Engage Goals: EGO0001 Expose, EGO0003 Elicit
Engage Approach: EAP0001 Collect, EAP0002 Detect
Engage Actions: EAC0015 Information Manipulation, EAC0018 Security Controls
Name of Element: Fake Active Directory Domain Controller
Description of Element:
Goal: To identify attackers attempting to enumerate or modify Active Directory objects.
Approach: Monitoring access to the fake domain controller and analyzing attacker behavior. This element involves setting up a fake domain controller that mimics a legitimate one but contains deceptive information, such as fake user accounts or group memberships.
Attackers who attempt to interact with the fake domain controller will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to compromise the Active Directory environment.
Technical Context:
This element can be combined with other deceptive elements, such as deceptive LDAP responses or fake user accounts, to enhance its effectiveness. It aligns with the MITRE ATT&CK technique T1069.002 (Permission Groups Discovery: Domain Groups).
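One way to realise the monitoring side of this element, added here as an example and not part of the original record: a small triage script that parses constructed access-log lines from the decoy domain controller (the key=value line format, the source addresses and the object names are all assumed), treats every interaction as an alert because no legitimate client should reach the decoy, escalates modifications, and tags group-enumeration searches with T1069.002.

```python
"""Triage access logs from a decoy Active Directory domain controller.
No legitimate client should ever talk to the decoy, so every parsed event is
an alert; group-enumeration searches are tagged with ATT&CK T1069.002."""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format; not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.5.23 op=bind dn="CN=svc-backup,OU=Decoy,DC=corp,DC=example"
2024-05-01T10:00:02Z src=10.0.5.23 op=search base="DC=corp,DC=example" filter="(objectClass=group)"
2024-05-01T10:00:03Z src=10.0.5.23 op=search base="DC=corp,DC=example" filter="(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=example)"
2024-05-01T10:00:09Z src=10.0.5.23 op=modify dn="CN=Domain Admins,CN=Users,DC=corp,DC=example" attr=member
2024-05-01T10:05:00Z src=10.0.7.8 op=search base="DC=corp,DC=example" filter="(sAMAccountName=jdoe)"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\w+)(?P<rest>.*)$')
GROUP_MARKERS = ("objectclass=group", "memberof=", "member=")  # group-enumeration hints

def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(event):
    """Return (severity, tag) for one decoy-DC event."""
    rest = event["rest"].lower()
    if event["op"] in ("modify", "add", "delete"):
        return ("high", "modification")          # attacker is changing decoy objects
    if event["op"] == "search" and any(k in rest for k in GROUP_MARKERS):
        return ("medium", "T1069.002")           # domain group discovery
    return ("low", "access")                     # any other contact with the decoy

def triage(log_text):
    """Group alerts by source address: {src: [(ts, op, severity, tag), ...]}."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sev, tag = classify(ev)
        alerts[ev["src"]].append((ev["ts"], ev["op"], sev, tag))
    return dict(alerts)

def max_severity(events):
    """Highest severity seen for one source."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((e[2] for e in events), key=order.__getitem__)

if __name__ == "__main__":
    for src, events in triage(SAMPLE_LOG).items():
        print(src, max_severity(events), len(events), "events")
```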
Other:
This element requires careful planning and execution to ensure that it does not interfere with the normal operation of the Active Directory environment.