VLAN support", and then

click "Save configuration". NOTE: You can change the VLAN trunk interface field before saving:

2. Next, click the Add VLAN button and enter a VLAN ID (for example, "2"). NOTE: VLAN ID must use

numbers, not letters or other characters. If you are using static IP in your network, please assign the

Cymmetria management server a static IP address and a subnet mask in the spaces provided. If you

have a separate DNS server for this VLAN, be sure to add its address in the DNS field. To deploy

breadcrumbs to endpoints in different subnets, enter CIDR blocks (separated by commas) in the

Routing CIDR blocks field. A gateway must be set if you plan to route specific CIDR blocks. When you

are finished, click "Save":

That's it! VLAN support is now configured. NOTE: When you define a new decoy in MazeRunner (when

building your deception campaign either manually or with the help of the wizard; see page 41 for details),

you will need to select your VLAN ID from the drop-down list.


NON-PROMISCUOUS MODE

If you did not enable promiscuous mode for MazeRunner's VM during installation and setup, you must

enable non-promiscuous mode by selecting the "Run MazeRunner in non-promiscuous mode" option from

the Networking tab of the Settings screen, or during MazeRunner's initial setup. NOTE: You will need to add

additional network interfaces to your MazeRunner VM. Each decoy will use one interface (for example, for

three decoys you would need four network interfaces overall: one for MazeRunner and one for each of the

three decoys).

To enable non-promiscuous mode, follow these steps:

1. Make sure you have completed the steps outlined for using MazeRunner without promiscuous

mode, on page 18 of this guide.

2. Also make sure you have chosen the main network interface for MazeRunner management:

NOTE: If you already configured static IP, please reference the section entitled Static IP on page 63.

3. In MazeRunner, navigate to Settings > Networking, select the Run MazeRunner in non-promiscuous

mode option, and then click "Save configuration":

That's it! You have now enabled non-promiscuous mode. NOTE: When you define a new nested decoy in

MazeRunner (when building your deception campaign either manually or with the help of the wizard; see

page 41 for details), you will need to select an interface from the drop-down list. You can create only one

decoy for each interface.


SSL CERTIFICATE

You can view MazeRunner's current server certificate and download the certification authority (CA)

certificate. Additionally, you can replace the server certificate with a new certificate signed by your trusted

CA. If you would like to update the details of your certificate, you can also replace the server certificate with

a new certificate signed by MazeRunner.

To carry out any of these actions, navigate to Settings > SSL Certificate. On the SSL Certificate tab, you will

see several options. To download the current CA certificate, simply click the Download CA certificate button.

To replace the current server certificate with one signed by your trusted CA, click "Generate certificate

signing request" and fill in your information. Click "Download CSR" to download the certificate signing

request (CSR):

After downloading, sign the certificate with your trusted CA. NOTE: You will also need the CA's certificate for

the next step.

When available, upload the certificate signed by your trusted CA (PEM encoded certificate) and the CA's

certificate (PEM encoded CA certificate) by clicking "Load signed CSR", choosing the appropriate files, and

then clicking "Load and use":


If you would like to update the details of your certificate, you can replace the server certificate with a new

certificate signed by MazeRunner. To do this, follow these steps:

1. Click the Generate certificate button under "Signed by MazeRunner" and fill in your information.

2. Click "Generate and use" to replace the certificate. NOTE: After submitting this form, you will need

to restart your browser to use MazeRunner. All OVA and EC2 decoys will need to be recreated

manually:

FORENSIC PULLER

Forensic Puller enriches MazeRunner alerts by pulling forensic information from the endpoint that triggered

the alert. It uses remote local admin access and PsExec to pull alert data from specific endpoints, providing a

more complete forensic picture.


To enable the Forensic Puller, follow these steps:

1. Navigate to Settings > Campaign and Deployment.

2. Activating the feature requires local admin credentials. Fill in your credentials under "Local admin

credentials for endpoints".

3. Under “Endpoint Forensic Puller”, click the toggle button to the right of “Enable MazeRunner to

automatically collect forensic data from alerted endpoints” to enable the feature.

Forensic Puller will run on all events that have not been configured to be ignored in your alerting policy. For

more information on the event generated by the Forensic Puller, see “Forensic data” under Types of events

on page 119.

NOTE: If MazeRunner storage is 70% full, the Forensic Puller will stop retrieving forensic data until storage

usage drops below 70%. You will receive a notification (in the UI as well as by email) if this happens.

RELAY – ENTERPRISE EDITION ONLY

Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The

following documentation is provided here to give Community Edition users an explanation of how the

feature works.

You can connect multiple MazeRunner instances to one master MazeRunner machine. This allows you to

view and investigate the events and the Dashboards of all the MazeRunner instances, from the master

MazeRunner machine. NOTE: Campaign and deception management is done by connecting directly to the

relevant MazeRunner machine.

To configure Relay, follow these steps:

1. Navigate to Settings > Relay.

2. To activate the Relay feature, use the toggle button next to "Turn on MazeRunner relay".

3. If you would like to use the current machine as the master machine, keep the toggle button next to

"Run MazeRunner in slave mode" set to "Off":

a. To connect MazeRunner instances to the master machine, download the relay package from

the master and upload it to the instances you would like to connect:


On the master instance, you will see a table under "Connected MazeRunners" that will list all of the

slaves connected to this master. Here you can see information about each slave machine, as well as

edit and delete a machine using the icons in the Actions column. NOTE: Deleting a slave from the

"Connected MazeRunners" table will delete all of its alerts on the master machine. If the slave is still

associated with the master, the slave will reappear in the table once the data finishes pushing. To

completely remove a slave instance from the master machine, you will need to disconnect the slave

instance (this is done from the slave machine; see 4.b.ii. below).

4. If you would like to use the current machine as a slave machine, set the toggle button next to "Run

MazeRunner in slave mode" to "On":

a. To connect this slave machine to the master machine, download the relay package from the

master machine and upload it to this machine:

b. Once the package has finished uploading, details of the master machine will appear on the

screen.

i. Use the Test connection button to check whether the slave instance has access to

the master machine, and if so, whether they are compatible for the Relay feature

(whether both instances are running the same version of MazeRunner).

ii. You can disconnect the slave instance by clicking the Disconnect button.

Disconnecting will return the machine to the state it was in before a relay package

was uploaded. NOTE: This will not delete any existing data about this slave instance

that has already been sent to the master; this needs to be done separately (see

number 3, above).

c. If changes are made to your network or master MazeRunner machine, you will need to

upload a new relay package to the slave machine(s).


NOTE: If you update the relay package, all the alerts that failed sending during/before the update will be

resent once the master is accessible again from the slave. Alternatively, if you disconnect a slave instance

from the master, all the alerts that appeared in the slave before disconnecting and failed sending to the

master will never be resent.

Additional notes about Relay:

Deleting or archiving alerts in the slave If a user deletes or archives alerts in the slave, it does not affect the state of the alerts in the master

Deleting or archiving alerts in the master If a user deletes or archives alerts in the master it does not affect the state of the alerts in the slave

Rule policy differences between master and slave 1. Ignored events in the slave will not be sent to the master

2. Once an event from the slave is sent to the master, it is classified in the master according to the master machine's rule policy (not the slave's). This does not affect the classification of the same event in the slave (e.g., the event can be muted in the slave and set to raise an alert in the master).

3. A master instance cannot shut down decoys on a slave instance even if the rule policy requires it; such a rule must be configured on the slave instance

Deleting a decoy in the slave Deleting a decoy from the salve will delete all of the related alerts in the master and the slave

Custom services in Relay Alerts generated in the slave due to a custom service that exists only in the slave will NOT appear in the master MazeRunner (the user would need to configure the same custom services in both MazeRunner instances)

Forensic Puller in Relay Each instance of MazeRunner will only run Forensic Puller on its own alerts/endpoints. For example, if an alert appears in the slave, the master will never run Forensic Puller (even if the Forensic Puller is enabled in the master; the master will only run Forensic Puller on its own alerts/endpoints).

NOTE: Even if you try to run Forensic Puller on events manually from the Investigation screen (using the Bulk action), it will not work; Forensic Puller will only run on that machine's events and the others will fail.


Integrations in Relay Data originating from integrations connected to the slave will not be sent to the master

RDP Session Recorded alerts in Relay RDP Session Recorded alerts/events will only be pushed to the master after the timeout for the recording was exceeded (i.e., the RDP recording will NOT be sent while it is still recording)

DASHBOARD IN RELAY MODE

The Dashboard displays content from one MazeRunner instance. You can change which MazeRunner

instance is displayed using the filter at the top right of the Dashboard screen:

By default, the Dashboard of the master instance is shown every time the Dashboard page is opened.

When viewing the Dashboard of a slave instance from the master UI, some of the data is displayed

differently from how it is usually displayed. For example, when viewing a deployment group belonging to a

slave instance, events originating from an endpoint in that group will appear as alerts from unassigned

endpoints.

Events appear according to their status in the master instance, and you will see a reminder of this at the top

of your Dashboard:

INVESTIGATION SCREEN IN RELAY MODE

By default, the Investigation screen will display events and alerts from all MazeRunner instances (note that

attack stories will only include events from one MazeRunner instance, even if events have the same

originating endpoint).


You can filter the data you see on the Investigation screen by MazeRunner instance, using the drop-down at

the top left of the screen:

When viewing a slave instance from the master MazeRunner:

1. In the Investigation table, a new field labeled "Originating MazeRunner name" is seen in an event's

expanded view, under "Source information". "Decoy name" will display the decoy name followed by

the name of the MazeRunner instance (e.g., An alert with a decoy named "Backup server 123" that

runs on MazeRunner slave instance "MazeRunner AZ" will have this value: "Backup server 123

(MazeRunner AZ)":

2. Attack story and alert IDs are assigned to the entities in the master MazeRunner; they may have a

different value in the originating MazeRunner instance.

NOTE: In Relay mode, reports from the master MazeRunner instance will include all of the events and stories

on the master (including those originating from slave instances). The reports from the master will not include

campaign data about the slave MazeRunner instances. See Email and Reporting on page 86 for more

information about reports.

AUTOMATIC HACKBACK – ENTERPRISE EDITION ONLY



feature works.

Enterprises can do a lot of threat hunting within the law, including engaging live attackers on their own

networks with direct response and active countermeasures. Automatic Hackback gives you the ability to

engage in these steps legally and allows you to operate within the legal boundaries necessary to investigate

and take action when interfacing with live adversaries, and compromised hosts and tools, within the

confines of your network environment. This feature allows you to automatically and remotely execute a


process on an endpoint in response to events. For detailed information about the feature, see this post on

Cymmetria's blog (the post includes a link to a separate, in-depth legal analysis).

To enable Automatic Hackback, follow these steps:

1. Navigate to Settings > Campaign and Deployment.

2. Under “Automatic Hackback”, click the toggle button to the right of “Enable MazeRunner to

automatically deploy and execute an executable file on alerted endpoints” to enable the feature.

NOTE: This feature is governed by special provisions in the license agreement for MazeRunner. It is solely

and exclusively your responsibility to ensure that you do not upload or use MazeRunner to deploy any scripts

or executables in violation of any applicable laws, regulations or industry standards, or which might result in

such violation, and you assume all liability and risks associated with this feature. You must read and agree to

the special provisions governing the use of this feature in order to enable it. Please be sure you fully

understand the potential consequences of the use of this feature before continuing; this might include

consulting with your own legal counsel to determine policies and procedures:

Once the feature has been activated, you will need to upload an executable package for the feature to use.

Click the Choose file button and select a ZIP package to be deployed to the endpoint (the package must

include a 'run.exe' file in its root):

The feature will start working only after MazeRunner validates the package. If the package validation fails,

the feature will be deactivated and you will receive a notification.

https://cymmetria.com/blog/fortune-500s-perform-legal-hackback/

https://cymmetria.com/blog/fortune-500s-perform-legal-hackback/


ACTIVESOC – ENTERPRISE EDITION ONLY

Enterprise Edition note: ActiveSOC and all related features, with the exception of the Responder Monitor

deployment feature, is currently available to MazeRunner Enterprise customers only. The following

documentation is provided here to give Community Edition users an explanation of how ActiveSOC and its

related features work.

ActiveSOC allows you to automate incident response. Through integration with the SIEM, ActiveSOC allows

you to deploy deception elements to your network, based on rules you define and corresponding events

observed by the SOC. The Responder Monitor, which can be configured as part of the ActiveSOC feature,

monitors the SOC for use of credentials stolen using the Responder.py tool.

ACTIVESOC AND RESPONDER MONITOR ACTIVITY FEED

Here you can monitor all ActiveSOC and Responder Monitor activity and export the information to CSV:

You can filter and search your activity feed using the funnel icons. To do so, click on a funnel icon to the right

of a column title, choose your filter criteria from the available options, and then click "Apply Filter":

NOTE: If filtering by endpoint or deployment group, you will need to enter the endpoint IP address and the

deployment group name, respectively.

To clear your filter results, click again on the funnel icon to the right of the column title and then click

"clear".

To clean your feed (delete all entries), click the Clean feed button at the top of the screen.


SOC INTERFACES

You can connect MazeRunner to your SOC (e.g., via MazeRunner API, ArcSight Data Platform, ArcSight ESM

or Splunk), in order to use the ActiveSOC and Responder Monitor features, which are discussed in the next

sections.

To add a SOC interface, follow these steps:

1. Click the Add button next to “SOC interfaces”.

2. Select an interface type from the drop-down options:

3. Fill in the required information according to the SOC interface you chose. If you chose ArcSight or

Splunk, you will need to test the connection by clicking “Test connection”, and then click “Save” to

finish:

You will now see the details of the SOC interface you added in the SOC interfaces table. To edit or delete an

interface, use the links located in the Actions column on the right-hand side of the screen.

NOTE: It may take some time for a SOC interface to fully load. You can see the progress of this task in the

task manager. Autocomplete for SOC field names will only be partial until the SOC interface is fully loaded.


ACTIVESOC

The ActiveSOC feature allows MazeRunner to deploy breadcrumbs to endpoints in your organization based

on events observed by your SOC. Using ActiveSOC, you can set up specific rules that, when verified, will

cause MazeRunner to assign an endpoint to a deployment group (as defined by your rule) and deploy that

group’s breadcrumbs to the endpoint. MazeRunner achieves this through integration with your SIEM or

through the MazeRunner API. By automatically deploying deception tailored to specific suspicious behavior

(e.g., privilege escalation or abnormal traffic), ActiveSOC is able to create new intelligence out of “below-the-

threshold” events, and also validate events that might otherwise be ignored by analysts.

Before turning on the ActiveSOC feature, you will need to add a SOC interface. See the section entitled SOC

Interfaces on page 75 for information on how to do this.

Once you have added a SOC interface, use the toggle button next to “ActiveSOC” to turn on the feature:

NOTE: This feature requires local admin credentials for endpoints, which can be configured in Settings >

Campaign and Deployment.

Rules

Add rules to define the response to specific SOC events12. The rules will define how to identify the relevant

endpoint, how to filter the specific event, and to which deployment group to assign it and for how long.

To add a rule, follow these steps:

1. Click the Add button next to “Rules”. Enter a name for your rule and choose the SOC interface to

which you would like it to apply (each rule will be defined for a specific SOC interface):

12

Events could include, for example:

A user logging in from an unusual location

A privilege escalation alert (someone logged in as admin)

A computer connecting to an IP that doesn’t exist and then reaching a decoy

Someone attempting to access a web page/app that doesn’t exist


2. Define how to identify the endpoint in this type of event. Select the field from where your SIEM’s

target data is extracted (IP address or Hostname), fill in a field name, and if you would like, fill in a

DNS suffix (for example, hostname "myhost" and DNS suffix "mydomain.local" will become

"myhost.mydomain.local") or an IP range (CIDR):

3. For ArcSight ESM, each rule must have a query. The query is the name (ArcSight ESM QueryViewer)

predefined on your ArcSight ESM, from which MazeRunner will receive the events. All other rule

conditions will apply to the events received from that query. It's important to note that the

frequency of retrieval is dependent on the frequency of the query as defined in ArcSight ESM and

not controlled from within MazeRunner:

4. Add conditions for your event (field name and value). Be as specific as you can (there is no limit to

the number of conditions you can add per event):

5. Choose the deployment group to which you would like to deploy when this rule is verified, and the

deployment duration (how long to keep the breadcrumbs on the endpoint). For example, if you

enter ‘4’ here, the breadcrumbs will be deleted from the endpoint after 4 hours. When you are

finished, click "Save":


You will now see the details of the rule you added in the Rules table. In the Rank column of the Rules table,

note that there are two arrows; these are used to set priority for a rule. Clicking the up/down arrows will

move the location of rules in the table, thereby changing their rank (a rule with a rank of 0 has the highest

priority).

Notice the “On/Off” button in the Actions columns on the right-hand of the screen. Use this button to

activate and deactivate specific rules at certain times. You can also delete and edit your rules from this

column.

That’s it! From now on, if a rule you set is verified, MazeRunner will assign the endpoint to a deployment

group (as defined by your rule) and deploy that group’s breadcrumbs to the endpoint. When this happens, a

new record will be created in the Activity Feed and a new endpoint will appear on the Endpoints screen. The

breadcrumbs that were deployed will be removed from the endpoint after the period of time you defined in

your rule.

For more information about the ActiveSOC activity feed, see the ActiveSOC and Responder Monitor activity

feed section on page 74.

RESPONDER MONITOR

MazeRunner’s Responder Monitor (Pass-the-Hash) feature allows MazeRunner to periodically broadcast

deceptive credentials from endpoints and decoys. Attackers listening in on the network using the

Responder.py tool (or a similar tool) will capture these broadcasts and will potentially use these deceptive

credentials. The Responder Monitor feature gives you more deception options, as its alerting is based on

detected NBNS poisoning and stolen hashed credentials, and the use of these credentials on the network. To

use the Responder Monitor feature, you have two options:

1. Activate monitoring from a decoy via a Responder Monitor service.

Allows monitoring for use of Responder.py tool on the network subnet of the decoy.

Place the decoy in the same network subnet that you wish to defend.

Allows you to choose a hostname for MazeRunner to query. NOTE: If this hostname actually

exists in the network, make sure to also configure its IP in order to prevent false positives.

2. Activate monitoring from a specific endpoint via the Responder Monitor deployment feature.

Allows monitoring for use of Responder.py tool on the network subnet of endpoints.


By choosing endpoints from each network subnet, you can effectively monitor your entire

network for the use of Responder.py tool.

Cymmetria recommends creating a separate deployment group for each Responder Monitor

breadcrumb, and assigning a single endpoint from each network subnet to one of these

groups.

MazeRunner will query the hostname of the decoy to which the Responder Monitor

breadcrumb is connected.

To start working with the Responder Monitor feature, you first need to create a Responder Monitor

breadcrumb and connect it to a Responder Monitor service (and then connect to an active decoy). You can

do this easily using the Deception story wizard:

1. Navigate to the wizard (click "New story" from the Campaign screen) and select the Responder

Monitor story:

2. In step 3 ("Set up breadcrumbs"), you must enter a domain name, username, and password (the

domain name is the name of the domain that you want to monitor for Pass-the-Hash attacks):


3. You must assign Responder Monitor breadcrumbs to a deployment group. In the 4th and final step

("Deploy"), use the Assign to group drop-down to assign your breadcrumb to a deployment group

before clicking "Next" to finish.

Responder Monitor deployment

This feature allows deploying Responder Monitor breadcrumbs automatically and periodically. When

deployed, the breadcrumb identifies and alerts on NBNS spoofing and the use of Responder.py tool on the

endpoint's subnet. The username, domain, and password will be fed to the attacker from the endpoint.

To use the Responder Monitor deployment feature, navigate to ActiveSOC > Responder Monitor and use the

toggle button to the right of “Responder Monitor deployment” to activate the feature:

NOTE: This feature requires local admin credentials for endpoints, which can be configured in Settings >

Campaign and Deployment.

MazeRunner will begin to deploy to endpoints in the deployment group you configured in the final step of

the Responder Monitor story creation in the wizard. NOTE: Responder Monitor alerting only works when the

Responder Monitor breadcrumb is deployed via the Responder Monitor deployment feature described

above.

Every time MazeRunner deploys on an endpoint, the Responder Monitor breadcrumb tries to detect NBNS

poisoning of the connected decoy hostname; if it detects this, it broadcasts the deceptive credentials and

reports if Responder.py tool was used to steal these credentials.

MazeRunner aims to maximize the likelihood of an attacker intercepting deceptive credentials. In order to do

this, the Responder Monitor breadcrumb will broadcast (each time from a different endpoint) every X

minutes (where X is the detection interval you defined during breadcrumb creation, or a random interval

between 1-10 minutes that is regenerated for each endpoint deployment).

Responder Monitor SOC integration

To use the Responder Monitor SOC integration (allows detection of Pass-the-Hash attacks), first make sure

that:

1. You have added a SOC interface (see the section entitled SOC Interfaces on page 75 for instructions

on how to do so). NOTE: Make sure that the assets you want to monitor send their Windows event

logs to the SOC interface you configured, and that their audit policy for login attempts is enabled for

failed login attempts.


2. Once you have added a SOC interface, enable the Responder Monitor SOC integration using the

toggle button to the right of "Responder Monitor SOC integration".

Next, you might need to map custom Responder Monitor fields mapping13. MazeRunner will query the SOC

interfaces you configured to find evidence of someone using the Responder Monitor breadcrumbs that were

deployed by MazeRunner. When MazeRunner is querying your SOC interface, it uses the following default

field names in the query (according to your interface type):

Field name Splunk ArcSight Data Platform

Username Account_Name destinationUserName

Domain Account_Domain destinationNtDomain

Event_code EventCode externalId

Endpoint_hostname Workstation_Name destinationHostName

Endpoint_ip Source_Network_Address destinationAddress

NOTE: ArcSight ESM is not supported for use with the Responder Monitor feature.

If any of these fields is serialized differently in your SOC interface, you will need to add custom mapping for

these fields. To do this, follow these steps:

1. Click the Add button next to “Map Responder Monitor fields”:

2. From the drop-down list, choose the SOC interface you would like to map (you can have more than

one mapping for each SOC interface). Then, fill out the remaining mandatory fields and click “Save”:

13

If you would like to use an API SOC interface with the Responder Monitor feature, you must map the interface's

fields.


Validating Responder Monitor configuration

In order to check that the Responder Monitor deployment and alerting are working properly, complete the

following steps:

1. To check that the deployment worked, navigate to ActiveSOC > Activity Feed. In the Event column,

check that there is at least one entry with the status "Deployment successful". If after approximately

10 minutes you do not see an entry, please make sure that the Responder Monitor deployment

feature is turned on and that it is configured correctly. If you see an entry with a "Deployment

failed" status, please refer to this FAQ (page 134).

2. There are three types of events ("NBNS poisoning", "Credentials stolen by attacker", and

"Credentials used by attacker"). To verify that you have configured the Responder Monitor SOC

integration feature correctly, there are two tests you can carry out:

1. Select a server in your domain (the domain being monitored in the SOC interface you

configured earlier) that has a network share, and run the following net use command from a

different machine (e.g., your Windows laptop):

net use \\<server_address> /user:<breadcrumb_domain>\<breadcrumb_username>

<breadcrumb_password>

Within approximately 10 minutes, you should see a Network Credential Interaction alert on

MazeRunner’s Investigation screen. If you do not see an alert, please check your SOC

configuration (the SOC interface you added as well as the Responder Monitor fields mapping

you set up).

Now, whenever MazeRunner deploys the Responder Monitor breadcrumb to one of your

endpoints, if there is an attacker in your network who is using Responder.py (or a similar

tool), the attacker will record the Responder Monitor breadcrumb credentials. If the attacker


then uses these credentials on a machine in one of your monitored domains, MazeRunner

will raise an alert and you will see the details on the Investigation screen.

2. Run Responder.py on one of your network segments and make sure it poisons the hostname

of the decoy on which the Responder Monitor service is running. Import an endpoint from

that network segment to MazeRunner (you can do this by using MazeRunner's "Import by

CIDR blocks" feature) and make sure that this endpoint is the only endpoint in the

Responder Monitor's deployment group. Wait for the deployment to finish on the endpoint

(you will see this status in your activity feed). Notice that the Responder.py tool captured

the hash credentials of the Responder Monitor breadcrumb and that you see "NBNS

poisoning" and "Credentials stolen by attacker" alerts on MazeRunner's Investigation screen.

For more information about the activity feed, see the ActiveSOC and Responder Monitor activity feed

section on page 74.

CHANGING ALERTING POLICY

Changing your alerting policy can be done from the Alerting Policy sub screen in Settings. Navigate to

Settings > Alerting Policy:

Here you can define the system-wide policy for handling events. For each event, you can define whether it

will be ignored, recorded in MazeRunner, or recorded in MazeRunner AND sent to the syslog server. You do

this by setting system-wide rules to be performed for specific types of events. You can also define user rules

that override any system rules.

System-wide rules: These are the built-in rules that define which action should be taken for each

event type. You can choose from "Ignore", "Mute" (default setting), and "Alert":

Ignore – The event is not seen anywhere.

Mute – The event is only seen on the Investigation screen; however, you can choose to

"Send muted events" via syslog or Cuckoo, using the toggle button on the Syslog and Cuckoo

sub screens of MazeRunner's Integrations screen.

Alert – The event is seen on both the Investigation screen and the Dashboard, and an alert is

sent via syslog and email.


User rules: Here you can define rules that will override the system rules. To do this, follow these

steps:

1. Click "Add rule" to open the rule creation form:

2. To which type of event should this rule apply? Choose one from the drop-down list. NOTE:

You will need to create a separate rule for each type of alert, or a single rule that will match

all alert types.

3. To which decoy(s) and service(s) would you like this rule to apply? Make your selections

from the drop-down lists.

4. You can choose to set a rule for actions originating from a specific IP address. To do this, fill

in the IP address in the field provided. Please note that IP addresses are matched exactly.

5. You can also choose to set a rule for a specific file located on a decoy (e.g., "/bin/netcat" or

"myshare/important.txt"). To do this, fill in the relevant filename in the field provided. The

filename specified will apply to SMB alerts, code execution alerts, and unsigned code

execution alerts. Please note that the filename is matched exactly (SMB alerts will contain

the share name, there is a distinction between / and \, and names are case sensitive).

6. What would you like to happen? Choose an action ("Ignore", "Mute", "Alert" or "Shut down

decoy") from the drop-down list. If you choose "Shut down decoy", any decoy(s) related to

that event will be automatically shut down when the event is processed. IMPORTANT:

Shutting down the decoy is independent of the action you set for each event type ("Ignore",

"Mute", "Alert"); an event may be ignored by another rule and still shut down the decoy.

7. Once you have finished defining your new rule, click "Save".


PRODUCT REFERENCE

The following sections provide an overview of the MazeRunner platform, including its user interface and

additional functionalities.

PRODUCT INTERFACE

MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main

parts of the product:

● Dashboard – Your deception battle map, where you control and review your campaigns.

● Campaign screen – Here you create the different components of your deception campaign.

● Endpoints screen – From this screen you can view and manage your endpoints, as well as deploy

breadcrumbs.

● Investigation screen – Used for viewing your campaign's events and alerts. Here you can see every

move an attacker has made.

● ActiveSOC – Connect MazeRunner to your SOC in order to use MazeRunner's ActiveSOC and

Responder Monitor features14.

● Integrations – Here you can configure integrations with security tools and software (e.g., syslog,

ThreatConnect, AWS).

Alternatively, you may manage the platform using the MazeRunner API. Almost everything that can be done

using the MazeRunner interface can also be achieved by using the API. For details, see our online API

documentation.

SETTINGS

Configure MazeRunner, run diagnostics, manage users and API keys,

view your access log, and more. The Settings screen, which can be

reached by clicking the gear icon on the top right navigation bar,

contains twelve sub screens for configuring MazeRunner.

GENERAL

Here you can enter a virus database URL, choose to share intelligence back with the community,

automatically download updates, set the time zone, enable endpoints tracking (send beacon15), view/change

14

ActiveSOC and all related features, with the exception of the Responder Monitor deployment feature, is currently

available to MazeRunner Enterprise customers only.

15 The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the

status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the




the NTP server domain address, set the number of hours of inactivity before logout, and restore the default

configuration for General and Email and Reporting.

You can also allow MazeRunner to access the web through a proxy server that requires authentication with a

username and password. To do so, enter an HTTP proxy server URL (e.g., https://<IP>:<PORT>), and activate

the Authenticate using credentials feature by clicking the toggle button and entering a username and

password.

Lastly, you can restart or shut down MazeRunner using the power option buttons located at the bottom of

this screen. NOTE: If you shut down MazeRunner from here, it will shut down the entire system; you will

need physical access to the server (if you are using a physical appliance) or access to the ESXi (if you are

using a virtual appliance on the ESXi) in order to turn MazeRunner on again.

EMAIL AND REPORTING

Here you can define settings for email and reporting:

MazeRunner provides three reports:

1. MazeRunner status report – Generate a report about the current state of MazeRunner. Includes

general statistics about investigation, a list of unresolved attack stories, deception campaign state

(list of decoys), and deployment state (endpoint screen statistics and a list of deployment groups).

2. Time range report – Generate a report about events and alerts within a given time range. Includes

event summary and statistics, an attack story summary, a list of all attack stories, and an annex

(accessed ports, mentioned hosts, and usernames used).

3. Attack story report – Generate a report for a single attack story.

MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect

to it over HTTPS (port 443).


The first two reports are accessible from Settings > Email and reporting, as well as at the top right-hand side

of the Investigation screen. Simply click the corresponding buttons on either of these screens, select a time

range if necessary, and download the desired reports (PDF format).

The attack story report can be downloaded from individual expanded attack stories, in the attack story

section on the Investigation screen. Simply click the download icon, choose a date range, and click

"Download":

NETWORKING

Here you can add a decoy MAC address prefix and set MazeRunner's networking configuration. You can

choose to use the default configuration, run MazeRunner in non-promiscuous mode or enable VLAN support

for decoys and view/change the VLAN trunk interface:

ACCESS CONTROL

Here you can enable access control to MazeRunner's management interface by limiting access to specific IP

addresses. To add an IP address to your access control whitelist, click "Add rule", enter the IP address, and

then click "Save":


CAUTION! If this is not done properly, you risk losing your own access to MazeRunner. Please

ensure the validity of the information you enter here. If something goes wrong, please contact

Cymmetria support.

ALERTING POLICY

Here you can define the system-wide policy for handling events. See Changing alerting policy on page 83 for

more details.

CAMPAIGN AND DEPLOYMENT

Here you can enable periodic breadcrumb deployment, MazeRunner's endpoint Forensic Puller, and

Automatic Hackback16, as well as define your campaign refresh frequency, remote deployment settings, and

local admin credentials for endpoints (and test those credentials). See Periodic breadcrumb deployment &

campaign refresh on page 60, Forensic Puller on page 67, and Automatic Hackback on page 72 for detailed

instructions.

CUSTOM SERVICES – ENTERPRISE EDITION ONLY



feature works.

Custom services are services that are not part of MazeRunner by default. You can upload a custom service

that you have created or received from another source. Once uploaded, you will be able to add the service

to your deception campaign.

16

This feature is currently available to MazeRunner Enterprise customers only.



To add a new custom service, navigate to Settings > Custom services, click "Add custom service", and upload

a ZIP file containing your custom service. NOTE: Each custom service file that is uploaded to MazeRunner

must contain a name and description.

The custom service's label and description can be edited from the custom services table, using the edit icon

in the Actions column. To delete a custom service, use the delete icon in the same column of the table. Note

that when you delete a custom service, all related events as well as all instances of the service in your

deception campaign will be deleted.

GOLDEN IMAGES – ENTERPRISE EDITION ONLY



feature works.

MazeRunner allows you to add new base images for decoys, in order to keep decoys consistent with your

organization's production machines. You can configure these images in Settings > Golden image.

To add an image, follow these steps:

1. Click "Add golden image", fill in a name, and click "Next".

2. Upload your image. You can stop an upload by clicking "Stop upload":

3. Once your image has finished uploading, click "Done" to finish. You will now see your image and its

details listed on the main screen (your image's status may show as "Onboarding" for several hours):

Now, when you manually create a decoy from the Campaign screen, you can select your new image from the

Operating system drop-down:


A few notes on support for golden images:

Supported image type: VMware OVA images only

Supported OS types: Windows 7 and above

Code Execution alerts are not supported

ACTIVE DIRECTORY

Here you can import domains from an Active Directory for use when managing your endpoints and

automating breadcrumb deployment. You can also view information on Active Directory sources and CIDR

blocks you have added. Please see Importing endpoints from Active Directory on page 49 for more

information.

RELAY – ENTERPRISE EDITION ONLY

Here you can configure MazeRunner's Relay feature, which allows connecting multiple MazeRunner

instances and monitoring them from one MazeRunner machine. See Relay on page 68 for more information.

SSL CERTIFICATE

Here you can view the current server certificate and download the CA certificate. You can also replace the

certificate with a new certificate signed by MazeRunner or signed by a certification authority (CA). See SSL

Certificate on page 66 for more information.

API KEYS

Almost everything that can be done using the MazeRunner interface can also be achieved by using the API.

Some examples include:

Inspecting and managing alerts

Creating and editing deception campaigns


Implementing new breadcrumb deployment mechanisms

Integrating MazeRunner with 3rd party systems

On the API Keys sub screen, you can add API keys to allow users to access the MazeRunner API. To do so,

follow these steps:

1. Click "Add API key", enter a description (this is an internal description), and click "Save":

2. Your new API key details (description, key ID, and secret key) will appear on the screen. NOTE: Be

sure to record the secret key, as this is the only time you will see it. Click "Done" to finish.

3. API keys can be removed at any time by clicking the trash icon in the Actions column on the right-

hand side of the screen.

In order to ensure you are communicating with MazeRunner, click "Download CA certificate" and add this to

your API script.

For more details on the MazeRunner API, see our online API documentation.

USER MANAGEMENT

User management allows admins to create and delete users and assign them user roles, as well as view

MazeRunner's access log, which records the date and time each user accesses MazeRunner, and from which

IP address.

To create a new user and assign that user a role, navigate to Settings > User Management and follow these

steps:

1. Click "Add user". Define a unique username and password, assign the user a role (see Role-based

access control, below), then click "Save":

2. Users can be edited at any time by clicking the pencil icon in the Actions column on the right-hand

side of the screen.



ROLE-BASED ACCESS CONTROL

MazeRunner allows you to assign different levels of access to individual users. Certain features and/or

screens within MazeRunner will be disabled for users with insufficient permissions to view or edit those

features/screens. MazeRunner offers the following levels of access: Administrator (only an administrator

user can create, edit or delete other users), Deception Manager, Incident Response Analyst, and Read-only.

The following table details some specific actions each level of access can take within MazeRunner:

Administrator Deception

Manager

Incident

Response

Analyst

Read-only

Create, edit or delete other users

Create an API key

View the User Management page

Change the deception campaign

Change endpoints

Change settings partial

Change integrations

Acknowledge or stop background tasks and

notifications

Edit/archive events and alerts

Change password, send logs to Cymmetria, view

active tasks and notifications, view the About

screen, send feedback

View most MazeRunner screens and features

(unless otherwise indicated)

Additional notes about user roles:

When upgrading to MazeRunner version 1.9.0 or above from an older version of MazeRunner (1.8.0

and below) that has multiple users, all users will become admin users (one time only). If you wish to

assign lower access to some users, you will need to do so after upgrading. For all future upgrades,

user roles will persist.

For each role, the limits of what the user can do are defined on a screen-by-screen basis. If a user

does not have the necessary permissions to edit an object, for example, control buttons (such as

“Save” or “Delete”) will be disabled, and a tooltip stating "Insufficient permissions" will appear. In

other instances, a banner will appear near the page title stating that some settings are disabled for

non-admin users.


DIAGNOSTICS

MazeRunner diagnostics allows you to run diagnostics to review the current configuration of MazeRunner.

Simply click "Run MazeRunner diagnostics":

If a test was unsuccessful, you will see a red X and an error message with further instructions on how to

proceed.

TASK MANAGER

The task manager, accessed from the check mark icon that is

located on the top right navigation bar, displays MazeRunner

tasks and their statuses. By clicking the icon, you can view the

status of tasks that are currently running (on the Running tab),

and see a list of completed tasks (on the Complete tab). NOTE: Stopped and failed tasks can be seen on the

Complete tab alongside successful tasks.

If you would like to stop a task that has already been started, you can do so from the Running tab. To stop a

task that is currently in progress, click the Stop icon to the right of the task's name:

Once you do this, the task will move to the Complete tab and its status will appear as "Stopped":


NOTE: If you stop a task (for example, a breadcrumb deployment) before it has completed, you will need to

navigate to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and clean the

endpoints on which breadcrumbs have already managed to deploy before you stopped the deployment. For

more information on how to do this, see Filter & sort options and Bulk actions in the Endpoints screen

section on page 105.

If a task fails, you will see this detailed in the task's status bar on the Complete tab:

To check failed deployments, you will need to go to the Endpoints screen, filter out all the endpoints with a

Deployment Failed status, and expand the endpoint rows to check why they failed. For more information on

how to do this, see Filter & sort options on page 106.

NOTIFICATION CENTER

The notification center, accessed from the globe icon on the top right

navigation bar, displays alerts and notifications regarding your

MazeRunner activity. This includes campaign import status, any issues

that need your attention, and more.

STABILITY ALERT EMAILS

To make sure you do not miss important notifications, MazeRunner will send an email alert for some types

of notifications in addition to displaying them in the notification center.

Email settings can be configured by navigating to Settings > Email and Reporting.


DECEPTION STORY WIZARD

This tool, accessed from the New story button on the Campaign

screen, assists you in building your deception campaign. The wizard

allows you to choose from templates that have been prepared by

Cymmetria's security team. Alternatively, you can build your own

customized deception stories without the help of the wizard.

For more information on how to build deception stories using the wizard, see the section entitled Creating a

deception campaign (using the Deception story wizard) on page 42.

USER MENU

This menu, accessed from the user menu icon on the top right navigation bar, allows you

to change your password, update the system, access MazeRunner's user manual, send

logs to Cymmetria, and open a support ticket (or send feedback).

CHANGE PASSWORD

If you would like to change your password, you can do so here. Simply enter your old password and your

desired new password, and then click "Update":

SYSTEM UPDATE

Use the System Update wizard to check for MazeRunner updates or upload and install an update file you

received from Cymmetria. When you select "Update" from the System Menu, the System update window

will open and display the current system status (either that MazeRunner is up-to-date, or prompting you to

check for updates).

To check for updates, click "Check online for updates":


If an update is available, you will be prompted to download and install it. The system will reboot after

installation is complete.

To upload and install an update file you received from Cymmetria, click "Upload and install an update file".

Once you click this button, the update file will upload and then automatically begin to install. NOTE: During

installation, you will not be able to use MazeRunner; the system will reboot after installation is complete:

If your update fails, please contact Cymmetria support and we will be happy to help you.

IMPORTANT: If your MazeRunner server is connected to the Internet, it will automatically check for version

updates once a week and will prompt you with a notification if there is a new version to download. Also,

when a new version of MazeRunner is released, Cymmetria will notify you by email. This way, if your

MazeRunner is not connected to the Internet, you can manually update the system by using the MazeRunner

Update wizard to upload an update file.

SEND LOGS TO CYMMETRIA

Sending logs to Cymmetria will allow us to better investigate issues related to your specific MazeRunner

instance. You can send logs automatically by entering your email address in the field provided and then

clicking "Send logs":



HELP FEATURES

The MazeRunner UI includes several types of help features to guide you in your use of the product.

HELP ICON

A help icon ? is located at the top right of the services and breadcrumbs forms (click “Create service” or

“Create breadcrumb” from the Services or Breadcrumbs sub screens of the Campaign screen). Clicking the

help icon will provide a description of all available services, or a description of available breadcrumbs and

how they affect endpoints. When in help mode, the help icon will change to a back icon < that, when clicked,

will take you back to the creation form:

DECEPTION ELEMENT DESCRIPTIONS

A short description is located at the top of the services and breadcrumbs creation forms, to provide a

general description of what these elements are:


TOOLTIPS

Tooltips are located throughout MazeRunner in various places, such as on hover over certain icons and

buttons. When you hover your mouse cursor/pointer over a relevant item, a tooltip will appear in order to

provide further information about the item:

INTEGRATIONS

MazeRunner has bi-directional integrations, meaning it either uses other security tools to trigger deception

in MazeRunner (e.g., playbooks) or it sends threat intelligence data from MazeRunner to other solutions,

such as ThreatConnect. You can also integrate MazeRunner's intelligence feed with your SIEM (e.g., Splunk,

ArcSight), or with your sandbox to send files gathered by MazeRunner for sandbox analysis.

CUCKOO SANDBOX

You can send malware samples to Cuckoo and have the results sent back to and displayed in MazeRunner.

You will be able to download the results (a ZIP file) from the alert details on MazeRunner's Investigation

screen. This integration can be used for Code Execution and Unsigned Code Execution alerts.

To configure a Cuckoo sandbox in MazeRunner, follow these steps:

1. Navigate to Integrations > Cuckoo sandbox and click "Add instance".

2. Give your instance a name (internal), and enter the internet address (either IP or full DNS address) of

your Cuckoo instance, as well as its API and display ports. Enable using HTTPS if you wish to do so.

3. Choose a status for your integration; there are three options:

1. Active – Automatic – Relevant events will automatically be fed to the integration.

2. Active – Manual – You will need to manually send relevant events to the integration, by

choosing to do so from the expanded alert view on MazeRunner's Investigation screen:

3. Turned off – Integration is currently inactive.


4. If you would like, enable "Send muted events" (send data from events set to "Mute" in the alerting

policy) using the toggle button.

5. Test your connection using the Test connection button, and then click "Save changes".

You can add additional instances by clicking the "Add instance" button at the top right-hand side of the

screen. To delete an instance, click the trash can icon for that particular instance.

NOTE: You can use the Resend event data button to resend event data that previously failed to send.

IBM BIGFIX

You can deploy breadcrumbs to endpoints in your organization using IBM BigFix. See the IBM BigFix sub

screen of Integrations in the MazeRunner UI for more information.

SCCM

You can deploy breadcrumbs to endpoints in your organization using SCCM. See the SCCM sub screen of

Integrations in the MazeRunner UI for more information.

TANIUM

You can deploy breadcrumbs to endpoints in your organization using Tanium. See the Tanium sub screen of


MCAFEE EPO

You can deploy breadcrumbs to endpoints in your organization using McAfee ePO. See the McAfee ePO sub

screen of Integrations in the MazeRunner UI for more information.

AWS

You can deploy MazeRunner in AWS. To do so, please contact Cymmetria to receive a version of

MazeRunner that is configured to work in AWS.



SYSLOG

MazeRunner supports several integrations for reporting alerts through syslog (Splunk, ArcSight,

Elasticsearch, and more). Here you can define settings for syslog (UDP/TCP port and address, output format,

and encryption).

Click "Add instance", name your instance, choose which protocol you would like to use (UDP or TCP), and fill

in the UDP/TCP address and port. Use the toggle buttons on this screen to enable using ArcSight CEF,

encrypting the TCP syslog with SSL, and sending muted events, and then click "Save changes":

You can add additional instances by clicking the "Add instance" button at the top right-hand side of the

screen. To delete an instance, click the trash can icon for that particular instance.

NOTE: You can use the Resend event data button to resend event data that previously failed to send.

THREATCONNECT

This section will show you how to set up ThreatConnect for use with MazeRunner.

To set up ThreatConnect integration, follow these steps:

1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you

would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of

which feed to connect, please check with your ThreatConnect contact). In this example, our feed is

called "Cymmetria TAXII Source":


2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared

on your screen. Click on the gear icon to go to your TAXII feed's Source Config:

3. In Source Config, go to the Data tab:


4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange:

5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window

has popped up on your screen:

Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII

server URL found in MazeRunner's Integrations settings. To do this:

a) Open MazeRunner in your browser by navigating to your virtual machine's IP address

(using HTTPS). In the MazeRunner UI, navigate to the Integrations screen and select

ThreatConnect from the left-hand side of the screen:


b) There you will find "TAXII settings". Use the toggle button next to "Enable TAXII server"

to enable the server, click the Submit button, and then copy the link found in the "TAXII

server URL" field.

c) Go back into ThreatConnect and paste this URL into the space provided, then click

"Next".

6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click

on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5

will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not

need to use these credentials again; they are only required by ThreatConnect in order to proceed to

the next step), then click "Next":

7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called

"alerts_feed"), then click "Next":


8. Click "Next" until you reach the Confirm tab, and then click "SAVE".

PHANTOM

You can use Phantom to deploy breadcrumbs to endpoints in your organization. See the Phantom sub screen

of Integrations in the MazeRunner UI for more information.

For help, please contact Cymmetria.

CHEF

You can deploy breadcrumbs to endpoints in your organization using Chef. See the Chef sub screen of




ENDPOINTS SCREEN

This screen shows you endpoints and the breadcrumbs they contain, along with their status, details, and

possible actions that can be taken:

Notice the endpoint status chart at the top of the screen. An endpoint's status is defined as follows:

Clean – The endpoint contains no breadcrumbs (usually when the endpoint has recently been

imported and no action has been taken on it)

Deployment Failed – Breadcrumb deployment to the endpoint was unsuccessful (a detailed error

message will be shown when you expand the endpoint row)

Inactive – The endpoint contains breadcrumbs, but a subset of those breadcrumbs are inactive

Active – Breadcrumbs have been deployed to the endpoint successfully, and are active

NOTE: You can redeploy breadcrumbs to endpoints that had issues by choosing the relevant Deployment

mode in the Deploy to endpoints form (see Deploying breadcrumbs on page 56 for more information):

After you have deployed breadcrumbs to your endpoints, you will be able to expand each endpoint by

clicking the + icon to see details about the breadcrumbs on that endpoint.

You have already learned how to import endpoints from Active Directory and from CIDR blocks (page 49 and

53), and how to deploy breadcrumbs to those endpoints (page 56); now let's look at what else you can do

with your endpoints from the Endpoints screen.


FILTER & SORT OPTIONS

There are several filter and sort options available on the Endpoints screen. You can use the search bar,

and/or the funnel icon to the right of certain column titles (Endpoint ID, Status, Status updated on,

Deployment groups, Origin, and Last connection attempt), and/or the arrow icon to the right of some

column titles (Endpoint hostname, Endpoint IP, Status updated on, and Last connection attempt).

To filter using the search bar:

1. Type your search criteria into the search bar and then click the magnifying glass icon or hit "Enter"

on your keyboard. You can search using letters and numbers pertaining to an endpoint's hostname,

IP address or operating system (e.g., searching '2016' would return a result showing all endpoints

running a Windows Server 2016 Standard operating system):

2. To clear your filter results and return to the main screen (where all endpoints are visible), simply

delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter"

on your keyboard.

To filter using the funnel icon to the right of column titles:

1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available

options, then click "Apply filter":

2. To clear your filter results and return to the main screen (where all endpoints are visible), click again

on the funnel icon to the right of the column title and then click "Clear".

Use the arrow icons next to column titles to sort data numerically or alphabetically.

Refresh the page by using the Refresh button at the top left-hand side of the screen (this page does not

dynamically refresh).


BULK ACTIONS

Using the checkboxes next to each endpoint, you can take bulk actions on selected endpoints. You can

delete endpoints, clean breadcrumbs from endpoints, deploy breadcrumbs to select endpoints, re-assign

endpoints to a different deployment group, and run Forensic Puller on endpoints.

To delete an endpoint and its related breadcrumbs (remove from database completely):

1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the

left of the endpoint hostname. This will cause the bulk actions drop-down to appear:

2. Click "Delete endpoints"; when prompted to confirm the action, click "Delete".

3. Once the action has been completed successfully, you will see a green confirmation message appear

next to the notification center at the top right-hand corner of your screen.

To clean breadcrumbs from an endpoint (connect remotely and remove breadcrumbs on that endpoint):



2. Click "Clean breadcrumbs" and choose your preferred deployment method (executable or native

script). If you have previously configured local admin credentials for endpoints in Settings >

Campaign and Deployment, you will see these credentials here. You can change these credentials by

clicking "Change". If you choose to change the credentials, you can save the new credentials for

further use by using the toggle button that appears. NOTE: Saving the new credentials will overwrite

the existing (previously configured) credentials for all purposes:

3. When you are ready, click "Clean".


next to the notification center at the top right-hand corner of your screen.


To deploy breadcrumbs to select endpoints:



2. Click "Deploy breadcrumbs" and choose your preferred deployment method (executable or native

script). If you have previously configured local admin credentials for endpoints in Settings >

Campaign and Deployment, you will see these credentials here. You can change these credentials by

clicking "Change". If you choose to change the credentials, you can save the new credentials for

further use by using the toggle button that appears. NOTE: Saving the new credentials will overwrite

the existing (previously configured) credentials for all purposes:

3. When you are ready, click “Deploy”. NOTE: Unassigned endpoints will be skipped.

To re-assign an endpoint to a different deployment group:



2. Click "Assign to deployment group". From the drop-down list that appears, choose the deployment

group to which you would like to assign the selected endpoint, then click "Assign":



next to the notification center at the top right-hand corner of your screen. NOTE: An endpoint and

its breadcrumbs must belong to the same deployment group. Therefore, if the endpoint you re-

assigned contains breadcrumbs from a different deployment group, your endpoint will become

inactive and you will see an error message when you expand the endpoint row. You will need to

clean the endpoint and redeploy its breadcrumbs either manually or automatically to resolve this.

To run Forensic Puller on the selected endpoints:



2. Click "Run Forensic Puller", and when prompted, click “Run”.

DASHBOARD

The Dashboard provides a visualization of all active deception elements (i.e., an active map of your

deception campaign). Here you can see a visualization of your deception story and deployment to endpoints,

and can filter based on date range, alert type, and event status. The Dashboard gives you a bird's-eye view of

how MazeRunner is deployed on your network. To see all events and alerts in the system you can go to the

Investigation screen.

The map displays decoys (as boxes), deployment groups (as circles), and the connections (services,

breadcrumbs, endpoints) between them. Clicking on a decoy will focus the map around it and will show

metadata about that specific decoy (name, IP address, OS, decoy status, a list of the types of services running


on the decoy, and shortcuts to other MazeRunner screens where you can view more detailed information

related to that decoy). You can deselect a decoy by clicking anywhere outside of it.

Clicking on a deployment group will focus the map around it and will show metadata about that specific

deployment group (name, distribution of endpoints in the group by their status – Active, Inactive,

Deployment failed, and Clean, and shortcuts to other MazeRunner screens where you can view more

detailed information related to that deployment group). You can deselect a group by clicking anywhere

outside of it.

Many icons and numbers have tooltips for clarification; simply move your mouse cursor or pointer over an

icon to learn more:

The Dashboard's legend, which provides an explanation of individual features, can be accessed by clicking

the ? icon located beside the search bar on the top right-hand side of the Dashboard.


CAMPAIGN SCREEN

The Campaign screen is where you can view your deception campaign and its details. Using the Decoys,

Services, Breadcrumbs, and Deployment Groups sub screens, you can manually create and manage your

campaign's deception elements. For more information on how to do this, see Creating a basic deception

campaign manually on page 45.

Once you have added deception elements to your campaign, you will see them visualized on the top part of

the screen:

Each decoy displays its name and operating system. On hover over the information icon (the i on the right

side of the decoy), status and IP info will also be displayed. Clicking the information icon will show detailed

information about that particular decoy, on the Decoys sub screen.

Each service displays its name and type. On hover over the information icon, the service's status will also be

displayed. Clicking the information icon will show detailed information about that particular service, on the

Services sub screen.

Each breadcrumb displays its name and type. On hover over the information icon, the breadcrumb's status

will also be displayed. Clicking the information icon will show detailed information about that particular

breadcrumb, on the Breadcrumbs sub screen.

Each deployment group displays its name and the number of active endpoints out of the total number of

endpoints assigned to that group. Notice that the deployment groups shown in the above screenshot sit


below the rest of the deception elements; this is because no breadcrumbs have been assigned to them yet.

Once a breadcrumb is assigned to a deployment group, you will see the connection visualized along with the

other deception elements:

Color-coded lines show the various connections between deception elements. Note that each service can

only connect to one decoy, and each breadcrumb can be connected to one decoy (via multiple services).

In addition to the visualization on the top part of the screen, your deception elements will also appear on the

relevant sub screens on the bottom part of the screen. Here you can view additional details about each

deception element (status, details, connections to other deception elements, etc.) and edit each element:

The Decoys, Services, and Breadcrumbs sub screens can also be filtered to show only active or inactive

elements, using the "Showing" drop-down list located at the top left of the sub screens:

Additional information about each sub screen is explained in Creating a basic deception campaign manually

on page 45.

INVESTIGATION SCREEN

The Investigation screen is split into two sections: on the right-hand side of the screen is the Investigation

table, which shows deception campaign events (including alerts); on the left-hand side of the screen is the

attack story section, which contains a list of attack stories:


Each time an attacker carries out an action on a decoy machine, an event is created. Not every event

warrants an alert; for example, events such as port scans and protocol connections are documented without

raising alerts. The following are examples of common types of events documented by MazeRunner (for a full

list of event types and their descriptions, see Types of events on page 119):

1. Port access – An indication that an attacker has probed a decoy.

2. Interaction event – An attacker might try to interact with one of the services on a decoy; this type of

event will notify the user of such attempts. For example, an SSH Interaction event would indicate

that an attacker tried to log into SSH.

3. Code execution – An indication that an attacker has executed a program on a decoy.

4. Unsigned code execution – An indication that an attacker has added and executed a program on a

decoy. This is different than a regular code execution, where the program is already located on the

decoy.

DON'T FORGET: You can configure which action you would like to be taken for different events on the

Alerting Policy sub screen of Settings (see page 83).

ATTACK STORY SECTION

This section is expanded by default; it can be collapsed to the left (and expanded again) using the arrow

button on the top left side of the section:

Attack stories provide detailed information (what actually happened, where, and in which order) about

events that are related to one another, in order to help you contain and remediate attacks faster and more

accurately.


An attack story contains a list of events sharing common data; it contains general data and statistics derived

from the events. Each attack story is automatically assigned an ID by MazeRunner, and each event that

appears in the Investigation table (on the right-hand side of the Investigation screen) shows the ID of the

story it appears in.

There are two types of attack stories:

1. "Endpoint accessed a decoy" – The events that happened from a specific endpoint to a specific decoy

2. "Credentials theft detected" – All of the events regarding credential theft and usage from a specific

endpoint

NOTE: An event cannot be assigned to more than one attack story.

By default, attack stories appear collapsed in the attack stories section. The collapsed view shows Story ID,

Story type, Number of alerts and events, Most recent event, First event, Attacker IP, Attacker hostname, and

(only for "Endpoint accessed decoy" stories) Decoy name:

Clicking the Investigate button on the top right of the story will expand the story to show full details:

When an attack story is expanded, notice that the Investigation table on the right-hand side of the

Investigation screen automatically filters itself according to that story:


Clicking the X on the left side of the blue bar will cancel the filter and will collapse the expanded story on the

left-hand side of the Investigation screen.

When an attack story is expanded, you can download a detailed report about that attack story to further

investigate events (including alerts). Simply click the download icon, select a date range, and click

"Download". See Email and reporting on page 86 for more information.

INVESTIGATION TABLE

The Investigation table shows information about events. By clicking the + icon (or clicking anywhere on the

row), you can expand each entry in the Investigation table to see more information about the event:

If you have configured custom integrations (e.g., Cuckoo) with a status of "Active – Automatic", you will see

information for relevant events in that event's expanded entry data:


If you have configured custom integrations (e.g., Cuckoo) with a status of "Active – Manual", you can choose

to manually send that data to the integration by selecting the instance from the Send to drop-down:

While in an expanded entry, you can click “Create user rule” to create a rule that will apply to alerts that are

similar to the one you are currently viewing:

The Create user rule form that opens will auto-populate its fields based on information from the alert you

are viewing; if you wish to edit any of these fields, you can do so before clicking “Save”.


NOTE: The Investigation table does not refresh automatically so as not to disturb users who may be browsing

the table’s content. If new events occur while a user is viewing the Investigation screen, an animated bell

icon and message will appear, next to the Refresh button at the top of the table. Clicking the message or icon

(or the Refresh button) will refresh the table:

FILTER & SORT OPTIONS

There are several filter and sort options available on the Investigation screen, for both attack stories and

events (Investigation table).

Events are classified as "Unresolved" when they first appear on the Investigation screen. You can change

them to "Resolved" after you have reviewed them and have taken all necessary actions. Resolved events can

be seen as archived; they will not appear by default unless you specifically choose to filter the Investigation

screen to show them (only unresolved content is displayed by default). You can change your Investigation

screen's filter using the drop-down list at the top of the screen, and then click "Refresh":

This filter affects both the Investigation table as well as attack stories. An attack story with all of its events

resolved will be considered resolved; otherwise the story is unresolved.

NOTE: When upgrading from a version of MazeRunner that does not support the resolved/unresolved event

state, all of the existing events will be marked as unresolved.

Attack stories section

You can use the search bar and/or filter by date range.

To filter using the search bar (will search on all story fields, not events within stories; matched strings within

a story will be highlighted):


on your keyboard. You can search using letters and numbers.

2. To clear your filter results and return to the main screen (where all attack stories are visible), simply

delete the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter"

on your keyboard.


To filter by date range (stories that have events within the range will be displayed):

1. Click on the Date Range field, choose your "from" and "to" dates, then click "Save":

2. To clear your filter results and return to the main screen (where all attack stories are visible), return

the date to the current date.

NOTE: The counters and fields in the attack stories change according to the filter (e.g., If the filter for date

range is tighter, the number of total alerts will probably be lower).

Investigation table

Using the drop-down at the top of the table, you can choose to view muted events and alerts, or alerts only.

By default, you will see muted events and alerts only.

You can also use the search bar, and/or the funnel icon to the right of certain column titles (ID, Time, Type,

Decoy name, Username, Source), and/or the arrow icon to the right of some column titles (Time).

To filter using the search bar:


on your keyboard. You can search using letters and numbers pertaining to an event or alert.

2. To clear your filter results and return to the main screen (where all events are visible), simply delete

the criteria you entered into the search bar, then click the magnifying glass icon or hit "Enter" on

your keyboard.

To filter using the funnel icon to the right of column titles:

1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available

options, then click "Apply Filter":


2. To clear your filter results and return to the main screen (where all endpoints are visible), click again

on the funnel icon to the right of the column title and then click "clear".

Use the arrow icons next to column titles to sort data numerically or alphabetically.

Refresh the page by using the Refresh button at the top left-hand side of the screen (this page does not

dynamically refresh).

BULK ACTIONS

By selecting the checkbox to the right of the + icon, you can take bulk actions on selected events. You can

delete an event, mark an event as Resolved or Unresolved, or run Forensic Puller on an event, using the

Action on selected alerts drop-down that appears after you select one or more checkboxes. NOTE: Events

marked as resolved will appear in the table as slightly faded, in comparison to unresolved events.

If you configured it as such on the Syslog sub screen of the Integrations screen, all alerts will go to a syslog

server that may be monitored by your SIEM (e.g., Splunk). Likewise, if you configured a different, relevant

integration (such as Cuckoo), your alerts will be sent there for processing.

To export event information in CSV format, click "Export to CSV" on the bottom left side of the screen.

That's it! You now know how to use MazeRunner's platform to create and monitor a basic deception

campaign.

We're here to help. If you have any questions, please contact us at [email protected].

TYPES OF EVENTS

MazeRunner provides the following types of events. Some events are configured to “Mute” by default;

others are configured to “Alert”. The alerting policy can be customized from Settings > Alerting policy.

Code execution

An indication that an attacker has executed a program on a decoy.

Unsigned code execution

An indication that an attacker has added and executed a program on a decoy. This is different than a regular

code execution, where the program is already located on the decoy. Currently supported on Linux decoys.



NBNS poisoning detected

An attacker poisoned an NBNS hostname query that MazeRunner issued, either from a decoy or an

endpoint.

HoneyDoc

A HoneyDoc deployed to an endpoint was opened. IMPORTANT: This alert may be triggered even if the

HoneyDoc file is taken from the endpoint and opened in a different location.

GitLab interaction

A Git operation was carried out on a decoy running an active Git service.

Network credential interaction

Specific network credentials were used on a decoy.

Credentials stolen by attacker

MazeRunner detected use of Responder.py tool and fed the attacker deceptive credentials.

OpenVPN interaction

An OpenVPN operation was carried out on a decoy running an active OpenVPN service.

SSH interaction

Someone connected or tried to connect to a decoy running an SSH service. Other interactions, such as failed

logins, etc., might also be recorded.

HTTP request

An HTTP request was made to a decoy running a web application service.

MySQL request

A MySQL operation was carried out on a decoy running an active MySQL service.


Port access

An indication that an attacker has probed a decoy. The alert will contain additional information about the

protocol (TCP/UDP) and the specific port access (e.g., 389). Please note that some ports are ignored by

default in order to minimize false positive alerts; you can change this policy in Settings > Alerting Policy (see

Changing alerting policy on page 83 for more information).

Share access

A file on an SMB share was accessed on a decoy running the SMB service.

Busybox Telnet authentication

An attacker connected to the Telnet port.

Busybox Telnet command execution

An attacker executed a command.

Mirai worm detected

The Mirai Worm Monitor service fingerprinted an attacker using Mirai.

Intel AMT authentication attempt

An attacker attempted to authenticate against the AMT service.

Intel AMT exploited

An attacker exploited a known AMT vulnerability to gain access to a decoy.

SMTP interaction

An attacker sent SMTP traffic to the SMTP service.

FTP interaction

There are multiple types of FTP interaction alerts:

Client connected – An attacker connected to the service

Client disconnected – An attacker disconnected from the service

User logged in – An attacker logged in to the service

User failed to log in – An attacker failed to log in to the service

User logged out – An attacker logged out from the service


User uploaded a file – An attacker uploaded a file

User downloaded a file – An attacker downloaded a file

User deleted a file – An attacker deleted a file

User listed directory content – An attacker listed directory content

User navigated to directory – An attacker changed working directory

User created a directory – An attacker created a directory

User deleted a directory – An attacker deleted a directory

Enterprise Edition note: In addition to the above-listed event types, MazeRunner Enterprise Edition includes

the following types of events: “Unrecognized machine”, “RDP session recorded”, “RDP interaction”, and

“Stolen credentials used by attacker”.

SUPPORTED OPERATING SYSTEMS

MazeRunner Community Edition decoys and breadcrumbs currently support the following operating

systems:

Decoys

Linux (Ubuntu 14.04)

Breadcrumbs

Windows: Windows 7 up to and including Windows 10 (including Windows Server 2008 R2 and up to

Server 2016)

Linux:

o Ubuntu 12.04 and above

o CentOS, Redhat, and Debian

Mac: OS X Yosemite 10.10 and up

Enterprise Edition note: In addition to the above-listed operating systems, MazeRunner Enterprise Edition

decoys support Windows (7, Server 2008, Server 2012). Enterprise Edition also allows the use of golden

images: MazeRunner allows you to upload and set up your own Windows images as decoys (Windows 7 and

above).


TYPES OF DECOYS

You can choose from the following two virtual machine types when manually creating a decoy in

MazeRunner:

Nested (KVM)

Cymmetria recommends using nested virtualization for your decoys (when possible), as it makes decoy

management easier and more centralized. If you choose to use nested decoys, no additional actions are

required to create or manage a decoy – simply select “Nested” from the VM type drop-down list when

creating a new decoy. NOTE: If you change MazeRunner’s IP address, you will need to recreate the decoy.

See this FAQ (page 128) for instructions on how to do so.

For information on how to create a decoy, see Creating a basic deception campaign manually on page 45.

Standalone (OVA)

If you decide to create a standalone decoy (instead of a decoy that uses nested virtualization), you will need

to download the decoy's OVA file. Do this by clicking the download icon in the Actions column on the Decoys

sub screen of the Campaign screen.

After downloading the decoy's OVA file, upload it to your chosen hypervisor. Once the file has been

uploaded to your hypervisor, make sure that you configure the virtual machine to have network access to

MazeRunner.

NOTE: If you change MazeRunner’s IP address, you will need to manually recreate the decoy. To do this, you

will need to delete the decoy and create a new one.

For information on how to create a decoy, see Creating a basic deception campaign manually on page 45.

TYPES OF SERVICES

The following is a list of services and the breadcrumb types they support:

Git

Description: Source-code management.

Supported breadcrumb type(s): Git credentials

Supported decoy type(s): Linux


HoneyDoc

Description: Monitors the use of HoneyDoc breadcrumbs. A shared folder will be created on the decoy for

this purpose.

Supported breadcrumb type(s): HoneyDoc

Supported decoy type(s): Windows and Linux

Intel AMT – Low Interaction

Description: Mimics Intel AMT interface to catch attackers that are interacting with it.

Supported breadcrumb type(s): N/A


Mirai Worm Monitor

Description: Monitors for attackers who use the Mirai open source botnet in order to attack open telnet

systems.



MySQL

Description: Database service.

Supported breadcrumb type(s): MySQL


OpenVPN

Description: Virtual private network (VPN) service.

Supported breadcrumb type(s): OpenVPN


SMB

Description: Creates a shared folder on the decoy.

Supported breadcrumb type(s): Credentials, Network share



Responder Monitor

Description: This service can, in addition to connecting to the Responder Monitor breadcrumb, monitor for

attackers performing NBNS spoofing and using Responder.py tool directly from the decoy. The username,

domain, and password will be fed to the attacker from the decoy. Activating MazeRunner's Responder

Monitor (ActiveSOC > Responder Monitor) allows raising alerts when stolen credentials are used in the

network.

Supported breadcrumb type(s): Responder Monitor


SMTP – Low Interaction

Description: A low-interaction SMTP server.



SSH

Description: Remote shell service.

Supported breadcrumb type(s): SSH with private key, SSH with password


Web Application

Description: HTTP server with a pre-set web application such as MediaWiki, SugarCRM or phpMyAdmin, or a

custom, user-controlled website.

Supported breadcrumb type(s): Cookie (only when phpMyAdmin is enabled)


FTP Server

Description: An empty FTP server.



Enterprise Edition note: In addition to the above-listed services, MazeRunner Enterprise Edition includes an

RDP service (a remote desktop service for Windows decoys that supports RDP and Credentials breadcrumbs)

and a Network Monitor service (supports two types of alerting mechanisms: one for unrecognized machines;

one for detecting ARP poisoning around the decoy).


TYPES OF BREADCRUMBS

The following is a list of breadcrumbs and the endpoints on which they are supported:

Cookie

Description: A Chrome browser cookie that leads to a web application service.

Supported on: Windows endpoints

Credentials

Description: Credentials are stored in the Credential Manager. These credentials can be used for

authentication with any Windows application that uses the Credential Manager.


Git Credentials

Description: Credentials to the Git service.

Supported on: Windows, Linux, and Mac endpoints

HoneyDoc

Description: A DOCX file to be deployed on an endpoint. Opening the file will raise an alert.


MySQL

Description: A MySQL service connection command.

Supported on: Linux and Mac endpoints

Network Share

Description: Connects the shared folder to Windows and Linux endpoints.

Supported on: Windows, Linux, and Mac endpoints

OpenVPN

Description: OpenVPN configuration files in commonly used locations.



Responder Monitor

Description: This breadcrumb is deployed automatically and periodically. When deployed, it identifies NBNS

spoofing and the use of Responder.py tool on the endpoint's subnet. The username, domain, and password

will be fed to the attacker from the endpoint. Activating MazeRunner's Responder Monitor (ActiveSOC >

Responder Monitor) allows raising alerts when stolen credentials are used in the network.


SSH with password

Description: SSH connection details are stored in the Registry.


SSH with private key

Description: An SSH connection command to the decoy is stored in the Bash history or as a command alias.

Supported on: Linux and Mac endpoints

Enterprise Edition note: In addition to the above-listed breadcrumb types, MazeRunner Enterprise Edition

includes an RDP breadcrumb that is supported on Windows endpoints.


FAQ/TROUBLESHOOTING

This section contains known issues that customers have encountered during MazeRunner installation, setup,

and use.

DECOYS NOT WORKING

Q: My decoys aren't working. What's wrong?

A: Decoys sometimes get stuck in booting or configuring status. This can be caused by various issues (e.g.,

your MazeRunner IP address has been changed). To rectify this issue, go to the Decoys sub screen of the

Campaign screen and click the Recreate icon (located in the Actions column on the right-hand side of the

screen):

This will delete your decoy and recreate it, exactly as it was (i.e., you will not lose any current connections to

services and breadcrumbs).

If this does not solve the problem, please verify that your virtual appliance meets the minimum

requirements for running MazeRunner (check requirements on page 2). Pay particular attention to the

amount of RAM required per decoy.

If you have already tried recreating your decoys and are sure that your virtual appliance meets the minimum

requirements for running MazeRunner, yet the problem persists, please contact Cymmetria support so that

we can investigate the issue.

PROBLEM RESOLVING ENDPOINT NAME

Q: When testing the connection to an endpoint prior to automated deployment, I received the message

"Could not resolve endpoint name".

A: Follow these two steps:

1. Please verify that you are providing the full hostname of the endpoint, including the domain. For

example, "myendpoint.mydomain.local" vs. "myendpoint".

2. Please verify that the endpoint hostname you are providing is listed in your DNS server, or

alternatively that you correctly configured the DNS server during MazeRunner network configuration

(see page 63 for more information).



NESTED VIRTUALIZATION SUPPORT

Q: Why do I see a "Nested Virtualization not supported" message under "Status" on the Decoys tab of the

Campaign screen?

A: This message indicates that you did not enable support of virtualization (this support is not always turned

on by default in a VMware environment). See environment-specific instructions for enabling nested

virtualization on VMware Player (page 33), VMware Workstation (page 33), VMware ESXi (page 15) or KVM

(page 33).

DEPLOYING BREADCRUMBS AUTOMATICALLY TO LINUX MACHINES

Q: How do I deploy breadcrumbs automatically to Linux machines?

A: You can use the MazeRunner API. Cymmetria's Python SDK also has a fully functional sample script that

deploys remotely to Linux machines, which you can use as is or extend to fit your purposes.

Additionally, in various cloud environments, some users prefer to install breadcrumbs on the base image

that will be cloned by the load-balancer.

ARCSIGHT CEF

Q: Do you support ArcSight CEF syslog format?

A: Yes, MazeRunner supports the use of Common Event Format (CEF) for syslog. This can be enabled on the

Integrations screen. See Syslog on page 100 for more details.

SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS

Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link.

A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then

be able to deploy breadcrumbs. See Creating a basic deception campaign manually on page 45 for

instructions on adding, connecting, and activating breadcrumbs, services, and decoys.



CREATING USERS

Q: How do I add a user to a service when creating my campaign?

A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need

to enter a username and password when creating the corresponding breadcrumb (you can also choose to

randomize credentials from Cymmetria's breadcrumb pool):

You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy.

See Creating a basic deception campaign manually on page 45 for instructions on adding, connecting, and

activating breadcrumbs, services, and decoys.

USERS AFFECTED DURING BREADCRUMB DEPLOYMENT

Q: When deploying breadcrumbs to an endpoint, which users are affected?

A: Some breadcrumbs allow you to explicitly control which users are affected; however, most Windows

endpoint breadcrumbs will install to the users that are logged in when the breadcrumbs were deployed. A

notable exception is the persistent network share breadcrumb, which is installed for all Windows users.

CLEARING UP HARD DRIVE SPACE

Q: What happens when I delete an event from MazeRunner?

A: Deleting an event will remove all of the event's associated data. This is particularly important to consider for events that have large attachments, such as "Code execution" events.


RUNNING INTERNET-FACING DECOYS

Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys?

A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a

large amount of alerts (that are generally not high-interest alerts). The best way to use MazeRunner is to run

decoys inside of your organizational network. If however, you decide to run Internet-facing decoys, we

recommend you change your alerting policy to generate alerts only on critical events (such as code

execution), and to "ignore" others.

To set your alerting policy to ignore less-critical alerts, navigate to Settings > Alerting Policy and you will see

a "System-wide rules" section. In the Action on event column, select "Ignore" from the drop-down options:

PROBLEMS DURING OVA IMPORT

Q: I received a warning during OVA import saying that the OVA file did not pass OVF specification

conformance or virtual hardware compliance checks.

A: We are aware of this warning, and it is safe to click "Retry" and import the OVA file as is.

MAZERUNNER STORAGE ALLOCATION

Q: How much storage space is used for MazeRunner operation?

A: Only half of the storage allocated for the MazeRunner VM is made available for MazeRunner operation

(the other half is used for updating MazeRunner).


CREATING A WEB APPLICATION SERVICE

Q: Can I create a service using my own web application?

A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web

application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpMyAdmin. To add a web

application, follow these steps:

1. Create a ZIP file of your web application.

2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Create service".

3. Choose "Web application" from the Service type drop-down list.

4. Upload your own ZIP file by clicking "Choose File", then click "Save".

You have now created a new service using your own web application. For information on how to connect

this service to a decoy, and how to add breadcrumbs, see Creating a basic deception campaign manually on

page 45.

PROBLEMS DEPLOYING AN OVA DECOY ON ESXI

Q: I receive an error message when trying to deploy an OVA decoy on ESXi.

A: You may be using an older version of ESXi. MazeRunner OVA decoys are compatible with ESXi version 5.1

and higher, so if you are using an older version, you will need to update your ESXi.

CREATING A GIT SERVICE

Q: Can I create a Git repository service?

A: Yes. You can create a Git source code repository with GitLab web UI. This can be done by adding a Git

service to your campaign. To add a Git service, follow these steps:

1. Create a ZIP file to house your repository files. MazeRunner will accept a ZIP file for your Git service

in one of two formats:

a. ZIP file – all the files in the ZIP folder will be committed as an initial commit and load to the

remote Git service.

b. ZIP file with a Git folder – the folder will load as a repository, including commit history, to the

Git service. NOTE: The Git folder must be on the root ZIP hierarchy.


2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Create service".

3. Choose "Git" from the Service type drop-down list.

4. Upload your ZIP file by clicking "Choose File", then click "Save".

You have now created a new Git service. For information on how to connect this service to a decoy, and how

to add breadcrumbs, see Creating a basic deception campaign manually on page 45.

AUTOMATIC DEPLOYMENT TO ENDPOINTS FAILED

Deployment to endpoints can fail for various reasons. See below an explanation of the error messages you

might have received, and instructions on how to solve the problem.

ERROR: COULD NOT RESOLVE HOSTNAME

Q: I received the error message "Could not resolve hostname". What does this mean?

A: MazeRunner was not able to resolve the hostname of the endpoint to which you are trying to deploy.

Please make sure that your DNS server is configured correctly and that the endpoint's hostname has not

changed.

ERROR: INCORRECT CREDENTIALS

Q: I received the error message "Incorrect credentials ". What does this mean?

A: MazeRunner failed to log in to the endpoint using the credentials supplied by the user. Please make sure

that the credentials are valid and that they belong to an admin account (this can be the local admin on the

endpoint).

ERROR: SMB TCP PORTS (139, 445) ARE UNREACHABLE

Q: I received the error message "SMB TCP ports (139, 445) are unreachable". What does this mean?

A: MazeRunner failed to connect to the endpoints via the standard SMB ports. Please make sure that your

firewall allows connecting to these ports (either your organization's firewall or the endpoint's local firewall),

and that the endpoint accepts connection via these ports (this can be checked using the PsExec tool from the

Sysinternals Suite).

ERROR: DEPLOYMENT TIMEOUT

Q: I received the error message "Deployment timeout". What does this mean?

A: MazeRunner failed to complete the breadcrumb deployment within a reasonable time limit. This error

usually indicates that the first connection to the endpoint succeeded, but the endpoint lost connectivity

(either due to the endpoint shutting down/rebooting or some network malfunction). Please try to deploy

again.


ERROR: INVALID CONFIGURATION FOR DEPLOYMENT

Q: I received the error message "Invalid configuration for deployment". What does this mean?

A: MazeRunner did not have all of the necessary parameters for deployment. Please review your

deployment configuration (see this section on page 56 for more information).

ERROR: DEPLOYMENT FAILED

Q: I received the error message "Deployment failed". What does this mean?

A: MazeRunner failed to deploy to the endpoint due to one of the following reasons:

1. MazeRunner failed to install its deployment service. Please make sure that you do not have a policy

or software running on the endpoint that blocks MazeRunner's service installation.

2. MazeRunner failed to clean the endpoint of all previous breadcrumbs. Trying to clean an endpoint

without ever installing a breadcrumb on it will cause this error.

3. MazeRunner encountered an internal error. Please consult with Cymmetria for further

troubleshooting.

ERROR: NO ACTIVE DEPLOYMENT GROUP FOUND

Q: I received the error message "No active deployment group found". What does this mean?

A: MazeRunner could not deploy the selected breadcrumbs because the deployment group is not active.

Please make sure that all of your decoys, services, and breadcrumbs are active.

ERROR: NO BREADCRUMBS SUPPORTED ON THE ENDPOINT'S OPERATING SYSTEM WERE

FOUND IN THE DEPLOYMENT GROUP

Q: I received the error message "No breadcrumbs supported on the endpoint's operating system were

found in the deployment group". What does this mean?

A: MazeRunner could not deploy to the endpoint because none of the breadcrumbs found in the

deployment group are supported on the selected endpoint's operating system. You can either re-assign the

endpoint to a different deployment group that includes breadcrumbs supported on its operating system, or

add breadcrumbs that are supported on the endpoint's operating system to the current deployment group.


Documents

MazeRunner User Guide for Community 1 - Cymmetria · © Cymmetria MazeRunner 2018 – Community 1.10 2 Supported environments (all must have nested virtualization enabled – follow