Configure an Active Directory Decoy Account
This document describes how to configure an Active Directory (AD) decoy account that appeals to bad actors. Activities triggered on this account are considered true positives for breach detection.
The AD decoy account is configured to appear as a legitimate user. Configuring this account helps reduce alert noise and decreases the detection time of an active attack on AD accounts within a network.
Note: Arctic Wolf does not recommend using the AD decoy account settings for all AD accounts. The AD decoy account is specifically configured to entice bad actors. Configure other AD accounts with the appropriate security measures.
Configure an AD decoy account
Step 1: Create an AD decoy account
If you have any old disabled accounts, you can reuse one as the decoy account, because attributes such as LastLogon, badPwdCount, and so on already have populated data. Before reusing an account, confirm that it holds no group memberships or delegated rights beyond those of a standard user: the decoy should look attractive, not be privileged. If you do not have a suitable account, create a new one to use as the decoy.
- From a domain controller (DC) or a device with AD tools installed, open Active Directory Users and Computers.
- Right-click the Organizational Unit (OU) where you want to create the AD decoy account, and then select New > User.
- In the dialog box, enter account information that matches the standard format for AD users at your company. For example, if you usually make the User logon name value FirstnameLastname@company, follow the same format for the decoy account.
  Note: You need to provide this value in Verify AD decoy account configuration and Provide account information to Arctic Wolf.
- Click Next.
- Create a password for the account.
- Select both of these options, and then click Next:
  - User cannot change password
  - Password never expires
- Review your settings, and then click Finish to create the account.
- Sign in to the AD decoy account once so that its AD attributes (such as lastLogon) are populated.
Step 2: Configure AD decoy account properties
- Right-click the new AD decoy account, and then select Properties.
- In the Account tab, under Account options:
  - Select Store password using reversible encryption.
  - Select Smart card is required for interactive logon.
  - Select Logon Hours to open the dialog box.
  - Select all hours in the grid (click All in the top-left corner), select Logon Denied, and then click OK.
- In the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then complete the following steps:
  Note: If the Security tab is not visible, enable Advanced Features under the View menu of Active Directory Users and Computers.
  - Click the Auditing tab.
  - Click Add to create a new entry.
  - Click Select a principal, and then choose Everyone.
  - For the Applies to field, select This object only.
  - Scroll to the bottom of the list, and select Clear all.
  - Click OK, and then click OK again to close the Advanced Security Settings dialog box.
- In the General tab, enter a Description such as: User must change default password on first login: "P@ssw0rd!"
- Click OK to close the dialog box and apply the new properties.
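The same Step 1 and Step 2 settings can be applied from PowerShell instead of the GUI, which is easier to repeat and to review. The script below is an added example and is not Arctic Wolf's documentation or its decoy_v4.ps1 script; it uses the RSAT ActiveDirectory module. The OU, UPN suffix, account names and description in the usage section are placeholder assumptions, and the audit entry assumes that the intent of the Auditing step is to record every access attempt (Success and Failure) on the object.

```powershell
# Added example, not Arctic Wolf's documentation or the decoy_v4.ps1 script:
# the Step 1 and Step 2 settings applied with the RSAT ActiveDirectory module.
# Run elevated on a domain controller. The OU, UPN suffix, names and description
# in the usage section are placeholder assumptions; use your own conventions.
Import-Module ActiveDirectory

function New-DecoyAccount {
    # Step 1: create the account in the same format as real users, with
    # "User cannot change password" and "Password never expires".
    param(
        [Parameter(Mandatory)][string]$SamAccountName,       # e.g. 'JaneSmith', your logon-name format
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$OUPath,               # assumption: an OU that holds real users
        [Parameter(Mandatory)][string]$UpnSuffix,            # assumption: your UPN suffix
        [Parameter(Mandatory)][securestring]$AccountPassword # used once for the Step 1 sign-in
    )
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -Path $OUPath -AccountPassword $AccountPassword -Enabled $true `
        -CannotChangePassword $true -PasswordNeverExpires $true -PassThru
}

function Set-DecoyProperties {
    # Step 2: reversible encryption, smart card required, logon denied at all
    # hours, an audit entry for Everyone, and the lure in the Description.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Description = 'User must change default password on first login: "P@ssw0rd!"'
    )
    $user = Get-ADUser -Identity $SamAccountName

    # logonHours is a 21-byte (168-bit) bitmap, one bit per hour of the week;
    # a new byte[] is all zeros, which is "Logon Denied" for every hour.
    $denyAllHours = New-Object byte[] 21
    Set-ADUser -Identity $user -AllowReversiblePasswordEncryption $true `
        -SmartcardLogonRequired $true -Description $Description `
        -Replace @{ logonHours = $denyAllHours }

    # Auditing entry for Everyone (S-1-1-0), "This object only" (no inheritance).
    # Assumption about the intent of the auditing step: record every access
    # attempt, Success and Failure, for all rights. These entries only produce
    # events if "Audit Directory Service Access" is enabled on the DCs.
    $adPath = "AD:\$($user.DistinguishedName)"
    $acl = Get-Acl -Path $adPath -Audit
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule (
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
}

# Usage: create the account, perform the interactive sign-in from Step 1 so
# lastLogon and related attributes are populated, then lock it down.
$pw = Read-Host -AsSecureString 'Temporary decoy password (used once for the Step 1 sign-in)'
New-DecoyAccount -SamAccountName 'JaneSmith' -GivenName 'Jane' -Surname 'Smith' `
    -OUPath 'OU=Finance,DC=corp,DC=example' -UpnSuffix 'corp.example' -AccountPassword $pw
# ... sign in once as the decoy here, then:
Set-DecoyProperties -SamAccountName 'JaneSmith'
```

The temporary password exists only for the one interactive sign-in; once Smart card is required and Logon Denied are set, no password is ever meant to work for this account, so the value in the Description is purely bait.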
Step 3: Verify AD decoy account configuration
Note: We recommend running this from the domain controller.
- Prepare the configuration file:
  - Download the awn-ad-decoy-configure.zip file and move it to an easily accessible folder on your machine.
  - Right-click the awn-ad-decoy-configure.zip file, and then select Extract All.
  - In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents, such as the Desktop folder.
  - Verify that Show extracted files when complete is selected.
  - Select Extract to extract the contents of the .zip file to the new awn-ad-decoy-configure folder in the selected destination.
- Open a PowerShell window as an administrator.
- In the PowerShell window, use the cd command to navigate to the awn-ad-decoy-configure folder.
- Run the following command, replacing <username> with the user logon name value from Create an AD decoy account:
  .\decoy_v4.ps1 <username>
- Screenshot the resulting dialog. If any of the Security Setting items fail, return to Configure AD decoy account properties.
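If one of the Security Setting items fails, it helps to read each setting back directly before returning to the GUI. The function below is an added example, not Arctic Wolf's decoy_v4.ps1, and it checks the Step 2 settings through the ActiveDirectory module: the relevant userAccountControl bits, the CannotChangePassword property, the logonHours bitmap, the presence of an audit entry for Everyone scoped to this object only, and a non-empty Description. The decoy logon name in the usage line is an assumption.

```powershell
# Added example, not Arctic Wolf's decoy_v4.ps1: reads back each Step 2 setting
# so you can see which one is wrong before returning to the GUI. Run elevated on
# a domain controller; the "Everyone" audit check only confirms an entry exists.
Import-Module ActiveDirectory

function Test-DecoyAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, logonHours,
        Description, CannotChangePassword

    # userAccountControl flag bits (documented values for the attribute).
    $ENCRYPTED_TEXT_PWD_ALLOWED = 0x80      # Store password using reversible encryption
    $DONT_EXPIRE_PASSWORD       = 0x10000   # Password never expires
    $SMARTCARD_REQUIRED         = 0x40000   # Smart card is required for interactive logon
    $uac = [int]$u.userAccountControl

    # logonHours: 21 bytes, one bit per hour of the week. All zero = Logon Denied
    # at every hour. An unset attribute means logon is allowed at all times.
    $hours = [byte[]]$u.logonHours
    $logonDenied = ($null -ne $hours) -and ($hours.Count -eq 21) -and
                   (($hours | Measure-Object -Sum).Sum -eq 0)

    # SACL: an audit entry for Everyone (S-1-1-0) that applies to this object only.
    $rules = (Get-Acl -Path "AD:\$($u.DistinguishedName)" -Audit).GetAuditRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $auditEveryone = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.InheritanceType -eq 'None' }).Count -gt 0

    $checks = [ordered]@{
        'Store password using reversible encryption'   = [bool]($uac -band $ENCRYPTED_TEXT_PWD_ALLOWED)
        'Smart card is required for interactive logon' = [bool]($uac -band $SMARTCARD_REQUIRED)
        'Password never expires'                       = [bool]($uac -band $DONT_EXPIRE_PASSWORD)
        'User cannot change password'                  = [bool]$u.CannotChangePassword
        'Logon Hours: Logon Denied'                     = $logonDenied
        'Auditing entry for Everyone, this object only' = $auditEveryone
        'Description contains a lure'                   = -not [string]::IsNullOrWhiteSpace($u.Description)
    }
    foreach ($c in $checks.GetEnumerator()) {
        $state = if ($c.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0} {1}' -f $state, $c.Key)
    }
    # $true only when every setting is in place.
    return -not (@($checks.Values) -contains $false)
}

Test-DecoyAccount -SamAccountName 'JaneSmith'   # assumption: the decoy logon name
```

"User cannot change password" is not a userAccountControl bit but a deny ACE on the object, which is why it is read through the CannotChangePassword property rather than from the flags.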
Step 4: Provide account information to Arctic Wolf
- Contact your Concierge Security® Team to inform them that you have configured an AD decoy account. Include the following information:
  - Username: the user logon name of the AD decoy account from Create an AD decoy account.
  - Domain name: you only need to provide this value if the account name is not unique to the network or environment.
  - The screenshot from the final step of Verify AD decoy account configuration.
- Arctic Wolf will then provision security monitoring for this account.
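Because nothing legitimate should ever touch the decoy, any authentication attempt against it is a true positive. The function below is an added example, not part of the Arctic Wolf article or its monitoring, that lists the authentication events a domain controller has recorded for the decoy so you can confirm locally that such activity is actually being logged. It assumes the DC's default audit policy (Kerberos, credential validation and logon events in the Security log), that it is run elevated on that DC, and a placeholder decoy logon name.

```powershell
# Added example, not part of the Arctic Wolf article: list authentication events
# a domain controller has logged against the decoy, to confirm that activity on
# the account is actually being recorded before it is handed to monitoring.
# Assumes the DC's default audit policy (Kerberos, credential validation and
# logon events in the Security log) and that you run it elevated on that DC.
function Get-DecoyActivity {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    # Events whose TargetUserName is the account: 4768 TGT requested,
    # 4771 Kerberos pre-auth failed, 4776 NTLM credential validation,
    # 4624 logon succeeded, 4625 logon failed. The XPath comparison is
    # case-sensitive, so the name must match what clients actually send.
    $windowMs = [int64]$Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4768 or EventID=4771 or EventID=4776 or EventID=4624 or EventID=4625) " +
             "and TimeCreated[timediff(@SystemTime) <= $windowMs]] " +
             "and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    try {
        $events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; for a decoy, silence is the normal state.
        if ($_.Exception.Message -like 'No events were found*') { return @() }
        throw
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Target  = $data['TargetUserName']
            Source  = $source
            Status  = $data['Status']
        }
    }
}

# Any row returned here is, by the decoy's design, worth investigating.
Get-DecoyActivity -SamAccountName 'JaneSmith' -Hours 24 | Format-Table -AutoSize
```

The query covers authentication only; the audit entry from Step 2 additionally produces Directory Service Access events (4662) when the object itself is read or modified, which are keyed by object GUID or distinguished name rather than TargetUserName.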