Breadcrumbs Enterprise

Breadcrumbs are decoy artifacts placed on your real machines. They look like legitimate credentials, connection shortcuts, or configuration files, but they point to your Trapster. When an attacker compromises a machine and finds one, they will try to use it, triggering an incident that identifies both the attacker and the endpoint they came from.

How it works

  1. Generate a breadcrumb from the Trapster's Services tab. Trapster creates a deployment file or script tied to that service
  2. Deploy it on a target machine. Place the file in Documents, import a registry key, or run the script
  3. An attacker finds and uses it: they connect to your Trapster using the fake credential or shortcut
  4. You get a unique incident: the incident includes the placement note you wrote during generation, telling you which endpoint was compromised

Unlike a standard honeypot incident (which tells you someone is probing your network), a breadcrumb incident tells you which machine was already compromised.

Where to create and view breadcrumbs

| Task | Navigation |
|---|---|
| Generate a breadcrumb | Trapsters → select a device → Services tab → Generate breadcrumb on a service row |
| View breadcrumb history | Trapsters → select a device → Breadcrumbs tab |

The Breadcrumbs tab lists every decoy generated for that Trapster, along with its status (Active, Stale, or Triggered). To learn when breadcrumbs become stale and how to handle IP changes, see Trapsters: Breadcrumbs and IP changes.

Creating a breadcrumb

The formats offered in the wizard depend on the service you generate from (HTTP shortcuts for web services, SMB shortcuts for file shares, database config files for MySQL, and so on).

  1. Open Trapsters and click the Trapster you want the breadcrumb to target
  2. Go to the Services tab
  3. On the service row (HTTP, SSH, SMB, etc.), click Generate breadcrumb
  4. Choose a format from the list (filtered to formats relevant to that service)
  5. Enter a note describing where you will place the breadcrumb (this appears in the incident)
  6. Choose whether to Include decoy credentials (on by default)
  7. Click Generate, then download or copy the file or script and deploy it on the target machine

Include decoy credentials

This toggle controls whether Trapster embeds a fake password, share name, or URL path in the breadcrumb. Trapster always auto-generates the value when credentials are included. There is no field to type your own.

| Setting | What you get | When to use it |
|---|---|---|
| On (default) | A realistic auto-generated credential or path embedded in the decoy | Most deployments. When the attacker uses that exact value, Trapster matches it to this breadcrumb and raises a Critical incident with your placement note |
| Off | The file still references the Trapster IP, but without an embedded credential | When you only want to plant a connection shortcut or script that points at the honeypot without a fake password. The attacker may still discover and connect to the Trapster, but you lose the precise breadcrumb credential match |

Leave credentials on unless you deliberately want a reference-only decoy.

Incidents from breadcrumbs

When an attacker uses a breadcrumb credential against your Trapster, an incident appears on the Incidents page. Breadcrumb incidents include:

  • The placement note you wrote during generation
  • The credential pair used
  • Source IP of the attacker
  • Target service and Trapster

See Incidents and Threat Graph for the full incident workflow.
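
The credential matching described above and under Include decoy credentials, as an added illustrative model (not Trapster's code or API): a login attempt carrying a breadcrumb's exact credential pair resolves to its placement note, while a reference-only decoy leaves nothing to match on. All class names, credentials, notes, and addresses are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Breadcrumb:
    note: str                        # placement note written at generation time
    username: Optional[str] = None   # None models "Include decoy credentials" off
    password: Optional[str] = None

@dataclass(frozen=True)
class LoginAttempt:
    service: str
    source_ip: str
    username: str
    password: str

# Constructed registry: one credentialed decoy and one reference-only decoy.
BREADCRUMBS = [
    Breadcrumb("~/.pgpass on build-server-02", "svc_report", "Vq7rT2mLp9xK"),
    Breadcrumb("SMB shortcut on finance-laptop-14 Desktop"),
]

def classify(attempt, breadcrumbs=BREADCRUMBS):
    """Model the incident raised for one login attempt against the honeypot."""
    incident = {
        "kind": "honeypot",          # someone is probing; endpoint unknown
        "severity": None,            # the page gives no severity for this case
        "placement_note": None,
        "source_ip": attempt.source_ip,
        "service": attempt.service,
        "credential": (attempt.username, attempt.password),
    }
    for crumb in breadcrumbs:
        if crumb.password is None:
            continue                 # reference-only decoy: nothing to match on
        if (crumb.username, crumb.password) == (attempt.username, attempt.password):
            incident.update(kind="breadcrumb", severity="Critical",
                            placement_note=crumb.note)
            break
    return incident

if __name__ == "__main__":
    hit = LoginAttempt("postgresql", "10.20.30.41", "svc_report", "Vq7rT2mLp9xK")
    guess = LoginAttempt("smb", "10.20.30.41", "administrator", "Winter2024")
    for attempt in (hit, guess):
        print(classify(attempt))
```

The second attempt reaches the same honeypot from the same source, but because the SMB decoy carries no credential, the incident cannot name the endpoint it was planted on.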

Trapster supports 19 formats. The wizard filters this list to formats relevant to the service you generate from.

| Format | Typical platforms | Available from (service examples) | Guide |
|---|---|---|---|
| Fake password file | Any | All services | Password file |
| Bash history | Linux, macOS | SSH, FTP, HTTP, HTTPS, SMB, MySQL, PostgreSQL, MSSQL, Telnet, Rsync | Bash history |
| Bash script (.sh) | Linux, macOS | Most services except RDP-only shortcuts | Bash script |
| PowerShell history | Windows | SSH, FTP, HTTP, HTTPS, SMB, MySQL, PostgreSQL, MSSQL, RDP, Telnet, Rsync | PowerShell history |
| PowerShell script (.ps1) | Windows | Most services except client-profile shortcuts | PowerShell script |
| RDP profile | Windows | RDP | RDP shortcut |
| PuTTY profile | Windows | SSH | PuTTY |
| FileZilla profile | Windows | FTP | FileZilla |
| WinSCP profile | Windows | FTP | WinSCP |
| PowerShell SSH script | Windows | SSH | PowerShell SSH script |
| PowerShell SMB script | Windows | SMB | PowerShell SMB script |
| Windows SMB shortcut | Windows | SMB | Windows SMB shortcut |
| Windows HTTP shortcut | Windows | HTTP | HTTP shortcut |
| Windows HTTPS shortcut | Windows | HTTPS | HTTPS shortcut |
| macOS HTTP shortcut | macOS | HTTP | macOS HTTP shortcut |
| macOS HTTPS shortcut | macOS | HTTPS | macOS HTTPS shortcut |
| MySQL config (~/.my.cnf) | Linux, macOS | MySQL | MySQL config |
| PostgreSQL password file (~/.pgpass) | Linux, macOS, Windows | PostgreSQL | PostgreSQL password file |
| MSSQL connection script (.ps1) | Windows (PowerShell) | MSSQL | MSSQL connection script |
