Execute software on a target system for the purposes of the defender.
Executing software creates a system process (either ephemeral or perpetual) on the target system, which can be used to influence the perception or actions of an adversary. A decoy process could, for example, give the impression of a more or less secure system, suggest the presence of attackable services or of defensive infrastructure, or hint at the supposed purpose or use of the target machine.
| ID | Description |
|---|---|
| DOS0182 | There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment. |
| DOS0251 | There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them. |
| ID | Description |
|---|---|
| DUC0080 | The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks. |
| DUC0182 | A defender can run decoy processes on a system to entice an adversary. |
| DUC0255 | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
| ID | Description |
|---|---|
| DPR0031 | Create decoy processes on a system that mimic common antivirus process names. When seen, these processes may prevent adversary malware from executing for fear of detection. |
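A minimal decoy-process launcher, added here as an example and not code from the page or from MITRE: it starts a harmless idle process under a defender-chosen name so that host process enumeration (the Process Discovery technique listed below) shows that name. It assumes Linux (`prctl(PR_SET_NAME)` and `/proc/<pid>/comm`), and the name `decoy-av-svc` is a constructed placeholder rather than any real product's process name.

```python
# Decoy process launcher: added example, not code from the MITRE page.
# Starts a harmless idle process whose kernel-visible name (comm) is a
# defender-chosen string, so host process enumeration (ATT&CK T1057, e.g.
# `ps -o pid,comm`) lists it. Linux-only; "decoy-av-svc" is a placeholder.
import subprocess
import sys
import time

PR_SET_NAME = 15  # prctl option; the kernel truncates comm to 15 characters

# Decoy child: set its own comm, then idle for argv[2] seconds (ephemeral;
# a perpetual decoy would loop forever instead of exiting).
_DECOY_BODY = (
    "import ctypes, sys, time\n"
    "ctypes.CDLL(None).prctl(%d, sys.argv[1].encode(), 0, 0, 0)\n"
    "time.sleep(float(sys.argv[2]))\n"
) % PR_SET_NAME


class DecoyProcess:
    def __init__(self, name, lifetime_seconds):
        self.name, self.lifetime, self.proc = name, lifetime_seconds, None

    def start(self):
        self.proc = subprocess.Popen(
            [sys.executable, "-c", _DECOY_BODY, self.name, str(self.lifetime)])
        return self.proc.pid

    def visible_name(self, timeout=5.0):
        # Poll what a process-discovery tool reads for this pid until the child
        # has renamed itself. Caveat: /proc/<pid>/cmdline still shows the
        # interpreter, so a decoy meant to survive close inspection should be
        # a standalone executable rather than a script.
        deadline = time.monotonic() + timeout
        while True:
            with open(f"/proc/{self.proc.pid}/comm") as f:
                comm = f.read().strip()
            if comm == self.name[:15] or time.monotonic() > deadline:
                return comm
            time.sleep(0.05)

    def stop(self):
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
            self.proc.wait(timeout=5)


def run_decoy_check(name="decoy-av-svc", lifetime_seconds=30):
    # Spawn a short-lived decoy, record what enumeration sees, tear it down.
    decoy = DecoyProcess(name, lifetime_seconds)
    try:
        return {"pid": decoy.start(), "comm": decoy.visible_name()}
    finally:
        decoy.stop()
```

Pair the launcher with process-creation logging so that any enumeration or termination of the decoy name becomes an alert, since the decoy only has value if a touch is noticed.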
| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1040 | Network Sniffing | Credential Access, Discovery |
| T1057 | Process Discovery | Discovery |
| T1595 | Active Scanning | Reconnaissance |