Configure a computing system to serve as an attack target or experimental environment.
A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as any of a variety of IT devices, including user workstations, servers, networking systems, IoT (embedded) devices, mobile systems such as phones, etc.
Opportunity ID | Description |
---|---|
DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
DOS0005 | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. |
DOS0009 | There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them to access your network via remote services. |
DOS0169 | There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization. |
DOS0199 | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. |
DOS0253 | There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions. |
Use Case ID | Description |
---|---|
DUC0001 | A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.). |
DUC0007 | A defender can use a decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs. |
DUC0009 | A defender can set up a decoy VPN server and see if an adversary attempts to use a valid account to authenticate to it. |
DUC0026 | A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware. |
DUC0034 | A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system. |
DUC0078 | A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use. |
DUC0097 | A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the tool during their activity. |
DUC0134 | A defender can deploy a decoy system to see if an adversary attempts to shut down or reboot the device. |
DUC0169 | A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts. |
DUC0199 | A defender could implement a decoy system running a remote service (such as Telnet, SSH, or VNC) and see if the adversary attempts to log in to the service. |
DUC0200 | A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information. |
DUC0223 | A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control. |
DUC0225 | A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates. |
DUC0255 | A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity. |
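The credential tripwire described in DOS0009, DUC0009 and DUC0199 (a decoy remote service plus planted accounts, so that any login with the bait credential is by definition adversary activity) can be reduced to a small detection over the authentication log. The following is an added example and not MITRE Engage/Shield code; it assumes a decoy SSH/VPN host named `vpn-gw` and two bait accounts, `svc_backup` and `backup_admin`, all hypothetical, and runs over constructed sshd-style log lines embedded inline.

```python
"""Tripwire for planted decoy credentials on a decoy remote service (DOS0009,
DUC0009, DUC0199), run over sshd-style auth log lines.

Added example, not MITRE Engage/Shield code. Assumed for the demo: the decoy
VPN/SSH host is named 'vpn-gw' and the accounts 'svc_backup' and 'backup_admin'
exist only as bait, so any use of them is adversary activity.
"""
import re
from collections import Counter
from dataclasses import dataclass

DECOY_HOSTS = {"vpn-gw"}                         # assumed decoy remote-service host
DECOY_ACCOUNTS = {"svc_backup", "backup_admin"}  # assumed planted (bait) accounts

# OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>"
# behind a syslog prefix; the regex is written against that common layout.
_SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    host: str
    user: str
    src: str
    line: str


def parse_line(line):
    """Return the sshd auth fields as a dict, or None for unrelated lines."""
    m = _SSHD_RE.match(line)
    return m.groupdict() if m else None


def classify(ev):
    """Map one auth event to (severity, reason); None means not decoy-related."""
    decoy_user = ev["user"] in DECOY_ACCOUNTS
    decoy_host = ev["host"] in DECOY_HOSTS
    accepted = ev["result"] == "Accepted"
    if decoy_user and accepted:
        # The adversary holds a valid bait credential and has used it (DOS0009).
        return "critical", "planted decoy credential used successfully"
    if decoy_user:
        # Bait credential tried anywhere on the network, even if it failed there.
        return "high", "planted decoy credential attempted"
    if decoy_host and accepted:
        # Nobody legitimate logs in to the decoy, so any success is an alert.
        return "high", "successful login to decoy host"
    if decoy_host:
        return "medium", "login attempt against decoy host"
    return None


def tripwire(lines):
    """Run every line through the parser and classifier; return the alerts."""
    alerts = []
    for raw in lines:
        ev = parse_line(raw.rstrip("\n"))
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict is not None:
            alerts.append(Alert(verdict[0], verdict[1], ev["host"], ev["user"], ev["src"], raw))
    return alerts


def sources_by_alert_count(alerts):
    """Source IPs ranked by how many decoy alerts they produced."""
    return Counter(a.src for a in alerts).most_common()


# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "Mar  3 10:15:01 vpn-gw sshd[1042]: Accepted password for svc_backup from 10.20.30.40 port 51234 ssh2",
    "Mar  3 10:15:07 vpn-gw sshd[1043]: Failed password for root from 10.20.30.40 port 51236 ssh2",
    "Mar  3 10:16:00 fileserver sshd[2200]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2",
    "Mar  3 10:16:30 fileserver sshd[2201]: Failed password for invalid user backup_admin from 10.20.30.40 port 51300 ssh2",
    "Mar  3 10:17:00 fileserver cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    found = tripwire(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.reason}: user={a.user} host={a.host} src={a.src}")
    print("top sources:", sources_by_alert_count(found))
```

Note that the bait account is watched everywhere, not only on the decoy host: a failed attempt with `backup_admin` against a production file server still tells the defender the adversary has harvested the planted credential, which is the observation DOS0009 is after.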
Procedure ID | Description |
---|---|
DPR0032 | Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system. |
DPR0033 | Set up a server which appears to be something that is commonly expected within a network, such as a web server. |
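A minimal form of the DPR0033 procedure is a web server that presents a plausible banner and default page, executes nothing, and records every request it receives so the defender can see what the adversary probes (DUC0007, DUC0078). The following is an added example and not MITRE Engage/Shield code; the Apache-style banner and pages, the in-memory alert list standing in for a log forwarder, and the three-request attacker session it replays against itself are all constructed for the demo.

```python
"""Decoy web server for DPR0033: presents itself as an ordinary Apache host,
serves nothing but a default page, and turns every request into an alert
record the defender can review (DUC0007, DUC0078).

Added example, not MITRE Engage/Shield code. Assumptions for the demo: the
Server banner, the two canned pages, and an in-memory list standing in for
the SIEM or log forwarder that would receive the records in production.
"""
import json
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_BANNER = "Apache/2.4.52 (Ubuntu)"  # assumed banner; match what the network really runs
DEFAULT_PAGE = b"<html><body><h1>It works!</h1></body></html>\n"
NOT_FOUND_PAGE = (b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
                  b"<html><head><title>404 Not Found</title></head>"
                  b"<body><h1>Not Found</h1></body></html>\n")
ALERTS = []  # assumed alert sink; a real deployment forwards these off-host


class DecoyHandler(BaseHTTPRequestHandler):
    def version_string(self):
        return FAKE_BANNER  # Server: header; hides the Python stdlib banner

    def log_message(self, fmt, *args):
        pass  # the alert record replaces stderr access logging

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        ALERTS.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "src": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": body.decode("utf-8", "replace"),  # request body as sent, e.g. posted form fields
        })

    def _respond(self):
        self._record()
        status, page = (200, DEFAULT_PAGE) if self.path == "/" else (404, NOT_FOUND_PAGE)
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(page)

    # Every verb is handled identically: the decoy never executes anything,
    # it only records what was attempted.
    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_OPTIONS = _respond


def start_decoy(host="127.0.0.1", port=0):
    """Run the decoy on a background thread; port 0 lets the OS pick a free port."""
    srv = HTTPServer((host, port), DecoyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def paths_by_source(alerts):
    """Which requests each source made, for the 'which services did they try' review."""
    out = {}
    for a in alerts:
        out.setdefault(a["src"], set()).add(a["method"] + " " + a["path"])
    return {src: sorted(v) for src, v in out.items()}


def _probe(base, method, path, body=None, agent="Mozilla/5.0"):
    """Stand-in adversary request; returns (status, Server banner seen)."""
    req = urllib.request.Request(base + path, data=body, method=method,
                                 headers={"User-Agent": agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server")


def run_demo():
    """Start the decoy, replay a constructed three-request attacker session
    against it from this process, stop it, and return (results, alerts)."""
    del ALERTS[:]
    srv = start_decoy()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        session = [  # constructed; a browser hit, then a scanner, then a credential guess
            ("GET", "/", None, "Mozilla/5.0"),
            ("GET", "/.env", None, "python-requests/2.31"),
            ("POST", "/wp-login.php", b"log=admin&pwd=Passw0rd!", "python-requests/2.31"),
        ]
        results = [_probe(base, m, p, b, a) for m, p, b, a in session]
    finally:
        srv.shutdown()
        srv.server_close()
    return results, list(ALERTS)


if __name__ == "__main__":
    results, alerts = run_demo()
    for alert in alerts:
        print(json.dumps(alert))
    print(paths_by_source(alerts))
```

Two design points matter for the procedure. The decoy answers 404 to everything except `/`, because a server that returns 200 for every path is an easy honeypot tell (the same concern as DOS0169: the adversary noticing the decoy and reacting). And the request body is captured verbatim, since posted form fields on a fake login page are exactly the credentials and tooling the defender wants to observe.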
ID | Name | ATT&CK Tactics |
---|---|---|
T1021 | Remote Services | Lateral Movement |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1046 | Network Service Scanning | Discovery |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1133 | External Remote Services | Persistence, Initial Access |
T1189 | Drive-by Compromise | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1203 | Exploitation for Client Execution | Execution |
T1219 | Remote Access Software | Command and Control |
T1221 | Template Injection | Defense Evasion |
T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery |
T1529 | System Shutdown/Reboot | Impact |
T1580 | Cloud Infrastructure Discovery | Discovery |
T1592 | Gather Victim Host Information | Reconnaissance |
T1595 | Active Scanning | Reconnaissance |
T1600 | Weaken Encryption | Defense Evasion |
T1601 | Modify System Image | Defense Evasion |