We have a blog! Check out MITRE Shield on Medium.

Decoy Process

Execute software on a target system for the purposes of the defender.

Executing software will create a system process (either ephemeral or perpetual) on the target system, which can be used to influence the perception or action of an adversary. A decoy process could do things including give the impression of either a more or less secure system, the presence of attackable services or defensive infrastructure, or suggest the supposed purpose or use of the target machine.

Details
ID: DTE0016
Tactics:  Channel Legitimize

Opportunities

IDDescription
DOS0182 There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment.

Use Cases

IDDescription
DUC0080 The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks.
DUC0182 A defender can run decoy processes on a system to entice an adversary.

Procedures

IDDescription
DPR0031 Create decoy processes on a system that mimic common antivirus process names. These processes when seen may prevent adversary malware from executing for fear of detection.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1040 Network Sniffing Credential AccessDiscovery
T1057 Process Discovery Discovery