Active Directory Decoy Account Configuration
Updated Sep 5, 2023
Configure an AD decoy account
You can configure a decoy Active Directory (AD) account that appeals to threat actors by appearing as a legitimate user. Activities triggered on this account are considered true positives for breach detection. Configuring this account helps reduce alert noise and decreases the detection time of an active attack on AD accounts within a network.
Note: Arctic Wolf does not recommend using the AD decoy account settings for all AD accounts. The AD decoy account is specifically configured to entice threat actors. Configure other AD accounts with the appropriate security measures.
Before you begin
- Discuss this feature with your Concierge Security® Team to determine if it is right for your organization.
Steps
- Create an AD decoy account.
- Configure AD decoy account properties.
- Configure Azure AD Connect sync filtering.
- Verify AD decoy account configuration.
- Provide account information to Arctic Wolf.
Step 1: Create an AD decoy account
If you have any old disabled accounts, you can reuse them as decoy accounts because attributes have populated data, for example, LastLogon and badPwdCount. If not, you can proceed with creating a new account to use as a decoy.
- From a domain controller (DC) or a device with AD tools installed, open Active Directory Users and Computers.
- Right-click the Organizational Unit (OU) where you want to create the AD decoy account, and then select New > User.
  Note: We recommend using an OU that is not set to sync to prevent configuration issues and reduce the time required to configure the account.
- In the dialog, enter account information that matches the standard format for AD users at your company.
  For example, if your User logon name value is FirstnameLastname@company, use the same format for the decoy account. Do not use words like fake or decoy in the account name. If a standard naming convention is unavailable, use an account name like Admin1 or Administrator1.
- Make note of the account name to use later.
- Click Next.
- Create a password for the account.
- Select these two checkboxes:
  - User cannot change password
  - Password never expires
- Click Next.
- Review your settings, and then click Finish to create the account.
- Sign in to the AD decoy account to populate AD schema attributes.
Step 2: Configure AD decoy account properties
- Right-click the new AD decoy account, and then select Properties.
- Click the Account tab.
- Click Logon Hours.
- In the Logon Hours dialog, select the Logon Denied option, and then click OK.
- In the Account options section, select these checkboxes:
  - Store password using reversible encryption
  - Smart card is required for interactive logon
- Click OK.
- In the Security tab, under Permissions for Everyone, click Advanced.
- In the Advanced Security Settings dialog, complete these steps:
  Note: If the Security tab is not visible, verify that Advanced Features is enabled under the View menu for Active Directory.
  - Click the Auditing tab.
  - Click Add to create a new entry.
  - Click Select a principal, and then click Everyone.
  - In the Applies to list, select This object only.
  - Scroll to the bottom of the list, and select Clear all.
  - Click OK, and then click OK again to close the Advanced Security Settings dialog.
- In the General tab, enter a description such as User must change default password on first login: "P@ssw0rd!".
- Click OK to close the dialog and apply the new properties.
- If you use:
  - A hybrid Microsoft Entra ID - Proceed to Step 3: Configure Azure AD Connect sync filtering.
  - On-premises AD only - Proceed to Step 4: Verify AD decoy account configuration.
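The same Step 1 and Step 2 account settings can be applied from PowerShell instead of the dialogs. This is an added example, not Arctic Wolf's tooling; it assumes the decoy account already exists, that the RSAT ActiveDirectory module is installed, that the caller may modify the account, and that Admin1 stands in for your decoy's user logon name. The auditing entry from Step 2 is not covered here and is still set in the GUI.

```powershell
# Added example (not Arctic Wolf's code): apply the decoy settings from Step 1 and
# Step 2 with the RSAT ActiveDirectory module, then read them back.
Import-Module ActiveDirectory

$SamAccountName = 'Admin1'   # placeholder: the decoy's user logon name from Step 1

# "Logon Denied" for the whole week: logonHours is a 21-byte bitmask
# (7 days x 24 hours, one bit per hour); every bit cleared means denied.
$deniedAllHours = New-Object byte[] 21

# The lure description from Step 2 (the page's own example text).
$description = 'User must change default password on first login: "P@ssw0rd!"'

$settings = @{
    Identity                          = $SamAccountName
    PasswordNeverExpires              = $true    # Step 1 checkbox
    CannotChangePassword              = $true    # Step 1 checkbox
    AllowReversiblePasswordEncryption = $true    # Step 2: Store password using reversible encryption
    SmartcardLogonRequired            = $true    # Step 2: Smart card is required for interactive logon
    Description                       = $description
    Replace                           = @{ logonHours = $deniedAllHours }   # Step 2: Logon Denied
}
Set-ADUser @settings

# Read the result back so a mistake is visible before Step 4; logonHours should
# display as 21 zero bytes and the four flags as True.
$props = 'PasswordNeverExpires', 'CannotChangePassword', 'AllowReversiblePasswordEncryption',
         'SmartcardLogonRequired', 'Description', 'logonHours'
Get-ADUser -Identity $SamAccountName -Properties $props | Format-List -Property $props
```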
Step 3: Configure Azure AD Connect sync filtering
Do not complete these steps if:
- You are using an OU for the AD decoy account that is not set to sync.
- You do not use a hybrid Microsoft Entra ID.
Note: If you use a hybrid Microsoft Entra ID, you must configure filtering with Azure AD Connect sync to prevent syncing the decoy account with Microsoft Entra ID. Microsoft Entra ID does not support the Logon Hours setting configured for the decoy account. If the decoy account is synced between Microsoft Entra ID and on-prem AD, the logon restriction is ignored and the account can be accessed. For more information about filtering, see Azure AD Connect sync: Configure filtering.
- Run these commands to disable the scheduler. This prevents the accidental export of unverified changes.
  Import-Module ADSync
  Set-ADSyncScheduler -SyncCycleEnabled $False
- Sign in to the server running Azure AD Connect sync using the appropriate admin account.
- Click Start > Synchronization Rules Editor.
- In the Direction list, select Inbound.
- Click Add New Rule.
- On the Description page, configure these fields:
  - Name field — Enter a descriptive name for the rule, such as Decoy - Do Not Sync.
  - Connected System — Select the correct forest.
  - Connected System Object Type — Select user.
  - Metaverse Object Type — Select person.
  - Link Type — Select Join.
  - Precedence — Enter a value that isn't currently used by another synchronization rule.
- Click Next.
- Click Add clause, and then configure the scoping filter:
  - Attribute — Select UserPrincipalName.
  - Operator — Select EQUAL.
  - Value — Enter the email address of the AD decoy account.
- Click Add group.
- Leave the Join rules section empty, and then click Next.
- Click Add transformation, and then configure these fields:
  - FlowType — Select Constant.
  - Target Attribute — Select cloudFiltered.
  - Source — Enter True.
- Click Add.
- Run a full synchronization to complete the configuration:
  - Click Start > Synchronization Service.
  - Click Connectors.
  - In the Connectors list, select the relevant connector.
  - In the Actions pane, click Run.
  - In the Run Connector dialog, in the Run profiles section, select Full synchronization.
  - Click OK.
  When the synchronization completes, the changes are staged to be exported to Microsoft Entra ID.
  Note: For up-to-date information about syncing, verifying, and exporting AD to Microsoft Entra ID, see Apply and verify changes.
- Before exporting the changes to Microsoft Entra ID, verify that the changes are correct:
  - On the command line, navigate to %ProgramFiles%\Microsoft Azure AD Sync\bin.
  - Run this command, where <Name of Connector> is the name of the relevant connector in Synchronization Service:
    csexport "<Name of Connector>" %temp%\export.xml /f:x
    The command generates an export.csv file that contains all changes staged for export.
  - Review the file to verify the changes, and repeat the configuration steps as needed until the changes are what you expect.
- Export the verified changes to Microsoft Entra ID:
  - In the Connectors list in Synchronization Service, select the relevant connector.
  - In the Actions list, select Run.
  - In Run profiles, select Export.
- In PowerShell, run this command to re-enable the sync schedule:
  Set-ADSyncScheduler -SyncCycleEnabled $True
Step 4: Verify AD decoy account configuration
Note: We recommend running this from the DC.
- Prepare the configuration file:
  - Download the awn-ad-decoy-configure.zip file and move it to an easily-accessible folder on your machine.
  - Right-click the awn-ad-decoy-configure.zip file, and then select Extract All.
  - In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents. For example, a desktop folder.
  - Verify that Show extracted files when complete is selected.
  - Select Extract to extract the contents of the zip file to the new awn-ad-decoy-configure folder in the selected destination.
- Open a PowerShell window as an administrator.
- In the PowerShell window, use the cd command to navigate to the awn-ad-decoy-configure folder.
- Run these commands, replacing <username> with the user logon name value from Step 1: Create an AD decoy account.
  Import-Module .\Verify-ADDecoy
  Verify-ADDecoy <username>
  Note: If you receive a warning that says "Verify-ADDecoy.ps1 cannot be loaded because running scripts is disabled on this system", check to make sure you are running this as an administrator. You may also need to change your Execution Policy.
- If any of the Security Setting items fail, open a new PowerShell window and run the previous commands again.
- Take a screenshot of the dialog that appears. If any of the Security Setting items fail again, return to Step 2: Configure AD decoy account properties.
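An independent, read-only check of the same settings that Step 4 verifies, as an added example that is not Arctic Wolf's Verify-ADDecoy module. It assumes the RSAT ActiveDirectory module is available on the DC and that Admin1 stands in for your decoy's user logon name; the function name Test-ADDecoyAccount is invented for this example.

```powershell
# Added example (not Arctic Wolf's code): report PASS/FAIL for each decoy
# setting from Step 1 and Step 2 so a FAIL row points straight back to the step.
Import-Module ActiveDirectory

function Test-ADDecoyAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)   # user logon name from Step 1

    $props = 'logonHours', 'PasswordNeverExpires', 'CannotChangePassword',
             'AllowReversiblePasswordEncryption', 'SmartcardLogonRequired',
             'Description', 'LastLogonDate'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    # logonHours is a 21-byte bitmask (7 days x 24 hours). "Logon Denied" for every
    # hour means the attribute is present and every byte is zero; an absent attribute
    # means the default (always allowed), so it must fail the check.
    $hours = [byte[]]$u.logonHours
    $logonDenied = ($hours.Count -eq 21) -and (($hours | Measure-Object -Sum).Sum -eq 0)

    $checks = [ordered]@{
        'Logon hours: all denied (Step 2)'           = $logonDenied
        'Password never expires (Step 1)'            = [bool]$u.PasswordNeverExpires
        'User cannot change password (Step 1)'       = [bool]$u.CannotChangePassword
        'Reversible encryption enabled (Step 2)'     = [bool]$u.AllowReversiblePasswordEncryption
        'Smart card required (Step 2)'               = [bool]$u.SmartcardLogonRequired
        'Lure description present (Step 2)'          = -not [string]::IsNullOrWhiteSpace($u.Description)
        'Attributes populated by a sign-in (Step 1)' = ($null -ne $u.LastLogonDate)
        'Name avoids "fake" and "decoy" (Step 1)'    = ($u.SamAccountName -notmatch 'fake|decoy')
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check  = $name
            Result = $(if ($checks[$name]) { 'PASS' } else { 'FAIL' })
        }
    }
}

# Usage: replace Admin1 with the decoy's user logon name.
Test-ADDecoyAccount -SamAccountName 'Admin1' | Format-Table -AutoSize
```

The sync exclusion from Step 3 lives in Azure AD Connect, not on the account object, so this check cannot see it; confirm that separately with the csexport review in Step 3.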
Step 5: Provide account information to Arctic Wolf
- Contact your Concierge Security® Team to inform them that you have configured an AD decoy account. Include this information:
  - Username — The user logon name of the AD decoy account from Step 1: Create an AD decoy account.
  - Domain name — You only need to provide this value if the account name is not unique to the network or environment.
  - The screenshot from the final step of Step 4: Verify AD decoy account configuration.
Arctic Wolf will then provision security monitoring for this application.