Skip to content

Tripwire Management

Dropping Tripwires

Tripwire deployment can be enabled during any Internal, External, Phishing Impact, or Rapid Response pentest. If you’re running an ongoing scheduled test, you can update the test template to enable tripwire deployment.

Directions

  1. Go to the configuration or template for an Internal, External, Phishing Impact, or Rapid Response pentest.
  2. Scroll to the Tripwires section.
  3. Click the toggle to enable Tripwires. Enabling Tripwires will also activate the NodeZero Remote Access Tool (RAT), which is required for tripwire deployment.
  4. Save your changes or start the pentest.

Rapid Response pentest

Note: Only Rapid Response tests that make use of the RAT are able to drop tripwires.

During the pentest, NodeZero will attempt to drop tripwires on hosts that it successfully compromised and deployed the RAT to. If NodeZero gains write access to a network share, it will also attempt to drop tripwires on that share.

After the pentest is complete, the test results will show the number of tripwires deployed, and the person who initiated the pentest will receive an email notification with details about the newly dropped tripwires, along with the pentest completion summary.

Injecting a Credential

Note: If you inject one or more credentials as part of the pentest, NodeZero will also leverage those credentials to deploy tripwires where the credential grants write access.

Managing Tripwires

All tripwires deployed by NodeZero can be viewed and managed in the Manage page under Tripwires in the top navigation.

The table on this page provides detailed information about each tripwire, including:

  • The type of tripwire.
  • When it was deployed.
  • The asset it was deployed to.
  • Its current status.
  • Links to the pentest during which the tripwire was dropped.

You can filter tripwires by Status or Type, or use the search functionality to find specific tripwires, such as by the pentest in which they were deployed.

Clicking on a tripwire's name will bring up a details page with additional information, such as the tripwire’s location and links to the impacts related to the asset from the pentest during which the tripwire was dropped.

The details page also includes instructions on how to delete the tripwire.

Remove a tripwire

Note: NodeZero is an agentless solution, so it does not have the capability to delete tripwires after deployment. Once dropped, the tripwire is active and will trigger alerts if any activity is detected on it.

Testing Tripwires

From a tripwire’s details page, you can simulate an attacker's behavior by testing the tripwire. This test is run within Horizon3.ai’s infrastructure and simulates the kind of action that would trigger the tripwire in a real scenario.

The test may take a few minutes to complete. Once finished, a test alert will be generated, appearing in the Portal. Notifications will also be sent via email, and a webhook event (if configured with a vendor) will be triggered. Test alerts are clearly labeled as such in the Portal, email, and webhook event.