Fake Active Directory Objects

Goal: Gather information about attacker activity by creating fake Active Directory objects.

Approach: Monitoring access to deceptive Active Directory objects.

This element creates fake user accounts, computers, or groups within Active Directory. Any attempts to access or interact with these objects are logged, providing valuable intelligence about attacker reconnaissance and lateral movement.

Engage Goals: EGO0003 Elicit

Engage Approach: EAP0001 Collect

Engage Actions: EAC0003 System Activity Monitoring, EAC0015 Information Manipulation

Technical Context:

This element leverages the Active Directory structure to create deceptive objects that appear legitimate to attackers. It can be combined with other techniques, such as honeypots, to further enhance its effectiveness. This aligns with the MITRE ATT&CK technique T1087.002 (Account Discovery: Domain Account).
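As an added example (not part of the original page), the PowerShell below stages one decoy user, places an audit SACL on it so that attribute reads generate Security event 4662, and then queries the Security log for any directory-read or authentication event naming the decoy. It assumes the RSAT ActiveDirectory module, rights to modify the object's SACL, and the "Audit Directory Service Access" and "Audit Kerberos Authentication Service" subcategories enabled on the domain controllers; the account name and OU are constructed placeholders.

```powershell
# Added example, not from the original page. Account and OU names are constructed placeholders.
Import-Module ActiveDirectory

$DecoyName = 'svc_backup_adm'                         # reads as a privileged service account
$DecoyOU   = 'OU=Service Accounts,DC=corp,DC=example'
$DecoyDN   = "CN=$DecoyName,$DecoyOU"

# 1. Create the decoy with a random password that is never stored anywhere:
#    the account has no legitimate use, so any touch of it is a signal.
$pw = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
New-ADUser -Name $DecoyName -SamAccountName $DecoyName -Path $DecoyOU `
    -Description 'Backup service account - do not disable' `
    -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true

# 2. Add a SACL so that reading the object's attributes (what domain account
#    enumeration does) writes Security event 4662 on the domain controller.
$acl  = Get-Acl -Path "AD:\$DecoyDN" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),   # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$DecoyDN" -AclObject $acl

# 3. Pull every Security event that names the decoy. 4662 = directory read (from
#    the SACL), 4768/4769 = Kerberos TGT/service ticket, 4771 = pre-auth failure
#    (wrong password), 4624 = successful logon. Any hit deserves triage.
function Get-DecoyActivity {
    param([string]$Account = $DecoyName, [int]$Hours = 24)
    $needle = '(?i)' + [regex]::Escape($Account)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4662, 4768, 4769, 4771, 4624
        StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $needle } |
    ForEach-Object {
        $d = @{}   # flatten EventData into name -> value for uniform field access
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $src = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['ClientAddress'] }
        $tgt = if ($d['ObjectName']) { $d['ObjectName'] } else { $d['TargetUserName'] }
        [pscustomobject]@{
            Time = $_.TimeCreated; EventId = $_.Id
            Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Source = $src; Target = $tgt
        }
    }
}

Get-DecoyActivity | Format-Table -AutoSize
```

An Everyone/ReadProperty SACL also fires when management or backup tooling enumerates the whole directory, so baseline the 4662 volume for a few days and exclude those known service principals before turning the query into an alert.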

Other:

This element can be particularly effective in enterprise environments where Active Directory is heavily used for authentication and authorization.