Sinon: Open-source automatic generative burn-in for Windows deception hosts

Sinon is an open-source, modular tool for the automatic burn-in of Windows-based deception hosts. It aims to reduce the difficulty of orchestrating deception hosts at scale while enabling diversity and randomness through generative capabilities.

Sinon is designed to automate the setup of deception hosts by performing various actions that simulate actual user activity. The goal is to create a realistic environment that can deceive potential intruders. Sinon’s modular and configurable nature allows for easy adjustments and randomization, making each deployment unique.

“I’ve been working on a textbook covering deception technologies and CTI since December 2023. At present, the book is over 500 pages, and I have released 30 open-source deception technology tools created during research, including some ports of old tools that were no longer compatible with modern environments – for the sake of preservation and analysis of capabilities,” James Brine, the creator of Sinon, told Help Net Security.

“Part of this research explored the MITRE Engage framework, which describes technical capabilities around setting up a decoy host so that it would fit within the overall narrative that the defenders were presenting, as the need to convince, persuade, and motivate an adversary is pivotal to being able to select and collect data to close the defined intelligence gap. MITRE Engage describes an overly manual approach to this, which I’ve seen employed by other organizations when building deception decoys. Automating decoy interaction and burn-in through the application of LLMs, we’re able to rapidly create and interact with decoy systems in a way that generates highly realistic environments with minimal effort and, in doing so, can provide diversity where needed. Rather than relying upon the same base image repeatedly,” Brine added.

“Sinon looks to automate the components of MITRE Engage Application diversity, artifact diversity, burn-in, email manipulation, information manipulation, network diversity, peripheral management, pocket litter, introduced vulnerabilities, personas, and lures,” Brine concluded.

Key features

• Host configuration diversity: Install applications through the package manager, customization (wallpaper, resolution, default browser), and adjust Wi-Fi networks and settings.
• Introduced vulnerabilities: Control update state, including specific update packages for OS and applications.
• Host interaction: Email, view websites, download files, print documents, schedule tasks, copy files from network shares.
• Randomness and timing: Randomness to config state selected and timing of interactions improves the realism and makes decoy detection more difficult.
• Lure creation and synchronization with Redis: SSH keys, credential pairs, API keys, etc. These can then be used for correlating activities in other environments, such as by attaching the generated SSH key to SSH-Honey-Gateway config and proxying any connection with that key to a high interaction honeypot.
• File system monitoring: Specify file paths to monitor for activity to identify interaction with lures and pocket litter.

Sinon is available for free on GitHub.

Must read:

• 20 free cybersecurity tools you might have missed
• 15 open-source cybersecurity tools you’ll wish you’d known earlier
• 20 essential open-source cybersecurity tools that save you time

I have read and agree to the terms & conditions

Leave this field empty if you're human: