Create an account that is used for active defense purposes.
A decoy account is one that is created specifically for defensive or deceptive purposes. It can take the form of a user account, service account, software account, etc. A decoy account can be used to make a system, service, or software look more realistic or to entice an action.

ID | Description |
---|---|
DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
DOS0004 | There is an opportunity to introduce user accounts that are used to make a system look more realistic. |
DOS0187 | In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process. |
DOS0253 | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. |

ID | Description |
---|---|
DUC0004 | A defender can create decoy user accounts which are used to make a decoy system or network look more realistic. |
DUC0044 | A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation. |
DUC0187 | During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity. |

ID | Description |
---|---|
DPR0020 | Create a user account with a specified job function. Populate the user account's groups, description, logon hours, etc., with decoy data that looks normal in the environment. |
DPR0021 | Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. This can be monitored to see if it is used in future attacks. |

ID | Name | ATT&CK Tactics |
---|---|---|
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
T1087 | Account Discovery | Discovery |
T1098 | Account Manipulation | Persistence |
T1589 | Gather Victim Identity Information | Reconnaissance |
T1598 | Phishing for Information | Reconnaissance |
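
One way to implement the monitoring described in DUC0044, as an added example that is not part of the original page: because a decoy account has no legitimate use, any authentication, change, or enumeration event that names it is worth an alert. The decoy names, the JSON-lines export format, and the event-ID-to-technique mapping are assumptions made for illustration.

```python
import json

# Constructed decoy inventory (assumption): accounts with no legitimate use.
DECOYS = {"svc_backup_adm", "j.whitfield"}

# Assumed mapping of Windows Security event IDs to techniques in the table above.
EVENT_TECHNIQUE = {
    4624: "T1078", 4625: "T1078", 4768: "T1078", 4771: "T1078", 4776: "T1078",
    4723: "T1098", 4724: "T1098", 4738: "T1098",  # password change/reset, account changed
    4798: "T1087",  # a user's local group membership was enumerated
}

# Constructed sample events, one JSON object per line (export format is assumed).
SAMPLE_LOG = [
    r'{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.4.17"}',
    r'{"EventID": 4798, "TargetUserName": "svc_backup_adm", "SubjectUserName": "bob"}',
    r'{"EventID": 4625, "TargetUserName": "CORP\\SVC_Backup_Adm", "IpAddress": "10.0.9.23"}',
    r'not-json garbage line',
    r'{"EventID": 4768, "TargetUserName": "j.whitfield@corp.example", "IpAddress": "10.0.9.23"}',
    r'{"EventID": 4738, "TargetUserName": "j.whitfield", "SubjectUserName": "bob"}',
    r'{"EventID": 5156, "TargetUserName": "j.whitfield"}',
]

def normalize(name):
    """Reduce DOMAIN\\user and user@domain forms to a lowercase bare name."""
    name = name.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.strip().lower()

def detect_decoy_activity(lines, decoys=DECOYS):
    """Return one alert per decoy account named in a mapped event."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
            event_id = int(event["EventID"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the run
        technique = EVENT_TECHNIQUE.get(event_id)
        if technique is None:
            continue  # event type not covered by the mapping
        for role in ("TargetUserName", "SubjectUserName"):
            account = normalize(str(event.get(role, "")))
            if account in decoys:
                source = event.get("IpAddress") or event.get("SubjectUserName")
                alerts.append({"event_id": event_id, "technique": technique,
                               "account": account, "role": role, "source": source})
    return alerts

if __name__ == "__main__":
    for alert in detect_decoy_activity(SAMPLE_LOG):
        print(alert)
```

Failed logons (4625) are included deliberately: an attempt against a decoy is as informative as a success, and the normalization step keeps `DOMAIN\user` and UPN forms from slipping past an exact-match list.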