Deception
Creating an Active Directory Decoy User
You can create an AD decoy user account in an Active Directory (AD) domain with different privilege levels. These decoy user accounts help you detect enumeration and credential-based attack techniques such as brute force and Kerberoasting. Adversaries who query AD find these decoy user accounts and attempt to use their credentials to access other assets in the organization. High-fidelity alerts are triggered when the decoy accounts are accessed or when AD logs are analyzed.
Before adding and deploying a decoy user to an AD, you must add an AD domain.
To add an AD decoy user account:
- Go to Deceive > Active Directory Decoys > Decoy Users.
- From the Domain drop-down menu, select the AD domain on which you want to deploy the AD decoy user.
- Click Actions and select Add decoys.
- In the Decoy Details window, configure the following fields:
- Username: Enter a username for the decoy user.
- OU: Enter the distinguished name of the organizational unit (OU) for the decoy user. If the AD domain was added with credentials, this field is populated automatically. If the AD domain was added without credentials, enter the OU name, for example OU=admins,OU=database,DC=example,DC=local. Make sure that the OU name is accurate; otherwise, the deployment script throws an error during deployment.
- First Name: (Optional) Enter the first name of the decoy user.
- Last Name: (Optional) Enter the last name of the decoy user.
- Office: (Optional) Enter the office details of the decoy user.
- Telephone Number: (Optional) Enter the telephone number of the decoy user.
- Email: (Optional) Enter the email address of the decoy user.
- Can Password Expire: Enable to activate password expiration for the decoy account.
- Pre-auth Not Required (Make account vulnerable to ASREPRoasting attacks): Enable to make the decoy account appear vulnerable to AS-REP roasting attacks.
- Group Membership: (Optional) Enter the group name for the decoy user. Adversaries often target user accounts that are members of privileged administrative groups. If you add a decoy user to a protected group, enumeration detection does not always work because of the SDProp process. To learn more, refer to the Microsoft documentation.
- Description: (Optional) Enter a description, such as a password or password hint, that can reveal the presence of adversaries in the environment. Adversaries often read the description attribute when gathering information and looking for stored passwords.
- Make Account Kerberoastable: (Optional) Select a decoy from the drop-down menu to configure the serviceprincipalname attribute for the decoy account, making it appear vulnerable to Kerberoasting attacks.
- Restrict Logon To: (Optional) Select a decoy from the drop-down menu to configure the logonworkstations attribute for the decoy user account. This attribute restricts the user's access to specific computers.
- Profile Path: (Optional) Select a decoy from the drop-down menu to configure the profilePath attribute for the decoy user account. Adversaries analyze this attribute to discover file shares.
Click Save.
The AD decoy user account is added. The following icons indicate the decoy deployment status:
- Decoy successfully deployed.
- Decoy updated, but deployment is pending.
- Decoy deployment pending.
- Decoy deployment failed.
After the AD decoy user is created, run the deployment script on your AD domain controller.
For AD decoys created in domains managed by server agents, you do not have to run the deployment scripts manually; the server agent automates AD decoy user deployment. If the decoy deployment has failed, click Retry Failed Deployments to submit the deployment request again.
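The alerts described above come from AD log analysis. The following added example (not the product's own code) shows the kind of detection logic that turns Windows Security events into decoy alerts: AS-REP requests for a decoy with Pre-auth Not Required, RC4 service-ticket requests for a decoy SPN, pre-authentication failures, and successful logons. The decoy usernames, the SPN and the sample events are constructed assumptions.

```python
"""Detect touches of AD decoy users in Windows Security event records.

Constructed sample events (not captured logs) model the fields Windows writes
for event IDs 4768/4769/4771/4624; decoy names and SPN are assumptions."""
from typing import Iterable, Optional

# Assumed decoy inventory: the decoy usernames and the SPN set through the
# serviceprincipalname attribute (Make Account Kerberoastable).
DECOY_USERS = {"svc_backup_adm", "db_admin2"}
DECOY_SPNS = {"mssqlsvc/db01.example.local:1433"}
RC4_HMAC = "0x17"  # ticket encryption type that Kerberoasting tooling requests


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None when it is not decoy-related."""
    eid = event.get("EventID")
    user = event.get("TargetUserName", "").split("@")[0].lower()
    if eid == 4768 and user in DECOY_USERS:
        # TGT request for a decoy. PreAuthType 0 means no pre-authentication,
        # the AS-REP roasting pattern that 'Pre-auth Not Required' invites.
        return "asrep_roast_decoy" if event.get("PreAuthType") == "0" else "tgt_request_decoy"
    if eid == 4769 and event.get("ServiceName", "").lower() in DECOY_SPNS:
        # TGS request for a decoy SPN; RC4 is the classic Kerberoast tell.
        return "kerberoast_decoy" if event.get("TicketEncryptionType") == RC4_HMAC else "tgs_request_decoy"
    if eid == 4771 and user in DECOY_USERS:
        return "preauth_failure_decoy"  # repeated failures = password guessing
    if eid == 4624 and user in DECOY_USERS:
        return "logon_decoy"  # the decoy credentials were actually used
    return None


def alerts(events: Iterable[dict]) -> list:
    """Map events to (label, decoy user or SPN, source IP), skipping benign ones."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            who = ev["ServiceName"] if ev["EventID"] == 4769 else ev["TargetUserName"]
            out.append((label, who, ev.get("IpAddress", "?")))
    return out


SAMPLE_EVENTS = [  # constructed for this example, not real domain controller output
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "svc_backup_adm", "PreAuthType": "0", "IpAddress": "10.0.0.99"},
    {"EventID": 4769, "TargetUserName": "bob@EXAMPLE.LOCAL", "ServiceName": "MSSQLSvc/db01.example.local:1433",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4771, "TargetUserName": "db_admin2", "Status": "0x18", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "db_admin2", "IpAddress": "10.0.0.99"},
]
```

Running alerts(SAMPLE_EVENTS) yields four alerts, all from 10.0.0.99, while the ordinary TGT request by alice is ignored.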