MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Decoy Process

Execute software on a target system for the purposes of the defender.

Executing software will create a system process (either ephemeral or perpetual) on the target system, which can be used to influence the perception or action of an adversary. A decoy process could do things including give the impression of either a more or less secure system, the presence of attackable services or defensive infrastructure, or suggest the supposed purpose or use of the target machine.

ID: DTE0016
Tactics:  Channel Legitimize


DOS0182 There is an opportunity to present decoy processes to an adversary to influence their behaviors, test their interest, or add legitimacy to a system or environment.
DOS0251 There is an opportunity to introduce services in a decoy network to determine if an adversary notices and tries to learn more about them.

Use Cases

DUC0080 The defender can run processes on legitimate systems that create network artifacts for an adversary to collect. These artifacts may contain data such as credentials, hostnames, etc., that would lead an adversary to target decoy systems and networks.
DUC0182 A defender can run decoy processes on a system to entice an adversary.
DUC0255 A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity.


DPR0031 Create decoy processes on a system that mimic common antivirus process names. These processes when seen may prevent adversary malware from executing for fear of detection.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1040 Network Sniffing Credential AccessDiscovery
T1057 Process Discovery Discovery
T1595 Active Scanning Reconnaissance