Credential Breadcrumbs Enterprise
How credential breadcrumbs work
When Include decoy credentials is on, Trapster embeds a unique auto-generated identifier in each breadcrumb. Depending on the format, this may be a username/password pair, an HTTP URL path, or an SMB share name. This identifier is:
- Never used on any real system
- Known only to your Trapster dashboard
- Tied to the specific breadcrumb and its placement note
When an attacker uses this credential against any Trapster service, the dashboard immediately recognizes it as a breadcrumb, not just a generic honeypot trigger, and raises a breadcrumb incident on the Incidents page that names the source endpoint.
Database config formats
In addition to password files and scripts, Trapster can plant database client configuration files:
| Format | File | Service | Guide |
|---|---|---|---|
| MySQL Config | ~/.my.cnf | MySQL | MySQL config |
| PostgreSQL Password File | ~/.pgpass (Linux/macOS) or %APPDATA%\postgresql\pgpass.conf (Windows) | PostgreSQL | PostgreSQL password file |
| MSSQL Connection Script | connect_db.ps1 | MSSQL | MSSQL connection script |
Generate these from the corresponding service row: Trapsters → device → Services → Generate breadcrumb.
Why this matters
A standard honeypot incident tells you: someone is probing your network.
A breadcrumb incident tells you: the attacker reached your Trapster using credentials found on WORKSTATION-42 in C:\Users\jdoe\Documents\passwords.txt.
This gives your incident response team a confirmed starting point for containment.
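A minimal model of the mechanism described above, as an added example (not Trapster's code or API): one unique decoy credential is issued per placement, rendered as a `~/.pgpass` line, and a login attempt is later resolved back to the placement note. The class and function names, the `svc_` prefix, the decoy host address and the second placement note are assumptions made for illustration.

```python
import hmac
import secrets


class BreadcrumbRegistry:
    """Toy stand-in for the dashboard side: one unique decoy credential per placement."""

    def __init__(self):
        self._by_user = {}  # decoy username -> (password, placement note)

    def issue(self, placement_note):
        # Random identifier that exists on no real system and is tied to one placement.
        user = "svc_" + secrets.token_hex(4)   # "svc_" prefix is an assumption
        password = secrets.token_urlsafe(16)
        self._by_user[user] = (password, placement_note)
        return user, password

    def classify(self, user, password):
        """Map a login attempt seen on a decoy service to an incident record."""
        entry = self._by_user.get(user)
        # Constant-time comparison so the check itself leaks nothing about the password.
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return {"type": "breadcrumb", "source": entry[1]}
        # Unknown credentials: still a honeypot hit, but no endpoint can be named.
        return {"type": "generic", "source": None}


def pgpass_line(host, port, database, user, password):
    # ~/.pgpass format: hostname:port:database:username:password,
    # with ':' and '\' inside a field escaped by a backslash.
    def esc(field):
        return str(field).replace("\\", "\\\\").replace(":", "\\:")
    return ":".join(esc(f) for f in (host, port, database, user, password))


def demo():
    reg = BreadcrumbRegistry()
    reg.issue(r"WORKSTATION-42 C:\Users\jdoe\Documents\passwords.txt")
    note = "build-server ~/.pgpass"            # constructed placement note
    user, password = reg.issue(note)
    line = pgpass_line("10.0.0.50", 5432, "*", user, password)  # constructed decoy host
    hit = reg.classify(user, password)         # credential read from the planted file
    miss = reg.classify("postgres", "postgres")  # ordinary guess against the decoy
    return line, hit, miss


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because every placement gets its own credential, a match identifies exactly one file on one endpoint, while a guessed login only produces the generic record.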
Credential lifetime
Credentials are stored in your dashboard until you explicitly delete the breadcrumb from the Breadcrumbs tab. They cannot expire or rotate automatically. If you redeploy a breadcrumb after deleting it, a new credential pair is generated.
