Configure an AD decoy account

You can configure a decoy Active Directory (AD) account that appeals to threat actors by appearing as a legitimate user.

Note:
  • Do not start this procedure if you are in the deployment phase. Your Concierge Security® Team (CST) will determine if this is appropriate for your organization.
  • Arctic Wolf does not recommend using the AD decoy account settings for all AD accounts. The AD decoy account is specifically configured to entice threat actors. Configure other AD accounts with the appropriate security measures.

These actions are required:

  • Make sure your deployment phase is complete.
  • Discuss this feature with your CST to determine if it is right for your organization.

Create an AD decoy account

If you have any old disabled accounts, you can reuse one as the decoy account because its attributes already contain realistic data, for example, LastLogon and badPwdCount. If not, create a new account to use as the decoy.

For each domain that you have, complete these steps:
  1. From a domain controller (DC) or a device with AD tools installed, open Active Directory Users and Computers.
  2. Right-click the Organizational Unit (OU) where you want to create the AD decoy account, and then select New > User.
    Note:

    Arctic Wolf recommends using an OU that is not set to sync to prevent configuration issues and reduce the time required to configure the account.

  3. In the dialog, enter account information that matches the standard format for administrator or service accounts at your company.

    For example, if your administrator accounts usually have a User logon name of admin-name, use the same format for the decoy account. Do not use words like fake or decoy in the account name. Do not use default names like Admin or Administrator.

    Note:

    The user logon name must be unique in your environment.

  4. Make note of the account name to use later.
  5. Click Next.
  6. Create a password for the account that follows the password policy for your organization.
  7. Select these two checkboxes:
    • User cannot change password
    • Password never expires
  8. Click Next.
  9. Review your settings, and then click Finish to create the account.
  10. Sign in to the AD decoy account to populate AD schema attributes.

Configure AD decoy account properties

  1. Right-click the new AD decoy account, and then select Properties.
  2. Click the Account tab.
  3. Click Logon Hours.
  4. In the Logon Hours dialog, select the Logon Denied option, and then click OK.
  5. In the Account options section, select these checkboxes:
    • Store password using reversible encryption
    • Smart card is required for interactive login
  6. Click OK.
  7. In the General tab, enter a description that is consistent with the type of account you want to create.
    For example, for a temporary web administrator account, enter Temp Admin company_name-Web password: generic_password
    Where:
    • company_name is the name of your organization.
    • generic_password is a simple password that uses letters, numbers, and a special character.

    For example, Temp Admin Companyname-Web password: c0mp4nyn4m3!.

  8. Click OK to close the dialog and apply the new properties.
  9. If you use:
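The same account creation and property settings, scripted with the ActiveDirectory PowerShell module. This is an added example, not Arctic Wolf's script or tooling; the function names, the account name admin-webtemp, the OU path and the description text are placeholders to adapt to your own naming conventions.

```powershell
# Added example (not Arctic Wolf's script): create the decoy account, then lock it
# down exactly as the GUI steps above do. Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

function New-DecoyAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # matches your admin naming style, e.g. admin-webtemp
        [Parameter(Mandatory)] [string] $OUPath,           # use an OU that is NOT synced to Microsoft Entra ID
        [Parameter(Mandatory)] [string] $Description,      # enticing text, e.g. "Temp Admin Companyname-Web password: ..."
        [Parameter(Mandatory)] [securestring] $Password    # must satisfy your domain password policy
    )
    $domain = (Get-ADDomain).DNSRoot
    New-ADUser -Name $SamAccountName `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$domain" `
        -Path $OUPath `
        -AccountPassword $Password `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -Description $Description
    # The account can log on at this point. Sign in with it once (step 10 of
    # "Create an AD decoy account") so LastLogon and similar attributes are populated,
    # and only then call Set-DecoyLockdown.
}

function Set-DecoyLockdown {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # logonHours is a 21-byte bitmap: 168 bits, one per hour of the week.
    # All bits cleared is what the "Logon Denied" option in the Logon Hours dialog writes.
    $denyAll = New-Object byte[] 21
    Set-ADUser -Identity $SamAccountName `
        -AllowReversiblePasswordEncryption $true `
        -SmartcardLogonRequired $true `
        -Replace @{ logonHours = $denyAll }
}

# Usage with constructed placeholder values (never reuse a real password here):
$pw = Read-Host -AsSecureString -Prompt 'Decoy account password'
New-DecoyAccount -SamAccountName 'admin-webtemp' `
    -OUPath 'OU=Decoys,DC=mydomain,DC=local' `
    -Description 'Temp Admin Companyname-Web password: c0mp4nyn4m3!' `
    -Password $pw
# ... perform the one-time interactive sign-in here ...
Set-DecoyLockdown -SamAccountName 'admin-webtemp'
```

If the OU is synced to Microsoft Entra ID, the Azure AD Connect sync filtering steps below still apply, because the logonHours restriction is not honoured in the cloud.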

Configure Azure AD Connect sync filtering

Do not complete these steps if:

  • You are using an OU for the AD decoy account that is not set to sync.
  • You do not use a hybrid Microsoft Entra ID.

Note:

If you use a hybrid Microsoft Entra ID, you must configure filtering with Azure AD Connect sync to prevent syncing the decoy account with Microsoft Entra ID. Microsoft Entra ID does not support the Logon Hours setting configured for the decoy account. If the decoy account is synced between Microsoft Entra ID and on-prem AD, the logon restriction is ignored and the account can be accessed. See Azure AD Connect sync: Configure filtering for more information.

  1. Run these commands to disable the scheduler. This prevents the accidental export of unverified changes.
    SHELL
    Import-Module ADSync
    Set-ADSyncScheduler -SyncCycleEnabled $False
  2. Sign in to the server running Azure AD Connect sync using the appropriate admin account.
  3. Click Start > Synchronization Rules Editor.
  4. In the Direction list, select Inbound.
  5. Click Add New Rule.
  6. On the Description page, configure these fields:
    • Name field — Enter a descriptive name for the rule, such as Decoy - Do Not Sync.
    • Connected System — Select the correct forest.
    • Connected System Object Type — Select user.
    • Metaverse Object Type — Select person.
    • Link Type — Select Join.
    • Precedence — Enter a unique value that is not currently used by a different synchronization rule. We recommend using a value lower than 100 but higher than any other values set for other synchronization rules.
  7. Click Next.
  8. Click Add group.
  9. Click Add clause, and then configure the scoping filter:
    • Attribute — Select UserPrincipalName.
    • Operator — Select EQUAL.
    • Value — Enter the email address of the AD decoy account.
  10. Leave the Join rules section empty, and then click Next.
  11. Click Add transformation, and then configure these fields:
    • FlowType — Select Constant.
    • Target Attribute — Select cloudFiltered.
    • Source — Enter True.
  12. Click Add.
  13. Run a full synchronization to complete the configuration:
    1. Click Start > Synchronization Service.
    2. Click Connectors.
    3. In the Connectors list, select the relevant connector.
    4. In the Actions pane, click Run.
    5. In the Run Connector dialog, in the Run profiles section, select Full synchronization.
    6. Click OK.

    When the synchronization completes, the changes are staged to be exported to Microsoft Entra ID.

    Note:

    For up-to-date information about syncing, verifying, and exporting AD to Microsoft Entra ID, see Apply and verify changes.

  14. Before exporting the changes to Microsoft Entra ID, verify that the new rule is configured correctly:
    1. In the PowerShell window, use the cd command to navigate to the %ProgramFiles%\Microsoft Azure AD Sync\bin folder.
    2. Run this command, where Name of Connector is the name of the relevant connector in Synchronization Service:
      SHELL
      # PowerShell does not expand %temp%; use $env:TEMP for the output path instead
      csexport "<Name of Connector>" "$env:TEMP\export.csv" /f:x

      The command generates an export.csv file that contains all changes staged for export.

    3. Review the file to verify the changes, and repeat the configuration steps as needed until the changes are what you expect.
  15. Export the verified changes to Microsoft Entra ID:
    1. In the Connectors list in Synchronization Service, select the relevant connector.
    2. In the Actions list, select Run.
    3. In Run profiles, select Export.
  16. In PowerShell, run this command to re-enable the sync schedule:
    SHELL
    Set-ADSyncScheduler -SyncCycleEnabled $True

Configure a service principal name

Arctic Wolf recommends setting up a service principal name (SPN) that is not actively used within your organization. No legitimate connections should ever request a ticket for this service.

When configuring the SPN, choose a service class that matches the type of account you are creating. For example, for a temporary web administrator account, choose HTTP.

To configure the SPN, you must choose a service class name. In general, this can be any unique string. We recommend using a name that fits the naming convention of other services in your environment. Adding svc as a prefix or suffix to an arbitrary unique name can produce a target that looks attractive to threat actors. If you do not have any services with a generic name such as MSSQLsvc, you can add TERMSRV, HOST, or pssvc as a prefix or suffix.

For more information about setting an SPN or creating a name, see Setspn and Name Formats for Unique SPNs - Win32 apps.

Configure an SPN using the command line

Run this command:
CODE
setspn -U -S <service_class>/<hostname> <username>

Where:

  • service_class is the unique string that identifies the general class of service. For example, HTTP.
  • hostname is the name of the host. If the host is a server, use the fully qualified name.
  • username is the username for the decoy account.
For example, setspn -U -S HTTP/webtemp.mydomain.local admin-webtemp

Configure an SPN using the attribute editor

  1. Open the Active Directory Users and Computers application.
  2. Click the Users folder, and then locate the decoy account.
  3. Right-click the decoy account, and then click Properties.
  4. Click the Attribute Editor tab, and then click the servicePrincipalName attribute.
  5. In the Multi-valued String Editor dialog, in the Value to add field, enter service_class/username.

    Where:

    • service_class is the unique string that identifies the general class of service. For example, HTTP.
    • username is the username for the decoy account.

  6. Click Add.
  7. Click OK.
  8. In the Properties dialog, click Apply.
  9. Click OK.

Verify AD decoy account configuration

Note:

Arctic Wolf recommends running this from the DC.

  1. Prepare the configuration file:
    1. Download the awn-ad-decoy-configure.zip file and move it to an easily-accessible folder on your machine.
    2. Right-click the awn-ad-decoy-configure.zip file, and then select Extract All.
    3. In the Extract Compressed (Zipped) Folders window, browse for a convenient location to extract the contents. For example, a desktop folder.
    4. Verify that Show extracted files when complete is selected.
    5. Select Extract to extract the contents of the zip file to the new awn-ad-decoy-configure folder in the selected destination.
  2. Optional: Using Command Prompt, verify the hash values of the Verify-ADDecoy.ps1 and Verify-ADDecoy.psd1 files:
    1. Run this command:
      CODE
      certutil -hashfile <ps1_file_location> SHA256
      Where:
      • ps1_file_location is the location of the Verify-ADDecoy.ps1 file. For example, c:\Users\User_Name\Downloads\awn-ad-decoy-configure\Verify-ADDecoy.ps1.
      The returned hash value should match 9d77be63c9a9f3ba97f7341201255dbf666c75d1b7f8fcd71591a1271e1b3fd7
    2. Run this command:
      CODE
      certutil -hashfile <psd1_file_location> SHA256
      Where:
      • psd1_file_location is the location of the Verify-ADDecoy.psd1 file. For example, c:\Users\User_Name\Downloads\awn-ad-decoy-configure\Verify-ADDecoy.psd1.
      The returned hash value should match 4d597def8b05e925751fa9e3432d9de750b6236b466ac478315425dab0063733
  3. Open a PowerShell window as an administrator.
  4. In the PowerShell window, use the cd command to navigate to the awn-ad-decoy-configure folder.
  5. Run these commands, replacing username with the user logon name value from Create an AD decoy account.
    SHELL
    Import-Module .\Verify-ADDecoy
    Verify-ADDecoy <username> -Spn
    Note:
    • If you did not configure an SPN, omit -Spn from the command.
    • If you receive a warning that says Verify-ADDecoy.ps1 cannot be loaded because running scripts is disabled on this system., check to make sure you are running this as an administrator. You might also need to change your Execution Policy.
  6. If any of the Security Setting items fail, open a new PowerShell window and run the previous commands again.
    Tip: It is common for the Enticing Description check to fail. As long as the description created in Configure AD decoy account properties includes a phrase that is attractive to threat actors, like pw or password, you can proceed to the next step.
  7. Using the Windows Snipping Tool, take a screenshot of the PowerShell dialog that appears. If any of the Security Setting items fail, return to Configure AD decoy account properties.
    Note: Make sure that the screenshot only includes the terminal window. Do not include any other information that may be confidential.
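For readers who want to see what the security checks amount to at the attribute level, the following added example (not Arctic Wolf's Verify-ADDecoy module) reads the decoy account's AD properties and reports a pass/fail per setting from the steps above, including the SPN from Configure a service principal name. The function name Test-DecoyAccount and the account name admin-webtemp are placeholders.

```powershell
# Added example: independent attribute-level check of a decoy account.
Import-Module ActiveDirectory

function Test-DecoyAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $props = 'logonHours', 'Description', 'servicePrincipalName', 'PasswordNeverExpires',
             'CannotChangePassword', 'AllowReversiblePasswordEncryption',
             'SmartcardLogonRequired', 'LastLogonDate', 'badPwdCount'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    # logonHours is a 21-byte bitmap; all zero means "Logon Denied" for every hour.
    $hours = [byte[]]$u.logonHours
    $logonDenied = ($hours.Count -eq 21) -and (($hours | Measure-Object -Sum).Sum -eq 0)

    # Each entry maps to a GUI step earlier on this page.
    $checks = [ordered]@{
        'Logon hours denied'             = $logonDenied
        'Reversible encryption'          = [bool]$u.AllowReversiblePasswordEncryption
        'Smart card required'            = [bool]$u.SmartcardLogonRequired
        'Password never expires'         = [bool]$u.PasswordNeverExpires
        'User cannot change password'    = [bool]$u.CannotChangePassword
        'Enticing description'           = ($u.Description -match '(?i)\bpw\b|password')
        'SPN configured'                 = ($u.servicePrincipalName.Count -gt 0)
        'Name avoids giveaways'          = ($u.SamAccountName -notmatch '(?i)fake|decoy|^admin(istrator)?$')
        'Attributes populated (LastLogon)' = ($null -ne $u.LastLogonDate)
    }
    return $checks
}

# Usage: print a pass/fail table. A FAIL points back to the step to repeat.
$result = Test-DecoyAccount -SamAccountName 'admin-webtemp'
$result.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```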

Provide account information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter AD Decoy Setup.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
  5. Click Send Message.
    Arctic Wolf provisions security monitoring for this application.