Network Share Breadcrumbs Enterprise
Network share breadcrumbs plant a saved connection to a fake share hosted by your Trapster. When an attacker enumerates shares or opens a saved connection, they connect to the honeypot and trigger a breadcrumb incident on the Incidents page.
Requires SMB service and VM deployment
Network share breadcrumbs target your Trapster's SMB service, which is only available on VM deployments (not Docker or Kubernetes). Enable SMB from Trapsters → device → Services before generating share breadcrumbs. See SMB honeypot.
Available formats
| Format | Guide |
|---|---|
| Windows SMB shortcut | Windows SMB shortcut |
| PowerShell SMB script | PowerShell SMB script |
Generate either format from the SMB service row: Trapsters → device → Services → Generate breadcrumb.
Use cases
- Workstation compromise: an attacker finds a saved
\\trapster\shareconnection in Windows Explorer or a mapped drive script - Script enumeration: login or startup scripts that reference a Trapster share get executed by attackers during reconnaissance
- NAS impersonation: Trapster mimics a NAS device; any authentication attempt reveals compromised credentials
Deployment locations
- Desktop or Documents folder shortcuts
- Mapped network drives (via registry or script)
- Shortcuts in Network Locations
- References in login or startup scripts
- Entries in
net usehistory (via PowerShell script)
