Log Files Decoy

An Event Log decoy is a deception technique used to engage adversaries by creating fake event log files that mimic legitimate system logs. These decoy logs are placed in the directories where real logs live (such as C:\Windows\System32\LogFiles on Windows or /var/log/ on Linux and macOS) and are populated with realistic but fabricated entries that resemble normal system activity, such as user logins, system errors, or security alerts. Because no legitimate user or process has a reason to touch a decoy, any access to it is a high-signal event.

The purpose of the Event Log decoy is to lure attackers into interacting with these logs, either by reading, modifying, or deleting them. When an adversary engages with the decoy logs, it triggers alerts that allow defenders to detect and monitor their activities. This technique not only helps in detecting unauthorized access but also provides valuable insights into the attacker’s methods and objectives.

Event Log decoys are typically monitored using File Integrity Monitoring (FIM) and OS auditing tools so that any interaction with the decoy logs is captured and analyzed in near real time. The two are complementary: FIM (hash, size and timestamp baselines) catches modification, truncation and deletion, but it cannot see a read; capturing reads requires the operating system's own audit facility, such as an auditd watch rule on Linux or a SACL with object-access auditing on Windows.
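The following is an added example, not code from the original page: it generates a decoy auth.log from fabricated sshd entries, records the FIM baseline a monitor would keep, and classifies later states of the file as unchanged, modified or deleted. It also emits the auditd watch rule needed to catch reads, which the hash check alone cannot observe. All hostnames, usernames, IP addresses and fingerprints are constructed, and the decoy filename auth.log.1 is a hypothetical choice.

```python
"""Decoy log generator plus a minimal file-integrity check.

Added example, not part of the original page. The hosts, users, addresses
and key fingerprints below are fabricated; the decoy path is hypothetical.
"""
import base64
import hashlib
import os
import random
import tempfile
from datetime import datetime, timedelta

# Constructed vocabulary for the fabricated entries (all hypothetical).
HOSTS = ["web01", "db02", "bastion"]
USERS = ["deploy", "svc_backup", "alice"]
SUBNET = "10.0.4."


def generate_decoy_entries(count: int, seed: int = 7) -> list[str]:
    """Return `count` syslog-style sshd lines that read like routine activity."""
    rng = random.Random(seed)           # fixed seed => reproducible decoy content
    ts = datetime(2024, 3, 3, 9, 0, 0)
    lines = []
    for i in range(count):
        ts += timedelta(seconds=rng.randint(30, 900))   # monotonic timestamps
        host, user = rng.choice(HOSTS), rng.choice(USERS)
        ip = SUBNET + str(rng.randint(10, 250))
        pid, port = rng.randint(1000, 65000), rng.randint(40000, 60000)
        # Mostly successes with a few failures, as a real auth.log would show.
        if rng.random() < 0.8:
            fp = base64.b64encode(hashlib.sha256(f"k{i}".encode()).digest())
            msg = (f"Accepted publickey for {user} from {ip} port {port} ssh2: "
                   f"ED25519 SHA256:{fp.decode().rstrip('=')}")
        else:
            msg = f"Failed password for invalid user admin from {ip} port {port} ssh2"
        stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
        lines.append(f"{stamp} {host} sshd[{pid}]: {msg}")
    return lines


def write_decoy(path: str, lines: list[str]) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


def baseline(path: str) -> dict:
    """Record what FIM keeps for the decoy: content hash, size and mtime."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime": st.st_mtime}


def check(path: str, base: dict) -> str:
    """Compare the decoy against its baseline.

    Returns 'unchanged', 'modified', 'timestamp_changed' or 'deleted'.
    Nothing legitimate writes to a decoy, so anything but 'unchanged'
    is worth an alert.
    """
    if not os.path.exists(path):
        return "deleted"
    current = baseline(path)
    if current["sha256"] != base["sha256"]:
        return "modified"
    if current["mtime"] != base["mtime"]:
        return "timestamp_changed"     # content intact but touched/timestomped
    return "unchanged"


def auditd_watch_rule(path: str, key: str = "decoy_log") -> str:
    """auditd rule (auditctl syntax) that also records reads of the decoy."""
    return f"-w {path} -p rwa -k {key}"


def demo(directory: str = "") -> list[str]:
    """Run the full lifecycle in a scratch directory and return the verdicts."""
    directory = directory or tempfile.mkdtemp(prefix="decoy-")
    path = os.path.join(directory, "auth.log.1")      # hypothetical decoy name
    write_decoy(path, generate_decoy_entries(25))
    base = baseline(path)
    verdicts = [check(path, base)]                    # 'unchanged'
    with open(path, "a", encoding="utf-8") as fh:     # simulate attacker tampering
        fh.write("Mar  3 11:00:00 web01 sshd[9]: session closed\n")
    verdicts.append(check(path, base))                # 'modified'
    os.remove(path)                                   # simulate deletion
    verdicts.append(check(path, base))                # 'deleted'
    return verdicts


if __name__ == "__main__":
    print(demo())
    print(auditd_watch_rule("/var/log/auth.log.1"))
```

In production the baseline would live off-host and the check would run on a schedule or from an inotify/FIM agent; the auditd rule is what turns a silent `cat` of the decoy into an event you can alert on.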