MDE | Deception

Derk van der Woude
4 min readNov 16, 2023

--

Deception is a new feature in Microsoft Defender for Endpoint. This blog provides a high level overview of the new feature. Deception deploys virtual decoys (local accounts/Alias and advices/Host name) on the assigned Microsoft Defender for Endpoint devices.

When a decoy is targeted (e.g. by Red Team or Bad Actor) by lateral movement, an Incident (tagged Deception) is created in Microsoft Defender XDR (previous Microsoft 365 Defender).

This blog describes:

  1. The setup of Microsoft Defender for Endpoint | Deception
  2. Discovery of the decoys (from a bad actor or red team perspective)
  3. Attack (lateral movement) of the discovered decoys
  4. Incidents in Microsoft Defender XDR created by the attack

Setup of Deception

To setup Deception the first thing we need to do is enable the Deception feature in the Advanced settting of Microsoft Defender for Endpoint.

The next step is to enable and edit the Default Rule or create (up to 10) Custom Rule(s).

Each rule consists of the following steps

  • Name and Lure Types (Basic or Advanced)
  • Scope (plant Lures to All or tagged devices)
  • Decoys (pre-staged accounts and hosts but my advise is to use the corporate naming convection)
  • Lures (autogenerated or custom)

Wait a few hours for the decoys to be planted on the scoped devices.

Keep in mind all decoys are planted on the scoped MDE devices and not in the Active Directory itself.

The decoy devices (Host names) are added to ‘C:\windows\system32\drivers\etc\hosts’ of the scoped Microsoft Defender for Endpoint devices.

The decoy accounts (alias) are ingested in the LSASS (Local Security Authority Subsystem Service) memory space. LSASS caches credentials in memory for active users on the local device.

Discovery

A bad actor (or red team) always start with the reconnaisance phase to discover and analyze the environment for the initial attack and/or lateral movement.

User account (Dump LSASS)

User account(s) and credentials (hash) can be discovered via MimiKatz (including the fake decoy user accounts).

Other methods of dumping LSASS are Procdump (Sysinternals) and Task Manager (Create memory dump file).

The (off-line) file .DMB can be ingested in MimiKatz via the minidump parameter to read the user accounts and credentials (hashes).

Device (dump DNS Cache)

Devices accessed from the ‘compromised’ device are stored in the DNS Cache. These devices can be used for lateral movement purposes. To find the devices, the DNS cache can be dumped. Via the Command-line.

ipconfig /displaydns

Or via PowerShell.

Get-DnsClientCache

Now that we got assets (accounts and devices) discovered we can ‘attack’ the devices :-)

Attack: Lateral Movement

Attacking a discovered asset can be seen as lateral movement, a technique used (after initial access) to move through the network to get more access (e.g. the end goal in Active Directory is domain dominance).

An RDP (Remote Desktop Protocol) session to a discovered device results in an error but is enough to trigger a deception incident.

Another method to access a device is via PsExec (Sysinternals), for example

psexec \\dc01.s3cur1ty.local "c:\\backdoor.exe"

Both methods result in an error but are enough to trigger a deception incident which we will see in the next chapter.

Microsoft Defender XDR| Incidents

When a decoy account or device is targeted an alert / incident is created in Microsoft Defender XDR and Tagged as Deception.

This blog provides a high level overview of this new 100% detection feature, more options (e.g. file access) will follow soon in new releases of the Deception feature.

--

--