We have a blog! Check out MITRE Shield on Medium.

Decoy Account

Create an account that is used for active defense purposes.

A decoy account is one that is created specifically for defensive or deceptive purposes. It can be in the form of user accounts, service accounts, software accounts, etc. The decoy account can be used to make a system, service, or software look more realistic or to entice an action.

Details
ID: DTE0010
Tactics:  Legitimize Channel Collect Detect Facilitate Contain Test

Opportunities

IDDescription
DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0004 There is an opportunity to introduce user accounts that are used to make a system look more realistic.
DOS0187 In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process.

Use Cases

IDDescription
DUC0004 A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.
DUC0044 A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation.
DUC0187 During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.

Procedures

IDDescription
DPR0020 Create a user account with a specified job function. Populate the user account's groups, description, logon hours, etc., with decoy data that looks normal in the environment.
DPR0021 Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. This can be monitored to see if it is used in future attacks.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1078 Valid Accounts Defense EvasionPersistencePrivilege EscalationInitial Access
T1087 Account Discovery Discovery
T1098 Account Manipulation Persistence