MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Decoy Account

Create an account that is used for active defense purposes.

A decoy account is one that is created specifically for defensive or deceptive purposes. It can be in the form of user accounts, service accounts, software accounts, etc. The decoy account can be used to make a system, service, or software look more realistic or to entice an action.

ID: DTE0010
Tactics: Legitimize, Channel, Collect, Detect, Facilitate, Contain, Test


Opportunities

DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0004 There is an opportunity to introduce user accounts that are used to make a system look more realistic.
DOS0187 In an adversary engagement operation, there is an opportunity to present decoy accounts to the adversary during the enumeration process.
DOS0253 There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions.

Use Cases

DUC0004 A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.
DUC0044 A defender can use decoy accounts and monitor them for any activity that might reveal adversary manipulation.
DUC0187 During an adversary engagement operation, a defender can utilize decoy accounts to provide content to an adversary and encourage additional activity.
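The monitoring described in DUC0044, as an added example that is not part of the original Shield page: because no legitimate user ever touches a decoy account, every event that names one is an alert. The decoy account names, the JSON-lines export format, and the mapping of Windows Security event IDs to the ATT&CK techniques listed on this page are assumptions made for illustration.

```python
import json

# Hypothetical decoy account names (assumption: replace with the decoys you created).
DECOY_ACCOUNTS = {"svc_backup_adm", "j.hollis"}

# Windows Security event IDs mapped to the ATT&CK technique they suggest here.
# The mapping is an illustrative assumption, not part of MITRE Shield.
EVENT_TECHNIQUE = {
    4624: ("T1078", "successful logon"),
    4625: ("T1078", "failed logon"),
    4768: ("T1078", "Kerberos TGT requested"),
    4798: ("T1087", "group membership enumerated"),
    4738: ("T1098", "account changed"),
    4724: ("T1098", "password reset attempted"),
}

# Constructed sample events (JSON lines), not real log data.
SAMPLE_LOG = """\
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.4.17"}
{"EventID": 4798, "TargetUserName": "svc_backup_adm", "SubjectUserName": "bob"}
{"EventID": 4625, "TargetUserName": "SVC_BACKUP_ADM", "IpAddress": "10.0.9.33"}
{"EventID": 4738, "TargetUserName": "j.hollis", "SubjectUserName": "svc_backup_adm"}
not-json garbage line
{"EventID": 4688, "TargetUserName": "j.hollis"}
"""

def decoy_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per event that targets, or is performed by, a decoy account."""
    decoys = {d.lower() for d in decoys}
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        target = str(ev.get("TargetUserName", "")).lower()  # account names are case-insensitive
        actor = str(ev.get("SubjectUserName", "")).lower()
        hit = target if target in decoys else actor if actor in decoys else None
        if hit is None:
            continue
        # Unmapped event IDs still alert: any decoy activity is worth a look.
        technique, activity = EVENT_TECHNIQUE.get(ev.get("EventID"), ("unmapped", "other activity"))
        alerts.append({"line": lineno, "account": hit, "technique": technique,
                       "activity": activity, "actor": actor or None,
                       "source_ip": ev.get("IpAddress")})
    return alerts

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print(alert)
```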


Procedures

DPR0020 Create a user account with a specified job function. Populate the user account's groups, description, logon hours, etc., with decoy data that looks normal in the environment.
DPR0021 Create a user that has a valid email account. Use this account in such a way that the email address could be harvested by the adversary. This can be monitored to see if it is used in future attacks.

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1087 | Account Discovery | Discovery
T1098 | Account Manipulation | Persistence
T1589 | Gather Victim Identity Information | Reconnaissance
T1598 | Phishing for Information | Reconnaissance