Suspicious Activity Framework
It's a framework designed to automate detection of compromised accounts, through the use of canary credentials.
The basic principle is:
- generate a canary credential (non-existent but plausible looking username and password) and submit it to a phishing site
- monitor auth logs for any auth attempts using the canary credential
- For any auth attempts, log the IP and save it as a "bad IP"
- monitor auth logs for any auth activity from bad IPs. Alert on successful auth.
I originally wrote this as a few horrible bash scripts. I've started to re-write it again in bash, mostly as psuedo code to demonstrate the principle. I will be devloping a version in python.