Engage Goals: EGO0001 Expose
Engage Approach: EAP0002 Detect
Engage Actions: EAC0003 System Activity Monitoring, EAC0012 Personas
Name of Element: Deceptive Service Accounts
Description of Element:
Goal: Detect and track the usage of service accounts by unauthorized users or malicious processes.
Approach: Create and monitor decoy service accounts to identify suspicious activity.
Deploy decoy service accounts with names or privileges that mimic legitimate accounts. Monitor these accounts for any login attempts, resource access, or modifications to reveal attacker activity.
Technical Context:
This element requires integration with the service account management system. It can be implemented by creating fake service principal names (SPNs) or by configuring deceptive service accounts in Active Directory. This aligns with the MITRE ATT&CK technique T1078 (Valid Accounts).
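The monitoring side can be sketched as follows. This is an added example, not part of the original element description. It assumes a decoy account named `svc_sqlbackup` (hypothetical) and Windows Security events already parsed into dictionaries keyed by their standard field names. Since nothing legitimate uses the decoy, every matching event is an alert. Note that for event 4769 the decoy appears in `ServiceName`, not `TargetUserName`.

```python
from collections import defaultdict

DECOYS = {"svc_sqlbackup"}  # assumed decoy name (hypothetical); nothing legitimate uses it

# Event ID -> (field naming the decoy, field naming the actor, meaning).
# 4769 is asymmetric: the decoy is ServiceName, the requester is TargetUserName.
FIELDS = {
    4768: ("TargetUserName", "TargetUserName", "TGT requested for decoy"),
    4769: ("ServiceName", "TargetUserName", "service ticket requested for decoy SPN"),
    4624: ("TargetUserName", "TargetUserName", "successful logon as decoy"),
    4625: ("TargetUserName", "TargetUserName", "failed logon as decoy"),
    4724: ("TargetUserName", "SubjectUserName", "password reset attempted on decoy"),
    4738: ("TargetUserName", "SubjectUserName", "decoy account modified"),
}

def norm(name):
    """Reduce DOMAIN\\user, user@REALM and mixed case to a bare lowercase name."""
    return name.split("\\")[-1].split("@")[0].strip().lower()

def detect(events, decoys=DECOYS):
    """Return one alert per event that touches a decoy account."""
    alerts = []
    for ev in events:
        spec = FIELDS.get(ev.get("EventID"))
        if spec is None:
            continue
        target_field, actor_field, reason = spec
        target = norm(ev.get(target_field, ""))
        if target not in decoys:
            continue
        source = ev.get("IpAddress", "-").replace("::ffff:", "")  # IPv4-mapped form
        alerts.append({"event_id": ev["EventID"], "decoy": target, "reason": reason,
                       "actor": norm(ev.get(actor_field, "")), "source": source})
    return alerts

def by_source(alerts):
    """Group alert event IDs per source address to track one actor's activity."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["source"]].append(a["event_id"])
    return dict(grouped)

# Constructed sample events (already parsed from the Security log into dicts).
SAMPLE = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sqlbackup", "IpAddress": "::ffff:10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_web", "IpAddress": "::ffff:10.0.5.40"},
    {"EventID": 4625, "TargetUserName": "CORP\\SVC_SQLBackup", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.5.23"},
    {"EventID": 4738, "TargetUserName": "svc_sqlbackup", "SubjectUserName": "helpdesk1"},
]
```

Calling `by_source(detect(SAMPLE))` groups the decoy-related event IDs per source address, so a service ticket request followed by a failed logon from the same host is visible as one sequence.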
Other:
This element can be combined with deceptive network configurations to create a more convincing illusion. For example, fake service accounts can be associated with decoy network services or honeypots to lure attackers.