MITRE Shield will be retired on October 18th in favor of MITRE Engage.

Decoy Content

Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.

Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data that is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.

ID: DTE0011
Tactics: Channel, Detect, Legitimize, Facilitate, Test, Collect, Disrupt


Opportunities

DOS0028 There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
DOS0074 There is an opportunity to influence an adversary to move toward systems you want them to engage with.
DOS0076 In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process.
DOS0082 There is an opportunity to introduce data to an adversary to influence their future behaviors.
DOS0133 In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system.
DOS0190 In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity.
DOS0210 There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment.
DOS0234 There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts.

Use Cases

DUC0073 A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing.
DUC0074 A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.
DUC0076 A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device.
DUC0082 A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.
DUC0102 A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.
DUC0103 A defender can insert into a system's clipboard decoy content for the adversary to find.
DUC0105 A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working.
DUC0113 A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement.
DUC0114 A defender can introduce video content designed to make the adversary believe that their capture efforts are working.
DUC0133 A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices.
DUC0184 A defender can utilize decoy files and directories to provide content that could be used by the adversary.
DUC0190 A defender can utilize decoy network shares to provide content that could be used by the adversary.
DUC0207 A defender can use decoy content to give a false impression about the system when an adversary performs system information discovery.
DUC0208 A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement.
DUC0210 A defender can use decoy content to give a false impression about the nature of the system in order to entice an adversary to continue engagement.
DUC0234 A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not.
DUC0257 A defender can seed decoy content into network service configuration files which may be consumed during an adversary's recon activity.
DUC0258 A defender can expose decoy information about their organization to try to influence an adversary's future activity.
DUC0260 A defender can insert decoy content into external sources or resources that adversaries may leverage for intelligence gathering.
DUC0261 A defender can deploy a decoy website to support a deception operation or piece of the organization's deception strategy.


Procedures

DPR0022 Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data.
DPR0023 Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary.
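
As an added illustration of DPR0022 and DUC0133 (example code written for this page, not part of MITRE Shield), the sketch below seeds keyword-named decoy files that each carry a unique token, records a manifest of their hashes, and later reports decoys that were modified or deleted or whose token shows up in egress log lines. The file names, the DCY- token format and the log line are assumptions constructed for the example; detecting reads of a decoy needs OS file auditing, which is not shown.

```python
import hashlib, json, secrets
from pathlib import Path

# Hypothetical keyword-driven decoy names; pick ones that fit your own story.
DECOYS = {
    "finance/Q3_payroll_export.csv": "employee,account,amount\n",
    "it/vpn_credentials_backup.txt": "vpn-gateway service account notes\n",
    "legal/merger_draft_CONFIDENTIAL.txt": "draft terms, not for distribution\n",
}

def seed(root: Path) -> dict:
    """Write decoys under root; return manifest {relpath: {token, sha256}}."""
    manifest = {}
    for rel, body in DECOYS.items():
        token = "DCY-" + secrets.token_hex(8)  # unique marker per file (assumed format)
        data = (body + f"ref: {token}\n").encode()
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        manifest[rel] = {"token": token, "sha256": hashlib.sha256(data).hexdigest()}
    return manifest  # keep this off the decoy host so it cannot be altered there

def audit(root: Path, manifest: dict) -> dict:
    """Report decoys that were deleted or modified since seeding."""
    findings = {}
    for rel, meta in manifest.items():
        path = root / rel
        if not path.exists():
            findings[rel] = "deleted"
        elif hashlib.sha256(path.read_bytes()).hexdigest() != meta["sha256"]:
            findings[rel] = "modified"
    return findings

def tokens_seen(manifest: dict, log_lines: list) -> list:
    """Return decoy paths whose token appears in egress or proxy log lines."""
    return sorted(rel for rel, meta in manifest.items()
                  if any(meta["token"] in line for line in log_lines))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        m = seed(root)
        (root / "finance/Q3_payroll_export.csv").write_text("tampered\n")
        tok = m["it/vpn_credentials_backup.txt"]["token"]
        log = [f"constructed proxy line: POST /upload body=...{tok}..."]
        print(json.dumps({"audit": audit(root, m), "exfil": tokens_seen(m, log)}, indent=2))
```

Token matching only works where outbound content is visible in plaintext to the logging point; the hash audit works regardless.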

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1012 | Query Registry | Discovery
T1016 | System Network Configuration Discovery | Discovery
T1018 | Remote System Discovery | Discovery
T1056 | Input Capture | Collection, Credential Access
T1080 | Taint Shared Content | Lateral Movement
T1082 | System Information Discovery | Discovery
T1083 | File and Directory Discovery | Discovery
T1113 | Screen Capture | Collection
T1114 | Email Collection | Collection
T1115 | Clipboard Data | Collection
T1123 | Audio Capture | Collection
T1125 | Video Capture | Collection
T1135 | Network Share Discovery | Discovery
T1217 | Browser Bookmark Discovery | Discovery
T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery
T1565 | Data Manipulation | Impact
T1590 | Gather Victim Network Information | Reconnaissance
T1591 | Gather Victim Org Information | Reconnaissance
T1592 | Gather Victim Host Information | Reconnaissance
T1593 | Search Open Websites/Domains | Reconnaissance
T1594 | Search Victim-Owned Websites | Reconnaissance
T1596 | Search Open Technical Databases | Reconnaissance
T1597 | Search Closed Sources | Reconnaissance