This sample script creates a deployment group with the requested breadcrumb type and downloads the deployment package.

create_deployment_group_with_all_breadcrumb_types.create_breadcrumb(client, breadcrumb_type, breadcrumb_data, username, password, group_name)

Create a breadcrumb.

A breadcrumb consists of connection credentials deployed on an endpoint. An attacker will find and use these credentials to connect to a service on a decoy.

  • client – An existing connection (the result of mazerunner.connect).
  • breadcrumb_type – Browser cookie, MySQL connection command, SMB path, etc.
  • breadcrumb_data – Breadcrumb configuration dict.
  • username – The user we would like to create on the service, which the attacker is intended to find and use.
  • password – The password of that user.
  • group_name – A deployment group to which the breadcrumb should belong.

create_deployment_group_with_all_breadcrumb_types.create_decoy_if_needed(client, decoy_key)

Create and power on a decoy, if none exists already.

Decoys are virtual machines, to which we want to attract the attacker.

  • client – An existing connection (the result of mazerunner.connect).
  • decoy_key – The key in the DECOY_DATA hash of the desired decoy.

create_deployment_group_with_all_breadcrumb_types.create_service_if_needed(client, service_data)

Create a service.

Services are applications installed on the decoys, to which we would like the attacker to try to log in.

  • client – An existing connection (the result of mazerunner.connect).
  • service_data – Arguments for the service configuration.

Configure command arguments parser.


Here’s the procedure:

  • Parse the command args.
  • Configure connection to MazeRunner; store in the ‘client’ variable.
  • Create a deployment group (which is a logical group of breadcrumbs).
  • Create the breadcrumbs and their required services and decoy (see create_breadcrumb, create_service_if_needed, create_decoy_if_needed).
  • Load the deployment group info from the server; wait for all the info to arrive.
  • Deploy the deployment groups.


This sample script creates an SMB deception chain with a list of usernames supplied by the user, each having a random password from a passwords file or from a predetermined password pool.


Configure the command arguments parser


Here is what we do:

  • Parse the command arguments.
  • Create a decoy named “Backup Server Decoy”.
  • Wait until the decoy is created.
  • Create an SMB service.
  • Attach the SMB service to the decoy we previously created.
  • Load users & passwords data file.
  • Create breadcrumbs and attach them to the service we previously created.
  • Start the decoy machine.

At the end of this process, we will have a nested (KVM) decoy. On that decoy, we will have an SMB service installed, which will have several SMB users.


This script will delete all of the entities on your MazeRunner system.


Parse command arguments


Here is what we do:

  • Parse command arguments.
  • Create MazeRunner connection.
  • Get a collection of all breadcrumbs.
  • Delete all elements in the collection.
  • Do the same for deployment groups, decoys, services, endpoints, CIDR mappings, and background tasks.


This script will periodically query MazeRunner for new events and print them.


Parse command arguments


Here is what we do:

  • Parse command arguments.
  • Fetch all possible types of alerts.
  • Get an AlertCollection: show/hide muted alerts according to option specified in the command, and show all types of alerts.
  • Check the current amount of alerts.
  • Periodically check for alerts and print the new ones.


This sample script deploys (install/uninstall) a specific Deployment Group on Linux endpoint[s] supplied by the user. A single endpoint can be provided on the command line, or a CSV file can be used to deploy on multiple endpoints.

mazerunner.samples.deploy_to_linux.deploy_zip_on_endpoints(zipfile, endpoints, deploy_type, deployment_group)

Deploy (install/uninstall) the zipfile on each of the endpoints in the list.

  • zipfile – String containing the full local path to the zipfile we need to upload.
  • endpoints – List of the endpoints we need to deploy on.
  • deploy_type – Type of deployment: install/uninstall.
  • deployment_group – The name of the deployment group we want to deploy; this parameter is used only for printing the name.

Parse command arguments

mazerunner.samples.deploy_to_linux.init_ssh_client(host, port, user, passwd)

Init the SSHClient and the SFTPClient.

  • host – The IP of the endpoint we need to connect to.
  • port – The port of the endpoint.
  • user – The user (should be root, or a user who can sudo without a password).
  • passwd – The password for the user to connect to the endpoint.

Returns: (paramiko.SSHClient, paramiko.SFTPClient).


Parse a CSV file into a list of items. Each item is a dict containing an endpoint’s data with the following values: host, port, user, pass.

Parameters: csv_file – Name of the CSV file to parse.
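
A validating parser for the endpoint CSV described above, as an added example that is not the SDK's own code. It assumes header-less rows in the order host,port,user,pass (the page names the fields but not the file layout); `parse_endpoints`, `Endpoint`, `valid_host` and the sample rows are hypothetical.

```python
import csv
import ipaddress
import re

FIELDS = ("host", "port", "user", "pass")  # the four values named above
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"(?=.{1,253}\Z)%s(?:\.%s)*\Z" % (LABEL, LABEL))

class Endpoint(dict):
    """Endpoint record whose repr masks the password, so it is safe to log."""
    def __repr__(self):
        return repr({**self, "pass": "***"})

def valid_host(host):
    """Accept an IPv4/IPv6 literal or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME.match(host) is not None

def parse_endpoints(stream):
    """Parse rows of host,port,user,pass; return (endpoints, errors)."""
    endpoints, errors = [], []
    reader = csv.reader(stream)
    for row in reader:
        lineno = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != len(FIELDS):
            errors.append((lineno, "expected 4 fields, got %d" % len(row)))
            continue
        host, port, user = (cell.strip() for cell in row[:3])
        passwd = row[3]  # kept verbatim: whitespace may be part of a password
        if not valid_host(host):
            errors.append((lineno, "invalid host"))
        elif not (re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535):
            errors.append((lineno, "invalid port"))
        elif not user or not passwd:
            errors.append((lineno, "empty user or pass"))
        else:
            endpoints.append(Endpoint(zip(FIELDS, (host, int(port), user, passwd))))
    return endpoints, errors

# Constructed sample input: documentation addresses and made-up credentials.
SAMPLE = ("192.0.2.10,22,root,S3cret!\n\n"
          "web01.example.test,2222,deploy,pw,extra\n"
          "198.51.100.7,70000,root,x\nbad host,22,root,x\n")
```

Error tuples carry only a line number and a field-level reason, so neither they nor a printed `Endpoint` put a password into deployment logs.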
mazerunner.samples.deploy_to_linux.run_cmd(ssh, cmd)

Run a command on an existing ssh connection.

  • ssh – ssh client.
  • cmd – command to run.


This script will allow you to integrate the Responder feature in MazeRunner with ElasticSearch. For usage information, run the script with no params.


This sample script runs a syslog server that will receive CEF messages and send them back to MazeRunner’s ActiveSOC using the API.