Create user credentials that are used for active defense purposes.
Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways.
Opportunity ID | Description |
---|---|
DOS0005 | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. |
DOS0084 | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. |
Use Case ID | Description |
---|---|
DUC0005 | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
DUC0084 | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
DUC0151 | A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials. |
Procedure ID | Description |
---|---|
DPR0024 | Create user credentials for a decoy account, such as 'User ABC'. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them. |
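The procedure above (plant a decoy account's credentials, then watch for anyone trying to use them), as an added example that is not part of MITRE Shield or any vendor tool. The decoy account name, the config-file layout and the authentication-log format are all constructed for this illustration.

```python
import json
import re
import secrets
import tempfile
from pathlib import Path

# Decoy account name is constructed; choose one that looks like a real service account.
DECOY_USER = "svc_backup_abc"

def seed_decoy_credential(dest: Path, username: str = DECOY_USER) -> dict:
    """Plant a plausible-looking config file holding a random decoy password.
    Returns the record the defender keeps so any later use can be matched."""
    password = secrets.token_urlsafe(16)
    dest.write_text(json.dumps({"db_host": "db01.corp.example",
                                "db_user": username, "db_pass": password}, indent=2))
    return {"username": username, "password": password, "planted_at": str(dest)}

# Constructed auth-log line format: "<ts> auth user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def detect_decoy_use(log_lines, decoy_users):
    """Return one alert per authentication attempt that names a decoy account.
    A failed attempt counts as much as a success: no legitimate user knows the account."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("user") in decoy_users:
            alerts.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                           "result": m["result"],
                           "message": f"decoy credential {m['user']} used from {m['src']}"})
    return alerts

# Constructed sample log: one normal login, one decoy use, one unparseable line.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z auth user=alice src=10.0.0.5 result=ok",
    "2024-05-01T10:02:13Z auth user=svc_backup_abc src=10.0.0.77 result=fail",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        record = seed_decoy_credential(Path(d) / "db_backup.json")
        print("planted decoy credential at", record["planted_at"])
    for alert in detect_decoy_use(SAMPLE_LOG, {DECOY_USER}):
        print("ALERT:", alert["message"])
```

The same matching applies to any location listed in the use cases above (browser stores, config repositories, cloud dashboards); only the seeding step and the log source change.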
ATT&CK Technique ID | Name | ATT&CK Tactics |
---|---|---|
T1003 | OS Credential Dumping | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
T1187 | Forced Authentication | Credential Access |
T1482 | Domain Trust Discovery | Discovery |
T1538 | Cloud Service Dashboard | Discovery |
T1552 | Unsecured Credentials | Credential Access |
T1555 | Credentials from Password Stores | Credential Access |
T1602 | Data from Configuration Repository | Collection |