MazeRunner User Guide for Community Edition - … · USER GUIDE © Cymmetria ... ArcSight or an API-based integration Quick start ... console: © Cymmetria MazeRunner 2017 – Community

March 28, 2017

MazeRunner

COMMUNITY EDITION

USER GUIDE

© Cymmetria MazeRunner 2017 – Community Edition 1.5.0 2 www.cymmetria.com

Supported environments (all must have nested virtualization enabled – follow the links below to learn more)

VMware Player (7 or higher)

VMware Workstation (11 or higher)

ESXi server (5.1 or higher)

KVM hypervisor

Not supported: VirtualBox, Microsoft Hyper-V, Xen

Requirements

Minimum requirements for installation:

500GB minimum storage

4GB of RAM (add 2GB for each additional nested decoy)

2 x CPU @ 2 GHz (add another CPU core for each additional nested decoy)

VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM

hypervisor, with nested virtualization enabled

Additional requirements

Nested virtualization

Promiscuous mode

For deployment automation:

o Read-only domain user for importing endpoints from Active Directory

o Local admin user on endpoints –OR– orchestration tool able to run EXE, MSI or shell scripts

For Responder: Read-only credentials for Splunk, ArcSight or an API-based integration

Quick start

1. First choose which hypervisor you will use to run your MazeRunner™ virtual machine. Cymmetria®

suggests using a VMware Player hypervisor, as this is the most straightforward option and involves

the least number of steps (it is also free). Other hypervisors are supported as well.

2. Enable nested virtualization on your hypervisor. Please refer to Installation and setup on page 8 for

more information.

3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to

MazeRunner network configuration on page 65.

4. Use MazeRunner's deception story wizard to create a deception campaign. Using MazeRunner on

page 34 will walk you through all aspects of product usage.

5. On the Endpoints screen, you can import endpoints to MazeRunner from Active Directory or CIDR

blocks, and then deploy breadcrumbs to them. See Importing endpoints on page 50 and Deploying

breadcrumbs on page 58 for details on how to do this.

6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the

Dashboard and the Investigation screen for alerts on attackers accessing your decoys.

7. If you encounter any difficulties while working through this guide, please refer to FAQ /

Troubleshooting (on page 103) for help.


CONTENTS

Introduction – What is MazeRunner? ................................................................................................................................... 6

Legal notices ..................................................................................................................................................................... 6

How is the Community Edition different from the Enterprise Edition? ............................................................................ 7

Installation and setup ........................................................................................................................................................... 8

Virtual appliance (VMware Player) ................................................................................................................................... 8

Virtual appliance (VMware Workstation) ....................................................................................................................... 10

Virtual appliance (VMware ESXi) .................................................................................................................................... 13

Enabling nested virtualization using vCenter .............................................................................................................. 22

Enabling nested virtualization using VMware Workstation (version 11 and up)........................................................ 25

Enabling nested virtualization using SSH .................................................................................................................... 26

Powering on your virtual machine .............................................................................................................................. 29

Virtual appliance (KVM) .................................................................................................................................................. 31

Using MazeRunner .............................................................................................................................................................. 34

First use ........................................................................................................................................................................... 34

Creating a deception campaign ...................................................................................................................................... 39

Supported operating systems ..................................................................................................................................... 40

Types of decoys ........................................................................................................................................................... 40

Types of services ......................................................................................................................................................... 41

Types of breadcrumbs ................................................................................................................................................ 42

Creating a deception campaign (using the deception story wizard) .......................................................................... 43

Creating a basic deception campaign manually.......................................................................................................... 46

Importing endpoints ....................................................................................................................................................... 50

Importing endpoints from Active Directory ................................................................................................................ 50

Importing endpoints from CIDR blocks ....................................................................................................................... 56

Post-import ................................................................................................................................................................. 57

Deploying breadcrumbs .................................................................................................................................................. 58

Deploying breadcrumbs from the Endpoints screen .................................................................................................. 58

Deploying breadcrumbs from the Campaign screen .................................................................................................. 61

Scheduling a campaign refresh ....................................................................................................................................... 62

Integrating with a syslog / SIEM ..................................................................................................................................... 64

Advanced usage .................................................................................................................................................................. 65

MazeRunner network configuration ............................................................................................................................... 65

Static IP ....................................................................................................................................................................... 65


VLAN support .............................................................................................................................................................. 66

Non-promiscuous mode ............................................................................................................................................. 67

SSL certificate .............................................................................................................................................................. 69

SOC .................................................................................................................................................................................. 72

Responder ................................................................................................................................................................... 73

ActiveSOC™ – Enterprise Edition only ........................................................................................................................ 77

ActiveSOC™ and Responder activity feed ................................................................................................................... 80

Changing alerting policy .................................................................................................................................................. 81

Integrating with ThreatConnect...................................................................................................................................... 84

Product reference ............................................................................................................................................................... 88

Product interface ............................................................................................................................................................ 88

Task manager .................................................................................................................................................................. 88

Notification center .......................................................................................................................................................... 89

Deception story wizard ................................................................................................................................................... 90

System menu .................................................................................................................................................................. 90

Configure .................................................................................................................................................................... 90

Diagnostics .................................................................................................................................................................. 92

Manage users .............................................................................................................................................................. 93

Manage API keys ......................................................................................................................................................... 93

Change password ........................................................................................................................................................ 94

Access log .................................................................................................................................................................... 94

Send logs to Cymmetria .............................................................................................................................................. 94

System update ............................................................................................................................................................ 95

Endpoints screen ............................................................................................................................................................ 96

Filter options ............................................................................................................................................................... 97

Bulk actions ................................................................................................................................................................. 98

Dashboard ..................................................................................................................................................................... 100

Investigation screen ...................................................................................................................................................... 100

FAQ / Troubleshooting...................................................................................................................................................... 103

Decoys not working ...................................................................................................................................................... 103

Problem resolving endpoint name ............................................................................................................................... 103

Nested virtualization support ....................................................................................................................................... 104

Deploying breadcrumbs automatically to Linux machines ........................................................................................... 104

Creating users ............................................................................................................................................................... 105

Service is inactive/unable to deploy breadcrumbs ....................................................................................................... 105


Running Internet-facing decoys .................................................................................................................................... 105

Creating a web application service ............................................................................................................................... 106

Creating a Git service .................................................................................................................................................... 107

Problems during OVA import ........................................................................................................................................ 108

Problems deploying an OVA decoy on ESXi .................................................................................................................. 109

Automatic deployment to endpoints failed .................................................................................................................. 109

Error: Could not resolve hostname ........................................................................................................................... 109

Error: Incorrect credentials ....................................................................................................................................... 109

Error: SMB TCP ports (139, 445) are unreachable .................................................................................................... 109

Error: Deployment timeout ...................................................................................................................................... 110

Error: Deployment failed .......................................................................................................................................... 110

Error: Invalid configuration for deployment ............................................................................................................. 110

Error: No active deployment group found ................................................................................................................ 110

Error: No breadcrumbs supported on the endpoint's operating system were found in the deployment group ..... 110


INTRODUCTION – WHAT IS MAZERUNNER?

MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will

first collect information on their next targets. At that time, they will find breadcrumbs deployed by

MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that

they have successfully gained access to a target machine. Having gained a false sense of security, attackers

reveal their attack tools and methods, which defenders are then able to document and analyze.

Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat

information that allows for the creation of attack signatures.

For a more detailed overview of MazeRunner, please read our product whitepaper, which can be

downloaded for free from our website.

LEGAL NOTICES

Thank you for your interest in the free MazeRunner Community Edition!

If you are installing MazeRunner Community Edition for your own private use in a non-commercial

and non-production environment, you are not limited in the amount of "decoys" and "endpoints"

you may deploy.

If you are installing MazeRunner Community Edition on behalf of an organization, you may use the

product solely for internal testing and evaluation of the software and its performance in a non-

production environment. The software is not limited to any number of "decoys" and "endpoints" for

the first 30 days, but its use is limited to 1 "decoy" and 10 "endpoints" following this 30 day period.

Please consult the full text of the license for additional details, as the full terms of the license govern. For

more information or to give feedback, contact [email protected] or visit our website.

http://l.cymmetria.com/mazerunner-product-whitepaper

https://cymmetria.com/legal/1.5.0/eula/eula

mailto:[email protected]

https://community.cymmetria.com/feedback


HOW IS THE COMMUNITY EDITION DIFFERENT FROM THE ENTERPRISE EDITION?

Cymmetria supports the cybersecurity community it calls home and believes strongly in giving back to that

community. This is why we decided to release a free Community Edition of our enterprise software platform.

The MazeRunner Community Edition is publicly available for private initiatives and research endeavors at no

cost or commitment to purchase. The platform is fully customizable and integrates seamlessly with existing

IT and security tools, allowing users to implement deception elements across the network. It is flexible and

does not burden existing organizational systems.

Community Enterprise

Linux decoys

Windows decoys ×

User-provided decoy image ×

Linux breadcrumbs

Windows breadcrumbs

Deception stories using business cases

Commercial use First 30 days only*

Large-scale deployment support ×

API

Remote deployment to endpoints through MazeRunner

Deception campaign auto-regeneration

Alerting through syslog and email

STIX/TAXII integration

Domain integration

Alerting of attempts to use deceptive credentials obtained using Responder.py

ActiveSOC™ ×

Get MazeRunner Download machine Contact us

*See Legal notices.

https://community.cymmetria.com/

https://cymmetria.com/contact-cymmetria/


INSTALLATION AND SETUP

This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It

includes information on MazeRunner's platform and deployment.

VIRTUAL APPLIANCE (VMWARE PLAYER)

To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in

which the MazeRunner OVA file is stored and proceed according to the following instructions:

1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple

hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open

with", and then select "VMware Player"). You will need to provide a name and local storage path for

the new virtual machine, and then click "Import":

2. Before powering on your new virtual machine, you must enable nested virtualization support in

order to run MazeRunner with nested decoys. To do this:

a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":

b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI"

and "Virtualize CPU performance counters" boxes are checked, then click "OK":


c. Nested virtualization is now enabled.

3. Now you can power on your virtual machine by clicking "Play virtual machine":

4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the

console:


Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change

MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page

65 of this guide.

Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this

guide.

VIRTUAL APPLIANCE (VMWARE WORKSTATION)

To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the

directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:

1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to

provide a name and local storage path for the new virtual machine, and then click "Import":


2. Before powering on your new virtual machine, you must enable nested virtualization support in

order to run MazeRunner with nested decoys. To do this:

a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":

b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI"

and "Virtualize CPU performance counters" boxes are checked, then click "OK":


c. Nested virtualization is now enabled.

3. Now you can power on your virtual machine by clicking "Power on this virtual machine":

4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the

console:






65 of this guide.


guide.

VIRTUAL APPLIANCE (VMWARE ESXI)

To begin, open your vSphere Client and connect to your ESXi server by entering your username and

password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA

file supplied.

Move through the stages of deploying the OVF Template:

1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner").

2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template.

3. Select a destination for storing the virtual machine files.

4. Use the default values that appear in the Disk Format section.

5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and

finish the virtual machine creation:


After your virtual machine has finished being deployed (this will take some time), select your virtual machine

from the side bar on the left-hand side of the screen, then navigate to Home > Inventory > Hosts and

Clusters:

Now you will need to configure the network. Decoys can connect to the MazeRunner network in two ways:

using promiscuous mode or without using promiscuous mode. Cymmetria recommends running

MazeRunner in promiscuous mode, as it greatly simplifies decoy usage and system setup. It is possible to use

MazeRunner in non-promiscuous mode, but it will take more time and effort, and more issues may arise

during campaign creation.


Using MazeRunner with promiscuous mode

Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to

the left:

To make the nested virtual machines accessible from the network, enable promiscuous mode for the Virtual

Machine Port Group, where your virtual machine is connected (in our example, “Maze”). To do this, go to

“Properties”, select your virtual machine's port group, and then click “Edit”:

Go to the Security tab and make sure both “Promiscuous Mode” and “Forged Transmits” are enabled

("Accept"). Click "OK":


Why do we need promiscuous mode and forged transmits? In order for the nested virtual machines to

receive data packets, we need to enable these functions. If you do not enable promiscuous mode and forged

transmits, you will only be able to use OVA decoys, which are not nested.

Using MazeRunner without promiscuous mode

Make sure your virtual machine is turned off, then right-click on your virtual machine and select "Edit

Settings…":


Each decoy needs its own interface. For each decoy you would like to set up on MazeRunner, follow these

steps:

1. On the Hardware tab, click "Add…":

2. Choose "Ethernet Adapter" as the device type you would like to add to your virtual machine, then

click "Next":


3. Choose your network connection from the drop-down list, then click "Next":

4. Review the options you selected and click "Finish" to add the hardware:


5. You will now see the hardware you added on the Hardware tab. Click "OK" to finish:

NOTE: You will also need to enable non-promiscuous mode within MazeRunner; see Non-promiscuous mode

on page 67 for more information.

Now you can configure VLAN support, if you wish to do so. Later, you will also need to configure VLAN

support within MazeRunner; see VLAN support on page 66 for more information.

To configure VLAN support, you need to make sure that your port group is configured to accept VLAN

tagging. Follow these steps:

1. In your vSphere control panel, access the Properties menu of the switch to which MazeRunner is

connected by navigating to Configuration > Networking > Properties…:


2. Under the Ports tab, select the appropriate switch name and click "Edit…":

3. Under the General tab, select "All (4095)" as the VLAN ID:


4. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under

the Status area in Configuration > Networking > Properties > Network Adapters:

Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There

are three common methods used to enable nested virtualization in ESXi products:

1. using vCenter

2. using VMware Workstation

3. using SSH

To find out which of these three methods you will need to use, you must look at which VMware hypervisor

you are running. To do this, open vSphere Client and go to Help > About VMware vSphere:


If you see the following pop-up window, it means you are using vCenter:

If you see the following pop-up window, it means you are using ESXi:

If you are using vCenter, see the instructions provided in the section entitled Enabling nested virtualization

using vCenter, below. If you are using ESXi, you have two options for enabling nested virtualization: via

VMware Workstation or SSH (see the relevant sections on page 25 and 26 of this guide).

ENABLING NESTED VIRTUALIZATION USING VCENTER

The following steps will guide you through enabling nested virtualization using vCenter.

1. Open vSphere Web Client in your web browser by navigating to the IP address of your vCenter server

(using HTTPS), and log in with the same credentials you used to log in to your vSphere client:


2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home

menu:

3. Right-click on your virtual machine and select "Edit Settings…":


4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters

checkboxes, and click "OK":

Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this

guide.


ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP)

The following steps will guide you through enabling nested virtualization using VMware Workstation (version

11 and up).

1. Open VMware Workstation and navigate to File > Connect to Server…:

2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine.

Make sure the virtual machine is turned off, and then right-click on it and select "Settings…" (you

may have to double-click on your virtual machine name before right-clicking):

3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and

"Virtualize CPU performance counters" boxes are checked, then click "OK":



guide.

ENABLING NESTED VIRTUALIZATION USING SSH

The following steps will guide you through enabling nested virtualization using SSH.

1. In your vSphere client, under the Configuration tab, choose "Security Profile" from the Software box

on the bottom left of the screen, and then click "Properties":

2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options → Start →

OK:


3. Follow the same steps to enable the SSH service:

4. Once finished, click "OK".


5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials.

To do this:

a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console:

b. In the SSH console, enter your username and password. Your shell should look like this:

6. Navigate to the MazeRunner virtual machine directory, located in

/vmfs/volumes/<datastore_name>/<virtual_machine_name>/. For example:

7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit

the .vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags

to the end of the file:


vhv.enable = "TRUE"

vpmc.enable = "TRUE”


guide.

POWERING ON YOUR VIRTUAL MACHINE

Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open

vSphere Client and navigate to Home > Inventory > VMs and Templates:

Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine":


Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its

assigned IP address displayed on the console:





65 of this guide.


guide.


VIRTUAL APPLIANCE (KVM)

To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2

format), and proceed according to the following instructions:

1. Enable promiscuous mode – Check if promiscuous mode is enabled on the network interface to

which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled,

you can skip to step 3 of this section now):

a. Run the command 'netstat -i'.

b. If the network interface to which you are going to connect the virtual machine bridge has 'P'

in its flag (as shown in Figure A), promiscuous mode is already enabled and you can skip to

step 3 of this section now:

Figure A. netstat -i command output with promiscuous mode off/on.

2. If promiscuous mode is off, you will need to enable it according to the following instructions

(depending on which OS you are using). To enable promiscuous mode:

a. On Red Hat/CentOs:

i. Open /etc/sysconfig/network-scripts/ifcfg-X (replace X with the name of the network

interface to which MazeRunner's virtual machine bridge will be connected).

ii. Add the line 'PROMISC=yes' to the end of the file.

b. On Ubuntu/Debian:

i. Open the "interfaces" file located in /etc/network.

ii. Add the following lines under the configuration for the network interface to which

MazeRunner's virtual machine bridge will be connected:

up ifconfig $IFACE up

up ip link set $IFACE promisc on

down ip link set $IFACE promisc off

down ifconfig $IFACE down


3. Import the MazeRunner image (DSK file) using the following command (run as root):

virt-install -n <name> -r <amount_of_RAM> --os-type=linux --os-variant= ubuntu14.04 --disk

MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc --

noautoconsole --import --cpu=host

For example:

virt-install -n MazeRunner -r 16384 --os-type=linux --os-variant=ubuntu14.04 --disk

MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import --

cpu=host

*NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was

"ubuntutrusty". You can check the available variants on your system using the command 'osinfo-

query os'.

Parameters Detailed:

-n [an internal name for your virtual machine]

-r [the amount of RAM, in MB, for your virtual machine]

--os-type [the type of OS – Linux or Windows]

--os-variant [the distribution or version – for a full list, run command 'man virt-

install']

--disk [specifies media to use as storage for the guest, with various options]

-w [the network configuration]

--vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or

virt-manager to see the desktop]

--noautoconsole [configures the installer to NOT automatically try to open virt-

viewer to view the console in order to complete the installation – this is helpful

if you are working on a remote system through SSH]

4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do

this in our example):

a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual

machine in step 3:

b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it

finishes booting, you will see its assigned IP address displayed on the console:


c. Save this IP address; you will need to use it in subsequent sections of this guide.




65 of this guide.


guide.


USING MAZERUNNER

Congratulations! You have completed the installation and setup of MazeRunner Community Edition. You are

now ready to start using the MazeRunner platform. Use the information in the following sections to get

acquainted with, and start using, MazeRunner.

FIRST USE

Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your

MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use

this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for

example, https://<IP_address>). You will be taken to MazeRunner's signup screen:

Proceed according to the following instructions in order to complete initial signup:

1. Enter your email address and the activation key you received from Cymmetria (if you have not

received an activation key, contact [email protected]):



2. Choose an admin password, and a password for usern (usern is a network configuration user that is

used for accessing the Cymmetria management server; please assign usern a password that is

different from your admin password):

3. System time zone is automatically set to UTC; you may change this by selecting a different time zone

from the drop-down list. You can also set the HTTP proxy server and NTP server:

4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will

need to agree to the terms of both in order to continue:

https://www.cymmetria.com/legal/1.1.0/eula/eula

https://www.cymmetria.com/legal/1.1.0/eula/privacy-policy


5. Click "Continue" to proceed to the second screen. Here, choose from one of the three configuration

options available, then click "Continue":

NOTE: If you choose "Enable decoy VLAN support", you will need to select a VLAN trunk interface

and then click "Add VLAN". A pop-up window will appear and you will need to create a VLAN entry.

See step 4 of VLAN Support in the MazeRunner Network Configuration section of this guide for

further instructions on how to do this:


6. On the next screen you will see MazeRunner diagnostics running. If the diagnostic tests finish

successfully, you will see a green check mark next to each test. You can then click the "Launch

MazeRunner" button to finish setup and launch MazeRunner:

a. If a test was unsuccessful, you will see a red X and an error message with further

instructions on how to proceed. After resolving the issue (if you choose to do so), click

the "Run MazeRunner diagnostics" button to re-run the tests:


NOTE: You can choose to ignore failed tests and launch MazeRunner by clicking the

"Launch MazeRunner anyway" button:

b. If at any time you would like to go back to the previous screen to change your

configuration choice, simply click the "Review configuration" button at the bottom right

of the screen (you will then need to run diagnostics again in order to complete the

setup).

Once finished, you will be redirected to MazeRunner's main screen:

Please read the notice that appears on your screen, and consult the full terms of the license. You will need to

click "Agree" to continue:

https://cymmetria.com/legal/1.5.0/eula/eula


You are now ready to start creating deception campaigns.

NOTE: For all future uses of MazeRunner, you will simply need to log in to your account using your username

and password:

CREATING A DECEPTION CAMPAIGN

A deception campaign consists of three elements:

1. Decoys – Decoys are virtual machines (servers or other devices) running Windows1 or Linux systems.

They look and act like production machines. When a decoy is accessed, there is no doubt that this is

the work of an attacker. Decoys are most easily reached by following a breadcrumb found on an

endpoint.

2. Services – Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each

breadcrumb leads to a specific service on a decoy machine.

3. Breadcrumbs – These are passive elements of data (e.g., browser cookies, SSH credentials, network

shares, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers

during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible

with a user’s habits, so they blend into the environment and do not raise suspicion. Breadcrumbs

and decoys can be used separately or as part of an end-to-end deception story.

By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a

more elaborate deception network.

MazeRunner allows you to create a deception campaign manually or use Cymmetria's deception story wizard

to help create your campaign. See the relevant sections below for detailed instructions on both of these

options.

1 Windows decoys are only available in MazeRunner Enterprise Edition.


SUPPORTED OPERATING SYSTEMS

MazeRunner Community Edition decoys and breadcrumbs currently support the following operating

systems:

Decoys

Linux (Ubuntu 14.04)

Breadcrumbs

Windows: Windows XP SP3 up to and including Windows 10

Linux:

o Ubuntu 12.04 and above

o CentOS, Redhat, and Debian

Enterprise Edition note: In addition to the above-listed operating systems, MazeRunner Enterprise Edition

decoys support Windows (7, Server 2008, Server 2012).

TYPES OF DECOYS

You can choose from the following two virtual machine types when manually creating a decoy in

MazeRunner:

Nested (KVM)

Cymmetria recommends using nested virtualization for your decoys (when possible), as it makes decoy

management easier and more centralized. If you choose to use nested decoys, no additional actions are

required to create or manage a decoy – simply select “Nested” from the VM type drop-down list when

creating a new decoy.

NOTE: If you change MazeRunner’s IP address, you will need to recreate the decoy. See this FAQ for

instructions on how to do so.

For information on how to create a decoy, see Creating a basic deception campaign manually on page 46.

Standalone (OVA)

If you decide to create a standalone decoy (instead of a decoy that uses nested virtualization), you will need

to download the decoy's OVA file. Do this by clicking “Download” in the Actions column on the Decoys sub

screen of the Campaign screen.


After downloading the decoy's OVA file, upload it to your chosen hypervisor. Once the file has been

uploaded to your hypervisor, make sure that you configure the virtual machine to have network access to

MazeRunner.

NOTE: If you change MazeRunner’s IP address, you will need to manually recreate the decoy. To do this, you

will need to delete the decoy and create a new one.

For information on how to create a decoy, see Creating a basic deception campaign manually on page 46.

TYPES OF SERVICES

The following is a list of services and the breadcrumb types they support:

Git

Description: Source-code management

Supported breadcrumb type(s): Git credentials

Web application

Description: HTTP server with a pre-set web application such as MediaWiki, SugarCRM or phpMyAdmin, or a

custom, user-controlled website

Supported breadcrumb type(s): Cookie (only when phpMyAdmin is enabled)

OpenVPN

Description: VPN service

Supported breadcrumb type(s): OpenVPN

SSH

Description: Remote shell service

Supported breadcrumb type(s): SSH with private key, SSH with password

MySQL

Description: Database service

Supported breadcrumb type(s): MySQL


SMB

Description: File-sharing service

Supported breadcrumb type(s): Responder - Pass the Hash, Credentials, Network share

Enterprise Edition note: In addition to the above-listed services, MazeRunner Enterprise Edition includes an

RDP service (a remote desktop service for Windows decoys that supports RDP and Credentials breadcrumbs)

and a Network monitor service (supports two types of alerting mechanisms: one for unrecognized machines;

one for detecting ARP poisoning around the decoy).

TYPES OF BREADCRUMBS

The following is a list of breadcrumbs and the endpoints on which they are supported:

Breadcrumb type: Git credentials

Supported on: Windows and Linux endpoints

Breadcrumb type: Responder - Pass the Hash

Supported on: Windows endpoints

Breadcrumb type: Cookie


Breadcrumb type: OpenVPN


Breadcrumb type: SSH with private key

Supported on: Linux endpoints

Breadcrumb type: SSH with password


Breadcrumb type: MySQL

Supported on: Linux endpoints


Breadcrumb type: Credentials


Breadcrumb type: Network share

Supported on: Windows and Linux endpoints

Enterprise Edition note: In addition to the above-listed breadcrumb types, MazeRunner Enterprise Edition

includes an RDP breadcrumb that is supported on Windows endpoints.

CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD)

Using MazeRunner's deception story wizard, you can build a deception campaign with the help of templates

that have been prepared by Cymmetria's security team. Alternatively, you also have the choice to build your

own customized deception stories without the help of the wizard. See Creating a deception campaign

manually for more information.

On first use of MazeRunner, the wizard will open automatically as your home screen. During all subsequent

uses of MazeRunner, you can navigate to the wizard by clicking the wand icon located on MazeRunner's top

right navigation bar:

In the wizard, you will see a variety of prepared deception stories (for example, "Linux backup server",

"Internal website", and "VPN server"). Each story includes a short description to help you decide which one

you would like to use.

Enterprise Edition note: Only Linux-based stories are available in the Community Edition. Notice that there

are three Windows-based stories that are grayed out; these are available in MazeRunner's Enterprise

Edition.

Each template already has default values defined for you (you may change some of these values if you wish,

but do not have to). NOTE: If you do not wish to change any of the default values provided, you can simply

click the "Next" button through all of the below story creation stages until the story is created (except where

otherwise noted).

Use the Back button at the bottom of the screen within each stage of the wizard to go back and make

changes to previous selections. You can also click the Cancel button on the top right-hand side of the screen


at any time; this will delete any deception elements defined in previous stages and take you to the Campaign

screen.

To use the wizard, follow these steps:

1. Choose a deception story, then click "Next":

2. Customize the details of your decoy, such as name, hostname, DNS address2, and VM type. NOTE:

You cannot change the OS type. You can also choose to manually configure network settings,

including static IP, gateway, DNS server, and subnet mask. When you are ready, click "Next":

3. Now you can customize your story's services and breadcrumbs. A set of services will appear by

default, as defined by the template, on the left side of the screen. Each service, when selected, will

show its details, including the breadcrumbs attached to it. You cannot add or remove services from

the template; however, you can edit some service fields. You can also edit breadcrumb fields if you

wish (you must edit the breadcrumb fields if you are using a "Responder" or "VPN server" story).

When you are ready, click "Next":

2 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If

you choose to fill out this field, be sure to create a matching DNS entry in your name server.


4. Now it is time to deploy your deception story. First, you can assign breadcrumbs to one or more

deployment groups3 (this can also be done later, from the Breadcrumbs sub screen of the Campaign

screen). NOTE: Later on, we will use these same deployment groups when importing endpoints and

deploying breadcrumbs to them. When you are ready, click "Done":

5. Here's an example of what your screen will look like once your campaign has been created

successfully:

If you have chosen to use a Responder story, you will be redirected to System Configuration > SOC

instead:

3 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For

example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific

department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's

endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page

58 for more information). Cymmetria recommends the use of deployment groups in all of your deployments.


Before continuing to step 6, see the Responder section on page 77 for information on how to set up

the Responder feature.

6. You will need to activate each of your servers by using the On/Off buttons on the Decoys sub screen.

7. You can now view the details of your campaign by using the Decoys, Services, and Breadcrumbs tabs

(sub screens). On the Breadcrumbs sub screen, notice the column "Deployment groups". If you did

not assign your breadcrumbs to a deployment group during story creation in the wizard, you can do

so now. See step 6 of Create a new breadcrumb on page 48 for detailed instructions on how to do

so.

That’s it! Your deception campaign is up and running. Jump to Importing endpoints on page 50 or Deploying

breadcrumbs on page 58 to continue learning about the MazeRunner platform.

CREATING A BASIC DECEPTION CAMPAIGN MANUALLY

The following is a step-by-step guide for manually creating the basic elements of a deception campaign.

Alternatively, you can use MazeRunner's deception story wizard to build a deception campaign with the help

of templates that have been prepared by Cymmetria's security team. See Creating a deception campaign

(using the deception story wizard) on page 43 for more information.

CREATE A NEW DECOY

In this stage, you will create a decoy server.

1. Go to the Campaign screen (if you are in the deception story wizard, choose "Manual story" or click

the Cancel button on the top right-hand side of the screen; this will take you to the Campaign

screen). On the Decoys sub screen, click the Add decoy button.

2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name

such as "HR_Server", a hostname such as "hrsrvr01", and choose Nested as the VM type. If you


would like to configure a static IP, check the box labeled "Manually configure network settings" and

fill out the Static IP field. Notice that you have the option to add a DNS address.4

3. Click "Create" in order to create the decoy.

4. Power on the server using the On/Off button, which is located between the Status and IP columns.

5. That's it! Here is an example of what your screen will look like once the server has finished booting:

Enterprise Edition note: Notice that Windows decoys are grayed out in the Operating system drop-down list.

Windows decoys are only available in MazeRunner Enterprise Edition.

CREATE A NEW SERVICE

In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this

example, let's assume that you want to create a deception story for your HR department.



screen). On the Services sub screen, click the Add service button.

2. Enter an appropriate name (e.g., "Personnel_Files") and select the desired service type (e.g., SMB

service).

3. Add necessary data (for example, if you chose an SMB service, you will need a name for its shared

folder and a ZIP file for the content). Click "Create".

4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that

we created in the previous section). Do this by clicking on the Connect to decoy button and selecting

"HR_Server" from the drop-down list:

4 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If

you choose to fill out this field, be sure to create a matching DNS entry in your name server.


5. That's it! Here is an example of what your screen will look like once the connection has finished

configuring (you can monitor its status on the Decoys sub screen):

CREATE A NEW BREADCRUMB

In this stage you will create the bait and connect it to the previously created decoy and service.



screen). On the Breadcrumbs sub screen, click "Add breadcrumb".

2. Select an appropriate name, and then select the breadcrumb type5 (make sure it matches the service

you have defined). For example, you could select a network share breadcrumb and name it

"Personnel_Files_BC". You can also assign the breadcrumb to a deployment group here, but for now

we will leave this blank; we will talk about deployment groups in step 6, below.

3. After filling in all of the fields (according to the breadcrumb type you chose), click "Create". NOTE:

Some types of breadcrumbs will require you to create a user (you will need to enter a username and

password). Alternatively, you can choose "Randomize username and password from breadcrumb

pool"; MazeRunner has a list of common usernames and passwords that it uses to supply these.

4. Connect this breadcrumb to a service by clicking the Connect to service button and selecting a

service from the drop-down list:

5 Note that the Responder breadcrumb relates to the Responder feature (a feature used with your SOC interface). For

more information on this type of breadcrumb and this feature, see the section entitled SOC on page 72.


5. Once the connection has finished configuring (you can monitor its status on the Decoys sub screen),

the breadcrumb will show as "Active":

6. Notice the Add deployment group button next to the Add breadcrumb button.6 NOTE: Deployment

groups will be used later when importing endpoints and deploying breadcrumbs to them; see

Importing endpoints on page 50 and Deploying breadcrumbs on page 58 for more information.

To create a new deployment group:

a. Click the Add deployment group button, enter a name for your deployment group (e.g., "IT"

or "all users"), and click "Create":

b. Now you can add breadcrumbs to this group. To do so, type "IT" in the Deployment groups

column on the right-hand side of the screen, and select the new group from the drop-down

list that appears. You can see that your breadcrumb now belongs to the IT deployment

group:

6 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For

example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific

department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's

endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page

58 for more information). Cymmetria recommends the use of deployment groups in all of your deployments.


NOTE: You can assign a single breadcrumb to multiple deployment groups.

7. Now you are ready to deploy your breadcrumb or deployment group. To save time and resources,

you can automate breadcrumb deployment (Cymmetria recommends this option). You can also

deploy breadcrumbs manually from the Breadcrumbs sub screen. See Deploying breadcrumbs on

page 58 for information on breadcrumb deployment options.

That’s it! Your deception campaign is up and running. Jump to Importing endpoints to continue learning

about the MazeRunner platform.

IMPORTING ENDPOINTS

To enable automatic breadcrumb deployment (discussed in the next section), which will simplify campaign

creation, MazeRunner allows you to import endpoints from Active Directory or from CIDR blocks. Note that

these two methods are not mutually exclusive: if you import from Active Directory and then import from a

CIDR block, MazeRunner will check to see if each endpoint already exists in the system; if so, the block will

not be imported a second time.

IMPORTING ENDPOINTS FROM ACTIVE DIRECTORY

In order to import endpoints from Active Directory, you will need to add an Active Directory domain.

Navigate to the Endpoints screen and click "Import endpoints", and then the link to "System Menu >

Configure > Active Directory":


This will take you to the Active Directory sub screen in System Configuration. NOTE: This screen can also be

reached by navigating to System Menu > Configure > Active Directory from the System Menu:

To specify the Active Directory server from which you would like to import endpoints, follow these steps:

1. Click the Add domain button and enter the domain details (domain name, domain controller

address, port, username, password, and base DN).

2. Test your connection by clicking "Test connection". If the test connection is successful, click "Add" to

continue:

NOTE: Some Active Directories do not allow connection without SSL. If you receive an error when trying to

connect, check the "Use SSL" checkbox to use secure LDAP on port 636:


Now you need to import the Active Directory. To do this, follow these steps from the Active Directory sub

screen:

1. Click the View Active Directory button. Select the domain you would like to import and click "Import

from Active Directory":

You can see the import's progress in the task manager's Running tab:

Once the process is complete, you will see a red dot on the task manager icon, and the import

details on the Complete tab:

2. You will now see your Active Directory details on the screen. To the right of each organizational unit

(OU), notice that there are two numbers: one labeled "Self" and one labeled "Total". The number

next to "Self" indicates the number of endpoints in that particular OU; the number next to "Total"

indicates the total number of endpoints under that OU, including those of other OUs:


3. Now you need to import endpoints from your Active Directory organizational units. You may select

specific endpoints to import by clicking the checkbox next to an OU's name (which selects only the

endpoints in that particular OU), or click "Select all":

Before importing, you must assign the endpoints you would like to import to specific deployment

groups. Notice that two new functions appear on the right side of your screen when you select any

OU: "Assign to group" and "Clear assignment". After you have clicked the checkbox next to an OU's

name, click "Assign to group" and select the desired deployment group from the drop-down list. You

can choose from an existing deployment group that you previously created, import your endpoints

without assigning them to a deployment group (you will need to assign them later) or create a new

deployment group to assign the endpoints to:


This will assign all endpoints on that particular OU to the selected deployment group. You will see

the name of the deployment group to which an OU's endpoints have been assigned, to the right of

the OU name and endpoint count. You can assign all endpoints to one deployment group, or to

different deployment groups:

If you would like to change to which deployment group your endpoints have been assigned, mark

the checkbox next to an OU's name and re-assign to another deployment group by using the "Assign

to group" function. You can use the "Clear assignment" function to clear the assignment for selected

endpoints.

NOTE: Only endpoints that have been assigned to a deployment group will be imported. Remember

that, if you would like to import endpoints and assign them to a deployment group later, simply

chose "Import without assigning" from the Assign to group drop-down options:

4. If for some reason you would like to remove the data from an Active Directory domain that you have

previously imported to MazeRunner, simply click "Delete retrieved data":


5. Once you are ready, click "Start importing assigned endpoints daily":

NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily,

at the time you originally clicked the button. For example, if you click "Start importing assigned

endpoints daily" at 2:00pm, the selected endpoints will import daily at 2:00pm7. If you would like to

stop this daily import, simply click "Stop importing assigned endpoints daily".

You can check the status of your import in the task manager's Running tab. You will see a notification (red

dot on the task manager icon) once the import is complete, at which time you can view import details on the

task manager's Complete tab:

7 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will

be refreshed/updated, but its deployment group will not be changed.


IMPORTING ENDPOINTS FROM CIDR BLOCKS

As an alternative to importing endpoints from Active Directory, MazeRunner allows you to import endpoints

from CIDR blocks.

To import endpoints from CIDR blocks, complete the following steps:

1. Navigate to the Endpoints screen and click "Import endpoints", and then click on the CIDR blocks

tab:

2. Click on the Add mapping button to add CIDR blocks and assign them to deployment groups. NOTE:

You cannot enter overlapping CIDR blocks.

3. Enter the CIDR block from which you would like to import, then use the Deployment group drop-

down to assign the endpoints in this CIDR block to a deployment group. You can import your block

without assigning it to a deployment group (you will need to assign it later), choose from an

existing deployment group that you previously created, or create a new deployment group to

assign the block to:

4. Click "Create" to finish.

If you would like to make changes to the information you entered, you can do so using the "Edit" and

"Delete" functions, located in the Actions column. After importing multiple CIDR blocks, you can use the

"On/Off" button in the Status column of each block to skip certain CIDR blocks, but import others, during

your daily import.

When you are ready, click "Start importing endpoints from CIDR blocks daily":


NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the

time you originally clicked the button. For example, if you click "Start importing endpoints from CIDR blocks

daily" at 2:00pm, the selected endpoints will import daily at 2:00pm8. If you would like to stop this daily

import, simply click "Stop importing endpoints from CIDR blocks daily".

You can check the status of your import in the task manager's Running tab. You will see a notification (red

dot on the task manager icon) once the import is complete, at which time you can view import details on the

task manager's Complete tab:

POST-IMPORT

Navigate back to MazeRunner's Endpoints screen; all of the endpoints you imported are now shown here.

Notice the endpoint status chart at the top of the screen. Right after importing endpoints for the first time,

100% of your endpoints will be "clean", since you have not yet deployed any breadcrumbs to them:

For a full explanation of the different endpoints statuses, as well as information on the various actions that

can be taken on your endpoints, see the section entitled Endpoints screen.

For now, let's look at how to deploy breadcrumbs to your endpoints (next section).

8 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will

be refreshed/updated, but its deployment group will not be changed.


DEPLOYING BREADCRUMBS

To save time and resources, you can automate breadcrumb deployment using the Endpoints screen

(Cymmetria recommends this option). You can also deploy breadcrumbs manually from the Breadcrumbs

sub screen of the Campaign screen.

DEPLOYING BREADCRUMBS FROM THE ENDPOINTS SCREEN

From the Endpoints screen, you can deploy breadcrumbs to your endpoints manually or automatically. To

set up automatic breadcrumb deployment, complete the following steps:

1. Click "Deploy campaign" and choose from the first two deployment methods in the drop-down list:

2. Enter your local admin credentials (username, password, and endpoint IP or hostname9). NOTE: If

the user is a domain user (versus a local user on an endpoint), you will need to fill in the optional

domain name.

3. Click "Test credentials" to ensure you have entered everything correctly. If something is not right,

proceed according to the error message shown on your screen.

4. Choose a run mode and select the deployment groups you would like to deploy, then click "Deploy":

9 This is the IP or hostname of an endpoint on which the credentials will be tested. It is only used for this test, and is not

mandatory for the deployment.


NOTE: You will not be able to select and deploy a group if at least one of the following is applicable:

1. There are no endpoints in the group.

2. One or more of the breadcrumbs in the group is inactive.

3. There are no breadcrumbs in the group.

If any of the above is applicable, make sure that your decoy(s) are turned on (check the Decoy sub

screen of the Campaign screen), that you have assigned breadcrumbs to groups (check the

Breadcrumbs sub screen of the Campaign screen), and that you have assigned endpoints to groups

(check the Endpoints screen).

Cymmetria recommends deploying breadcrumbs automatically. Manual deployment is useful if automatic

deployment is impossible, or if you would like to use other orchestration software such as Chef, McAfee ePO

or Tanium.

To deploy breadcrumbs manually, complete the following steps:

1. Click "Deploy campaign" and choose "Manual" from the Deployment method drop-down list:


2. Choose your preferred deployment option and download the relevant installation files by clicking on

the appropriate download button. If you are deploying to a Windows OS, you have three

deployment options from which to choose:

1. Deployment Package – A ZIP file containing a folder for each breadcrumb group. Each

folder contains both an install and uninstall shell script for that deployment group.

2. Executable – A ZIP file containing a folder for each breadcrumb group. Each folder

contains both an installer and uninstaller (in EXE format) for each breadcrumb group.

3. Windows Installer – A ZIP file containing a folder for each breadcrumb group. Each

folder contains both an install and uninstall file (in MSI format) for each breadcrumb

group.

If you are deploying to a Linux OS, you must choose the "Deployment package" option.

3. You will need to unpack the ZIP file and run the installation files contained in each breadcrumb group

folder (as administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the

script/executable, once executed, will delete itself and all accompanying files in order to leave no

trace of which breadcrumbs have been deployed. Remember to remove the ZIP file from the endpoint

(after saving the uninstall files in a safe location for later use) once you are finished.

After deploying manually, a beacon10 will be sent from the endpoint to update MazeRunner about the status

of the deployment.

Now that you have deployed breadcrumbs to your endpoints, you can expand each endpoint by clicking the

+ icon to see details about the breadcrumbs on that endpoint:

NOTE: It might take the endpoint status a few more minutes to update, due to the time it takes the

breadcrumb to install, and possible network delays.

10

The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the

status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the

MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect

to it over HTTPS (port 443).


DEPLOYING BREADCRUMBS FROM THE CAMPAIGN SCREEN

You can manually deploy individual breadcrumbs or deployment groups from the Breadcrumbs sub screen of

the Campaign screen. The process for both is identical, except for the first step.

To deploy your breadcrumbs to your endpoint from the Breadcrumbs sub screen, follow these steps:

1. In order to deploy a single breadcrumb to your endpoint, click "Deploy" on the breadcrumb you

selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list and click

"Deploy group":

2. Both of these actions will generate an installer (the uninstaller is also located here) that you can then

deploy to endpoints. For Windows, the installer is either a ZIP file containing shell scripts

(PowerShell), an executable (EXE) or a Windows installer (MSI); for Linux, it is always a ZIP file

containing shell scripts (BASH):

3. Download the appropriate installer for your operating system by making your selection and then

clicking "Windows" or "Linux". You will need to unpack and run this installer (as administrator or

root) on the endpoint, in order to place the breadcrumb(s). Note that the installer, once executed,

will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have


been deployed. If you downloaded a ZIP file, remember to remove it from the endpoint (after saving

the uninstall files in a safe location for later use) once you are finished.

You can now validate the deployment on the Endpoints screen (see relevant section on page 96).

SCHEDULING A CAMPAIGN REFRESH

You can schedule breadcrumb deployment at regular intervals by configuring a campaign refresh schedule;

this can be done from the Campaign and Deployment sub screen of System Configuration. Scheduling a

campaign refresh will cause the following to happen:

1. If there are new endpoints in a deployment group (new endpoints may have arrived via the Active

Directory or CIDR blocks automatic importation feature, for example), the refresh feature will deploy

to them.

2. Breadcrumbs with randomized credentials will have the credentials changed to new random values,

to update the deception campaign.

To schedule a campaign refresh, navigate to System Menu > Configure > Campaign and Deployment:

You can define your campaign refresh schedule by choosing to refresh your campaign automatically, and

setting the interval (in hours, days or weeks) at which to refresh. The campaign will refresh each time the

interval of time you set passes; the starting point is the moment the configuration is saved:


You can also define your deployment settings. Choose an install method, run method (executable or native

script), and deployment path:

Lastly, enter the local admin credentials to use in the deployment. You can test these credentials using the

relevant field and the Test credentials button:

NOTE: If you do not configure local admin credentials for endpoints, or if they change, you will receive an

error message at the next designated refresh interval. Please make sure these credentials are configured

correctly, otherwise your campaign refresh will fail.

Be sure to save your configuration when you are finished.


INTEGRATING WITH A SYSLOG / SIEM

Integrating with a syslog/SIEM can be done from the Outputs sub screen in System Configuration. Navigate

to System Menu > Configure > Outputs:

Here you can define settings for syslog (UDP/TCP port and address), email, reporting, and ThreatConnect

(enable TAXII server). Integrating with a syslog/SIEM works especially well with Splunk and ArcSight.


ADVANCED USAGE

Now that you have a handle on basic configuration and usage, you are ready to learn about the advanced

configuration options available to MazeRunner users.

MAZERUNNER NETWORK CONFIGURATION

This section includes information on configuring static IP, and enabling VLAN support and non-promiscuous

mode.

STATIC IP

By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to

change MazeRunner's network configuration, follow these steps:

1. Open the server's console. The console can be accessed using your hypervisor UI.

2. Log in as "usern":

a. Enter 'usern' as the MazeRunner login. For example:

b. Enter the password 'Password1!'11 and then enter ‘static’. For example:

Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address,

DNS search domains). If you do not know your network details, contact your IT administrator. You will also

need to choose the main network interface for MazeRunner management.

NOTE: During automated deployment, the nameserver (DNS server) and the DNS search domains will be

used to look up endpoint names.

11

You will be prompted to change this password on first use of MazeRunner.


VLAN SUPPORT

VLAN support can be enabled by following the steps outlined below (make sure you have already completed

the steps outlined for configuring VLAN support, on page 19 of this guide):

1. In MazeRunner, click on the gear icon on the top right navigation bar to access the System Menu,

and select "Configure":

2. On the Networking tab, check the "Enable decoy VLAN support", and then click "Save configuration".

NOTE: You can change the VLAN trunk interface field before saving:

3. Next, click the Add VLAN button:

4. Enter a VLAN ID (for example, "2"). NOTE: VLAN ID must use numbers, not letters or other

characters. If you are using static IP in your network, please assign the Cymmetria management

server a static IP address and a subnet mask in the spaces provided. If you have a separate DNS

server for this VLAN, be sure to add its address in the DNS field. To deploy breadcrumbs to endpoints


in different subnets, enter CIDR blocks (separated by commas) in the Routing CIDR blocks field. A

gateway must be set if you plan to route specific CIDR blocks. When you are finished, click "Create":

That's it! VLAN support is now configured. NOTE: When you define a new decoy in MazeRunner (when

building your deception campaign either manually or with the help of the wizard; see page 39 for details),

you will need to select your VLAN ID from the drop-down list:

NON-PROMISCUOUS MODE

If you did not enable promiscuous mode during installation and setup, you will only be able to use OVA

decoys. If you would like to use nested decoys, you must enable non-promiscuous mode by selecting the Run

MazeRunner in non-promiscuous mode option from the Networking tab of the System Configuration screen.


To enable non-promiscuous mode, follow these steps:

1. Make sure you have completed the steps outlined for using MazeRunner without promiscuous

mode, on page 16 of this guide.

2. Also make sure you have chosen the main network interface for MazeRunner management:

NOTE: If you already configured static IP, please reference the section entitled Static IP.



4. On the Networking tab, select the Run MazeRunner in non-promiscuous mode option, and then

click "Save configuration":


That's it! You have now enabled non-promiscuous mode. NOTE: When you define a new nested decoy in

MazeRunner (when building your deception campaign either manually or with the help of the wizard; see

page 39 for details), you will need to select an interface from the drop-down list:

NOTE: You can create only one decoy for each interface.

SSL CERTIFICATE

You can view MazeRunner's current server certificate and download the certification authority (CA)

certificate. Additionally, you can replace the server certificate with a new certificate signed by your trusted

CA. If you would like to update the details of your certificate, you can also replace the server certificate with

a new certificate signed by MazeRunner.

To carry out any of these actions, click on the gear icon on the top right navigation bar to access the System

Menu, and select "Configure":

On the SSL Certificate tab (the tab on the far right), you will see several options. To download the current CA

certificate, simply click the Download SSL CA certificate button:


To replace the current server certificate with one signed by your trusted CA, click "Create certificate request"

and fill in your information. Click "Download" to download the certificate signing request (CSR):

After downloading, sign the certificate with your trusted CA. NOTE: You will also need the CA's certificate for

the next step.

When available, upload the certificate signed by your trusted CA (PEM encoded certificate) and the CA's

certificate (PEM encoded CA certificate) by clicking "Upload", choosing the appropriate files, and clicking

"Create and use":


If you would like to update the details of your certificate, you can replace the server certificate with a new

certificate signed by MazeRunner. To do this, follow these steps:

1. Click "Create certificate signed by MazeRunner" and fill in your information.

2. Click "Create and use" to replace the certificate. NOTE: After submitting this form, you will have to

restart your browser to use MazeRunner. All OVA and EC2 decoys will need to be recreated

manually:


SOC

You can connect MazeRunner to your SOC (e.g., via MazeRunner API, ArcSight Data Platform, ArcSight ESM

or Splunk), in order to use the ActiveSOC12 and Responder features, which are discussed in the next sections.

To add a SOC interface, follow these steps:

1. Click the Add button next to “SOC interfaces”:

2. Select an interface type from the drop-down options:

3. Fill in the required information according to the SOC interface you chose. If you chose ArcSight or

Splunk, you will need to test the connection by clicking “Test connection”:

4. Click “Save” to finish.

You will now see the details of the SOC interface you added in the SOC interfaces table. To edit or delete an

interface, use the links located in the Actions column on the right-hand side of the screen.

12

The ActiveSOC feature is only available in MazeRunner Enterprise Edition.


RESPONDER

MazeRunner’s Responder (Pass-the-Hash) feature allows MazeRunner to periodically broadcast deceptive

credentials from endpoints. Attackers listening in on the network using the Responder.py tool (or a similar

tool) will capture these broadcasts and will potentially use these deceptive credentials. The Responder

feature gives you more deception options, as its alerting is based on SOC events in addition to decoy access

(it is essentially a “standalone” breadcrumb).

To use the Responder feature, first make sure you have added a SOC interface. See the section entitled SOC

for instructions on how to do so. NOTE: Make sure that the DC of the domain(s) you want to monitor sends

its Windows event logs to the SOC interface you configured.

Next, you might need to map custom Responder fields mapping13. MazeRunner will query the SOC interfaces

you configured to find evidence of someone using the Responder breadcrumbs that were deployed by

MazeRunner. When MazeRunner is querying your SOC interface, it uses the following default field names in

the query (according to your interface type):

Field name Splunk ArcSight Data Platform

Username Account_Name destinationUserName

Domain Account_Domain destinationNtDomain

Event_code EventCode externalId

Endpoint_hostname Workstation_Name destinationHostName

Endpoint_ip Source_Network_Address destinationAddress

NOTE: ArcSight ESM is not supported for use with the Responder feature.

If any of these fields is serialized differently in your SOC interface, you will need to add custom mapping for

these fields. To do this, follow these steps:

1. Click the Add button next to “Map Responder fields”:

13

If you would like to use an API SOC interface with the Responder feature, you must map the interface's fields.


2. From the drop-down list, choose the SOC interface you would like to map (you can have more than

one mapping for each SOC interface). Then, fill out the remaining mandatory fields and click “Add”:

Now you can turn on the Responder. NOTE: If you try to turn on the Responder before adding a SOC interface, you will be prompted to add a SOC interface.

To turn on the Responder, follow these steps:

1. Click the Turn on button next to “Responder”:

2. Enter your local/domain admin credentials to remotely access endpoints (if you are using a domain

user, enter a domain name), and then click “Save”:


Now create a Responder breadcrumb. To do so, follow these steps:

1. Go to the Breadcrumbs sub screen of the Campaign screen and click “Add breadcrumb”:

2. Select “Responder - Pass the Hash” as the breadcrumb type and fill in all of the fields, including the

Deployment groups field14, then click “Create”. NOTE: Domain name is the name of the domain that

you want to monitor for Pass-the-Hash attacks:

After the Responder breadcrumb is assigned to a deployment group, MazeRunner will begin to deploy on

endpoints in that deployment group one by one. Every time MazeRunner deploys on an endpoint, the

Responder breadcrumb’s credentials are broadcasted.

MazeRunner aims to maximize the likelihood of an attacker intercepting deceptive credentials. In order to do

this, the Responder breadcrumb will broadcast (each time from a different endpoint) a maximum of 1,000

times during a 24-hour period. The interval between each broadcast ranges from 86 seconds (more than

1,000 endpoints) to 24 hours (for a single endpoint). If you have more than 1,000 endpoints in a deployment

group, then each day a random subset of 1,000 endpoints will be selected from all of the endpoints in that

group.

14

You must assign Responder breadcrumbs to a deployment group.


In order to check that the Responder deployment and alerting are working properly, complete the following

steps:

1. To check that the deployment worked, go to System Configuration > SOC and click the Show activity

button next to the Responder section:

In the Event column, check that there is at least one entry with the status "deployment successful".

If after approximately 10 minutes you do not see an entry, please make sure that the Responder

feature is turned on and that it is configured correctly. If you see an entry with a "deployment failed"

status, please refer to this FAQ.

2. To check that alerting is working, select a server in your domain (the domain being monitored in the

SOC interface you configured earlier) that has a network share, and run the following net use

command:

net use \\<server_address> /user:<breadcrumb_domain>\<breadcrumb_username>

<breadcrumb_password>

Within approximately 10 minutes, you should see a Network Credential Interaction alert on MazeRunner’s

Investigation screen. If you do not see an alert, please check your SOC configuration (the SOC interface you

added as well as the Responder fields mapping you set up).

Now, whenever MazeRunner deploys the Responder breadcrumb to one of your endpoints, if there is an

attacker in your network who is using Responder.py (or a similar tool), the attacker will record the

Responder breadcrumb credentials. If the attacker then uses these credentials on a machine in one of your

monitored domains, MazeRunner will raise an alert and you will see the details on the Investigation screen.

For more information about the Responder activity feed, see the ActiveSOC and Responder activity feed

section on page 80.


ACTIVESOC™ – ENTERPRISE EDITION ONLY

Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The

following documentation is provided here to give Community Edition users an explanation of how the

feature works.

ActiveSOC allows MazeRunner to deploy breadcrumbs to endpoints in your organization based on events

observed by your SOC. Using ActiveSOC, you can set up specific rules that, when verified, will cause

MazeRunner to assign an endpoint to a deployment group (as defined by your rule) and deploy that group’s

breadcrumbs to the endpoint. MazeRunner achieves this through integration with your SIEM or through the

MazeRunner API. By automatically deploying deception tailored to specific suspicious behavior (e.g.,

privilege escalation or abnormal traffic), ActiveSOC is able to create new intelligence out of “below-the-

threshold” events, and also validate events that might otherwise be ignored by analysts.

Before turning on ActiveSOC, you will need to add a SOC interface. See the section entitled SOC for

information on how to do this.

Once you have added a SOC interface, complete the following steps to turn on ActiveSOC:

1. Click the Turn on button next to “ActiveSOC”:

2. Enter your local admin credentials to remotely access endpoints (if you are using a domain user,

enter a domain name), and then click “Save”:


Rules

Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. This

form is made available to Community Edition users solely as an example of how the ActiveSOC feature is

configured, and rules configured here cannot be saved.

Add rules to define the response to specific SOC events15. The rules will define how to identify the relevant

endpoint, how to filter the specific event, and to which deployment group to assign it and for how long.

To add a rule, follow these steps:

1. Click the Add button next to “Rules”. Enter a name for your rule and choose the SOC interface to

which you would like it to apply (each rule will be defined for a specific SOC interface):

2. Define how to identify the endpoint in this type of event. Select the field from where your SIEM’s

target data is extracted (IP address or Hostname), fill in a field name, and if you would like, fill in a

DNS suffix (for example, hostname "myhost" and DNS suffix "mydomain.local" will become

"myhost.mydomain.local"):

3. For ArcSight ESM, each rule must have a query. The query is the name (ArcSight ESM QueryViewer)

predefined on your ArcSight ESM, from which MazeRunner will receive the events. All other rule

conditions will apply to the events received from that query. It's important to note that the

15

Events could include, for example:

A user logging in from an unusual location

A privilege escalation alert (someone logged in as admin)

A computer connecting to an IP that doesn’t exist and then reaching a decoy

Someone attempting to access a web page/app that doesn’t exist


frequency of retrieval is dependent on the frequency of the query as defined in ArcSight ESM and

not controlled from within MazeRunner:

4. Add conditions for your event (field name and value). Be as specific as you can (there is no limit to

the number of conditions you can add per event):

5. Choose the deployment group to which you would like to deploy when this rule is verified, and the

deployment duration (how long to keep the breadcrumbs on the endpoint). For example, if you

enter ‘4’ here, the breadcrumbs will be deleted from the endpoint after 4 hours:

6. When you are finished, click “Add”.

You will now see the details of the rule you added in the Rules table. In the Rank column of the Rules table,

note that there are two arrows; these are used to set priority for a rule. Clicking the up/down arrows will

move the location of rules in the table, thereby changing their rank (a rule with a rank of 0 has the highest

priority).

Notice the “On/Off” button in the Actions columns on the right-hand of the screen. Use this button to

activate and deactivate specific rules at certain times. You can also delete and edit your rules from this

column.

That’s it! From now on, if a rule you set is verified, MazeRunner will assign the endpoint to a deployment

group (as defined by your rule) and deploy that group’s breadcrumbs to the endpoint. When this happens, a


new record will be created in the ActiveSOC activity feed and a new endpoint will appear on the Endpoints

screen. The breadcrumbs that were deployed will be removed from the endpoint after the period of time

you defined in your rule.

For more information about the ActiveSOC activity feed, see the ActiveSOC and Responder activity feed

section below.

ACTIVESOC™ AND RESPONDER ACTIVITY FEED

The ActiveSOC and Responder activity feed can be accessed by clicking the Show activity button, located to

the right of the "Responder" section:

Here you can monitor all ActiveSOC16 and Responder activity and export the information to CSV:

You can filter and search your activity feed using the funnel icons. To do so, click on a funnel icon to the right

of a column title, choose your filter criteria from the available options, then click "apply":

NOTE: If filtering by endpoint or deployment group, you will need to enter the endpoint IP address and the

deployment group name, respectively.

16

The ActiveSOC feature is only available in MazeRunner Enterprise Edition.


To clear your filter results, click again on the funnel icon to the right of the column title and then click

"clear".

To clean your feed (delete all entries), click "Clean feed":

CHANGING ALERTING POLICY

Changing your alerting policy can be done from the Alerting Policy sub screen in System Configuration.

Navigate to System Menu > Configure > Alerting Policy:

Here you can define the system-wide policy for handling events. For each event, you can define whether it

will be ignored, recorded in MazeRunner, or recorded in MazeRunner AND sent to the syslog server. You do

this by setting system-wide rules to be performed for specific types of events. You can also define user rules

that override any system rules.

System-wide rules: These are the built-in rules that define which action should be taken for each

event type. You can choose from "Ignore", "Mute" (default setting), and "Alert":

Ignore – The event is not seen anywhere.

Mute – The event is only seen on the Investigation screen; however, you can check the box

marked "Send muted alerts" on the Outputs sub screen to set MazeRunner to send muted

alerts via syslog as well.

Alert – The event is seen on both the Investigation screen and the Dashboard, and an alert is

sent via syslog and email.


User rules: Here you can define rules that will override the system rules. To do this, follow these

steps:

1. Click "Add rule" to open the rule creation form:

2. To which decoy(s) and service(s) would you like this rule to apply? Make your selections

from the drop-down lists.

3. You can choose to set a rule for actions originating from a specific IP address. To do this, fill

in the IP address in the field provided. Please note that IP addresses are matched exactly.

4. You can also choose to set a rule for a specific file located on a decoy (e.g., "/bin/netcat" or

"myshare/important.txt"). To do this, fill in the relevant filename in the field provided. The

filename specified will apply to SMB alerts, code execution alerts, and unsigned code

execution alerts. Please note that the filename is matched exactly (SMB alerts will contain

the share name, there is a distinction between / and \, and names are case sensitive).

5. To which type of alert should this rule apply? Choose one from the drop-down list. NOTE:

You will need to create a separate rule for each type of alert:


6. What would you like to happen? Choose an action ("Ignore", "Mute", "Alert" or "Shut down

decoy") from the drop-down list. If you choose "Shut down decoy", any decoy(s) related to

that alert will be automatically shut down when the alert is processed. IMPORTANT: Shutting

down the decoy is independent of the action you set for each event type ("Ignore", "Mute",

"Alert"); an alert may be ignored by another rule and still shut down the decoy.

7. Once you have finished defining your new rule, click "Create".


INTEGRATING WITH THREATCONNECT

This section will show you how to set up ThreatConnect for use with MazeRunner. Before proceeding, please

install and set up MazeRunner according to the guidelines provided for virtual appliance (VMware Player,

VMware Workstation, VMware ESXi or KVM).

To set up ThreatConnect integration, follow these steps:

1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you

would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of

which feed to connect, please check with your ThreatConnect contact). In this example, our feed is

called "Cymmetria TAXII Source":

2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared

on your screen. Click on the gear icon to go to your TAXII feed's Source Config:

3. In Source Config, go to the Data tab:


4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange:

5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window

has popped up on your screen:


Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII

server URL found in MazeRunner's System configuration settings. To do this:

a) Open MazeRunner in your browser by navigating to your virtual machine's IP address

(using HTTPS). Click on the gear icon located in the top right-hand corner of the screen,


b) On the Outputs tab, you will find "ThreatConnect Settings". Check the box next to

"Enable TAXII server", click the purple Save configuration button, and then copy the link

found in the "TAXII server URL" field:

c) Go back into ThreatConnect and paste this URL into the space provided, then click

"Next".


6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click

on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5

will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not

need to use these credentials again; they are only required by ThreatConnect in order to proceed to

the next step), then click "Next":

7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called

"alerts_feed"), then click "Next":

8. Click "Next" until you reach the Confirm tab, and then click "SAVE".


PRODUCT REFERENCE

The following sections provide an overview of the MazeRunner platform, including its user interface and

additional functionalities.

PRODUCT INTERFACE

MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main

parts of the product:

● Dashboard – Your deception battle map, where you control and review your campaigns.

● Campaign screen – Here you create the different components of your deception campaign.

● Endpoints screen – From this screen you can view and manage your endpoints, as well as deploy

breadcrumbs.

● Investigation screen – Used for viewing your campaign's events and alerts. Here you can see every

move an attacker has made.

Alternatively, you may manage the platform using the MazeRunner API. Almost everything that can be done

using the MazeRunner interface can also be achieved by using the API. For details, see our online API

documentation.

TASK MANAGER

The task manager, accessed from the speech bubble

icon with the clock symbol that is located on the top

right navigation bar, displays MazeRunner tasks and

their statuses. By clicking the icon, you can view the

status of tasks that are currently running (on the Running tab), and see a list of completed tasks (on the

Complete tab). NOTE: Stopped and failed tasks can be seen on the Complete tab alongside successful tasks.

If you would like to stop a task that has already been started, you can do so from the Running tab. To stop a

task that is currently in progress, click the Stop button to the right of the task's status bar:

Once you do this, the task will move to the Complete tab and it's status will appear as "Stopped":

https://community.cymmetria.com/api/



NOTE: If you stop a task (for example, a breadcrumb deployment) before it has completed, you will need to

navigate to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and clean the

endpoints on which breadcrumbs have already managed to deploy before you stopped the deployment. For

more information on how to do this, see Filter options and Bulk actions in the Endpoints screen section on

page 96.

If a task fails, you will see this detailed in the task's status bar on the Complete tab:

To check failed deployments, you will need to go to the Endpoints screen, filter out all the endpoints with a

Deployment Failed status, and expand the endpoint rows to check why they failed. For more information on

how to do this, see Filter options on page 97.

NOTIFICATION CENTER

The notification center, accessed from the speech bubble

icon on the top right navigation bar, displays alerts and

notifications regarding your MazeRunner activity. This

includes campaign import status, any issues that need your

attention, and more.


DECEPTION STORY WIZARD

This tool, accessed from the wand icon on the top right navigation bar, assists you in building your deception

campaign. The wizard allows you to choose from templates that have been prepared by Cymmetria's

security team. Alternatively, you can build your own customized deception stories without the help of the

wizard.

For more information on how to build deception stories using the wizard, see the section entitled Creating a

deception campaign (using the deception story wizard) on page 43.

SYSTEM MENU

This menu, accessed from the gear icon on the top right navigation bar, allows you to

configure MazeRunner, run diagnostics, manage users, manage API keys, change

password, import/export campaigns, view your access log, send logs to Cymmetria, and

update the system.

CONFIGURE

The System Configuration screen, which can be reached by clicking "Configure", contains

seven sub screens:

1. General – Here you can enter a virus database URL, choose to send anonymous data to Cymmetria,

automatically download updates, set the time zone, enable endpoints tracking (send beacon17),

view/change the NTP server URL, enter HTTP proxy server details (e.g., https://<IP>:<PORT>), set the

number of hours of inactivity before logout, and restore the default configuration for General,

Outputs, and Networking:

17

The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the

status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the

MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect

to it over HTTPS (port 443).


2. Outputs – Here you can define settings for syslog (UDP/TCP port and address), email, reporting, and

ThreatConnect (enable TAXII server). See Integrating with a syslog / SIEM on page 64 for more

information.

3. Networking – Here you can add a decoy MAC address prefix and set MazeRunner's networking

configuration. You can choose to use the default configuration, run MazeRunner in non-promiscuous

mode or enable VLAN support for decoys and view/change the VLAN trunk interface:

4. Access control – Here you can enable access control to MazeRunner's management interface by

limiting access to specific IP addresses. To add an IP address to your access control whitelist, click

"Add rule", enter the IP address, and then click "Create":

CAUTION! If this is not done properly, you risk losing your own access to

MazeRunner. Please ensure the validity of the information you enter here. If

something goes wrong, please contact Cymmetria support.

5. Alerting policy – Here you can define the system-wide policy for handling events. See Changing

alerting policy on page 81 for more details.



6. Campaign and deployment – Here you can define your campaign refresh schedule, deployment

settings, and local admin credentials for endpoints (as well as test those credentials). See Scheduling

a campaign refresh on page 62 for detailed instructions.

7. Active Directory – Here you can import domains from an Active Directory for use when managing

your endpoints and automating breadcrumb deployment. Please see Importing endpoints from

Active Directory on page 50 for more information.

8. SOC – Here you can connect SOC interfaces to MazeRunner, in order to use the ActiveSOC and

Responder features. See SOC on page 72 for more information.

9. SSL Certificate – Here you can view the current server certificate and download the CA certificate.

You can also replace the certificate with a new certificate signed by MazeRunner or signed by a

certification authority (CA). See SSL Certificate on page 69 for more information.

DIAGNOSTICS

MazeRunner diagnostics, which can be reached by clicking "Diagnostics", allows you to run diagnostics to

review the current configuration of MazeRunner. Simply click "Run MazeRunner diagnostics":

If a test was unsuccessful, you will see a red X and an error message with further instructions on how to

proceed:


MANAGE USERS

User management, which can be reached by clicking "Manage Users", allows you to add and delete users

to/from MazeRunner. To add a new user:

1. Click "Add user". Define a unique username and password, then click "Create":

2. Users can be removed at any time by clicking "Delete" in the Actions column on the right-hand side

of the screen.

MANAGE API KEYS

Almost everything that can be done using the MazeRunner interface can also be achieved by using the API.

On the Manage API keys screen, you can create API keys to allow users to access the MazeRunner API. To do

so, follow these steps:

1. Click "Create API key", enter a description (this is an internal description), and click "Create":

2. Your new API key details (description, key ID, and secret key) will appear on the screen. NOTE: Be

sure to record the secret key, as this is the only time you will see it.

3. API keys can be removed at any time by clicking "Delete" in the Actions column on the right-hand

side of the screen.

In order to ensure you are communicating with MazeRunner, click "Download SSL CA certificate" and add

this to your API script. For more details on the MazeRunner API, see our online API documentation.



CHANGE PASSWORD

If you would like to change your password, you can do so here. Simply enter your old password and your

desired new password, and then click "Update":

ACCESS LOG

The access log records the date and time each user accesses MazeRunner, and from which IP address:

SEND LOGS TO CYMMETRIA

Sending logs to Cymmetria will allow us to better investigate issues related to your specific MazeRunner

instance. You can send logs automatically by entering your email address in the field provided and then

clicking "Send logs automatically":


SYSTEM UPDATE

Use the System Update wizard to check for MazeRunner updates or upload and install an update file you

received from Cymmetria. When you select "System Update" from the System Menu, the MazeRunner

Update window will open and display the current system status (either that MazeRunner is up-to-date or

prompting you to check for updates).

To check for updates, click "Check for updates":

If an update is available, you will be prompted to download and install it. The system will reboot after

installation is complete.

To upload and install an update file you received from Cymmetria, click "Upload and install an update file".

Once you click this button, the update file will upload and then automatically begin to install. NOTE: During

installation, you will not be able to use MazeRunner; the system will reboot after installation is complete:

If your update fails, please contact Cymmetria support and we will be happy to help you.

IMPORTANT: If your MazeRunner server is connected to the Internet, it will automatically check for version

updates once a week and will prompt you with a notification if there is a new version to download. Also,

when a new version of MazeRunner is released, Cymmetria will notify you by email. This way, if your

MazeRunner is not connected to the Internet, you can manually update the system by using the MazeRunner

Update wizard to upload an update file.



ENDPOINTS SCREEN

This screen shows you endpoints and the breadcrumbs they contain, along with their status, details, and

possible actions that can be taken:

Notice the endpoint status chart at the top of the screen. An endpoint's status is defined as follows:

Clean – The endpoint contains no breadcrumbs (usually when the endpoint has recently been

imported and no action has been taken on it)

Deployment Failed – Breadcrumb deployment to the endpoint was unsuccessful (a detailed error

message will be shown when you expand the endpoint row)

Inactive – The endpoint contains breadcrumbs, but a subset of those breadcrumbs are inactive

Active – Breadcrumbs have been deployed to the endpoint successfully, and are active

NOTE: You can redeploy breadcrumbs to endpoints that had issues by choosing the relevant Run mode in the

breadcrumb deployment form (see Deploying breadcrumbs for more information):

After you have deployed breadcrumbs to your endpoints, you will be able to expand each endpoint by

clicking the + icon to see details about the breadcrumbs on that endpoint.


You have already learned how to import endpoints from Active Directory and from CIDR blocks, and how to

deploy breadcrumbs to those endpoints; now let's look at what else you can do with your endpoints from

the Endpoints screen.

FILTER OPTIONS

There are several filter options available on the Endpoints screen. You can use the Search bar and the Filter /

Refresh endpoints button, and/or the funnel icon to the right of certain column titles (Status, Deployment

groups, First install date, Last update, and Last logon).

To filter using the Search bar:

1. Type your search criteria into the Search bar and then click "Filter / Refresh endpoints". You can

search using letters and numbers pertaining to an endpoint's hostname, IP address or operating

system (e.g., searching 'ultim' would return a result showing all endpoints running a Windows 7

Ultimate N operating system):

2. To clear your filter results and return to the main screen (where all endpoints are visible), simply

delete the criteria you entered into the Search bar, then click "Filter / Refresh endpoints".

To filter using the funnel icon to the right of column titles:

1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available

options, then click "apply":


2. To clear your filter results and return to the main screen (where all endpoints are visible), click again

on the funnel icon to the right of the column title and then click "clear".

BULK ACTIONS

Using the checkboxes next to each endpoint, you can take bulk actions on selected endpoints. You can

delete or clean endpoints, and re-assign them to a different deployment group.

To delete an endpoint and its related breadcrumbs (remove from database completely):

1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left

of the endpoint hostname. This will cause the bulk action buttons to appear:

2. Click the "Delete selected" button; when prompted to confirm the action, click "Yes":

3. Once the action has been completed successfully, you will see a green confirmation message appear

next to the notification center at the top right-hand corner of your screen.

To clean an endpoint (connect remotely and remove breadcrumbs on that endpoint):




2. Click the "Clean selected" button. You will need to choose your preferred deployment method

(executable or native script) and enter your local admin credentials, then click "Clean":


next to the notification center at the top right-hand corner of your screen.

To re-assign an endpoint to a different deployment group:



2. Click the "Re-assign to group" button. From the drop-down list, choose the deployment group to

which you would like to re-assign the selected endpoint, then click "Assign":


next to the notification center at the top right-hand corner of your screen. NOTE: An endpoint and

its breadcrumbs must belong to the same deployment group. Therefore, if the endpoint you re-

assigned contains breadcrumbs from a different deployment group, your endpoint will become

inactive and you will see an error message when you expand the endpoint row. You will need to

clean the endpoint and redeploy its breadcrumbs either manually or automatically to resolve this.


DASHBOARD

The Dashboard is where you can view your deception campaign:

Scrolling down below the campaign display, you will see alerts that require your attention. Each of these

events can be expanded to display more information regarding the alert. Notice that, if MazeRunner has

raised an alert on a machine, that machine will turn red.

To see all events and alerts in the system you can go to the Investigation screen.

INVESTIGATION SCREEN

This screen will show you the deception campaign events and alerts. Each time an attacker carries out an

action on a decoy machine, an event is created. Not every event warrants an alert; for example, events such

as port scans and protocol connections are documented without raising alerts. The following are examples of

common types of events documented by MazeRunner:

1. Port access – An indication that an attacker has probed a decoy. This type of event usually precedes

an actual attack.

2. Interaction event – An attacker might try to interact with one of the services on a decoy; this type of

event will notify the user of such attempts. For example, an SSH Interaction event would indicate

that an attacker has in some way interacted with a decoy's SSH service.

3. Code execution – An indication that an attacker has executed a program on a decoy.

4. Unsigned code execution – An indication that an attacker has added and executed a program on a

decoy. This is different than a regular code execution, where the program is already located on the

decoy.

DON'T FORGET: You can configure which action you would like to be taken for different events on the

Alerting Policy sub screen of System Configuration.

By clicking the + icon, you can expand each entry on the Investigation screen to see more information about

the event:


You can filter your results to show only the events that interest you; you can also search by keyword:

By checking the box next to "Alerts only" (and then clicking "Filter / Refresh events"), you can filter out

events and only show alerts:

By selecting the checkbox to the right of the + icon, you can delete an event by clicking the Delete all

selected button that appears:


If you configured it as such on the Outputs sub screen of System Configuration, all alerts will go to a syslog

server that may be monitored by your SIEM (e.g., Splunk). To export event and alert information in CSV

format, click "Export to CSV" on the bottom left side of the screen:

That's it! You now know how to use MazeRunner's platform to create and monitor a basic deception

campaign.

We're here to help. If you have any questions, please contact us at [email protected].



FAQ / TROUBLESHOOTING

This section contains known issues that customers have encountered during MazeRunner installation, setup,

and use.

DECOYS NOT WORKING

Q: My decoys aren't working. What's wrong?

A: Decoys sometimes get stuck in booting or configuring status. This can be caused by various issues (e.g.,

your MazeRunner IP address has been changed). To rectify this issue, go to the Decoys sub screen of the

Campaign screen and click "Recreate" (located in the Actions column on the right-hand side of the screen):

This will delete your decoy and recreate it, exactly as it was (i.e., you will not lose any current connections to

services and breadcrumbs).

If this does not solve the problem, please verify that your virtual appliance meets the minimum

requirements for running MazeRunner. Pay particular attention to the amount of RAM required per decoy.

If you have already tried recreating your decoys and are sure that your virtual appliance meets the minimum

requirements for running MazeRunner, yet the problem persists, please contact Cymmetria support so that

we can investigate the issue.

PROBLEM RESOLVING ENDPOINT NAME

Q: When testing the connection to an endpoint prior to automated deployment, I received the message

"Could not resolve endpoint name".

A: Follow these two steps:

1. Please verify that you are providing the full hostname of the endpoint, including the domain. For

example, "myendpoint.mydomain.local" vs. "myendpoint".

2. Please verify that the endpoint hostname you are providing is listed in your DNS server, or

alternatively that you correctly configured the DNS server during MazeRunner network

configuration.



NESTED VIRTUALIZATION SUPPORT

Q: Why do I see a "Nested Virtualizaton not supported" message on the Decoys tab?

A: This message indicates that you did not enable support of virtualization (this support is not always turned

on by default in a VMware environment). If you ignore this message and create a decoy anyway, you will see

a "Creation error" message under "Status":

See environment-specific instructions for enabling nested virtualization on VMware Player, VMware

Workstation, VMware ESXi or KVM.

DEPLOYING BREADCRUMBS AUTOMATICALLY TO LINUX MACHINES

Q: How do I deploy breadcrumbs automatically to Linux machines?

A: You can use the MazeRunner API. Cymmetria's Python SDK also has a fully functional sample script that

deploys remotely to Linux machines, which you can use as is or extend to fit your purposes.

Additionally, in various cloud environments, some users prefer to install breadcrumbs on the base image

that will be cloned by the load-balancer.



CREATING USERS

Q: How do I add a user to a service when creating my campaign?

A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need

to enter a username and password when creating the corresponding breadcrumb (you can also choose to

randomize a username and password from Cymmetria's breadcrumb pool):

You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy.

See Creating a basic deception campaign manually on page 46 for instructions on adding, connecting, and

activating breadcrumbs, services, and decoys.

SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS

Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link.

A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then

be able to deploy breadcrumbs. See Creating a basic deception campaign manually on page 46 for

instructions on adding, connecting, and activating breadcrumbs, services, and decoys.

RUNNING INTERNET-FACING DECOYS

Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys?

A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a

large amount of alerts (that are generally not high-interest alerts). The best way to use the MazeRunner

platform is to run decoys inside of your organizational network. If however, you decide to run Internet-facing

decoys, we recommend you change your alerting policy to generate alerts only on critical events (such as

code execution), and to "ignore" others. To set your alerting policy to ignore less-critical alerts, follow these

steps:




2. On the Alerting Policy tab, you will see a "System-wide rules" section. In the Action column, click on

the purple Alert button next to an event type and select "Ignore" from the drop-down options:

CREATING A WEB APPLICATION SERVICE

Q: Can I create a service using my own web application?

A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web

application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpMyAdmin. To add a web

application, follow these steps:

1. Create a ZIP file of your web application.

2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Add service".

3. Choose "Web application" from the Service type drop-down list:


4. Upload your own ZIP file by clicking "Choose File", then click "Create":

You have now created a new service using your own web application. For information on how to connect

this service to a decoy, and how to add breadcrumbs, see Creating a basic deception campaign manually on

page 46.

CREATING A GIT SERVICE

Q: Can I create a Git repository service?

A: Yes. You can create a Git source code repository with GitLab web UI. This can be done by adding a Git

service to your campaign. To add a Git service, follow these steps:

1. Create a ZIP file to house your repository files. MazeRunner will accept a ZIP file for your Git service

in one of two formats:

a. ZIP file – all the files in the ZIP folder will be committed as an initial commit and load to the

remote Git service.

b. ZIP file with a Git folder – the folder will load as a repository, including commit history, to the

Git service. NOTE: The Git folder must be on the root ZIP hierarchy.

2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Add service".

3. Choose "Git" from the Service type drop-down list:


4. Upload your ZIP file by clicking "Choose File", then click "Create":

You have now created a new Git service. For information on how to connect this service to a decoy, and how

to add breadcrumbs, see Creating a basic deception campaign manually on page 46.

PROBLEMS DURING OVA IMPORT

Q: I received a warning during OVA import saying that the OVA file did not pass OVF specification

conformance or virtual hardware compliance checks.

A: We are aware of this warning, and it is safe to click "Retry" and import the OVA file as is.


PROBLEMS DEPLOYING AN OVA DECOY ON ESXI

Q: I receive an error message when trying to deploy an OVA decoy on ESXi.

A: You may be using an older version of ESXi. MazeRunner OVA decoys are compatible with ESXi version 5.1

and higher, so if you are using an older version, you will need to update your ESXi.

AUTOMATIC DEPLOYMENT TO ENDPOINTS FAILED

Deployment to endpoints can fail for various reasons. See below an explanation of the error messages you

might have received, and instructions on how to solve the problem.

ERROR: COULD NOT RESOLVE HOSTNAME

Q: I received the error message "Could not resolve hostname". What does this mean?

A: MazeRunner was not able to resolve the hostname of the endpoint to which you are trying to deploy.

Please make sure that your DNS server is configured correctly and that the endpoint's hostname has not

changed.

ERROR: INCORRECT CREDENTIALS

Q: I received the error message "Incorrect credentials ". What does this mean?

A: MazeRunner failed to log in to the endpoint using the credentials supplied by the user. Please make sure

that the credentials are valid and that they belong to an admin account (this can be the local admin on the

endpoint).

ERROR: SMB TCP PORTS (139, 445) ARE UNREACHABLE

Q: I received the error message "SMB TCP ports (139, 445) are unreachable". What does this mean?

A: MazeRunner failed to connect to the endpoints via the standard SMB ports. Please make sure that your

firewall allows connecting to these ports (either your organization's firewall or the endpoint's local firewall),

and that the endpoint accepts connection via these ports (this can be checked using the PsExec tool from the

Sysinternals Suite).


ERROR: DEPLOYMENT TIMEOUT

Q: I received the error message "Deployment timeout". What does this mean?

A: MazeRunner failed to complete the breadcrumb deployment within a reasonable time limit. This error

usually indicates that the first connection to the endpoint succeeded, but the endpoint lost connectivity

(either due to the endpoint shutting down/rebooting or some network malfunction). Please try to deploy

again.

ERROR: DEPLOYMENT FAILED

Q: I received the error message "Deployment failed". What does this mean?

A: MazeRunner failed to deploy on the endpoint due to one of the following reasons:

1. MazeRunner failed to install its deployment service. Please make sure that you don't have a policy or

software running on the endpoint that blocks MazeRunner's service installation.

2. MazeRunner failed to clean the endpoint of all previous breadcrumbs. Trying to clean an endpoint

without ever installing a breadcrumb on it will cause this error.

3. MazeRunner encountered an internal error. Please consult with Cymmetria for further

troubleshooting.

ERROR: INVALID CONFIGURATION FOR DEPLOYMENT

Q: I received the error message "Invalid configuration for deployment". What does this mean?

A: MazeRunner did not have all of the necessary parameters for deployment. Please review your

deployment configuration (see this section for more information).

ERROR: NO ACTIVE DEPLOYMENT GROUP FOUND

Q: I received the error message "No active deployment group found". What does this mean?

A: MazeRunner could not deploy the selected breadcrumbs because the deployment group is not active.

Please make sure that all of your decoys, services, and breadcrumbs are active.

ERROR: NO BREADCRUMBS SUPPORTED ON THE ENDPOINT'S OPERATING SYSTEM WERE

FOUND IN THE DEPLOYMENT GROUP

Q: I received the error message "No breadcrumbs supported on the endpoint's operating system were

found in the deployment group". What does this mean?

A: MazeRunner could not deploy to the endpoint because none of the breadcrumbs found in the

deployment group are supported on the selected endpoint's operating system. You can either re-assign the

endpoint to a different deployment group that includes breadcrumbs supported on its operating system, or

add breadcrumbs that are supported on the endpoint's operating system to the current deployment group.


Documents

MazeRunner User Guide for Community Edition - … · USER GUIDE © Cymmetria ... ArcSight or an API-based integration Quick start ... console: © Cymmetria MazeRunner 2017 – Community