MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Decoy Credentials

Create user credentials that are used for active defense purposes.

Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways.

ID: DTE0012
Tactics:  Detect Test Channel Facilitate Legitimize Collect Disrupt


DOS0005 There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.
DOS0084 In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use.

Use Cases

DUC0005 A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
DUC0084 A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.
DUC0151 A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials.


DPR0024 Create user credentials for a decoy account, such as 'User ABC'. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1003 OS Credential Dumping Credential Access
T1078 Valid Accounts Defense EvasionPersistencePrivilege EscalationInitial Access
T1187 Forced Authentication Credential Access
T1482 Domain Trust Discovery Discovery
T1538 Cloud Service Dashboard Discovery
T1552 Unsecured Credentials Credential Access
T1555 Credentials from Password Stores Credential Access
T1602 Data from Configuration Repository Collection