Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

Cyber-attacks on financial institutions and corporations are on the rise, particularly during pandemics, and they are becoming more sophisticated. Reports of hacking activity against government and commercial organisations have attracted a great deal of attention in the last several years. By design, the focus of Cyber Threat Intelligence (CTI) is exclusively defensive, because most CTI-derived analysis output is intended to prevent breaches or facilitate early detection. There is therefore a need for a new mechanism for unmasking the attacker. In this research, we demonstrate cyber threat intelligence enrichment with counterintelligence and counterattack, combined with new methods to exploit the adversary's weaknesses and take full control of the attacker's system. Attackers use a VPN to establish an anonymous connection. A VPN creates an encrypted tunnel to the internet, with the VPN server acting as an intermediary between the attacker and the web. This provides anonymity because the attacker's apparent IP address is that of the VPN server rather than their own. The VPN client is also launched automatically each time the computer restarts, so attackers rely on it to keep this masking persistent; our approach therefore aims to remove that persistence from the startup entries and registry of the attacker's machine. This research will help firms detect and identify an assault in its earliest phases and respond accordingly. The project develops new strategies to bypass VPNs and other anonymisation measures in order to obtain correct source information, so that companies can identify new methods by which their systems are penetrated and rapidly harden them. Using counterattack and counterintelligence, the proposed technique can bypass a VPN and gather adversarial intelligence. The main goal of this research is to find the attacker's footprints and to find out why the attack was planned in the first place.


I. INTRODUCTION
Security breaches and attacks are becoming more common because attackers are able to exploit weaknesses in people, processes, and technology. Cyber criminals have honed their tactics, techniques, and procedures (TTPs) to the point that they are almost impossible for law enforcement to identify and rectify. As adversaries become better organised and better funded, their TTPs become less predictable, more persistent, more resourceful, and more clearly driven by money. Ransomware, which encrypts data and systems and demands payment to decrypt them, is affecting many businesses. The WannaCry outbreak that began on May 12, 2017, spread to 150 countries, and infected more than 230,000 systems within a day is only one example.

The associate editor coordinating the review of this manuscript and approving it for publication was Parul Garg.
Because of the rising number and increasing complexity of security events, cyber threat intelligence has received a lot of attention in the last several years [3]. With the proliferation of open-source and commercial sources of threat information, many organisations have chosen to make use of these services. The problem is twofold: there is too much raw data to consume, yet too little of it is relevant and actionable, so analysts face information overload. Cyber threat intelligence data is managed, converted into actionable information, distributed to the various tools, and used to aid incident response through a Threat Intelligence Sharing Platform (TISP). Threat intelligence feeds and platforms are now offered by information security providers and the cyber security industry. Content aggregation can provide a variety of threat data feeds, and a Threat Intelligence Management System can be used to derive value from the information gathered; these two kinds of solutions can be combined into a comprehensive one.
Providers such as FS-ISAC, OASIS, IBM X-Force Exchange, Facebook ThreatExchange, HP Threat Central, Check Point IntelliTrace, AlienVault OTX, and the CrowdStrike intelligence exchange focus on collecting material. More attention is being paid to threat intelligence management systems such as IntelWorks, Soltra, ThreatStream, and Vorstack, to name a few. Many security providers have defined cyber threat intelligence in a way that is tailored to their marketing and commercial plans [1]. Because there is little academic literature about CTI, there is little clarity in the community about how threat information is defined, what standards are used, and how they are applied.
It is becoming increasingly difficult to keep up with these challenges as technology advances and more devices are connected to the Internet. Honeytokens, known colloquially as canary tokens, have been around for a while and are a good source of information. They are unique identifiers that can be planted in a variety of locations; if one is ever touched, an alert is raised [8]. Figure 1 shows a taxonomy of cyber threat intelligence enrichment.
Similarly, HoneyBadger is a honeypot designed to appear to give hackers access to administrative features. Its agents are delivered as ActiveX controls and Java applets. According to Strand, once the attacker believes they have succeeded in breaking into the site, it geolocates them to within about 20 metres: using the same geolocation technique as smartphones, the agent triangulates the user's position against nearby cell sites and wireless access points. This makes it easier for law enforcement to act. HoneyBadger is a targeted geolocation framework. As with conventional honeypots, it is an Active Defense technology that identifies the malicious actor and pinpoints their location. HoneyBadger uses "agents" built into a number of different technologies, which collect the information they need from the system on which they run [9].
Data from these agents is sent back to the HoneyBadger API, where it is stored and made available through the HoneyBadger user interface. Using the Word Web Bug Server, we can build a document that generates a callback each time it is opened; the callback tells us where the attacker is located based on their IP address. Linked style sheets and 1-pixel images are used to hide these beacons from the casual viewer. The main limitation of current strategies is that they cannot unmask the real identity of an attacker, because most attackers use VPNs to hide their IP addresses. And since most of the information that comes out of cyber threat intelligence analysis is used to stop intrusions or detect them early, CTI is used only for defensive purposes.
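The honeytoken loop described above (issue a unique token, embed it as a callback, alert when it is fetched) is shown below as an added example; it is not code from the paper nor from the HoneyBadger or Word Web Bug tools it cites. The beacon host canary.example.invalid, the /b/<token>.gif path and the combined web-server log format are assumptions.

```python
"""Honeytoken issue-and-match loop for canary-style document beacons.

Added example, not code from the paper or the tools it cites. The beacon host,
the /b/<token>.gif path and the "combined" log format are assumptions.
"""
import re
import secrets
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Beacon path carrying a 32-hex-digit token (assumed layout).
BEACON_RE = re.compile(r"^/b/(?P<token>[0-9a-f]{32})\.gif$")


class HoneytokenRegistry:
    """Issue one unguessable token per planted document and remember where it went."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Dict[str, str]] = {}

    def issue(self, document: str, planted_on: str) -> str:
        token = secrets.token_hex(16)  # 128 random bits: unique and unguessable
        self._tokens[token] = {"document": document, "planted_on": planted_on}
        return token

    def beacon_url(self, token: str, host: str = "canary.example.invalid") -> str:
        # Embedded in the lure as a 1-pixel image or a linked style sheet.
        return f"https://{host}/b/{token}.gif"

    def match(self, log_line: str) -> Optional[Dict[str, str]]:
        """Return an alert for a log line that fetched a known beacon, else None."""
        m = LOG_RE.match(log_line)
        if not m:
            return None
        b = BEACON_RE.match(m["path"])
        if not b or b["token"] not in self._tokens:
            return None  # unknown token: scanner noise, not a planted document
        info = self._tokens[b["token"]]
        return {
            "token": b["token"],
            "document": info["document"],
            "planted_on": info["planted_on"],
            # The source address may be a VPN or proxy exit rather than the
            # attacker's own machine: it is a lead for later stages, not an identity.
            "src_ip": m["ip"],
            "user_agent": m["ua"],
            "time": m["ts"],
        }

    def scan(self, lines: Iterable[str]) -> List[Dict[str, str]]:
        return [a for a in (self.match(line) for line in lines) if a]


if __name__ == "__main__":
    reg = HoneytokenRegistry()
    tok = reg.issue("payroll_2022.docx", "fileserver01:/share/finance")
    print("embed:", reg.beacon_url(tok))
    # Constructed log lines: one beacon hit, one unrelated request.
    lines = [
        f'203.0.113.7 - - [10/Mar/2022:14:03:11 +0000] "GET /b/{tok}.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [10/Mar/2022:14:03:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]
    for alert in reg.scan(lines):
        print("ALERT", alert)
```

The registry keys every alert to the document and the place it was planted, which is what makes the token useful: the alert says which decoy was taken and from where, independent of whether the source address is genuine.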
To address cyber-attacks and improve the broken processes of cyber threat intelligence, there is a need for an approach that provides a full defence mechanism as well as concrete information about the attacker. Therefore, deception, enrichment and counterintelligence are combined with some novel mechanisms that obtain the most information about the adversary and take full control of its system as well. The approach uses honeytokens in the form of documents distributed over the network while masquerading as essential documents, database files, or DNS records within the system. When an attacker gains access to a system and tries to reach sensitive data or files, the honeytokens bundled with those files reveal the security breach. The honeytoken is then used to conduct a counterattack on the attacker, to analyse and acquire more information about the attacker's machine while circumventing defences such as a VPN, and thus to disclose the identity of the attacker.
The following points summarise the most important contributions of this work:
• To defeat the VPN and obtain actual intelligence about the adversary, we propose a multi-stage algorithm.
• Document-based tokens: a callback link is placed inside a Word data file; once the link is triggered, the output is saved in the database.
• Obfuscated VBA scripts are used in several document types.
• In our tests the Word document bypassed the sandbox without being detected, and the Excel document bypassed the anonymous (VPN) connection.
• For the counterattack, the lure files carry a payload hidden in macros that connects back to a reverse shell listener on our server.

The next section introduces notable academic and commercial initiatives related to the topic under discussion.

II. RELATED WORK
In one related study, the authors take a defensive strategy for gathering and analysing threat information and conducting security monitoring for electronic attacks and security vulnerabilities (such as a denial-of-service (DoS) attack or a phishing scam).
Installing a PDF exploit and handler, they suggest that the system create an active and interactive honeypot for counterattacks via reverse TCP. The honeypot's primary goal is to capture the identity of the attacker rather than to monitor the attacker's actions. The proposed system can collect information such as inbound traffic, the presence of a VPN, and the attacker's routing details using the biteback method [3]. According to their findings, analysis in the cyber threat intelligence field is frequently insufficient, and that was our perspective in this study as well. This is largely due to flaws in methodology: because of an unreliable procedure, CTI is providing poor service. This is, however, understandable. Even though CTI has already helped reveal numerous intrusion campaigns carried out by hacker groups affiliated with nation states, the field is still in its infancy and requires further development to reach maturity. They argue that CTI should draw on techniques developed in the field of intelligence studies as a starting point, and they show that the area faces several obstacles that must be overcome. Qualitative and supply issues, as well as bias and actor-naming issues, will be mitigated when the CTI field improves its approach. The authors of [4] present the honey trap base as a low-interaction honeypot for effective detection and enhanced security controls.
A persistent threat actor has been using Microsoft OneDrive for command-and-control (C2) against targets in West Asia. Trellix researchers have linked the campaign to APT28, dubbed "Fancy Bear," a threat actor associated with Russia's military intelligence service. According to Trellix's analysis of the campaign data, this Eastern European threat actor targets military and government entities. The multistage APT28 campaign started with a phished Excel file, which exploited a remote code execution vulnerability in Microsoft's MSHTML ("Trident") browser engine (CVE-2021-40444); Microsoft disclosed the zero-day in September 2021 following reports of in-the-wild exploitation. A malicious DLL ran in the affected system's memory and downloaded the malware Trellix calls "Graphite", which uses the Microsoft Graph API (the API through which web apps use Microsoft cloud services) to reach OneDrive. According to Trellix, Graphite is a DLL built on the open-source Empire post-exploitation framework; after a multistage infection chain, the trojan installed an Empire agent. Trellix's principal scientist, Christiaan Beek, described the threat actor's cloud-based C2 technique as "unique": "Using OneDrive as a command-and-control server was shocking," he said. An attacker can place encrypted instructions in the attacker-controlled OneDrive; once that OneDrive syncs with the victims' PCs, the encrypted instructions are executed, says Beek.

III. RESEARCH METHODOLOGY
This article addresses research gaps that limit counterintelligence and counterattack in targeted threat intelligence, that is, proactively gathering intelligence on the adversary's system and taking control of the attacker's machine. The research aims to provide organisations with realistic document-based tokens and a proactive defensive environment so that they can capture attackers' system information, threat intelligence, attack paths, malware, and TTPs for threat hunting. Our method has two parts. In the first, we develop lure Word, Excel, and PDF documents to deceive attackers and identify APT attempts early, using cyber deception to obtain the adversary's information; the second, the counterattack, is described in Section IV.

A. METHODS USED
This study's main activities are data collection and analysis. We set up honeypots (Cowrie and a Windows honeypot), planted lure documents, and exposed secure shell (SSH) and remote desktop protocol (RDP) to collect information from those who attack vulnerable computers. Honeypots and lure files are used for counterintelligence and counterattack: when threat actors take the lure, they expose their own weaknesses and leak information. This data is collected once the system is installed and functioning but before it is placed into service.
The operation used a well-known company's public IP address. The attackers mistook this system for part of the organisation and exploited it, stealing what they took to be important files. The attacks were recorded, allowing us to study them in detail and uncover important information about them, and thus to obtain adversary intelligence.
This investigation will find the attacker's traces and the exact goal of the attack.
All the testing data utilised in this project is authentic, unmodified information.

B. DATA ANALYSIS
We used a variety of tools and packages in several languages, as well as public online resources, to analyse the data. Our main editor was Visual Studio Code, chosen because it has a simple user interface, requires little processing power, is extensible, and lets us run code in several environments at once; its easy integration with Google Colab was another important factor. We mostly used Visual Studio Code (a Microsoft product), VBA, and Google Colab. For the data analysis part of the project we chose Python for its easy-to-use syntax, large support community, and the availability of packages.

C. EVALUATION METHOD(S) AND CRITERIA
In previous work, counterintelligence is used for deception. Deception is not a new idea and has been used extensively by academics and practitioners, but there are numerous unexplored use cases that might make it the most cost-effective and widely used security solution on the market. The most common scenario involves cyber deception, counterintelligence, and counterattack frameworks, together with the uncertainty they introduce for the attacker. We used decoy files to gain access to an attacker's computer; these documents allow us to counter the attacker and recover the hidden information. In the following sections we offer a comprehensive analysis of the results achieved with this research product, together with a comparison against a basic system that lacks a counterattack function.

IV. A PROPOSED MODEL FOR COUNTERINTELLIGENCE AND COUNTERATTACK
Counter-threat intelligence is used so infrequently, and cyberattacks have increased to such an extent, that in addition to mitigating attacks we should look for novel methods that not only stop them but also track the attacker and gain access to the attacker's system. This study covers those research gaps. The main problem with previous techniques is what happens when the attacker uses a VPN: the basic information the attacker exposes, such as the IP address, is then wrong. To solve this problem, we created an environment for counterintelligence and counterattack, built on an ESXi server in a data centre. On the server side, public and private paths are created: attacker logs are collected on the public path and retrieved by us over the private path. We use Cowrie and Windows honeypots with several ports open, such as SSH. Logs are stored on a log server, and the information they contain is retrieved via the private path.

A. PROPOSED MODEL ARCHITECTURE
Our system setup includes ESXi, the VMware hypervisor, and an SDN, enabling numerous virtual machines to operate as Docker containers (for low-interaction honeypots) or fully functioning computers (for high-interaction honeypots). The decoy arrangement uses Open vSwitch (OVS) on Ubuntu to connect the decoy machines. "Rules" refer to the mechanism that decides which honeypots should be exposed to traffic from a given country in order to attract additional attackers and acquire threat information. OVS fronts many decoy Docker containers, which are distinguished by how they respond to an attacker.
The payment gateway decoy only communicates with Cowrie, Conpot, and SNARE/TANNER. Because Windows is a complete OS, attackers target it more, so the restrictions placed on each honeypot vary with its level of interaction and efficiency. Behind the firewall is a deception unit housing the complete system [34]. A single piece of equipment houses both high- and low-interaction honeypots. We only let an attacker see services, machines, and data when they try to connect to the deception system, whether or not they use a VPN or proxy.
On the server side, we have access to both public and private attack logs. We use SSH (Cowrie) and Windows honeypots, and we reach the log server over a secure channel. A well-designed RDP/SSH decoy should include an interactive interface for entering documents such as user passwords and transaction data; the attacker is then deceived by a C2 server under our control. A system architecture description and diagram are given in Figure 2.
The next step is to make real assets safer: by letting the attacker break into the decoy and then launching the counterattack against their machine, we collect information about the attacker on a log server, analyse that intelligence, inspect the logs, make judgements, and improve policies accordingly.

B. DATA ANALYSIS
Our Counterintelligence and Counterattack framework includes the following components:

1) HONEY TOKEN GENERATION
The Honey Token Generation Module generates tokens that have no known signatures and are not detected by antivirus software. The generated tokens conceal the embedded macro that makes them harmful.

2) INFORMATION GATHERING USING COUNTERINTELLIGENCE
Code obfuscation is used to hide the automated scripts added to the generated documents. These scripts run when the token is accessed and gather information about the system on which the token was opened: the attacker's operating system, the type of network in use, whether the connection is Wi-Fi or Ethernet, and network banner information.

3) ACCESSED IP GEOGRAPHIC LOCATION
This module helps determine the attacker's position. We can use the BSSID of the access point the attacker's computer is connected to, looked up in a wireless geolocation database, to determine the attacker's location; the result is shown on a map with pins marking the attacker's position. IP locations may be filtered by token, country, and so on.

4) WINDOWS BASIC TOKENS
We deploy our embedded tokens into the network as Microsoft Office documents (Word, PowerPoint, and Excel files). These tokens only run on PCs running Windows. The attacker obtains the tokens from the ESXi deception environment. Each token carries an embedded payload that is unique to a single target.

5) HONEY TOKENS FOR LINUX
Using documents supported by LibreOffice and OpenOffice, we can produce lure tokens that work on Linux. These tokens are used for counterintelligence.

6) MALICIOUS DOCUMENTS
The generation of harmful documents supports the counterattack framework. For the counterattack, the lure file carries a payload hidden in macros that connects back to a reverse shell on our server.

7) COUNTER-ATTACK MANAGEMENT
After an attacker gets into our honeypot, the Counter-Attack Management module acts against them. Access is gained through the macros in the tokens the attacker took, which trigger the counter-attack mechanism. The operator then has several post-exploitation options on the attacker's machine.

8) DROPPER FILES
Attacker groups mainly target people through fake job offers or personal data stolen from compromised systems. Our lure documents share certain similarities with those campaigns; we scanned our Word document with antivirus products and assessed it. When the planted code is activated, a backdoor is installed.

9) THE IP ADDRESSES INFORMATION
This module retrieves the list of IPs that have opened our lure documents using the counterintelligence function. The script captures the viewer's IP and user agent, from which we derive the country and city, together with device information such as MAC addresses.

10) JAVASCRIPT FILE DROPPER
This module creates a malicious JS file that can be inserted into several file types, such as MS Word (.doc, .docm, .docx, .dotm), Excel (.xls, .xlsm, .xlsx, .xltm), and PowerPoint (.pptm, .potm). We use the HxD hex editor to disguise our VBA scripts in base64 form, export them into C# files, and finally into JavaScript files. The resulting file can be used for counterintelligence and counterattack.

11) MANUAL ATTACKING USING SHELL
Once the attacker opens the tokens, the operator is granted reverse shell access and can execute commands in a shell on the attacker's machine, with the results returned to the C2 server. Post-exploitation, the operator might use the shell access to carry out further actions. To keep the connection open, the token's macro turns the shell access into a backdoor.

12) DISABLING MACRO-OPTION VIA EXE
It is important to understand what the system loads at startup, since registry Run keys and the Startup folder are processed before the user interacts with the desktop. A number of issues arise while attempting to establish a command-and-control session inside the attacker's system, so we create several lure files. Our lure document is delivered by an executable: the moment the attacker runs it, registry values are modified and the malicious files are downloaded to the attacker's machine.

C. DATA ANALYSIS
This section describes the malicious-document generation algorithms. To bypass the VPN we propose a multi-stage algorithm and use Excel to run the stages. The three-part Algorithm 1 shows how to defeat the VPN, and Algorithm 2 how to build the malicious document. For this we use the XLM macro generator from the Excel Donut repository, which runs a C# (.exe) payload in memory from a Microsoft Excel 4.0 macro; XLM (Excel 4.0) macros can be placed in .xls files. The payload is a C# file with a main function that runs (something like a Cobalt Strike Beacon EXE). Visual Studio compiles the C# code into two .NET assemblies, one for the x86 architecture and one for x64.

D. ATTACKING PAYLOADS
In our deception environment we have many attachment file types. The lure documents notify us when a document is opened or its macros run.
Our counterintelligence and counterattack strategy uses the payloads listed in Table 3. The experiments used VBA scripts, PE files, OLE files, and PowerShell (.ps1) scripts. The payloads indicated, such as the Excel document payload, can be created using Algorithm 2.

V. EXPERIMENTAL RESULTS AND EVALUATION
The report was submitted to Joe Sandbox, and the process tree reveals that the main executable first checks the system name, then the MAC address, and finally the whole system information [49]. This attack against Aljazeera was pure reconnaissance; the attackers may or may not prepare a broader assault on the basis of it. But it shows the intruders knew about Aljazeera's antivirus software, and an attacker who knows which antivirus is in use can target it. Malware analysts have classified this sample as both an evader and a Trojan. Spyware and ransomware may keep a persistent link to the victim's PC. A categorisation of the attacks is shown in the figure.
Use case of deployment: the high-interaction honeypots Cowrie and Windows are deployed in our deception system. Our proposed deception topology changes dynamically after a period of time, which makes it more realistic and effective. When an attacker interacts with the deception system, which is really a fake machine with lure documents, the attacker takes files that can be used to launch a counterattack against the attacker's machine.
A. WINDOWS LOG
a) Figure 4 shows the Windows honeypot logs and the activities performed by the attacker. For a better evaluation of our approach, we mapped the collected TTPs and payloads onto the MITRE ATT&CK framework. The Windows honeypot logs show that the attacker executed commands, stole information, tried to move laterally, and escalated privileges; the WMI service was used to run code, and svchost.exe was used for lateral movement and defence evasion.
b) We use System Monitor (Sysmon), a popular Windows logging add-on that records process, image-load and network events from which detections can be built. The attacker used Hijack Execution Flow: DLL Side-Loading (ATT&CK T1574.002). Side-loading is similar to DLL search order hijacking: rather than planting a DLL for an existing application to find, the attacker plants a legitimate, often signed, application alongside the malicious DLL and invokes it so that the loader's search order picks up the payload. Attackers likely use it to hide their actions behind trusted, authorised, and possibly elevated processes; the executables used to side-load may not be flagged during delivery or execution, and adversary payloads are often hidden or encrypted until they are loaded into the memory of the trusted process.
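A detection for the side-loading pattern described above, written over Sysmon Event ID 7 (image load) records, is given below as an added example; it is not the paper's tooling. The records are constructed and only the Sysmon field names (Image, ImageLoaded, Signed) are real; the "system-only" DLL list and the writable-directory markers are assumptions a deployment would tune.

```python
"""Heuristic for DLL side-loading (MITRE ATT&CK T1574.002) over Sysmon
Event ID 7 (Image loaded) records.

Added example, not the paper's tooling. Records are constructed; the Sysmon
field names are real, the DLL list and directory markers are assumptions.
"""
import ntpath
from typing import Dict, Iterable, List

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Directory fragments an unprivileged user can normally write to (assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# DLLs that legitimately live only under System32/SysWOW64 (assumed list).
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll", "uxtheme.dll", "cryptsp.dll"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _under(directory: str, roots) -> bool:
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def classify_image_load(rec: Dict[str, object]) -> List[str]:
    """Return the reasons a single ImageLoad record looks like side-loading."""
    image = _norm(str(rec.get("Image", "")))
    dll = _norm(str(rec.get("ImageLoaded", "")))
    signed = str(rec.get("Signed", "")).lower() == "true"
    dll_dir, dll_name = ntpath.dirname(dll), ntpath.basename(dll)
    img_dir = ntpath.dirname(image)
    if _under(dll_dir, SYSTEM_DIRS):
        return []  # loaded from its normal home: not side-loading
    reasons = []
    if dll_name in SYSTEM_DLLS:
        reasons.append(f"{dll_name} loaded from outside a system directory")
    if dll_dir == img_dir and any(w in img_dir + "\\" for w in USER_WRITABLE):
        reasons.append("executable and DLL co-located in a user-writable directory")
    if reasons and not signed:
        reasons.append("DLL is unsigned")
    return reasons


def find_sideloads(records: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    hits = []
    for rec in records:
        if rec.get("EventID") != 7:
            continue
        reasons = classify_image_load(rec)
        if reasons:
            hits.append({"technique": "T1574.002", "process": rec["Image"],
                         "dll": rec["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed records (not taken from the paper's honeypot).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\Viewer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\OneDriveUpdater.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\ProgramData\\Sync\\sync.exe",
     "ImageLoaded": "C:\\ProgramData\\Sync\\helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit)
```

The second record is the classic shape: a benign-looking executable and a DLL bearing a system DLL's name, both sitting in a user-writable directory, with the DLL unsigned. The first record, the same DLL name loaded from System32, is correctly ignored.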
B. COWRIE
a) Figure 5 shows the Cowrie honeypot logs from the experiments, which record attackers attempting to establish SSH connections. The log file shows the source IP address, source port, connection type, and the SSH session indicator. Attackers used the SSH service to get in and then tried to run commands, including remote command execution, and to steal our lure files. We collected the logs of all commands executed by attackers over SSH. The Cowrie honeypot deceives attackers and captures their brute-force login attempts: a weak password is set so that an attacker can brute-force it and log in successfully to a fake directory. Inside that directory we place our malicious document tokens, which provide the counterintelligence and counterattack features.
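The analysis just described (which sources brute-forced, which credentials worked, which commands ran, and which lure files were touched) is shown below over Cowrie's JSON log format as an added example; it is not the paper's analysis script. The event names and fields (eventid, src_ip, session, username, password, input) are Cowrie's; the log lines are constructed and the lure file names are assumptions.

```python
"""Summarise Cowrie JSON logs: brute-force volume per source, credentials that
succeeded, commands run, and which lure files were touched.

Added example, not the paper's script. Event names and fields are Cowrie's;
the log lines are constructed and the lure file names are assumptions.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

LURE_FILES = ("yearly financial information.rar", "payroll_2022.xlsx")  # assumed decoys

# Constructed lines in Cowrie's JSON log format (cowrie.json).
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":51012,"session":"a1b2","timestamp":"2022-03-10T14:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"root","password":"123456","session":"a1b2","timestamp":"2022-03-10T14:00:02Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"root","password":"toor","session":"a1b2","timestamp":"2022-03-10T14:00:03Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"admin","password":"admin","session":"a1b2","timestamp":"2022-03-10T14:00:04Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"admin","password":"password","session":"a1b2","timestamp":"2022-03-10T14:00:05Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"admin","password":"admin1","session":"a1b2","timestamp":"2022-03-10T14:00:06Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","username":"admin","password":"admin123","session":"a1b2","timestamp":"2022-03-10T14:00:07Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1b2","input":"uname -a","timestamp":"2022-03-10T14:00:09Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1b2","input":"ls /home/admin/Documents","timestamp":"2022-03-10T14:00:15Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1b2","input":"tar czf /tmp/d.tgz '/home/admin/Documents/yearly financial information.rar'","timestamp":"2022-03-10T14:00:31Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","username":"pi","password":"raspberry","session":"c3d4","timestamp":"2022-03-10T14:02:40Z"}
"""


def parse_cowrie(lines: Iterable[str]) -> Dict[str, dict]:
    """Fold one event per line into a per-source summary."""
    hosts = defaultdict(lambda: {"failed": 0, "success": [], "commands": [], "lure_touched": []})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        host = hosts[ev["src_ip"]]
        eid = ev.get("eventid")
        if eid == "cowrie.login.failed":
            host["failed"] += 1
        elif eid == "cowrie.login.success":
            host["success"].append((ev["username"], ev["password"]))
        elif eid == "cowrie.command.input":
            cmd = ev["input"]
            host["commands"].append(cmd)
            host["lure_touched"].extend(f for f in LURE_FILES if f in cmd)
    return dict(hosts)


def brute_forcers(summary: Dict[str, dict], threshold: int = 5) -> List[str]:
    return sorted(ip for ip, h in summary.items() if h["failed"] >= threshold)


def lure_takers(summary: Dict[str, dict]) -> List[str]:
    """Sources that touched a decoy: the candidates for the next stage."""
    return sorted(ip for ip, h in summary.items() if h["lure_touched"])


if __name__ == "__main__":
    summary = parse_cowrie(SAMPLE_LOG.splitlines())
    print("brute force:", brute_forcers(summary))
    print("took a lure:", lure_takers(summary))
    for ip, h in summary.items():
        print(ip, h["failed"], h["success"], h["commands"])
```

Keying everything on src_ip is the right first cut, but as with the web beacons the address is only a lead: a source that took a lure is interesting because of what it did inside the session, not because of where the SSH connection came from.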

VI. OBFUSCATION
By default, everyone who can open the Visual Basic Editor can read Excel VBA code, and any user may read unprotected VBA code and misuse it; macro viruses can introduce code that pranks the user or undermines PC security. You can protect a VBA project with a password and still run the code, but there are several free tools that quickly recover a forgotten or lost VBE password, and several spreadsheet programs can read Excel VBA natively without Excel. VBA obfuscation helps here: if the original code was written to run in both 32- and 64-bit Office, the obfuscated code will too, and obfuscation does not affect the VBA runtime. Used properly, obfuscation significantly raises the effort needed to analyse the macro, although it is not a security boundary: the code still executes in clear on the target and can be recovered from memory. These obfuscated files are presented in Figure 6; the screenshots show the obscured VBA script used in the documents.
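From the defender's side, the obfuscation described above leaves fingerprints that are easy to score statically: strings built character by character with Chr(), long base64 literals, shell or COM calls, and Auto_Open-style entry points. The heuristic below is an added example, not the paper's obfuscator and not oletools; both VBA samples are constructed and the scoring weights are assumptions to be tuned on a real corpus.

```python
"""Static heuristics for obfuscated or auto-running VBA.

Added example, not the paper's tooling. The VBA samples are constructed and
the weights are assumptions.
"""
import math
import re
from collections import Counter
from typing import Dict

AUTO_RUN = re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen|AutoExec)\b", re.I)
CHR_CALL = re.compile(r"\bChr[WB]?\s*\(", re.I)
SUSP_API = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|Environ|URLDownloadToFile|XMLHTTP|PowerShell)\b", re.I)
B64_LITERAL = re.compile(r'"[A-Za-z0-9+/]{40,}={0,2}"')


def _entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def vba_features(src: str) -> Dict[str, object]:
    """Extract the indicators; comment lines are dropped first."""
    body = "\n".join(l for l in src.splitlines() if l.strip() and not l.strip().startswith("'"))
    return {
        "auto_run": bool(AUTO_RUN.search(body)),
        "chr_calls": len(CHR_CALL.findall(body)),
        "concat_ops": body.count("&"),
        "long_b64_literals": len(B64_LITERAL.findall(body)),
        "susp_api": sorted({m.group(0).lower() for m in SUSP_API.finditer(body)}),
        "entropy": round(_entropy(body), 2),
    }


def obfuscation_score(f: Dict[str, object]) -> int:
    score = min(int(f["chr_calls"]), 20)       # char-by-char string building
    score += 5 * int(f["long_b64_literals"])   # embedded encoded payloads
    score += 3 if int(f["concat_ops"]) > 10 else 0
    score += 5 if f["susp_api"] else 0         # process/COM/network capability
    score += 5 if f["auto_run"] else 0         # runs without a user action
    score += 5 if float(f["entropy"]) > 5.2 else 0
    return score


def is_suspicious(src: str, threshold: int = 15) -> bool:
    return obfuscation_score(vba_features(src)) >= threshold


# Constructed samples: an ordinary formatting macro and an obfuscated one.
PLAIN_VBA = """
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ThisWorkbook.Worksheets("Summary")
    ws.Range("A1:D1").Font.Bold = True
    ws.Columns("A:D").AutoFit
End Sub
"""

OBFUSCATED_VBA = """
Sub Auto_Open()
    Dim q As String
    ' "WScript.Shell" assembled from character codes
    q = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116)
    q = q & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject(q)
    o.Run "cmd /c echo demo", 0
End Sub
"""

if __name__ == "__main__":
    for name, src in (("plain", PLAIN_VBA), ("obfuscated", OBFUSCATED_VBA)):
        f = vba_features(src)
        print(name, obfuscation_score(f), f)
```

The obfuscated sample never contains the string "WScript.Shell", which is exactly why signature matching misses it; the Chr() density, the Auto_Open entry point and the CreateObject call together still give it a high score.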

A. MACRO-ENABLE OPTION PREVENTION
Macros are small programs stored as VBA code. VBA developers can create macros that do almost any operation on a computer, including accessing any external resource the machine is connected to. In the wrong hands, powerful tools like Excel's macros can be misused to spread malware, hijack machines for botnets, steal data from databases, or send e-mail spam. You should only allow macros in workbooks that you know and trust, and be suspicious of workbooks from others that have macros enabled.
By default, a yellow "SECURITY WARNING" bar appears under the ribbon when you first open a workbook containing macros, and the "Enable Content" button activates them. Only when the user clicks it is the malicious code in the document executed. Suppose, however, that the user does not enable macros. To address this, we developed a way to perform actions on the target's operating system by altering the machine registry: when our malicious document is opened on the target PC, the Enable Macro prompt does not appear if the macro security value in the registry has been changed from its default to 1 (enable all macros). Note that the document's own macro cannot make this change before it is allowed to run; in our chain the registry change is made by the executable that delivers the lure document (Section IV-B-12).
The registry value can be changed with the command shown, which we run from a .bat file or a VBA script; Figure 7 displays the result.

B. COUNTERATTACK USING RAR FILE EXPLOIT
WinRAR, a popular file archiver, was found to have a long-standing flaw. Check Point Research found a path traversal vulnerability (CVE-2018-20250) in the handling of ACE archives that lets attackers choose arbitrary destinations during file extraction. They can gain persistence and code execution by extracting files into sensitive locations such as the Windows "Startup" folder. WinRAR 5.70 fixes the issue by dropping ACE support, but there is no automatic update mechanism, so many users may continue to run obsolete versions. FireEye and the 360 Threat Intelligence Center have identified attacks exploiting it. These operations use many types of decoy documents and payloads, some never seen before and some using common tooling such as PowerShell Empire.
Our decoy file, a password-protected RAR package named "yearly financial information.rar", starts an infection chain that results in the installation of a backdoor ("execute.exe") on the machine that opens it. The implant then fetches instructions from our server, which creates a separate folder for each compromised host. We received the information about the attacker's machine via Telegram. In short, this executable collects the victim's system information and sends it to our server. Several victims opened our exe file, and we obtained system information for a couple of them. Figure 8 shows the file dropper flow diagram.
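The ACE bug above belongs to a general class: an archive member name that the extractor trusts to stay under the chosen output directory. The check below, an added example that is neither WinRAR's fix nor the paper's code, validates member names before anything touches the disk; the member names are constructed and /srv/extract is an assumed extraction root.

```python
"""Extraction-path validation against archive path traversal.

Added example, not WinRAR's fix and not the paper's code. Member names are
constructed; /srv/extract is an assumed root.
"""
import os
import re
from typing import List, Tuple

DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|//)")


def is_safe_member(root: str, member: str) -> bool:
    """True only if extracting `member` under `root` cannot escape `root`.

    Any ".." segment is rejected outright, even one that would resolve back
    inside the root: an archive has no legitimate reason to carry one.
    """
    name = member.replace("\\", "/")          # treat both separators alike
    if not name or "\0" in name:
        return False
    if name.startswith("/") or DRIVE_OR_UNC.match(name):
        return False                          # absolute, drive-rooted or UNC target
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return False                          # traversal, however it is spelled
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, *parts))
    return os.path.commonpath([root_abs, target]) == root_abs


def plan_extraction(root: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split archive members into (safe, rejected) before touching the disk."""
    safe, rejected = [], []
    for m in members:
        (safe if is_safe_member(root, m) else rejected).append(m)
    return safe, rejected


# Constructed member names, including the shapes a traversal exploit relies on.
SAMPLE_MEMBERS = [
    "reports/q4.xlsx",
    "reports/../../../Users/bob/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "C:\\C:C:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "\\\\fileserver\\share\\notes.txt",
    "/etc/cron.d/job",
    "./docs/readme.txt",
]

if __name__ == "__main__":
    ok, bad = plan_extraction("/srv/extract", SAMPLE_MEMBERS)
    print("extract:", ok)
    print("reject: ", bad)
```

The third member is the shape that defeated the original ACE sanitiser: a drive prefix followed by junk that a naive filter strips, leaving a relative traversal behind. Rejecting on the first disqualifying feature, rather than trying to clean the name, is what makes the check robust.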

C. MALICIOUS JAVASCRIPT FILE DROPPER
This module creates malicious JS code that can be inserted into several file types, for instance MS Word (.doc, .docm, .docx, .dotm), Microsoft PowerPoint (.pptm, .potm), and Microsoft Excel (.xls, .xlsm, .xlsx, .xltm). For the implementation we use the HxD hex editor for obfuscation, converting our VBA script into base64 form; we then export this obfuscated script into a C# file and finally embed it in a JavaScript file. Figure 9 shows the different constraints on JavaScript code execution. Inside the JavaScript code we can change the file extension to Excel, PDF, or Word. The screenshot shows the information from our experiments.

D. WORD FILE DROPPER
Individuals are usually targeted by the gang using booby-trapped job offers or private organisational information that is placed on their systems, and the new campaign shares some characteristics with the previous one. The flow diagram is shown in Figure 10. We analysed the Word document and also tested it on VirusTotal. It provides information about various positions at IT, a xyz.-based consulting firm, only to start the infection chain when the embedded malicious code is activated, resulting in the deployment of a backdoor.
Aside from acquiring basic information about the attacker's system, the backdoor connects to a remote server and waits for further instructions that enable it to receive files from the server, upload arbitrary files, and run shell commands, with the results being sent back to the server. The given screenshots show the exact information that we collect on the server. The victim used a scanner to check the file, but it did not show anything malicious inside the file, so our malicious doc file can bypass the scanner as well. We can use multiple Word document formats for the purpose of getting system information from the attacker's machine as well as finding out its location. Using the "Counterintelligence" feature, the proposed technique may bypass defenders and get adversarial intel such as actual IP addresses, proxy servers, running processes, system information, incoming and outgoing data, and Media Access Control (MAC) addresses. The experimental results show multiple things in detail, for instance system information plus the BSSID. Using a MAC address, we can find the actual location of the attacker: we used a free online tool named wigle.net, where we entered the BSSID to obtain the location of the cyber crooks.

F. BASH SCRIPT FOR LINUX
This dropper is used in the Linux environment. When the file is opened in an authorised user mode, for example via the sudo command, it creates an account named test4. For the test4 account, passwords are disabled. In the home directory or the root directory, a file named .bashrc is created. Whenever a user is switched to or logged in, that .bashrc file is executed first, so we append our backend URL at the end of the .bashrc file. The curl command is used to make the request, and output such as the IP address is then shown on our backend server.
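As an added detection example (written for this page, not the authors' code), here is a check a Linux administrator can run over shell start-up files to surface the appended beacon the paragraph describes; the .bashrc content and the backend URL are constructed placeholders.

```python
import re

# Constructed ~/.bashrc with benign lines and one appended beacon; the URL is a
# placeholder on the reserved .invalid TLD, not a real backend.
SAMPLE_BASHRC = """\
# ~/.bashrc
export EDITOR=vim
alias ll='ls -alF'
curl -s https://backend.example.invalid/ping >/dev/null 2>&1 &
"""

# Commands that make an outbound request from a login shell.
NETWORK_CMD = re.compile(r"(?<![\w/])(curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"()]+")


def find_beacons(text: str):
    """Return non-comment lines that call curl/wget, with extracted URLs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if NETWORK_CMD.search(stripped):
            findings.append({
                "line": lineno,
                "urls": URL.findall(stripped),
                # Output discarded and backgrounded: typical of a silent beacon.
                "silenced": "/dev/null" in stripped or stripped.endswith("&"),
                "text": stripped,
            })
    return findings


def scan_rc_files(files):
    """files: {path: content}. Returns {path: findings} for files with hits."""
    report = {}
    for path, content in files.items():
        hits = find_beacons(content)
        if hits:
            report[path] = hits
    return report
```

In practice the same scan should cover /etc/profile, /etc/bash.bashrc and every user's .profile and .bashrc, since any of them runs at login.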

G. VICTIM REPORT
We have received several responses from people who were trapped in honeypot environments. A few of them are attackers, because their intention was merely to steal information from our machines. Some cyber security organisations are also involved in this activity: they took our lure document, in which we had placed the malicious exe for counterattacking purposes, and ran a scanning process on it. The results show the organisation's IP addresses as well as other information. We then put the IP address of the system into a free tool called IP-Lookup in order to see the domain of the address. We captured several other domains as well, shown in Figure 12, that scan our malicious exe files, and one cyber security organisation named CYREN is involved in this process as well.

H. MULTI-STAGE STRATEGY TO DEFEAT VPN
The fundamental difficulty with the previous tactics is that they do not work if the target uses a virtual private network (VPN). The fundamental information about the user that is shown, such as the IP address, is incorrect.
We present a hybrid technique in which we first get all the startup services, then delete those applications, insert our exe file in the appropriate location, and lastly reboot the system. After that, the machine uses an executable file to ping the public IP address.
The C# code is put within the Excel donut document, which has an auto-enabled format; when the Excel file is clicked, the code is executed and our algorithm is performed, and we also get system information. First, we demonstrate the results of our use cases of defeating the VPN in the form of screenshots: Figure 13 shows the startup status before the operation, and Figure 14 shows the code execution result. Similarly, Figure 15 shows the startup status after the operation, and we then show the persistence techniques that can be carried out via the malicious exe.
As we can see, the experimental results illustrate how to defeat the VPN via multiple document files, for instance Excel and Word. In the next few paragraphs, we talk about how the word "persistent" is used when discussing security breaches. As we all know, attackers use paid VPNs to generate persistence, and under persistence the VPN will automatically run every time the system reboots. To counter this persistence, we simply remove such programs from the startup and registry. Using the "Counterattack" features, the suggested method can get around a VPN and get information about the attacker, such as their real IP addresses, proxy servers, active processes, system data coming in and going out, and Media Access Control (MAC) addresses. Figure 16 illustrates the MITRE ATT&CK mapping.
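As an added detection-side example for the tampering sequence above (written for this page; not the authors' code, and every entry, product name and path is constructed), a baseline of autostart entries is compared with a later snapshot, so that a removed VPN client entry and a newly added executable in a user-writable location both surface.

```python
# Constructed autostart snapshots: Run-key values plus Startup-folder items.
# Names and paths are placeholders, not real software or observed samples.
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
STARTUP = "Startup\\"

BASELINE = {
    RUN + "OneDrive": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    RUN + "ExampleVPN": "C:\\Program Files\\ExampleVPN\\vpnclient.exe --autostart",
    STARTUP + "Notes.lnk": "C:\\Program Files\\ExampleNotes\\notes.exe",
}

AFTER = {
    RUN + "OneDrive": BASELINE[RUN + "OneDrive"],
    STARTUP + "Notes.lnk": BASELINE[STARTUP + "Notes.lnk"],
    STARTUP + "update.exe": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
}

# Locations an unprivileged user can write to; autostarts from here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programs\\startup\\")


def diff_autostart(baseline, current):
    """Entries removed, added, or whose command line changed between snapshots."""
    removed = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"removed": removed, "added": added, "changed": changed}


def risky_additions(diff, current):
    """Added entries that launch from user-writable locations."""
    return [k for k in diff["added"]
            if any(w in current[k].lower() for w in USER_WRITABLE)]


def alerts(baseline, current):
    """Human-readable alert lines; removals come first because a silently
    dropped security tool (here the VPN client) is the quieter change."""
    d = diff_autostart(baseline, current)
    out = [f"REMOVED autostart entry: {k}" for k in d["removed"]]
    out += [f"ADDED autostart from user-writable path: {k}" for k in risky_additions(d, current)]
    out += [f"CHANGED command line: {k}" for k in d["changed"]]
    return out
```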

I. EVALUATION
We evaluate our results in two parts. The first is the evaluation of our lure files, which is illustrated in Table 5. Secondly, the evaluation graph shown in Figure 17 can be further divided into four parts. To begin with, 15 percent of the documents reported by attackers are lure files that are detected in the sandbox. After this, our counterintelligence

VII. CONCLUSION
It is difficult for companies to defend themselves against cyberattacks, since attackers are constantly improving their methods of infiltrating a network. Finding a breach after it has occurred is a difficult undertaking, since intruders are always coming up with new methods of evading detection. Hackers can access personal information even after a security breach occurs. Attackers make use of paid VPNs, and a paid VPN is used to generate persistence. Once the computer is in persistence, the VPN will automatically run itself any time it reboots. Therefore, to counter this persistence, we have removed those programmes from both the registry and the start menu.
The proposed method can defeat a virtual private network (VPN) by utilising the "Counterattack" function to obtain adversarial data such as true IP addresses, proxy servers, running processes, and system information. A "Counterintelligence" function allows us to get the intel of an attacker's machine via multiple techniques. We generate malicious JavaScript code that may be placed into a variety of different files, such as Microsoft Word (.doc, .docm, .docx, .dotm), PowerPoint (.ppt, .pptm, .potm) and Excel (.xls, .xlsm, .xlsx, .xltm). The proposed method improves the effectiveness of recognising and countering threats using real-world attack scenarios and includes an algorithm for generating malicious documents. In contrast to traditional methods that focus on known threats, the suggested approach is intended to reveal the attacker's identity.

VIII. FUTURE WORK
In the future, we can use more widely adopted techniques to get into the shells of attackers' computers. In the command-and-control process, there are existing frameworks that may be used. To get further information from the computers used by attackers, we may combine all existing public tools as well as develop our own custom tools. We want to develop other exploits that are compatible with a variety of systems, and will do so. There are machine learning models that may be utilised in an environment designed to be misleading in order to lure in an attacker. Solutions like geo-location can attract attackers. A full framework requires a greater amount of front-end and back-end integration work; attackers these days are using increasingly sophisticated methods to mask their location, and in the future we will be able to cover every one of them.
MUHAMMAD USMAN RANA received the master's degree in information security from COMSATS University Islamabad, Pakistan, in 2022. He is currently working as a Security Researcher and an Analyst with the Cyber Security Laboratory, COMSATS University Islamabad. His current research interests include counterintelligence, deception, penetration testing, Windows exploitation, SIEM, vulnerability assessment, threat intelligence, phishing, and offensive security.
OSAMA ELLAHI received the master's degree in information security from COMSATS University Islamabad, Pakistan, in 2022. He is currently working as a Security Researcher and an Analyst with the Cyber Security Laboratory, COMSATS University Islamabad. His current research interests include cyber security, offensive security, deception, Windows exploitation, vulnerability assessment, threat intelligence, and phishing.
MASOOM ALAM received the Ph.D. degree in computer sciences from the University of Innsbruck, Austria. He is currently an Associate Professor with the Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan. His research interests include access control systems, model-driven architecture, and workflow management systems.