Decoy System

Configure a computing system to serve as an attack target or experimental environment.

A decoy system is a computing resource presented to the adversary in support of active defense. The underlying system can be real, virtual, or simulated, and can be presented as any of a variety of IT devices, including user workstations, servers, networking systems, IoT (embedded) devices, and mobile systems such as phones.

ID: DTE0017
Tactics: Channel, Collect, Test, Detect, Facilitate, Legitimize


Opportunities

DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0005 There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.
DOS0009 There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them to access your network via remote services.
DOS0169 There is an opportunity to deploy virtual decoy systems and see if an adversary discovers or reacts to the virtualization.
DOS0199 In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task.
DOS0253 There is an opportunity to introduce decoy information, users, systems, etc. to influence an adversary's future actions.

Use Cases

DUC0001 A defender can use a decoy system to access a compromised website to see how it works (study the exploit sequence, collect relevant artifacts, etc.).
DUC0007 A defender can use a decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs.
DUC0009 A defender can set up a decoy VPN server and see if an adversary attempts to use a valid account to authenticate to it.
DUC0026 A defender can configure a decoy system with limited restrictions to see if the adversary creates or alters scheduled tasks to launch their malware.
DUC0034 A defender can use a decoy system to see if an adversary exploits vulnerable software in order to compromise the system.
DUC0078 A defender can add decoy systems to the network so an adversary can have a variety of network services available to them. The defender can observe which network services the adversary attempts to use.
DUC0097 A defender can deploy a decoy software deployment tool within an adversary engagement environment to see how the adversary attempts to use the device during their activity.
DUC0134 A defender can deploy a decoy system to see if an adversary attempts to shut down or reboot the device.
DUC0169 A defender can deploy a virtual decoy system to see if the adversary recognizes the virtualization and reacts.
DUC0199 A defender could implement a decoy system running a remote service (such as telnet, SSH, and VNC) and see if the adversary attempts to log in to the service.
DUC0200 A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information.
DUC0223 A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control.
DUC0225 A defender can have decoy systems that are easy to gain access to and have Office installed. The decoy system can be monitored to see if an adversary attempts to inject anything malicious into Office templates.
DUC0255 A defender can deploy a diverse set of decoy systems to impact an adversary's level of effort during recon activity.


Procedures

DPR0032 Use an isolated system to visit a suspected compromised website. Collect any associated scripting code or files dropped onto the system.
DPR0033 Set up a server which appears to be something that is commonly expected within a network, such as a web server.
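
The tripwire and valid-credential opportunities above (DOS0005, DOS0009) can be combined when triaging decoy logs. The following is an added example, not part of the original page: the log format, host names, account names and severity labels are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory: hosts that exist only as decoys, so nobody should use them.
DECOYS = {"vpn-decoy-01", "ssh-decoy-02"}
# Constructed list of real account names (assumed export from the directory).
REAL_ACCOUNTS = {"j.smith", "svc-backup"}

# Constructed sample events in an assumed "timestamp key=value ..." log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=ssh-decoy-02 svc=ssh src=198.51.100.23 event=connect
2024-05-01T10:00:03Z host=ssh-decoy-02 svc=ssh src=198.51.100.23 event=auth user=root
2024-05-01T10:04:10Z host=vpn-decoy-01 svc=vpn src=203.0.113.7 event=auth user=j.smith
2024-05-01T10:05:00Z host=web-prod-01 svc=https src=192.0.2.10 event=connect
this line is malformed
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (timestamp, fields), or None if the line does not fit the format."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(FIELD.findall(rest))
    if not ts or not {"host", "src", "event"} <= fields.keys():
        return None
    return ts, fields

def triage(log_text):
    """Group decoy touches by source address and grade them (input in time order)."""
    alerts = defaultdict(lambda: {"severity": "touch", "hosts": set(), "real_users": set()})
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None or parsed[1]["host"] not in DECOYS:
            continue  # malformed line, or traffic to a non-decoy host
        ts, f = parsed
        alert = alerts[f["src"]]
        alert.setdefault("first_seen", ts)
        alert["hosts"].add(f["host"])  # any contact with a decoy is a tripwire hit
        if f["event"] == "auth" and f.get("user") in REAL_ACCOUNTS:
            alert["real_users"].add(f["user"])  # real account name offered to a decoy
            alert["severity"] = "credential-review"
    return dict(alerts)

if __name__ == "__main__":
    for src, alert in sorted(triage(SAMPLE_LOG).items()):
        print(src, alert["severity"], sorted(alert["hosts"]), sorted(alert["real_users"]))
```

A matching account name alone does not prove the adversary holds a valid password; it marks the account for review.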

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1021 | Remote Services | Lateral Movement
T1027 | Obfuscated Files or Information | Defense Evasion
T1046 | Network Service Scanning | Discovery
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1072 | Software Deployment Tools | Execution, Lateral Movement
T1133 | External Remote Services | Persistence, Initial Access
T1189 | Drive-by Compromise | Initial Access
T1190 | Exploit Public-Facing Application | Initial Access
T1203 | Exploitation for Client Execution | Execution
T1219 | Remote Access Software | Command and Control
T1221 | Template Injection | Defense Evasion
T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery
T1529 | System Shutdown/Reboot | Impact
T1580 | Cloud Infrastructure Discovery | Discovery
T1592 | Gather Victim Host Information | Reconnaissance
T1595 | Active Scanning | Reconnaissance
T1600 | Weaken Encryption | Defense Evasion
T1601 | Modify System Image | Defense Evasion