Deploy-Deception: A PowerShell module to deploy active directory decoy objects

Deploy-Deception

Deploy-Deception is a PowerShell module to deploy active directory decoy objects.

Deploy-Deception

Functions

Deploy-Deception currently has the following functions:

All the functions must be run on a DC with domain admin privileges. There are multiple attributes and flags which can be set while deploying a decoy. These attributes and flags make the decoy interesting for an attacker. When a right, say, ReadProperty is used to access the decoy, a Security Event 4662 is logged.

Note that Windows Settings|Security Settings|Advanced Audit Policy Configuration|DS Access|Audit Directory Service Access Group Policy needs to be configured to enable 4662 logging.

Deploy-UserDeception

This function sets up auditing when a specified Right is used by a specified principal against the decoy user object.

EXAMPLE

PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose

Creates a decoy user whose password never expires and a 4662 is logged whenever ANY property of the user is read. Very verbose!

Deploy-SlaveDeception

This function sets up auditing when a specified Right is used over the slave user by a master user who has FUllControl/GenericALl over the slave user.

EXAMPLE

PS C:\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123

PS C:\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose

The first command creates a deocy user ‘masteruser’.

The second command creates a decoy user ‘slaveuser’ and provides masteruser GenericAll rights over slaveuser.

For both the users a 4662 is logged whenever there is any interaction with them.

Deploy-PrivilegedUserDeception

This function deploys a decoy user which has high privileges like membership of the Domain Admins group. EXAMPLE

PS C:\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Verbose

Create a decoy user named decda and make it a member of the Domain Admins group. As a protection against potential abuse, Deny logon to the user on any machine. Please be aware that if another DA gets compromised the DenyLogon setting can be removed.

If there is any attempt to use the user credentials (password or hashes) a 4768 is logged.

Any enumeration which reads DACL or all properties for the user will result in a 4662 logging.

EXAMPLE

PS C:\> Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DomainAdminsMemebership -Protection LogonWorkStation nonexistent -Verbose

Use existing user decda and make it a member of the Domain Admins group. As a protection against potential abuse set LogonWorkstation for the user to a non-existent machine.

If there is any attempt to use the user credentials (password or hashes) a 4768 is logged.

Any enumeration which reads DACL or all properties for the user will result in a 4662 logging.

Deploy-ComputerDeception

This function sets up auditing when a specified Right is used by a specified principal against the decoy computer object.

PS C:\> Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose

Creates a decoy computer that has Unconstrained Delegation enabled and a 4662 is logged whenever x500uniqueIdentifier – d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties of the computer are read.

EXAMPLE

PS C:\> Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose

Uses an existing computer object and set Unconstrained Delegation on it. A 4662 is logged whenever x500uniqueIdentifier – d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties of the computer are read.

Using a real machine for the decoy is always recommended as it is harder to identify as a decoy.

Deploy-GroupDeception

This function sets up auditing when a specified Right is used by a specifed principal against the decoy group object.

EXAMPLE

PS C:\> Create-DecoyGroup -GroupName ‘Forest Admins’ -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -Right ReadControl -Verbose

Creates a decoy Group ‘Forest Admins’, adds slaveuser as a member and makes the group part of the dnsadmins group. A 4662 is logged whenever DACL or all the properties of the group are read.

Download

git clone https://github.com/samratashok/Deploy-Deception.git

Usage

Import the module in the current PowerShell session.

PS C:\> Import-Module C:\Deploy-Deception\Deploy-Deception.psd1

Use the script with dot sourcing.

PS C:\> . C:\Deploy-Deception\Deploy-Deception.ps1

To get help about any function, use:

PS C:\> Get-Help [functionname] -Full

For example, to see the help about Deploy-UserDeception, use

PS C:\> Get-Help Deploy-UserDeception -Full

Tutorial

Copyright (C) 2018 Nikhil “SamratAshok” Mittal

Source: https://github.com/samratashok/

Share