By nikhil_mitt
Import the module in the current PowerShell session.
PS C:\> Import-Module C:\Deploy-Deception\Deploy-Deception.psd1
Use the script with dot sourcing.
PS C:\> . C:\Deploy-Deception\Deploy-Deception.ps1
To get help about any function, use:
PS C:\> Get-Help [functionname] -Full
For example, to see the help about Deploy-UserDeception, use
PS C:\> Get-Help Deploy-UserDeception -Full
Deploy-Deception currently has the following functions: Create-DecoyUser, Create-DecoyComputer, Create-DecoyGroup, Deploy-UserDeception, Deploy-SlaveDeception, Deploy-PrivilegedUserDeception, Deploy-ComputerDeception and Deploy-GroupDeception.
All the functions must be run on a DC with domain admin privileges. There are multiple attributes and flags which can be set while deploying a decoy; these make the decoy interesting for an attacker. When a right, say ReadProperty, is used to access the decoy by the audited principal, Security event 4662 (An operation was performed on an object) is logged on the DC that handled the request.
Note that the Windows Settings|Security Settings|Advanced Audit Policy Configuration|DS Access|Audit Directory Service Access Group Policy setting needs to be enabled (Success, at least) on the domain controllers for 4662 logging to occur. The functions place a SACL on the decoy object, but without this audit policy no event is written.
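The following is an added example, not part of Deploy-Deception, for checking on the DC that the two things 4662 logging depends on are actually in place for a decoy: the effective audit policy for the Directory Service Access subcategory (what the GPO setting above ends up as on this DC) and an audit ACE (SACL entry) on the decoy object itself. It assumes the ActiveDirectory module (for the AD: drive) and auditpol.exe, both present on a DC; the function and parameter names are this example's own.

```powershell
# Added example (not part of Deploy-Deception). Run on a DC as a Domain Admin.
Import-Module ActiveDirectory

function Get-DsAccessAuditSetting {
    # 'auditpol /r' prints CSV; the 'Inclusion Setting' column is "No Auditing",
    # "Success", "Failure" or "Success and Failure". This is the effective
    # setting after Group Policy has applied (run gpupdate /force first if unsure).
    $rows = auditpol.exe /get /subcategory:"Directory Service Access" /r |
            Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

function Get-DecoyAuditRule {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Schema GUID of the watched attribute (x500uniqueIdentifier is
        # d07da11f-8a3d-42b6-b0aa-76c962be719a). Empty = show every audit ACE.
        [string]$PropertyGuid = ''
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName'" }

    # -Audit is needed to read the SACL; it requires SeSecurityPrivilege,
    # which Domain Admins hold on the DC.
    $sd    = Get-Acl -Path "AD:\$($obj.DistinguishedName)" -Audit
    $rules = $sd.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($r in $rules) {
        if ($PropertyGuid -and $r.ObjectType -ne [guid]$PropertyGuid) { continue }
        [pscustomobject]@{
            Object     = $obj.DistinguishedName
            Principal  = $r.IdentityReference.Value   # whose access triggers the audit, e.g. Everyone
            Rights     = $r.ActiveDirectoryRights      # ReadProperty, ReadControl, WriteDacl, ...
            AuditFlags = $r.AuditFlags                 # Success and/or Failure
            ObjectType = $r.ObjectType                 # attribute/property-set GUID; all zeros = any
            Inherited  = $r.IsInherited
        }
    }
}

function Test-DecoyAuditing {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$PropertyGuid = ''
    )
    $policy = Get-DsAccessAuditSetting
    $rules  = @(Get-DecoyAuditRule -SamAccountName $SamAccountName -PropertyGuid $PropertyGuid)
    # A successful read only produces 4662 when Success auditing is on.
    $policyOk = [bool]($policy -match 'Success')
    [pscustomobject]@{
        Decoy          = $SamAccountName
        AuditPolicy    = $policy
        PolicyEnabled  = $policyOk
        AuditRuleCount = $rules.Count
        Ready          = $policyOk -and ($rules.Count -gt 0)
        AuditRules     = $rules
    }
}

# Usage, after deploying a decoy with the functions documented below:
#   Test-DecoyAuditing -SamAccountName slaveuser
#   Test-DecoyAuditing -SamAccountName masteruser -PropertyGuid d07da11f-8a3d-42b6-b0aa-76c962be719a
```

If Ready comes back false with AuditRuleCount 0, the deployment function did not write the SACL (re-run it with -Verbose); if AuditRuleCount is non-zero but PolicyEnabled is false, the Group Policy setting above has not reached this DC yet.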
Deploy-UserDeception
This function sets up auditing when a specified Right is used by a specified principal against the decoy user object.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose
Creates a decoy user whose password never expires and a 4662 is logged whenever ANY property of the user is read. Very verbose!
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Creates a decoy user whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.
This property is not read by net.exe, WMI classes (like Win32_UserAccount) and ActiveDirectory module.
But LDAP based tools like PowerView and ADExplorer trigger the logging.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy-UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl -Verbose
Creates a decoy user which has the Allow Reversible Password Encryption property set.
A 4662 is logged whenever the DACL of the user is read.
The DACL is not read by enumeration tools unless the DACL (or all properties) of the decoy user is explicitly requested.
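The examples above only say which tools trip the audit; the following added example (not part of Deploy-Deception) shows how to pull the resulting 4662 events out of the DC's Security log, keep only those for the decoy (and, optionally, only those whose Properties list contains the watched attribute GUID), and join each hit to the 4624 logon with the same Logon ID to recover the client IP, which 4662 itself does not carry. Run it on the DC that served the LDAP query. It assumes the ActiveDirectory module; the function and parameter names are this example's own.

```powershell
# Added example (not part of Deploy-Deception). Run on the DC whose Security log holds the 4662s.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..."> of an event into a hashtable keyed by Name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-DecoyAccessEvent {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # decoy user, computer or group
        [string]$PropertyGuid = '',                      # '' = any property / any right
        [datetime]$Since = (Get-Date).AddHours(-24),
        [switch]$IncludeMachineAccounts                  # keep reads done by computer accounts (DCs, servers)
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName'" }
    # 4662 names the object either by DN or by objectGUID (%{...}); accept both.
    $dn   = $obj.DistinguishedName
    $guid = $obj.ObjectGUID.ToString()

    # Logon ID -> 4624 data, so SubjectLogonId of a 4662 can be mapped back to a client.
    $logons = @{}
    $p = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    foreach ($l in (Get-WinEvent -FilterHashtable $p -ErrorAction SilentlyContinue)) {
        $ld = ConvertFrom-EventData $l
        if (-not $logons.ContainsKey($ld.TargetLogonId)) { $logons[$ld.TargetLogonId] = $ld }
    }

    $p = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $p -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d.ObjectName -ne $dn -and $d.ObjectName -notmatch $guid) { continue }
        if (-not $IncludeMachineAccounts -and $d.SubjectUserName -like '*$') { continue }
        # Properties holds the access type (%%7688 = Read Property) followed by the GUIDs
        # of the property sets / attributes touched; an audit on one attribute such as
        # x500uniqueIdentifier shows up as that attribute's schema GUID here.
        if ($PropertyGuid -and $d.Properties -notmatch [regex]::Escape($PropertyGuid)) { continue }

        $logon = $logons[$d.SubjectLogonId]
        $ip    = if ($logon) { $logon.IpAddress } else { '(no 4624 in window)' }
        $ws    = if ($logon) { $logon.WorkstationName } else { '' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SourceIp    = $ip
            Workstation = $ws
            Object      = $d.ObjectName
            AccessMask  = $d.AccessMask   # 0x10 = Read Property, 0x20000 = Read Control, 0x40000 = Write DAC
            Properties  = ($d.Properties -split '\s+' | Where-Object { $_ }) -join ' '
        }
    }
}

# Usage:
#   Get-DecoyAccessEvent -SamAccountName slaveuser
#   Get-DecoyAccessEvent -SamAccountName masteruser -PropertyGuid d07da11f-8a3d-42b6-b0aa-76c962be719a
```

To see the difference described above for yourself, run an LDAP search against the decoy that asks only for sAMAccountName and then one with no attribute list (which returns every attribute); only the second should appear in the output when -PropertyGuid is set to the x500uniqueIdentifier GUID. In a multi-DC domain the event lands on whichever DC answered the query, so either run this on each DC or forward Security logs centrally.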
Deploy-SlaveDeception
This function sets up auditing when a specified Right is used over the slave user by a master user who has FullControl/GenericAll over the slave user.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123
PS C:\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose
The first command creates a decoy user 'masteruser'.
The second command creates a decoy user 'slaveuser' and grants masteruser GenericAll rights over slaveuser.
For both users a 4662 is logged whenever there is any interaction with them.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
PS C:\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
PS C:\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose
The first command creates a decoy user 'masteruser' whose password never expires; a 4662 is logged whenever the x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.
The second command creates a decoy user 'slaveuser' with the same flag and the same audited property.
The third command grants masteruser GenericAll rights over slaveuser.
Together the three commands make masteruser and slaveuser attractive to an attacker while the logging is triggered only by aggressive (all-property, LDAP-based) enumeration.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123
PS C:\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123
PS C:\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose
PS C:\> Deploy-UserDeception -DecoySamAccountName slaveuser -Principal masteruser -Right WriteDacl -Verbose
The first three commands create masteruser, create slaveuser and grant masteruser GenericAll rights over slaveuser.
The fourth command triggers a 4662 only when masteruser is used to change the DACL (WriteDacl) of slaveuser.
This is useful when targeting lateral movement and it is assumed that an adversary will get access to masteruser. For example, masteruser could be a honeyuser whose credentials are left on multiple machines, or masteruser can have its usable password in its Description attribute.
Deploy-PrivilegedUserDeception
This function deploys a decoy user which has high privileges like membership of the Domain Admins group.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Verbose
Creates a decoy user named decda and makes it a member of the Domain Admins group. As a protection against potential abuse, logon is denied for the user on any machine. Be aware that if another DA gets compromised, the DenyLogon setting can be removed.
If there is any attempt to use the user credentials (password or hashes) a 4768 is logged.
Any enumeration which reads DACL or all properties for the user will result in a 4662 logging.
EXAMPLE
PS C:\> Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation nonexistent -Verbose
Uses the existing user decda and makes it a member of the Domain Admins group. As a protection against potential abuse, sets LogonWorkstation for the user to a nonexistent machine.
If there is any attempt to use the user credentials (password or hashes) a 4768 is logged.
Any enumeration which reads DACL or all properties for the user will result in a 4662 logging.
EXAMPLE
PS C:\> Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DCSyncRights -Protection LogonWorkStation -LogonWorkStation nonexistent -Verbose
Uses the existing user decda and grants it DCSync rights (replication rights on the domain object). As a protection against potential abuse, sets LogonWorkstation for the user to a nonexistent machine.
If there is any attempt to use the user credentials (password or hashes) a 4768 is logged.
Any enumeration which reads DACL or all properties for the user will result in a 4662 logging.
EXAMPLE
PS C:\> Create-DecoyUser -UserFirstName test -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -CreateLogon -Verbose
Creates a decoy user named testda and makes it a member of the Domain Admins group. As a protection against potential abuse, sets LogonWorkstation for the user to the DC (revert-dc) where this function is executed.
To defeat decoy detection that relies on logonCount being zero, use the CreateLogon option, which starts and stops a process as the decoy user on the DC. A user profile is created on the DC when this parameter is used.
If there is any attempt to use the user credentials (password or hashes) a 4768 is logged.
Any enumeration which reads DACL or all properties for the user will result in a 4662 logging.
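The examples above say a 4768 is logged when the decoy's credentials are used. The following added example (not part of Deploy-Deception) lists that Kerberos AS-REQ activity for a privileged decoy such as decda on this DC. 4768 is written when a TGT is requested (success, or a KDC failure such as result code 0xC when the logon workstation restriction blocks it); a wrong password does not produce a 4768 but a 4771 (pre-authentication failed, status 0x18), so both are collected. An RC4 (0x17) TGT for an account that otherwise uses AES is worth flagging, since that is what overpass-the-hash with an NTLM hash looks like. The function and parameter names are this example's own.

```powershell
# Added example (not part of Deploy-Deception). Run on each DC, or against forwarded Security logs:
# the KDC that answered the AS-REQ is the one that writes the event.
function Get-DecoyKerberosActivity {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # Result codes shared by 4768/4771 (hex as shown in the event, lower-cased below)
    $statusText = @{
        '0x0'  = 'success (TGT issued)'
        '0x6'  = 'client not found (KDC_ERR_C_PRINCIPAL_UNKNOWN)'
        '0xc'  = 'KDC policy, e.g. logon workstation restriction (KDC_ERR_POLICY)'
        '0x12' = 'client revoked: disabled, locked out or expired (KDC_ERR_CLIENT_REVOKED)'
        '0x18' = 'pre-authentication failed, i.e. bad password (KDC_ERR_PREAUTH_FAILED)'
    }
    $etypeText = @{ '0x12' = 'AES256'; '0x11' = 'AES128'; '0x17' = 'RC4-HMAC'; '0x3' = 'DES-CBC-MD5'; '0x1' = 'DES-CBC-CRC' }

    $p = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $p -ErrorAction SilentlyContinue)) {
        $d = @{}
        foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        # Compare client-side and case-insensitively: the name in the event is whatever the client sent.
        if ($d.TargetUserName -ne $SamAccountName) { continue }

        $status  = ([string]$d['Status']).ToLower()
        $etype   = ([string]$d['TicketEncryptionType']).ToLower()   # 4768 only; empty for 4771
        $meaning = if ($statusText.ContainsKey($status)) { $statusText[$status] } else { 'see 4768/4771 result code tables' }
        $etName  = if ($etypeText.ContainsKey($etype)) { $etypeText[$etype] } else { $etype }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Account   = $d.TargetUserName
            ClientIp  = $d.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            Status    = $status
            Meaning   = $meaning
            Etype     = $etName
            PreAuth   = $d.PreAuthType   # 2 = encrypted timestamp (password or key), 15-17 = PKINIT certificate
            RC4Ticket = ($etype -eq '0x17')   # hash-based use of the decoy shows up as RC4
        }
    }
}

# Usage:
#   Get-DecoyKerberosActivity -SamAccountName decda | Format-Table -AutoSize
```

Any row for the decoy is actionable, because nothing legitimate should ever request a ticket for it; the Meaning column just tells you whether the protection (DenyLogon, LogonWorkstation) held or whether the attacker merely guessed a wrong password.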
Deploy-ComputerDeception
This function sets up auditing when a specified Right is used by a specified principal against the decoy computer object.
EXAMPLE
PS C:\> Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Creates a decoy computer that has Unconstrained Delegation enabled and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties of the computer are read.
EXAMPLE
PS C:\> Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
Uses an existing computer object and sets Unconstrained Delegation on it. A 4662 is logged whenever the x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties of the computer are read.
Using a real machine for the decoy is always recommended as it is harder to identify as a decoy.
EXAMPLE
PS C:\> Deploy-ComputerDeception -DecoyComputerName comp1 -OperatingSystem "Windows Server 2003" -Right ReadControl -Verbose
Uses an existing computer object and sets its Operating System property to Windows Server 2003.
A 4662 is logged whenever the DACL or all the properties of the computer are read.
Using a real machine for the decoy is always recommended as it is harder to identify as a decoy.
Deploy-GroupDeception
This function sets up auditing when a specified Right is used by a specified principal against the decoy group object.
EXAMPLE
PS C:\> Create-DecoyGroup -GroupName 'Forest Admins' -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -Right ReadControl -Verbose
Creates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group. A 4662 is logged whenever DACL or all the properties of the group are read.
EXAMPLE
PS C:\> Create-DecoyGroup -GroupName "Forest Admins" -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -GUID bc0ac240-79a9-11d0-9020-00c04fc2d4cf -Verbose
Creates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group. A 4662 is logged whenever the membership (the member attribute, bc0ac240-79a9-11d0-9020-00c04fc2d4cf) of the Forest Admins group is listed.
Please raise an issue if you encounter a bug or have a feature request.
You can contribute by fixing bugs or contributing to the code. If you cannot code, you can test the deployment in your network and share the results about false positives with me to help improve the project.
https://www.labofapenetrationtester.com/2018/10/deploy-deception.html