Create user credentials that are used for active defense purposes.
Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) for the purpose of engagement. Decoy credentials can be planted in many locations and leveraged in a variety of ways.
There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.
In order to prolong an adversary engagement operation or enable detections, there is an opportunity to introduce credentials to an adversary that you want them to collect and use.
A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
A defender can plant decoy credentials across an array of locations to increase the chances of an adversary finding and using them.
A defender can use adversary attempts at forced authentication exploits to seed adversary servers with decoy credentials.
Create user credentials for a decoy account, such as 'User ABC'. Store those credentials in the browser and other places on the system to see if an adversary attempts to harvest them.
OS Credential Dumping
Defense Evasion, Persistence, Privilege Escalation, Initial Access
Domain Trust Discovery
Cloud Service Dashboard
Credentials from Password Stores
Data from Configuration Repository
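The alerting described above, where any use of a harvested decoy credential triggers a tripwire, can be implemented as a scan of authentication logs for the decoy account name. The following is an added example and not part of the original page: it assumes OpenSSH sshd syslog lines, a decoy account named `user_abc` (after the page's 'User ABC') plus a second hypothetical one, and uses constructed log lines.

```python
import re

# Assumption: names of planted decoy accounts; no legitimate user or service uses them.
DECOY_ACCOUNTS = {"user_abc", "svc_backup_old"}

# OpenSSH sshd authentication result lines as written to syslog.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one alert per authentication attempt that names a decoy account."""
    alerts = []
    for line in lines:
        m = SSHD_AUTH.match(line)
        if not m or m["user"].lower() not in decoys:
            continue
        # A success means the planted secret itself was harvested and replayed;
        # a failure still shows that someone learned the decoy account name.
        severity = "critical" if m["result"] == "Accepted" else "high"
        alerts.append({"time": m["ts"], "target": m["host"], "source": m["src"],
                       "account": m["user"], "method": m["method"],
                       "severity": severity})
    return alerts

def sources_by_targets(alerts):
    """Map each source address to the set of hosts where it tried a decoy."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["source"], set()).add(a["target"])
    return seen

# Constructed sample log lines (documentation address ranges, invented hosts).
SAMPLE_LOG = [
    "Mar  4 02:11:09 web01 sshd[1412]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2",
    "Mar  4 02:14:31 web01 sshd[1420]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2",
    "Mar  4 02:19:55 db02 sshd[988]: Failed password for user_abc from 198.51.100.23 port 53010 ssh2",
    "Mar  4 02:20:02 db02 sshd[991]: Accepted password for user_abc from 198.51.100.23 port 53014 ssh2",
    "Mar  4 02:26:40 files03 sshd[2301]: Accepted password for user_abc from 198.51.100.23 port 53188 ssh2",
]

if __name__ == "__main__":
    found = find_decoy_use(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(sources_by_targets(found))
```

Because the decoy account has no legitimate use, every match is worth investigating; the per-source grouping shows how many hosts a single address has tried the decoy against.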