Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.
Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.

ID | Description |
---|---|
DOS0028 | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. |
DOS0074 | There is an opportunity to influence an adversary to move toward systems you want them to engage with. |
DOS0076 | In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process. |
DOS0082 | There is an opportunity to introduce data to an adversary to influence their future behaviors. |
DOS0133 | In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system. |
DOS0190 | In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity. |
DOS0210 | There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment. |
DOS0234 | There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts. |

ID | Description |
---|---|
DUC0073 | A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing. |
DUC0074 | A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services. |
DUC0076 | A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device. |
DUC0082 | A defender can feed decoy data to an adversary that is using a keylogger or other capture tool, so as to shape the encounter. |
DUC0102 | A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems. |
DUC0103 | A defender can insert decoy content into a system's clipboard for the adversary to find. |
DUC0105 | A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working. |
DUC0113 | A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement. |
DUC0114 | A defender can introduce video content designed to make the adversary believe that their capture efforts are working. |
DUC0133 | A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices. |
DUC0184 | A defender can utilize decoy files and directories to provide content that could be used by the adversary. |
DUC0190 | A defender can utilize decoy network shares to provide content that could be used by the adversary. |
DUC0207 | A defender can use decoy content to give a false impression of the system when an adversary performs system information discovery. |
DUC0208 | A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement. |
DUC0210 | A defender can use decoy content to give a false impression of the nature of the system in order to entice an adversary to continue engagement. |
DUC0234 | A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not. |
DUC0257 | A defender can seed decoy content into network service configuration files which may be consumed during an adversary's recon activity. |
DUC0258 | A defender can expose decoy information about their organization to try to influence an adversary's future activity. |
DUC0260 | A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering. |
DUC0261 | A defender can deploy a decoy website to support a deception operation or as a piece of the organization's deception strategy. |

ID | Description |
---|---|
DPR0022 | Create directories and files with names and contents using keywords that may be relevant to an adversary, to see if they examine or exfiltrate the data. |
DPR0023 | Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary. |

ID | Name | ATT&CK Tactics |
---|---|---|
T1012 | Query Registry | Discovery |
T1016 | System Network Configuration Discovery | Discovery |
T1018 | Remote System Discovery | Discovery |
T1056 | Input Capture | Collection, Credential Access |
T1080 | Taint Shared Content | Lateral Movement |
T1082 | System Information Discovery | Discovery |
T1083 | File and Directory Discovery | Discovery |
T1113 | Screen Capture | Collection |
T1114 | Email Collection | Collection |
T1115 | Clipboard Data | Collection |
T1123 | Audio Capture | Collection |
T1125 | Video Capture | Collection |
T1135 | Network Share Discovery | Discovery |
T1217 | Browser Bookmark Discovery | Discovery |
T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery |
T1565 | Data Manipulation | Impact |
T1590 | Gather Victim Network Information | Reconnaissance |
T1591 | Gather Victim Org Information | Reconnaissance |
T1592 | Gather Victim Host Information | Reconnaissance |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1594 | Search Victim-Owned Websites | Reconnaissance |
T1596 | Search Open Technical Databases | Reconnaissance |
T1597 | Search Closed Sources | Reconnaissance |