Beyond the Honeypot: Crafting Intelligent Deception with F4keH0und v1.0 and BloodHound

In modern detection engineering, speed and signal quality are everything. As attackers master the art of blending in, our alerts are increasingly drowned out by the noise of legitimate activity. We need a better tripwire—one that is silent until an adversary stumbles, and when it sounds, it does so with near-perfect fidelity. This is the promise of deception, and more specifically, the promise of data-driven identity deception.

This article introduces F4keH0und, a PowerShell framework we’ve developed to operationalize this concept in Active Directory. We’ll explore how it leverages an attacker’s favorite tool—BloodHound—against them and how its design aligns with the core principles of deception theory.

BloodHound: The Attacker’s Roadmap

Before we build a trap, we must understand the paths our targets travel. In Active Directory or Entra ID, BloodHound is the de facto tool for this. It ingests data about users, groups, computers, permissions, and sessions, and maps it into a graph. This graph doesn’t just show objects; it shows attack paths—the complex chains of privilege and access that allow an attacker to move from a low-privilege user to a Domain Admin.

For a defender, this data is gold. If we know the exact paths an attacker will likely take, we can litter those paths with irresistible and highly monitored traps. This is the entire premise of F4keH0und. It consumes the same data an attacker uses to plan their assault and uses it to inform a data-driven deception strategy.


The Deception Advantage: Lightweight Lures vs. Heavy Honeypots

For years, “deception” in cybersecurity was synonymous with honeypots: entire servers or networks designed to be attacked. While valuable, they are often cumbersome, resource-intensive, and difficult to scale.

Identity deception, the approach F4keH0und takes, is different. Instead of building a fake castle, we plant a single, fake key to the real one. The advantages are immense:

  • High Fidelity: A legitimate user has no reason to interact with a dormant admin account or a fake SQL service account. Any interaction is, by definition, suspicious. This eliminates the false positives that plague other detection methods.
  • Low Friction & Cost: Creating a new user account or service principal is a trivial operation with almost no performance overhead, unlike running dozens of virtual honeypot servers.
  • Scalability: Because decoys are lightweight, we can deploy hundreds of them across the enterprise, creating a vast sensor network that is woven directly into the production environment.

F4keH0und and the 7 Laws of Deception

A successful deception campaign isn’t just about creating fakes; it’s a science. The “Grammar of Deceit” provides a framework of seven laws that govern effective deception operations. Let’s see how F4keH0und’s design aligns with these principles.

1. The Law of Discovery: An adversary must be able to discover the deception.

A hidden trap is a useless trap. F4keH0und directly addresses this by using BloodHound data to place decoys on the path of least resistance. Because the decoys (e.g., Stale Admins, Kerberoastable users) are based on patterns that BloodHound is designed to find, any attacker using the same tool will inevitably discover our lures during their reconnaissance phase.

2. The Law of Believability: The deception must appear credible to the adversary.

F4keH0und excels here by using template-based mimicry. It doesn’t create a random user named decoy123. It finds a real, dormant Domain Admin named j.doe and suggests creating a decoy named j.doe_backup. It finds that Kerberoasting is a viable path and suggests creating a decoy with a believable SPN like MSSQLSvc/decoy-sql-prod-01.corp.local:1433. This contextual awareness makes the decoys blend in with real objects.

3. The Law of Interaction: An adversary must interact with the deception.

The decoys are designed to be irresistible. A stale, privileged account suggests an easy win. A Kerberoastable service account for a “production SQL server” is a high-priority target for any attacker looking to escalate privileges. The goal of F4keH0und is to create lures so tempting that the adversary feels compelled to act.

4. The Law of Feedback: The adversary’s interaction must provide feedback to the defender.

This is the detection piece. While F4keH0und doesn’t integrate directly with a SIEM, its final action is to generate a CSV handover report. This report details every decoy, its SID, its name, and the reason for its creation. This document is the critical link that allows the SecOps team to write highly specific, high-fidelity alert rules. A 4769 event (A Kerberos service ticket was requested) for our decoy SPN is not noise; it is a confirmed indicator of compromise.
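The handover report is only useful once someone turns it into a rule. The following is an added example, not F4keH0und’s own code: it reads a constructed handover CSV (the column names DecoyName, DecoySid and Reason are assumed here; use the ones your report actually has) and flags 4769 records whose ServiceSid or ServiceName belongs to a decoy.

```powershell
# Added example, not part of F4keH0und: turn the CSV handover report into a
# detection over Event ID 4769 records. Column names and sample values are
# constructed for this illustration; use the columns your report actually has.
$HandoverCsv = @'
DecoyName,DecoySid,Reason
j.doe_backup,S-1-5-21-1111111111-2222222222-3333333333-5001,Stale Domain Admin template j.doe
svc_sql_decoy,S-1-5-21-1111111111-2222222222-3333333333-5002,Kerberoastable SPN MSSQLSvc/decoy-sql-prod-01.corp.local:1433
'@
$Decoys = $HandoverCsv | ConvertFrom-Csv

function Find-DecoyTicketRequest {
    # Flags 4769 events whose ServiceSid (preferred, survives a rename) or ServiceName
    # matches a decoy. Events are expected to carry the 4769 EventData fields
    # ServiceName, ServiceSid, TargetUserName, IpAddress and TicketEncryptionType.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [object[]] $Decoys
    )
    $bySid = @{}; $byName = @{}
    foreach ($d in $Decoys) {
        $bySid[$d.DecoySid] = $d
        $byName[$d.DecoyName.ToLowerInvariant()] = $d
    }
    foreach ($e in $Events) {
        $hit = $null
        if ($e.ServiceSid -and $bySid.ContainsKey($e.ServiceSid)) { $hit = $bySid[$e.ServiceSid] }
        elseif ($e.ServiceName -and $byName.ContainsKey($e.ServiceName.ToLowerInvariant())) {
            $hit = $byName[$e.ServiceName.ToLowerInvariant()]
        }
        if (-not $hit) { continue }
        [pscustomobject]@{
            Decoy       = $hit.DecoyName
            Reason      = $hit.Reason
            RequestedBy = $e.TargetUserName
            SourceIp    = $e.IpAddress
            # 0x17 is RC4-HMAC, the weak encryption type Kerberoasting tooling requests by default
            Rc4Ticket   = ($e.TicketEncryptionType -eq '0x17')
        }
    }
}

# Constructed sample events: a normal TGS request for krbtgt, then a hit on the decoy.
$SampleEvents = @(
    [pscustomobject]@{ ServiceName = 'krbtgt'; ServiceSid = 'S-1-5-21-1111111111-2222222222-3333333333-502'
                       TargetUserName = 'alice@CORP.LOCAL'; IpAddress = '::ffff:10.0.0.5'; TicketEncryptionType = '0x12' },
    [pscustomobject]@{ ServiceName = 'svc_sql_decoy'; ServiceSid = 'S-1-5-21-1111111111-2222222222-3333333333-5002'
                       TargetUserName = 'bob@CORP.LOCAL'; IpAddress = '::ffff:10.0.0.77'; TicketEncryptionType = '0x17' }
)
Find-DecoyTicketRequest -Events $SampleEvents -Decoys $Decoys | Format-Table -AutoSize
```

On a domain controller, build the event objects from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}` by reading each event’s `ToXml()` EventData/Data elements; matching on ServiceSid rather than ServiceName keeps the rule working if the decoy is ever renamed.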

5. The Law of Consequence: The adversary’s interaction with the deception results in a consequence.

The primary consequence is detection. By interacting with a F4keH0und decoy, the attacker reveals their presence, methods, and location on the network far earlier in the kill chain than traditional defenses might. This buys the defense team invaluable time to respond.

6. The Law of Containment: The deception should limit the adversary’s freedom of action.

This law is traditionally about containing an attacker within a honeypot. F4keH0und takes a different approach. The decoys are created disabled by default and with complex, randomly generated passwords that are not known to anyone. They are dead-ends. An attacker can attempt to Kerberoast the account, but they will not be able to crack the password. They can target the account for lateral movement, but authentication will fail. The deception detects the action without providing the attacker with any actual foothold.

7. The Law of Scalability: The deception must be scalable.

This is one of F4keH0und’s greatest strengths. As a PowerShell script, it can analyze data from a massive domain and, with a single command, deploy dozens or hundreds of contextually aware decoys in minutes. This allows a small team to manage a deception layer at an enterprise scale, a task that would be impossible with traditional honeypots.


The Imperfect Deception: A Sober Look at F4keH0und v1.0

From a defender’s perspective, F4keH0und is not yet perfect. When contextualized with the 7 Laws, some limitations become clear:

  • Believability is Incomplete: While the decoys have believable names and properties, they are “standalone” objects. An advanced attacker might notice that a decoy mimicking a Domain Admin isn’t actually a member of the “Domain Admins” group, or any group at all. This lack of relationships can expose the decoy upon closer inspection.
  • Containment is a Trade-off: F4keH0und places decoys directly into the production environment. This is what makes them lightweight and discoverable, but it sacrifices the deep forensic capabilities of a fully contained honeypot. The goal is detection, not prolonged analysis of attacker TTPs in an isolated sandbox.

The Road to Perfection: Making F4keH0und Better

These limitations are not dead-ends; they are the roadmap for Version 2.0. To create the “perfect deception” campaign, F4keH0und can be improved in several key ways:

  1. Enhance Believability with Relationships: The next major feature is to make decoys graph-aware. After creating a decoy, the script should automatically add it to a selection of non-privileged groups that its real-life template was a member of. This weaves the decoy into the social fabric of Active Directory, making it far more resilient to scrutiny.
  2. Create Deceptive Edges: Beyond group memberships, the script could create other relationships visible in BloodHound. For example, it could spoof a session for a decoy admin on a low-value server, creating a tempting but fake path for an attacker to follow.
  3. Expand the Analysis Library: The framework is designed to be extensible. More detection modules can be added to find and mimic other attack paths, such as those related to Constrained Delegation, ACL abuse, or dangerous certificate templates.

By focusing on adding these relationships, F4keH0und will evolve from mimicking objects to mimicking entire attack paths, making it an even more formidable tool in the defender’s arsenal.