Running the Decoy Deployment Script on an Active Directory
To create decoy user accounts and computers in an Active Directory (AD), you must download the decoy deployment script from the Zscaler Deception Admin Portal and run it on the AD. You must run the deployment script to create user accounts in both the credential and credential-less modes.
Prerequisites
Make sure that the following prerequisites are met:
- Have admin access to the primary domain controller to run the script.
- Have PowerShell version 3.0 or later on your system.
- Install PSReadLine on the AD server to read user inputs.
Running the Decoy Deployment Script on an AD
Follow these steps to run a deployment script on an AD:
- Step 1: Configure the Group Policy Management Security Settings on a Domain Controller
  - Press the Windows key+R on your system. In the Run window, enter gpmc.msc to open the Group Policy Management console.
  - Configure the security audit policy:
    - Right-click Default Domain Controllers Policy and select Edit from the drop-down menu.
    - Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
    - In the Logon/Logoff pane, double-click Audit Logon.
    - In the Audit Logon Properties window, select the Configure the following events, Success, and Failure checkboxes. Click OK.
  - Enable Kerberos detection:
    - Go to Advanced Audit Policy Configuration > Audit Policies > Account Logon.
    - In the Account Logon pane, double-click Audit Kerberos Authentication Service.
    - In the Audit Kerberos Authentication Service Properties window, select the Configure the following events, Success, and Failure checkboxes. Click OK.
    - In the Account Logon pane, double-click Audit Kerberos Service Ticket Operations.
    - In the Audit Kerberos Service Ticket Operations Properties window, select the Configure the following events, Success, and Failure checkboxes. Click OK.
  - Enable AD enumeration detection:
    - Go to Advanced Audit Policy Configuration > Audit Policies > DS Access.
    - In the DS Access pane, double-click Audit Directory Service Access.
    - In the Audit Directory Service Access Properties window, select the Configure the following events, Success, and Failure checkboxes. Click OK.
  Enabling these audit settings increases the volume of logs generated by the AD.
- Step 2: Download the Deployment Script from the Deception Admin Portal
  - In the Deception Admin Portal, go to Deceive > Active Directory Decoys > Decoy Users.
  - Select an AD decoy user and click Download Deployment Script.
- Step 3: Run the Deployment Script
  - Copy the deployment script (Start-Deployment.ps1) to the primary domain controller.
  - Open PowerShell on the primary domain controller with administrative privileges.
  - Go to the path where the deployment script is saved.
  - Run the script on the primary domain controller using the following commands:
      Unblock-File .\Start-Deployment.ps1
      Import-Module .\Start-Deployment.ps1
      Start-Deployment
    The deployment script tests the configured audit policies for all the primary domain controllers and displays the results in green text.
  - Enter 1 to create a decoy user.
  - After the decoy user is created, enter 7 to verify the decoy deployment.
  - Enter 8 to generate the deployment JSON file. The script tries to upload the JSON file directly to the Deception Admin Portal.
  If the script fails to upload the JSON file to the Deception Admin Portal, the script writes the JSON file to your local computer (to the same folder where the deployment script is located). In this case, you must upload the JSON file to the Deception Admin Portal manually.
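Before running Start-Deployment, you can confirm from an elevated PowerShell on the domain controller that the four audit subcategories from Step 1 are actually in effect. The following is an added example, not part of Zscaler's deployment script; it relies on auditpol's CSV output and assumes the English-locale subcategory names and the literal setting string "Success and Failure".

```powershell
# Added example (not Zscaler's Start-Deployment.ps1): report whether the
# Step 1 audit subcategories audit both Success and Failure on this DC.
# auditpol shows the effective local policy, so run "gpupdate /force"
# after editing the Default Domain Controllers Policy before checking.

$RequiredSubcategories = @(
    'Logon',                               # Logon/Logoff > Audit Logon
    'Kerberos Authentication Service',     # Account Logon
    'Kerberos Service Ticket Operations',  # Account Logon
    'Directory Service Access'             # DS Access
)

function Test-DecoyAuditPolicy {
    [CmdletBinding()]
    param([string[]]$Subcategory = $RequiredSubcategories)

    foreach ($name in $Subcategory) {
        # /r emits CSV with the columns:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $csv = auditpol /get /subcategory:"$name" /r 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for '$name': $csv"
        }
        # Drop blank lines auditpol prints around the table, then parse the CSV.
        $row = $csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'   # e.g. "Success and Failure", "No Auditing"
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

$report = Test-DecoyAuditPolicy
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Compliant }
if ($missing) {
    Write-Warning ('Audit policy incomplete for: ' + ($missing.Subcategory -join ', '))
    exit 1
}
Write-Host 'All decoy audit subcategories audit Success and Failure.' -ForegroundColor Green
```

Run it on every domain controller the deployment script will test, since the audit settings are applied per DC and the subcategory names shown by auditpol are localized.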
To upload the deployment JSON file to the Deception Admin Portal:
- Copy the deployment script