We have a blog! Check out MITRE Shield on Medium.

Decoy Content

Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.

Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.

Details
ID: DTE0011
Tactics:  Channel Detect Legitimize Facilitate Test Collect Disrupt

Opportunities

IDDescription
DOS0028 There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
DOS0074 There is an opportunity to influence an adversary to move toward systems you want them to engage with.
DOS0076 In an adversary engagement situation, there is an opportunity to add legitimacy by ensuring decoy systems are fully populated with information an adversary would expect to see during this recon process.
DOS0082 There is an opportunity to introduce data to an adversary to influence their future behaviors.
DOS0133 In an adversary engagement scenario, there is an opportunity to observe how an adversary might manipulate data on a system.
DOS0190 In an adversary engagement scenario, there is an opportunity to introduce decoy content to entice additional engagement activity.
DOS0210 There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment.
DOS0234 There is an opportunity to seed decoy content to make non-virtual systems look like virtual systems to see how an adversary reacts.

Use Cases

IDDescription
DUC0073 A defender can create decoy registry objects and monitor access to them using Windows Registry Auditing.
DUC0074 A defender can create breadcrumbs or honeytokens to lure the attackers toward the decoy systems or network services.
DUC0076 A defender can create entries in a decoy system's ARP cache, hosts file, etc. to add to the legitimacy of the device.
DUC0082 A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.
DUC0102 A defender can plant decoy emails containing deceptive content and breadcrumbs to lure the attacker toward deception systems.
DUC0103 A defender can insert into a system's clipboard decoy content for the adversary to find.
DUC0105 A defender can introduce decoy audio content designed to make the adversary believe that their audio capture efforts are working.
DUC0113 A defender can display decoy content on the screen which may be of interest to an adversary in an attempt to elicit further engagement.
DUC0114 A defender can introduce video content designed to make the adversary believe that their capture efforts are working.
DUC0133 A defender can deploy decoy content to see if an adversary attempts to manipulate data on the system or connected storage devices.
DUC0184 A defender can utilize decoy files and directories to provide content that could be used by the adversary.
DUC0190 A defender can utilize decoy network shares to provide content that could be used by the adversary.
DUC0207 A defender can use decoy content to give the false impression about the system when an adversary performs system information discovery.
DUC0208 A defender could seed decoy network shares within an adversary engagement network to see if an adversary uses them for payload delivery or lateral movement.
DUC0210 A defender can use decoy content to give the false impression about the nature of the system in order to entice an adversary to continue engagement.
DUC0234 A defender can plant files, registry entries, software, processes, etc. to make a system look like a VM when it is not.

Procedures

IDDescription
DPR0022 Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data.
DPR0023 Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1012 Query Registry Discovery
T1016 System Network Configuration Discovery Discovery
T1018 Remote System Discovery Discovery
T1056 Input Capture CollectionCredential Access
T1080 Taint Shared Content Lateral Movement
T1082 System Information Discovery Discovery
T1083 File and Directory Discovery Discovery
T1113 Screen Capture Collection
T1114 Email Collection Collection
T1115 Clipboard Data Collection
T1123 Audio Capture Collection
T1125 Video Capture Collection
T1135 Network Share Discovery Discovery
T1217 Browser Bookmark Discovery Discovery
T1497 Virtualization/Sandbox Evasion Defense EvasionDiscovery
T1565 Data Manipulation Impact