Windows Fake File System Token: A Powerful Decoy Primitive for Cyber Defense


One of the most innovative cyber defense mechanisms I’ve worked on is the Windows Fake File System Token. This tool turns every local file into a decoy, creating a powerful defense mechanism against unauthorized access. It’s simple to deploy and provides alerts only when a file is copied or opened, not when the path is enumerated. This ensures that defenders get actionable intelligence without unnecessary noise.

The tool leverages Windows ProjFS (Projected File System), a built-in feature, meaning no additional agents are required. It provides detailed alerts, including the process and PID (Process ID) of the entity accessing the file. You can even modify it to fake content and set up custom alerting based on access patterns.

This tool is particularly useful for creating defender asymmetry, where attackers are tricked into revealing their presence while defenders gain critical insights. It’s highly recommended to deploy a few of these decoys on both servers and workstations.

You Should Know:

To implement this tool, follow these steps:

  1. Install ProjFS: Ensure that ProjFS is enabled on your Windows system. You can do this by running the following PowerShell command from an elevated prompt:

    Enable-WindowsOptionalFeature -Online -FeatureName "Client-ProjFS" -All

  2. Create a Fake File System: Use the following script to generate a fake file system structure. This script creates a root directory and populates it with fake files and folders:

    $rootDir = "C:\FakeFileSystem"
    New-Item -Path $rootDir -ItemType Directory -Force | Out-Null
    1..10 | ForEach-Object {
        # $_ is the current folder number
        $folderName = "Folder$_"
        New-Item -Path "$rootDir\$folderName" -ItemType Directory -Force | Out-Null
        1..5 | ForEach-Object {
            # inside the inner loop $_ is the current file number
            $fileName = "File$_.txt"
            New-Item -Path "$rootDir\$folderName\$fileName" -ItemType File -Force | Out-Null
        }
    }

  3. Monitor File Access: Use Windows Event Viewer or a custom script to monitor activity on the fake files. Here’s an example PowerShell script that logs events with FileSystemWatcher. Note that FileSystemWatcher only reports creates, changes, renames and deletes, not opens or reads; catching an open or copy together with the process and PID is exactly what the ProjFS-based token adds over this script:

    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = "C:\FakeFileSystem"
    $watcher.IncludeSubdirectories = $true
    $watcher.EnableRaisingEvents = $true

    Register-ObjectEvent $watcher "Created" -Action {
        # $EventArgs is the FileSystemEventArgs handed to the action block
        $event = $EventArgs
        Write-Host "File accessed: $($event.FullPath)"
    }
  4. Custom Alerts: Modify the action block so it sends an alert by email or another notification channel when a decoy file is touched. Here’s an example using Send-MailMessage (the addresses and SMTP server below are placeholders to replace with your own):

    # placed inside the -Action block above, where $event is the FileSystemEventArgs
    Send-MailMessage -From "decoy@yourdomain.com" -To "soc@yourdomain.com" -Subject "File Access Alert" -Body "File accessed: $($event.FullPath)" -SmtpServer "smtp.yourdomain.com"

  5. Leverage LLMs for Advanced Decoys: Use Large Language Models (LLMs) to generate realistic file names, sizes, and access times. This makes the decoys even more convincing.
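The FileSystemWatcher approach above cannot see who opened or copied a decoy. As an added example that is not the original tool’s code and does not use ProjFS, the script below reproduces the same defender-facing behaviour (an alert on open or copy that names the process and PID, silence on directory enumeration) with Windows’ built-in object-access auditing, which writes event 4663 to the Security log. It assumes an elevated PowerShell session, the decoy root C:\FakeFileSystem from the steps above, and placeholder mail settings; the function names are my own.

```powershell
# Added example, not the original tool's code. Reproduces "alert on open or copy,
# with process and PID" via built-in object-access auditing (Security event 4663)
# instead of ProjFS. Assumptions: elevated session, decoy root C:\FakeFileSystem,
# placeholder SMTP settings.

$rootDir = "C:\FakeFileSystem"

function New-DecoyTree {
    param([string]$Root, [int]$Folders = 10, [int]$FilesPerFolder = 5)
    New-Item -Path $Root -ItemType Directory -Force | Out-Null
    1..$Folders | ForEach-Object {
        $folder = Join-Path $Root "Folder$_"
        New-Item -Path $folder -ItemType Directory -Force | Out-Null
        1..$FilesPerFolder | ForEach-Object {
            # Constructed lure text; an empty decoy reads as obviously fake
            Set-Content -Path (Join-Path $folder "File$_.txt") -Value "decoy content $_ (placeholder)"
        }
    }
}

function Enable-DecoyAuditing {
    param([string]$Root)
    # Success auditing for the File System subcategory produces event 4663 in the Security log
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # Audit ReadData on files only (ObjectInherit + InheritOnly): opening or copying a
    # decoy is recorded, listing the directory is not, so enumeration stays quiet
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        "Everyone",
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Root -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Root -AclObject $acl
}

function Get-DecoyAccessEvents {
    param([string]$Root, [datetime]$Since = (Get-Date).AddMinutes(-15))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$Root\*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                File    = $data.ObjectName
                User    = $data.SubjectUserName
                Process = $data.ProcessName
                PID     = [Convert]::ToInt32($data.ProcessId, 16)   # 4663 stores the PID as hex
            }
        }
    }
}

function Send-DecoyAlert {
    param([pscustomobject]$Hit)
    $body = "{0} was opened by {1} (PID {2}) running as {3} at {4}" -f `
        $Hit.File, $Hit.Process, $Hit.PID, $Hit.User, $Hit.Time
    # Placeholder addresses and server; replace with your own
    Send-MailMessage -From "decoy@yourdomain.com" -To "soc@yourdomain.com" `
        -Subject "Decoy file opened: $($Hit.File)" -Body $body -SmtpServer "smtp.yourdomain.com"
}

# One-time setup
New-DecoyTree -Root $rootDir
Enable-DecoyAuditing -Root $rootDir

# Run periodically (for example from a scheduled task) to turn audit records into alerts
Get-DecoyAccessEvents -Root $rootDir | ForEach-Object { Send-DecoyAlert -Hit $_ }
```

Two things to check before trusting the alerts: a domain audit policy pushed by GPO overrides the local auditpol setting, so confirm with `auditpol /get /subcategory:"File System"` after a policy refresh; and backup agents, antivirus scanners and search indexers legitimately read every file, so expect to exclude their process names (or the decoy path) before treating a 4663 hit on a decoy as an intrusion signal.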

What Undercode Says:

The Windows Fake File System Token is a game-changer in cyber defense. By creating decoy files and monitoring access, defenders can detect and respond to threats more effectively. This tool leverages built-in Windows features, making it easy to deploy and manage. The ability to customize alerts and fake content adds another layer of sophistication, ensuring that defenders stay one step ahead of attackers.

Expected Output:

• Fake File System Created: A directory structure with fake files and folders.
• Access Logs: Detailed logs of file access, including process and PID.
• Custom Alerts: Notifications sent when decoy files are accessed.
• Defender Asymmetry: Attackers are tricked into revealing their presence, giving defenders the upper hand.

For more details, check out the original article:

This tool is a must-have for any organization looking to enhance its cyber defense capabilities.

References:

Reported By: Activity 7309631356941053952 – Hackers Feeds
Extra Hub: Undercode MoN
