Execute software on a target system for the purposes of the defender.
Executing software will create a system process (either ephemeral or perpetual) on the target system, which can be used to influence the perception or action of an adversary. A decoy process could do things including give the impression of either a more or less secure system, the presence of attackable services or defensive infrastructure, or suggest the supposed purpose or use of the target machine.
|DOS0182||There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment.|
|DUC0080||The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks.|
|DUC0182||A defender can run decoy processes on a system to entice an adversary.|
|DPR0031||Create decoy processes on a system that mimic common antivirus process names. These processes when seen may prevent adversary malware from executing for fear of detection.|
|T1040||Network Sniffing||Credential Access, Discovery|