MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Decoy Diversity

Deploy a set of decoy systems with different OS and software configurations.

Decoy diversity is the deployment of decoy systems with varying Operating Systems and software configurations. Most enterprise networks contain systems which utilize different types and versions of operating systems and applications (Microsoft Windows, MacOS, Linux, Microsoft Office, Adobe Reader, etc.) Deploying decoy systems with such variations allows you to present a realistic environment to an adversary. It also allows you to see if they use different TTPs on systems with different configurations.

ID: DTE0013
Tactics:  Test Legitimize Facilitate Channel Detect


DOS0002 There is an opportunity to discover who or what is being targeting by an adversary.
DOS0008 There is an opportunity to present several public-facing application options to see what application(s) the adversary targets.
DOS0188 There is an opportunity to use decoy accounts of varying types to see what an adversary is most interested in.
DOS0191 There is an opportunity to supply a variety of different decoy network shares to an adversary to see what they are drawn to look at and use.

Use Cases

DUC0002 A defender could use a decoy or set of decoys with different network addresses, operating systems, web browsers, language settings, and etc. to determine if every system that visits a compromised website receives its malicious payload or only specific systems receive it.
DUC0008 A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit.
DUC0078 A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use.
DUC0188 A defender can make a variety of decoy accounts and see if the adversary seems to be drawn to accounts of a specific type, with specific permissions, group access, etc.
DUC0191 A defender can make a variety of decoy network shares available to an adversary and see if the adversary seems to be drawn to shares with specific names, permissions, etc.


DPR0025 Use a Windows Virtual Machine (VM) and a Mac VM to visit a malicious website and note any differences in how the site functions based on the client that was used.
DPR0026 Deploy multiple decoy systems, each with a unique network fingerprint (ports, services, connections, etc.) in order to provide an adversary a wide range of targets.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1087 Account Discovery Discovery
T1135 Network Share Discovery Discovery
T1189 Drive-by Compromise Initial Access
T1190 Exploit Public-Facing Application Initial Access
T1601 Modify System Image Defense Evasion