Deceptive Service Accounts

Goal: Detect and track the usage of service accounts by unauthorized users or malicious processes.

Approach: Creating and monitoring decoy service accounts to identify suspicious activities.

Deploy decoy service accounts with names or privileges that mimic legitimate accounts. Monitor these accounts for any login attempts, resource access, or modifications to reveal attacker activity.

Deceptive Group Memberships

Goal: Expose attackers attempting to enumerate or exploit group memberships and gather information about their activities.

Approach: Creating fake user groups or assigning users to deceptive groups to monitor unauthorized access attempts.

Create fake user groups with enticing names or privileges, or assign honeytoken accounts to legitimate groups to lure attackers and monitor their attempts to exploit group memberships.

Deceptive User Behavior Patterns

Goal: Disrupt attacker profiling and behavioral analysis by simulating unusual user activity.

Approach: Generating fake user activity to confuse attackers and trigger alerts.

Generate fake user activity, such as logins at odd hours, access to unusual files, or execution of uncommon commands. This can disrupt an attacker's attempts to profile user behavior and to blend in with normal activity.

Honeytokened Administrative Tools

Goal: Detect and track the usage of administrative tools by unauthorized users.

Approach: Monitoring access to and usage of honeytokened tools.

Deploy decoy versions of administrative tools (e.g., PowerShell, PsExec) that mimic their legitimate counterparts but log usage, trigger alerts, or provide misleading information.

Deceptive Privilege Escalation Paths

Goal: Identify attackers attempting privilege escalation and gather information about their techniques.

Approach: Creating enticing but fake privilege escalation vulnerabilities.

Introduce seemingly vulnerable services or configurations that appear to allow privilege escalation. These paths lead to controlled environments or trigger alerts upon exploitation, revealing attacker TTPs.

Deceptive File System Filter Driver

Goal: Disrupt malware operation by manipulating file system operations.

Approach: Intercepting and altering file system requests.

This element installs a file system filter driver that intercepts file system requests and can modify or redirect them. This can be used to prevent malware from accessing sensitive files, executing malicious code, or persisting on the system.

Fake Active Directory Objects

Goal: Gather information about attacker activity by creating fake Active Directory objects.

Approach: Monitoring access to deceptive Active Directory objects.

This element creates fake user accounts, computers, or groups within Active Directory. Any attempts to access or interact with these objects are logged, providing valuable intelligence about attacker reconnaissance and lateral movement.
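As an added example (not part of the original page), the detection side of the three identity-based decoys described above (decoy service accounts, decoy group memberships and fake Active Directory objects): a small Python scanner that flags any Windows Security event touching a honeytoken identity. The honeytoken names, the event-field mapping and the sample events are constructed assumptions; real events are assumed to arrive already parsed into dictionaries from a SIEM or an event-log export.

```python
# Constructed honeytoken inventory; assumption: nothing legitimate ever uses these.
HONEYTOKENS = {
    "account": {"svc_backup_admin", "svc_sql_legacy"},           # decoy service accounts
    "group": {"tier0-break-glass"},                              # decoy group
    "object": {"cn=fs-backup01,ou=servers,dc=corp,dc=example"},  # decoy AD computer
}

# Windows Security event IDs and the field naming the identity being touched.
WATCHED = {
    4624: ("TargetUserName", "account"),  # logon as the decoy account
    4768: ("TargetUserName", "account"),  # Kerberos TGT requested for the decoy
    4769: ("ServiceName", "account"),     # service ticket for the decoy SPN
    4728: ("TargetUserName", "group"),    # member added to the decoy group
    4662: ("ObjectName", "object"),       # directory operation on the decoy object
}


def _norm(value: str) -> str:
    """Lower-case and drop a realm suffix so 'X@CORP.EXAMPLE' matches 'x'."""
    return value.lower().split("@")[0]


def classify(event: dict):
    """Return an alert dict if the event touches a honeytoken, else None."""
    spec = WATCHED.get(event.get("EventID"))
    if spec is None:
        return None
    field, kind = spec
    ident = _norm(event.get(field, ""))
    if ident not in HONEYTOKENS[kind]:
        return None
    return {
        "event_id": event["EventID"],
        "kind": kind,
        "honeytoken": ident,
        "actor": event.get("SubjectUserName") or event.get("TargetUserName"),
        "source_ip": event.get("IpAddress", "-"),
    }


def scan(events: list) -> list:
    """Run every event through classify() and keep only the alerts."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample events in the shape of a parsed Security-log export.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql_legacy", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.0.77"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Tier0-Break-Glass", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "CN=FS-BACKUP01,OU=Servers,DC=corp,DC=example"},
]
```

Because the decoys have no legitimate use, every alert from `scan()` is actionable on its own; the 4769 case also catches a service-ticket request for the decoy SPN, which the page's "resource access" monitoring would otherwise miss.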

WMI Event Deception

Goal: Disrupt attacker activity by generating deceptive WMI events.

Approach: Generating fake WMI events to confuse attackers.

This element generates deceptive WMI events that mimic legitimate system activity but contain false information. This can confuse attackers and disrupt their reconnaissance or lateral movement efforts.

Deceptive Browser Extension

Goal: Gather information about web-based attacks by deploying a deceptive browser extension.

Approach: Collecting data on attacker activity through a deceptive browser extension.

This element involves creating a browser extension that mimics legitimate functionality but secretly collects information about attacker activity.