Active Directory Decoy Account Configuration

Updated Sep 5, 2023

Configure an AD decoy account

You can configure a decoy Active Directory (AD) account that appeals to threat actors by appearing as a legitimate user. Activities triggered on this account are considered true positives for breach detection. Configuring this account helps reduce alert noise and decreases the detection time of an active attack on AD accounts within a network.

Note: Arctic Wolf does not recommend using the AD decoy account settings for all AD accounts. The AD decoy account is specifically configured to entice threat actors. Configure other AD accounts with the appropriate security measures.

Before you begin

Steps

  1. Create an AD decoy account.
  2. Configure AD decoy account properties.
  3. Configure Azure AD Connect sync filtering.
  4. Verify AD decoy account configuration.
  5. Provide account information to Arctic Wolf.

Step 1: Create an AD decoy account

If you have any old disabled accounts, you can reuse them as decoy accounts because attributes have populated data, for example, LastLogon and badPwdCount. If not, you can proceed with creating a new account to use as a decoy.

  1. From a domain controller (DC) or a device with AD tools installed, open Active Directory Users and Computers.

  2. Right-click the Organizational Unit (OU) where you want to create the AD decoy account, and then select New > User.

    Note: We recommend using an OU that is not set to sync to prevent configuration issues and reduce the time required to configure the account.

  3. In the dialog, enter account information that matches the standard format for AD users at your company.

    For example, if your User logon name value is FirstnameLastname@company, use the same format for the decoy account. Do not use words like fake or decoy in the account name. If a standard naming convention is unavailable, use an account name like Admin1 or Administrator1.

  4. Make note of the account name to use later.

  5. Click Next.

  6. Create a password for the account.

  7. Select these two checkboxes:

    • User cannot change password
    • Password never expires
  8. Click Next.

  9. Review your settings, and then click Finish to create the account.

  10. Sign in to the AD decoy account to populate AD schema attributes.

Step 2: Configure AD decoy account properties

  1. Right-click the new AD decoy account, and then select Properties.

  2. Click the Account tab.

  3. Click Logon Hours.

  4. In the Logon Hours dialog, select the Logon Denied option, and then click OK.

  5. In the Account options section, select these checkboxes:

    • Store password using reversible encryption
    • Smart card is required for interactive login
  6. Click OK.

  7. In the Security tab, under Permissions for Everyone, click Advanced.

  8. In the Advanced Security Settings dialog, complete these steps:

    Note: If the Security tab is not visible, verify that Advanced Features is enabled under the View menu for Active Directory.

    1. Click the Auditing tab.
    2. Click Add to create a new entry.
    3. Click Select a principal, and then click Everyone.
    4. In the Applies to list, select This object only.
    5. Scroll to the bottom of the list, and select Clear all.
    6. Click OK, and then click OK again to close the Advanced Security Settings dialog.
  9. In the General tab, enter a description such as User must change default password on first login: "P@ssw0rd!".

  10. Click OK to close the dialog and apply the new properties.

  11. If you use:
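
The same account creation and property changes from Step 1 and Step 2, done with the ActiveDirectory PowerShell module instead of the Active Directory Users and Computers dialogs. This is an added example, not Arctic Wolf's own code or script; the account name, UPN suffix, OU path and description are placeholders you replace with values that fit your naming convention. The auditing entry from Step 2.8 is still configured in the Advanced Security Settings dialog, and the one-time interactive sign-in from Step 1.10 must happen before the logon hours are denied.

```powershell
# Added example (not Arctic Wolf's code): Step 1 and Step 2 with the ActiveDirectory module.
# Requires RSAT / the ActiveDirectory module and rights to create and modify users in the OU.
Import-Module ActiveDirectory

# --- Assumed values (placeholders; adjust to your environment) ---
$SamAccountName = 'Administrator1'                             # follow your standard user logon name format
$UpnSuffix      = 'company.example'                            # placeholder UPN suffix
$OuPath         = 'OU=Service Accounts,DC=company,DC=example'  # placeholder; prefer an OU that is not synced
$Description    = 'User must change default password on first login: "P@ssw0rd!"'

# Step 1: create the account (skip if you are reusing an old disabled account).
# Read-Host keeps the real password out of the script file and the shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccountName"

$existing = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADUser -Name $SamAccountName `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$UpnSuffix" `
               -Path $OuPath `
               -AccountPassword $Password `
               -Enabled $true `
               -CannotChangePassword $true `
               -PasswordNeverExpires $true
}

# Step 1.10: sign in interactively with the account once at this point so attributes such
# as LastLogon are populated. Do this BEFORE the logon hours are denied below.

# Step 2: lock the account down so that any use of it is a true positive.
# logonHours is a 21-byte bitmap (168 hours). All bits cleared == "Logon Denied" for every hour.
$DeniedAllHours = New-Object byte[] 21

Set-ADUser -Identity $SamAccountName `
           -AllowReversiblePasswordEncryption $true `
           -SmartcardLogonRequired $true `
           -Description $Description `
           -Replace @{ logonHours = $DeniedAllHours }

# Step 2.8 (auditing entry for Everyone, this object only) is configured in the
# Advanced Security Settings dialog as described above; it is not scripted here.

# Show the resulting state for a quick eyeball check before Step 4.
$props = 'logonHours', 'SmartcardLogonRequired', 'AllowReversiblePasswordEncryption',
         'PasswordNeverExpires', 'CannotChangePassword', 'Description'
Get-ADUser -Identity $SamAccountName -Properties $props |
    Select-Object SamAccountName, Enabled, SmartcardLogonRequired, AllowReversiblePasswordEncryption,
                  PasswordNeverExpires, CannotChangePassword, Description,
                  @{ n = 'logonHoursAllZero'; e = { (($_.logonHours | Measure-Object -Sum).Sum) -eq 0 } }
```

Run it from a DC or a workstation with the AD tools installed, as an account that can create users in the chosen OU. Setting the properties through Set-ADUser produces the same userAccountControl flags and logonHours value as the checkboxes in the dialog, so the Verify-ADDecoy script in Step 4 applies unchanged.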

Step 3: Configure Azure AD Connect sync filtering

Do not complete these steps if:

Note: If you use a hybrid Microsoft Entra ID, you must configure filtering with Azure AD Connect sync to prevent syncing the decoy account with Microsoft Entra ID. Microsoft Entra ID does not support the Logon Hours setting configured for the decoy account. If the decoy account is synced between Microsoft Entra ID and on-prem AD, the logon restriction is ignored and the account can be accessed. For more information about filtering, see Azure AD Connect sync: Configure filtering.

  1. Run these commands to disable the scheduler. This prevents the accidental export of unverified changes.

    Import-Module ADSync
    Set-ADSyncScheduler -SyncCycleEnabled $False
  2. Sign in to the server running Azure AD Connect sync using the appropriate admin account.

  3. Click Start > Synchronization Rules Editor.

  4. In the Direction list, select Inbound.

  5. Click Add New Rule.

  6. On the Description page, configure these fields:

    • Name field — Enter a descriptive name for the rule, such as Decoy - Do Not Sync.
    • Connected System — Select the correct forest.
    • Connected System Object Type — Select user.
    • Metaverse Object Type — Select person.
    • Link Type — Select Join.
    • Precedence — Enter a value that isn't currently used by another synchronization rule.
  7. Click Next.

  8. Click Add clause, and then configure the scoping filter:

    • Attribute — Select UserPrincipalName.
    • Operator — Select EQUAL.
    • Value — Enter the email address of the AD decoy account.
  9. Click Add group.

  10. Leave the Join rules section empty, and then click Next.

  11. Click Add transformation, and then configure these fields:

    • FlowType — Select Constant.
    • Target Attribute — Select cloudFiltered.
    • Source — Enter True.
  12. Click Add.

  13. Run a full synchronization to complete the configuration:

    1. Click Start > Synchronization Service.
    2. Click Connectors.
    3. In the Connectors list, select the relevant connector.
    4. In the Actions pane, click Run.
    5. In the Run Connector dialog, in the Run profiles section, select Full synchronization.
    6. Click OK.

    When the synchronization completes, the changes are staged to be exported to Microsoft Entra ID.

    Note: For up-to-date information about syncing, verifying, and exporting AD to Microsoft Entra ID, see Apply and verify changes.

  14. Before exporting the changes to Microsoft Entra ID, verify that the changes are correct:

    1. On the command line, navigate to %ProgramFiles%\Microsoft Azure AD Sync\bin.

    2. Run this command, where <Name of Connector> is the name of the relevant connector in Synchronization Service:

      csexport "<Name of Connector>" %temp%\export.xml /f:x

      The command generates an export.csv file that contains all changes staged for export.

    3. Review the file to verify the changes, and repeat the configuration steps as needed until the changes are what you expect.

  15. Export the verified changes to Microsoft Entra ID:

    1. In the Connectors list in Synchronization Service, select the relevant connector.
    2. In the Actions list, select Run.
    3. In Run profiles, select Export.
  16. In PowerShell, run this command to re-enable the sync schedule:

    Set-ADSyncScheduler -SyncCycleEnabled $True

Step 4: Verify AD decoy account configuration

Note: We recommend running this from the DC.

  1. Prepare the configuration file:

    1. Download the awn-ad-decoy-configure.zip file and move it to an easily-accessible folder on your machine.
    2. Right-click the awn-ad-decoy-configure.zip file, and then select Extract All.
    3. In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents. For example, a desktop folder.
    4. Verify that Show extracted files when complete is selected.
    5. Select Extract to extract the contents of the zip file to the new awn-ad-decoy-configure folder in the selected destination.
  2. Open a PowerShell window as an administrator.

  3. In the PowerShell window, use the cd command to navigate to the awn-ad-decoy-configure folder.

  4. Run these commands, replacing <username> with the user logon name value from Step 1: Create an AD decoy account.

    Import-Module .\Verify-ADDecoy
    Verify-ADDecoy <username>

    Note: If you receive a warning that says Verify-ADDecoy.ps1 cannot be loaded because running scripts is disabled on this system., check to make sure you are running this as an administrator. You may also need to change your Execution Policy.

  5. If any of the Security Setting items fail, open a new PowerShell window and run the previous commands again.

  6. Take a screenshot of the dialog that appears. If any of the Security Setting items fail again, return to Step 2: Configure AD decoy account properties.
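
Because the Verify-ADDecoy script is shipped only in the zip file, the following added example (not Arctic Wolf's script) shows what an independent check looks like: it reads the decoy account's attributes with the ActiveDirectory module and compares them against the settings from Step 2, then pulls recent authentication events that name the account from the DC's Security log, since any such activity is treated as a true positive. The account name is a placeholder; the event IDs are the standard Windows Security logon and Kerberos/NTLM authentication events.

```powershell
# Added example (not the Verify-ADDecoy script): independent verification of the decoy
# settings plus a look for any authentication attempts against the account.
# Run on the DC as an administrator so the Security log and AD attributes are readable.
Import-Module ActiveDirectory

$SamAccountName = 'Administrator1'   # placeholder: the user logon name from Step 1

function Test-ADDecoyConfig {
    param([Parameter(Mandatory)][string]$Identity)

    $props = 'logonHours', 'SmartcardLogonRequired', 'AllowReversiblePasswordEncryption',
             'PasswordNeverExpires', 'CannotChangePassword', 'Description', 'LastLogonDate'
    $u = Get-ADUser -Identity $Identity -Properties $props

    # logonHours is a 21-byte bitmap; all bytes zero means "Logon Denied" for every hour.
    $hours = [byte[]]$u.logonHours
    $logonDenied = ($hours.Count -eq 21) -and ((($hours | Measure-Object -Sum).Sum) -eq 0)

    # Each entry mirrors one checkbox/setting from Step 1 and Step 2.
    [ordered]@{
        'Account enabled'               = [bool]$u.Enabled
        'Logon hours: all denied'       = $logonDenied
        'Smart card required'           = [bool]$u.SmartcardLogonRequired
        'Reversible encryption enabled' = [bool]$u.AllowReversiblePasswordEncryption
        'Password never expires'        = [bool]$u.PasswordNeverExpires
        'User cannot change password'   = [bool]$u.CannotChangePassword
        'Description set'               = -not [string]::IsNullOrWhiteSpace($u.Description)
        'LastLogonDate populated'       = ($null -ne $u.LastLogonDate)
    }
}

function Get-ADDecoyActivity {
    param([Parameter(Mandatory)][string]$Identity, [int]$Days = 7)

    # 4624/4625: logon success/failure; 4768/4771: Kerberos TGT request / pre-auth failure;
    # 4776: NTLM credential validation. With logon denied at all hours, any of these
    # naming the decoy is worth investigating. The TargetUserName match is exact (case-sensitive).
    $windowMs = $Days * 24 * 60 * 60 * 1000
    $xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771 or EventID=4776) " +
             "and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
             "and EventData[Data[@Name='TargetUserName']='$Identity']]"

    # Get-WinEvent throws when nothing matches; treat that as "no activity".
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$results = Test-ADDecoyConfig -Identity $SamAccountName
$results.GetEnumerator() | Format-Table Name, Value -AutoSize

$failed = @($results.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning ("Decoy settings not as expected: " + (($failed | ForEach-Object Name) -join ', ') +
                   ". Return to Step 2: Configure AD decoy account properties.")
}

$activity = @(Get-ADDecoyActivity -Identity $SamAccountName -Days 7)
if ($activity.Count -eq 0) {
    Write-Output "No authentication events for $SamAccountName in the last 7 days."
} else {
    Write-Warning "$($activity.Count) authentication event(s) reference $SamAccountName; review them:"
    $activity | Format-Table -AutoSize
}
```

The attribute checks cover the settings the page asks for; the auditing entry from Step 2.8 lives in the object's SACL and is not inspected here. The event query only sees the Security log of the DC it runs on, so for a multi-DC domain run it on each DC or query the DCs' logs centrally.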

Step 5: Provide account information to Arctic Wolf

Arctic Wolf will then provision security monitoring for this application.

See also