Skip to content

Network Share Breadcrumbs Enterprise

Network share breadcrumbs plant a saved connection to a fake share hosted by your Trapster. When an attacker enumerates shares or opens a saved connection, they connect to the honeypot and trigger a breadcrumb incident on the Incidents page.

Requires SMB service and VM deployment

Network share breadcrumbs target your Trapster's SMB service, which is only available on VM deployments (not Docker or Kubernetes). Enable SMB from Trapsters → device → Services before generating share breadcrumbs. See SMB honeypot.

Available formats

FormatGuide
Windows SMB shortcutWindows SMB shortcut
PowerShell SMB scriptPowerShell SMB script

Generate either format from the SMB service row: Trapsters → device → ServicesGenerate breadcrumb.

Use cases

  • Workstation compromise: an attacker finds a saved \\trapster\share connection in Windows Explorer or a mapped drive script
  • Script enumeration: login or startup scripts that reference a Trapster share get executed by attackers during reconnaissance
  • NAS impersonation: Trapster mimics a NAS device; any authentication attempt reveals compromised credentials

Deployment locations

  • Desktop or Documents folder shortcuts
  • Mapped network drives (via registry or script)
  • Shortcuts in Network Locations
  • References in login or startup scripts
  • Entries in net use history (via PowerShell script)