Create user credentials that are used for active defense purposes.
Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways.
| ID | Description |
|---|---|
| DOS0005 | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. |
| DOS0084 | In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use. |

| ID | Description |
|---|---|
| DUC0005 | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| DUC0084 | A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them. |
| DUC0151 | A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials. |

| ID | Description |
|---|---|
| DPR0024 | Create user credentials for a decoy account, such as 'User ABC'. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them. |

| ID | Technique | Tactics |
|---|---|---|
| T1003 | OS Credential Dumping | Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
| T1187 | Forced Authentication | Credential Access |
| T1482 | Domain Trust Discovery | Discovery |
| T1538 | Cloud Service Dashboard | Discovery |
| T1552 | Unsecured Credentials | Credential Access |
| T1555 | Credentials from Password Stores | Credential Access |
| T1602 | Data from Configuration Repository | Collection |
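
The alerting described in DUC0005 and DUC0084 can be sketched as follows. This is an added example, not part of the original page: it issues one unique decoy account per planted location, so an alert on use also identifies which store was harvested. The log format, location labels and `svc_backup` prefix are assumptions made for illustration.

```python
import secrets

def make_decoys(locations, prefix="svc_backup"):
    """Return {username: {"location", "password"}}, one unique decoy per location."""
    registry = {}
    for loc in locations:
        user = f"{prefix}_{secrets.token_hex(3)}"
        while user in registry:  # regenerate on the (unlikely) name collision
            user = f"{prefix}_{secrets.token_hex(3)}"
        # A unique name ties any later alert back to exactly one planted copy.
        registry[user] = {"location": loc, "password": secrets.token_urlsafe(16)}
    return registry

def parse_auth_line(line):
    """Parse a constructed log format: '<ts> src=<ip> user=<name> result=<OK|FAIL>'."""
    parts = line.split()
    if not parts:
        return {}
    event = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    event["ts"] = parts[0]
    return event

def detect_decoy_use(log_lines, registry):
    """Alert on any authentication attempt that names a decoy account.

    No legitimate user knows these accounts, so failures count as well as successes.
    """
    alerts = []
    for line in log_lines:
        ev = parse_auth_line(line)
        hit = registry.get(ev.get("user", "").lower())  # case-insensitive match
        if hit:
            alerts.append({"ts": ev["ts"], "src": ev.get("src"), "user": ev["user"],
                           "result": ev.get("result"), "harvested_from": hit["location"]})
    return alerts

if __name__ == "__main__":
    # Hypothetical plant locations and constructed log lines.
    reg = make_decoys(["ws01:browser-store", "ws01:config-file", "fs02:admin-script"])
    decoy = next(u for u, v in reg.items() if v["location"] == "ws01:browser-store")
    log = [
        "2024-05-01T10:00:00Z src=10.0.0.5 user=alice result=OK",
        f"2024-05-01T10:07:12Z src=10.0.0.99 user={decoy.upper()} result=FAIL",
        "malformed line without fields",
    ]
    for alert in detect_decoy_use(log, reg):
        print(alert)
```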