[
  {
    "path": "DISCLAIMER",
    "content": "Deploy-Deception should be used for authorized testing and/or educational purposes only. No Exceptions."
  },
  {
    "path": "Deploy-Deception.ps1",
    "content": "#Requires -Modules ActiveDirectory\n\n<#\n\nFile: Deploy-Deception.ps1\nAuthor: Nikhil Mittal (@nikhil_mitt)\nDescription: A PowerShell module to deploy active directory decoy objects.\nRequired Dependencies: ActiveDirectory Module by Microsoft\n\n#>\n\n\n##################################### Helper Functions #####################################\n\nfunction Create-DecoyUser\n{\n<#\n.SYNOPSIS\nCreate a user object.\n \n.DESCRIPTION\nCreates a user object on the domain. Must be run on a DC with domain admin privileges.\n\n.PARAMETER UserFirstName\nFirst name of the user to be created. \n\n.PARAMETER UserLastName\nLast name of the user to be created. \n\n.PARAMETER Password\nPassword for the user to be created. \n\n.PARAMETER OUDistinguishedName\nDistinguishedName of OU where the user will be created. The default User OU is used if this parameter is not specified.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123\nUse the above command to create a user 'usermanager'.\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#> \n    [CmdletBinding()] Param(\n        [Parameter(Position = 0, Mandatory = $False)]\n        [String]\n        $UserFirstName,\n\n        [Parameter(Position = 1, Mandatory = $False)]\n        [String]\n        $UserLastName,\n        \n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        $Password,\n        \n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        $OUDistinguishedName\n    )\n\n        # The decoy's name and SamAccountName are the concatenation of first and last name\n        $UserDisplayName = $UserFirstName + $UserLastName\n\n        if (!$OUDistinguishedName)\n        {\n            Write-Verbose \"Creating user $UserDisplayName.\"\n            (New-ADUser -Name $UserDisplayName -AccountPassword (ConvertTo-SecureString -AsPlainText $Password -Force) -SamAccountName 
$UserDisplayName -Enabled $True -DisplayName $UserDisplayName -PassThru).SamAccountName\n        }\n        else\n        {\n            Write-Verbose \"Creating user $UserDisplayName in $OUDistinguishedName.\"\n            (New-ADUser -Name $UserDisplayName -AccountPassword (ConvertTo-SecureString -AsPlainText $Password -Force) -SamAccountName $UserDisplayName -Enabled $True -DisplayName $UserDisplayName -Path $OUDistinguishedName -PassThru).SamAccountName\n        }\n\n}\n\nfunction Create-DecoyComputer\n{\n<#\n.SYNOPSIS\nCreate a computer object.\n \n.DESCRIPTION\nCreates a computer object on the domain. Must be run on a DC with domain admin privileges.\n\n.PARAMETER ComputerName\nName of the computer to be created. \n\n.PARAMETER OUDistinguishedName\nDistinguishedName of OU where the computer will be created. The default Computer OU is used if this parameter is not specified.\n\n.EXAMPLE\nPS C:\\> Create-DecoyComputer -ComputerName revert-web -Verbose\nUse the above command to create a computer 'revert-web'.\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#> \n    [CmdletBinding()] Param(\n        [Parameter(Position = 0, Mandatory = $False)]\n        [String]\n        $ComputerName,\n             \n        [Parameter(Position = 1, Mandatory = $False)]\n        [String]\n        $OUDistinguishedName\n    )\n        # Build the FQDN from the computer name and the domain's DNS root\n        $DNSHostname = $ComputerName + \".\" + (Get-ADDomain).DNSRoot\n\n        if (!$OUDistinguishedName)\n        {\n            Write-Verbose \"Creating computer $DNSHostname.\"\n            (New-ADComputer -Name $ComputerName -Enabled $True -DNSHostName $DNSHostname -PassThru).SamAccountName\n        }\n        else\n        {\n            Write-Verbose \"Creating computer $DNSHostname in $OUDistinguishedName.\"\n            (New-ADComputer -Name $ComputerName -Enabled $True -DNSHostName $DNSHostname -Path 
$OUDistinguishedName -PassThru).SamAccountName\n        }\n\n}\n\nfunction Create-DecoyGroup\n{\n<#\n.SYNOPSIS\nCreate a Group object.\n \n.DESCRIPTION\nCreates a Group object on the domain. Must be run on a DC with domain admin privileges.\n\n.PARAMETER GroupName\nName of the Group to be created. \n\n.PARAMETER GroupScope\nThe scope of the created group. Default is Global.\n\n.EXAMPLE\nPS C:\\> Create-DecoyGroup -GroupName 'Forest Admins' -Verbose\nUse the above command to create a Global Group 'Forest Admins'.\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#> \n    [CmdletBinding()] Param(\n        [Parameter(Position = 0, Mandatory = $False)]\n        [String]\n        $GroupName,\n             \n        [Parameter(Position = 1, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"DomainLocal\",\"Global\",\"Universal\")]\n        $GroupScope = \"Global\"\n    )\n        Write-Verbose \"Creating Group $GroupName.\"\n        (New-ADGroup -Name $GroupName -GroupScope $GroupScope -PassThru).SamAccountName\n\n}\n\nfunction Get-ADObjectDetails\n{\n<#\n.SYNOPSIS\nHelper function to retrieve details about an object from domain.\n \n.DESCRIPTION\nHelper function to retrieve details - SamAccountName, Distinguished Name and ACL for an object from domain.\n\n.PARAMETER UserName\nUsername to get details for. \n\n.PARAMETER SamAccountName\nSamAccountName of a user to get details for.\n\n.PARAMETER DistinguishedName\nDistinguishedName of a user to get details for. \n\n.PARAMETER ComputerName\nComputerName to get details for. \n\n.PARAMETER GroupName\nGroupName to get details for. 
\n\n.PARAMETER OUName\nOUName to get details for.\n\n.EXAMPLE\nPS C:\\> Get-ADObjectDetails -SamAccountName usermanager\nUse the above command to get details for the user 'usermanager'.\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#> \n\n    [CmdletBinding()] Param(\n\n        [Parameter(Position = 0, Mandatory = $False)]\n        [String]\n        $UserName,\n        \n        [Parameter(Position = 1, Mandatory = $False)]\n        [String]\n        $SAMAccountName,\n        \n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        $DistinguishedName,\n\n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        $ComputerName,\n\n        [Parameter(Position = 4, Mandatory = $False)]\n        [String]\n        $GroupName,\n        \n        [Parameter(Position = 5, Mandatory = $False)]\n        [String]\n        $OUName\n    )\n\n    # Resolve the target's DistinguishedName and SamAccountName from whichever identifier was supplied\n    if ($UserName)\n    {\n        $objDN = (Get-ADUser -Filter {Name -eq $UserName}).distinguishedname\n        $TargetSamAccountName = (Get-ADUser -Filter {Name -eq $UserName}).SamAccountName\n    }\n    elseif ($SAMAccountName)\n    {\n        $objDN = (Get-ADUser -Identity $SamAccountName).distinguishedname\n        $TargetSamAccountName = $SAMAccountName\n    }\n    elseif ($DistinguishedName)\n    {\n        $objDN = $DistinguishedName\n        # A DistinguishedName is a valid -Identity for Get-ADUser\n        $TargetSamAccountName = (Get-ADUser -Identity $DistinguishedName).SamAccountName\n    }\n    elseif ($ComputerName)\n    {\n        $objDN = (Get-ADComputer -Identity $ComputerName).distinguishedname\n        $TargetSamAccountName = (Get-ADComputer -Identity $ComputerName).SamAccountName\n    }\n    elseif ($GroupName)\n    {\n        $objDN = (Get-ADGroup -Identity $GroupName).distinguishedname\n        $TargetSamAccountName = (Get-ADGroup -Identity $GroupName).SamAccountName\n    }\n\n    elseif ($OUName)\n    {\n        $objDN = (Get-ADOrganizationalUnit 
-Filter {Name -eq $OUName}).distinguishedname\n        # An OU has no SamAccountName\n        $TargetSamAccountName = $null\n    }\n    else\n    {\n        Write-Warning 'Cannot find the object. Specify one of UserName, SamAccountName, DistinguishedName, ComputerName, GroupName or OUName.'\n        return\n    }\n    #Write-Verbose \"Getting the existing ACL for $objDN.\"\n    $ACL = Get-Acl -Path \"AD:\\$objDN\"\n\n    \n    # A PSObject for returning properties\n\n    $ObjectProperties = @{\n\n        SamAccountName = $TargetSamAccountName\n        DistinguishedName = $objDN\n        ACL = $ACL\n\n    }\n\n    New-Object psobject -Property $ObjectProperties\n}\n\nfunction Set-AuditRUle\n{\n<#\n.SYNOPSIS\nHelper function to set auditing for an object in domain.\n \n.DESCRIPTION\nHelper function to set auditing (a SACL entry) for an object in domain.\n\n.PARAMETER UserName\nUsername to set SACL for. \n\n.PARAMETER SamAccountName\nSamAccountName of a user to set SACL for.\n\n.PARAMETER DistinguishedName\nDistinguishedName of a user to set SACL for. \n\n.PARAMETER ComputerName\nComputerName to set SACL for. \n\n.PARAMETER GroupName\nGroupName to set SACL for. \n\n.PARAMETER OUName\nOUName to set SACL for.\n\n.PARAMETER Principal\nThe Principal (user or group) for which auditing is turned on when they use Rights defined by the Right or GUID parameter.\n\n.PARAMETER Right\nThe Right for which auditing is turned on when used by the principal specified with the Principal parameter.\nDefault is ReadProperty right.\n\n.PARAMETER GUID\nGUID for the property for which auditing is turned on when Principal uses Right on the property.\n\n.PARAMETER AuditFlag\nTurn on Auditing for Success or Failure. 
Default is Success.\n\n.PARAMETER RemoveAuditing\nRemove previously added Auditing ACE.\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#> \n    [CmdletBinding()] Param(\n        [Parameter(Position = 0, Mandatory = $False)]\n        [String]\n        $UserName,\n\n        [Parameter(Position = 1, Mandatory = $False)]\n        [String]\n        $SAMAccountName,\n        \n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        $DistinguishedName,\n\n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        $ComputerName,\n        \n        [Parameter(Position = 4, Mandatory = $False)]\n        [String]\n        $GroupName,\n\n        [Parameter(Position = 5, Mandatory = $False)]\n        [String]\n        $OUName,\n\n        [Parameter(Position = 6, Mandatory = $False)]\n        [String]\n        $Principal,\n\n        [Parameter(Position = 7, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"GenericAll\",\"GenericRead\",\"GenericWrite\",\"ReadControl\",\"ReadProperty\",\"WriteDacl\",\"WriteOwner\",\"WriteProperty\")]\n        $Right = \"ReadProperty\",\n\n        [Parameter(Position = 8, Mandatory = $False)]\n        [String]\n        $GUID,\n\n        [Parameter(Position = 9, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"Success\",\"Failure\")]\n        $AuditFlag = \"Success\",\n\n        [Parameter(Mandatory = $False)]\n        [Bool]\n        $RemoveAuditing\n    )\n    \n    # Pass every identifier through; Get-ADObjectDetails uses the first one that is set\n    $objectdetails = Get-ADObjectDetails -UserName $UserName -SAMAccountName $SamAccountName -DistinguishedName $DistinguishedName -ComputerName $ComputerName -GroupName $GroupName -OUName $OUName\n\n    $ACL = $objectdetails.ACL\n\n    $sid = New-Object System.Security.Principal.NTAccount($Principal)\n    if (!$GUID)\n    {\n        # No GUID: audit the Right on the object as a whole\n        $AuditRule = New-Object DirectoryServices.ActiveDirectoryAuditRule($sid,$Right,$AuditFlag)\n    }\n\n    # Set Auditing for a specific property in the object 
with the property or attribute GUID\n    # Interesting GUIDs:\n    # userAccountControl - bf967a68-0de6-11d0-a285-00aa003049e2\n    # x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a\n    else\n    {\n        $objectGuid = New-Object Guid $GUID\n        $AuditRule = New-Object DirectoryServices.ActiveDirectoryAuditRule($sid,$Right,$AuditFlag,$objectGuid)\n    }\n\n    $objDN = $objectdetails.DistinguishedName\n\n    if(!$RemoveAuditing)\n    {\n        Write-Verbose \"Turning \"\"$AuditFlag\"\" Auditing on for \"\"$objDN\"\" when \"\"$Principal\"\" uses \"\"$Right\"\" right.\"\n        $ACL.AddAuditRule($AuditRule)\n    }\n    else\n    {\n        Write-Verbose \"Removing \"\"$AuditFlag\"\" Auditing for \"\"$objDN\"\" when \"\"$Principal\"\" uses \"\"$Right\"\" right.\"\n        $ACL.RemoveAuditRule($AuditRule)\n    }\n\n    Set-Acl \"AD:\\$objDN\" -AclObject $ACL\n\n}\n\n################################## End of Helper Functions #################################\n\n\nfunction Deploy-UserDeception\n{\n<#\n.SYNOPSIS\nDeploys the specific decoy user to log Security Event 4662 when a specific Right is used against it.\n\n.DESCRIPTION\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy user object.\n\nThe function must be run on a DC with domain admin privileges. There are multiple user attributes and flags\nwhich can be set while deploying the decoy. These attributes and flags make the decoy interesting for an attacker. \nWhen a right, say, ReadProperty is used to access the decoy user, a Security Event 4662 is logged. \n\nNote that Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access\nGroup Policy needs to be configured to enable 4662 logging. 
\n\n.PARAMETER DecoySamAccountName\nSamAccountName of the decoy user.  \n\n.PARAMETER DecoyDistinguishedName\nDistinguishedName of the decoy user. \n\n.PARAMETER UserFlag\nA decoy user property which would be 'interesting' for an attacker.\n\n.PARAMETER PasswordInDescription\nLeave a password in Description of the decoy user.\n\n.PARAMETER SPN\nSet 'interesting' SPN for the decoy user in the format servicename/host.\n\n.PARAMETER Principal\nThe Principal (user or group) for which auditing is turned on when they use Rights defined by the Right or GUID parameter.\n\n.PARAMETER Right\nThe Right for which auditing is turned on when used by the principal specified with the Principal parameter.\nDefault is ReadProperty right.\n\n.PARAMETER GUID\nGUID for the property for which auditing is turned on when Principal uses Right on the property.\n\n.PARAMETER AuditFlag\nTurn on Auditing for Success or Failure. Default is Success.\n\n.PARAMETER RemoveAuditing\nRemove previously added Auditing ACE.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose\nCreates a decoy user whose password never expires and a 4662 is logged whenever ANY property of the user is read. 
Very verbose!\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose\nCreates a decoy user whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThis property is not read by net.exe, WMI classes (like Win32_UserAccount) and the ActiveDirectory module,\nbut LDAP-based tools like PowerView and ADExplorer trigger the logging.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy-UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl -Verbose \nCreates a decoy user which has the Allow Reversible Password Encryption property set. \nA 4662 is logged whenever the DACL of the user is read.\n\nThis property is not read by enumeration tools unless the DACL or all properties of the decoy user are explicitly read.\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#>\n    [CmdletBinding()] Param(\n        \n        [Parameter(ParameterSetName=\"SamAccountName\",Position = 0, Mandatory = $False,ValueFromPipeline = $True)]\n        [String]\n        $DecoySamAccountName,\n        \n        [Parameter(ParameterSetName=\"ADSPath\",Position = 1, Mandatory = $False)]\n        [String]\n        $DecoyDistinguishedName,\n\n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"DoesNotRequirePreAuth\",\"AllowReversiblePasswordEncryption\",\"PasswordNeverExpires\",\"TrustedForDelegation\",\"TrustedToAuthForDelegation\")]\n        $UserFlag,\n\n        [Parameter(Position = 4, Mandatory = $False)]\n        [String]\n        $PasswordInDescription,\n\n        [Parameter(Position = 5, Mandatory = $False)]\n        [String]\n        $SPN,\n\n        
[Parameter(Position = 6, Mandatory = $False)]\n        [String]\n        $Principal = \"Everyone\",\n\n        [Parameter(Position = 7, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"GenericAll\",\"GenericRead\",\"GenericWrite\",\"ReadControl\",\"ReadProperty\",\"WriteDacl\",\"WriteOwner\",\"WriteProperty\")]\n        $Right = \"ReadProperty\",\n\n        [Parameter(Position = 8, Mandatory = $False)]\n        [String]\n        $GUID,\n\n        [Parameter(Position = 9, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"Success\",\"Failure\")]\n        $AuditFlag = \"Success\",\n\n        [Parameter(Mandatory = $False)]\n        [Bool]\n        $RemoveAuditing = $False\n    )\n\n    if($DecoySamAccountName)\n    {\n        $DecoySamAccountName = (Get-ADObjectDetails -SAMAccountName $DecoySamAccountName).SamAccountName\n    }\n\n    elseif ($DecoyDistinguishedName)\n    {\n        $DecoySamAccountName = (Get-ADObjectDetails -DistinguishedName $DecoyDistinguishedName).SamAccountName\n    }\n\n    else\n    {\n        Write-Warning \"No such decoy user found.\"\n        return\n    }\n    \n    if ($UserFlag)\n    {\n        # Set the decoy user account's userAccountControl flag.\n        Write-Verbose \"Adding $UserFlag to decoy user $DecoySamAccountName.\"\n        switch($UserFlag)\n        {\n        \n            \"DoesNotRequirePreAuth\"\n            {\n                Set-ADAccountControl -Identity $DecoySamAccountName -DoesNotRequirePreAuth $true\n            }\n            \"AllowReversiblePasswordEncryption\"\n            {\n                Set-ADAccountControl -Identity $DecoySamAccountName -AllowReversiblePasswordEncryption $true\n            }\n            \"PasswordNeverExpires\"\n            {\n                Set-ADAccountControl -Identity $DecoySamAccountName -PasswordNeverExpires $true\n            }\n            \"TrustedForDelegation\"\n            {\n                Set-ADAccountControl -Identity $DecoySamAccountName -TrustedForDelegation $true\n      
      }\n            \"TrustedToAuthForDelegation\"\n            {\n                Set-ADAccountControl -Identity $DecoySamAccountName -TrustedToAuthForDelegation $true\n            }\n        }\n    }\n\n    if ($PasswordInDescription)\n    {\n        # Be creative! For example, \"User Password is July@2018 - Last used by Gary\"\n        Write-Verbose \"Adding $PasswordInDescription for decoy user $DecoySamAccountName.\"\n        Set-ADUser -Identity $DecoySamAccountName -Description $PasswordInDescription\n    }\n\n    if ($SPN)\n    {\n        Write-Verbose \"Adding $SPN to decoy user $DecoySamAccountName.\"\n        Set-ADUser -Identity $DecoySamAccountName -ServicePrincipalNames @{Add=$SPN}\n    }\n\n    Set-AuditRUle -SAMAccountName $DecoySamAccountName -Principal $Principal -Right $Right -GUID $GUID -AuditFlag $AuditFlag -RemoveAuditing $RemoveAuditing\n  \n}\n\nfunction Deploy-SlaveDeception\n{\n<#\n.SYNOPSIS\nDeploys the specific slave user and FullControl over it for a master user to log Security Event 4662 when a specific Right is used.\n\n.DESCRIPTION\nThis function sets up auditing when a specified Right is used over the slave user by a master user who has FullControl/GenericAll over the slave user.\n\nNote that Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access\nGroup Policy needs to be configured to enable 4662 logging. \n\n.PARAMETER SlaveSamAccountName\nSamAccountName of the slave user.  
\n\n.PARAMETER SlaveDistinguishedName\nDistinguishedName of the slave user.\n\n.PARAMETER DecoySamAccountName\nSamAccountName of the decoy user.\n\n.PARAMETER DecoyDistinguishedName\nDistinguishedName of the decoy user.\n\n.PARAMETER RemoveAuditing\nRemove previously added Auditing ACE.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 \nPS C:\\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose\n\nThe first command creates a decoy user 'masteruser'.\nThe second command creates a decoy user 'slaveuser' and provides masteruser GenericAll rights over slaveuser.\n\nFor both the users a 4662 is logged whenever there is any interaction with them.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose\nPS C:\\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose\nPS C:\\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose \nThe first command creates a decoy user 'masteruser' whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\nThe second command creates a decoy user 'slaveuser' whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\nThe third command grants masteruser GenericAll rights over slaveuser.\n\nThe above three commands make masteruser and slaveuser attractive for an attacker, and the logging is triggered only by aggressive enumeration.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123\nPS C:\\> Create-DecoyUser 
-UserFirstName slave -UserLastName user -Password Pass@123 \nPS C:\\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose \nPS C:\\> Deploy-UserDeception -DecoySamAccountName slaveuser -Principal masteruser -Right WriteDacl -Verbose\nThe first three commands create masteruser, create slaveuser and provide masteruser GenericAll rights on slaveuser.\nThe fourth command triggers a 4662 log only when masteruser is used to change the DACL (WriteDacl) of slaveuser. \n\nThis is useful when targeting lateral movement and it is assumed that an adversary will get access to masteruser.\nFor example, masteruser could be a honeyuser whose credentials are left on multiple machines, or masteruser can have its\nusable password in Description. \n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#>\n    [CmdletBinding()] Param(\n        \n        [Parameter(ParameterSetName=\"SamAccountName\",Position = 0, Mandatory = $False,ValueFromPipeline = $True)]\n        [String]\n        $SlaveSamAccountName,\n        \n        [Parameter(ParameterSetName=\"ADSPath\",Position = 1, Mandatory = $False)]\n        [String]\n        $SlaveDistinguishedName,\n\n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        $DecoySamAccountName,\n        \n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        $DecoyDistinguishedName,\n\n        [Parameter(Mandatory = $False)]\n        [Bool]\n        $RemoveAuditing = $False\n    )\n\n    if($DecoySamAccountName)\n    {\n        $DecoySamAccountName = (Get-ADObjectDetails -SAMAccountName $DecoySamAccountName).SamAccountName\n    }\n\n    elseif ($DecoyDistinguishedName)\n    {\n        $DecoySamAccountName = (Get-ADObjectDetails -DistinguishedName $DecoyDistinguishedName).SamAccountName\n    }\n    else\n    {\n        Write-Warning \"No such decoy user found.\"\n        return\n    }\n\n    
if($SlaveSamAccountName)\n    {\n        $SlaveSamAccountName = (Get-ADObjectDetails -SAMAccountName $SlaveSamAccountName).SamAccountName\n    }\n    elseif ($SlaveDistinguishedName)\n    {\n        $SlaveSamAccountName = (Get-ADObjectDetails -DistinguishedName $SlaveDistinguishedName).SamAccountName\n    }\n    else\n    {\n        Write-Warning \"No such slave user found.\"\n        return\n    }\n\n    # Get ACL of the slave user\n    $slaveuserdetails = Get-ADObjectDetails -SAMAccountName $SlaveSamAccountName\n    $ACL = $slaveuserdetails.ACL\n\n    # Set GenericAll (FullControl) rights on the slave user for the decoy (master) user\n    $sid = New-Object System.Security.Principal.NTAccount($DecoySamAccountName)\n    $ACE = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'GenericAll','Allow')\n    $objDN = $slaveuserdetails.DistinguishedName\n    $ACL.AddAccessRule($ACE)\n    Set-Acl \"AD:\\$objDN\" -AclObject $ACL\n\n    # Add auditing for the decoy user and the slave user on ReadProperty of the x500uniqueIdentifier attribute.\n\n    Set-AuditRUle -SAMAccountName $DecoySamAccountName -Principal Everyone -Right ReadProperty -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -AuditFlag Success -RemoveAuditing $RemoveAuditing\n    Set-AuditRUle -SAMAccountName $SlaveSamAccountName -Principal Everyone -Right ReadProperty -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -AuditFlag Success -RemoveAuditing $RemoveAuditing\n\n}\n\nfunction Deploy-PrivilegedUserDeception\n{\n<#\n.SYNOPSIS\nDeploys the specific decoy user and provides it high privileges (with protections) to make it interesting for an adversary.\n\n.DESCRIPTION\nThis function deploys a decoy user which has high privileges like membership of the Domain Admins group. \n\nThere are protections like DenyLogon to avoid abuse of these privileges. 
\n\nNote that Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access\nGroup Policy needs to be configured to enable 4662 logging.\n\nAdditionally, Audit Kerberos Authentication Service (Failure) needs to be enabled for 4768 logging.\n\n.PARAMETER DecoySamAccountName\nSamAccountName of the decoy user.  \n\n.PARAMETER DecoyDistinguishedName\nDistinguishedName of the decoy user.\n\n.PARAMETER Technique\nThe privileges for the decoy user. Currently, DomainAdminsMemebership and DCSyncRights.\n\n.PARAMETER Protection\nProtection for avoiding abuse of the privileges. Currently, only DenyLogon is available.\n\n.PARAMETER Principal\nThe Principal (user or group) for which auditing is turned on when they use Rights defined by the Right or GUID parameter.\n\n.PARAMETER Right\nThe Right for which auditing is turned on when used by the principal specified with the Principal parameter.\nDefault is ReadControl right.\n\n.PARAMETER GUID\nGUID for the property for which auditing is turned on when Principal uses Right on the property.\n\n.PARAMETER AuditFlag\nTurn on Auditing for Success or Failure. Default is Success.\n\n.PARAMETER CreateLogon\nCreate a logon for the created decoy user on the DC where the function is run. This helps in avoiding detection of the decoy\nwhich relies on logonCount. A user profile is created on the DC when this parameter is used. \n\n.PARAMETER logonCount\nValue of logonCount for the decoy user. Default is 1.\n\n.PARAMETER RemoveAuditing\nRemove previously added Auditing ACE.\n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Verbose\nCreate a decoy user named decda and make it a member of the Domain Admins group. As a protection against potential abuse,\nDeny logon to the user on any machine. 
Please be aware that if another DA gets compromised the DenyLogon setting can be removed.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads the DACL or all properties of the user will result in a 4662 being logged. \n\n.EXAMPLE\nPS C:\\> Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DCSyncRights -Protection DenyLogon -Verbose\nUse existing user decda and provide it DCSyncRights. As a protection against potential abuse,\nDeny logon to the user on any machine.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads the DACL or all properties of the user will result in a 4662 being logged. \n\n.EXAMPLE\nPS C:\\> Create-DecoyUser -UserFirstName test -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -CreateLogon -Verbose \nCreate a decoy user named testda and make it a member of the Domain Admins group. \nAs a protection against potential abuse, Deny logon to the user on any machine. \n\nTo avoid detection of the decoy which relies on logonCount, use the CreateLogon option which starts and stops a process as the\ndecoy user on the DC. A user profile is created on the DC when this parameter is used. \n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads the DACL or all properties of the user will result in a 4662 being logged. 
\n \n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#>\n    [CmdletBinding()] Param(\n        \n        [Parameter(ParameterSetName=\"SamAccountName\",Position = 0, Mandatory = $False,ValueFromPipeline = $True)]\n        [String]\n        $DecoySamAccountName,\n\n        [Parameter(ParameterSetName=\"ADSPath\",Position = 1, Mandatory = $False)]\n        [String]\n        $DecoyDistinguishedName,\n\n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"DomainAdminsMemebership\",\"DCSyncRights\")]\n        $Technique,\n\n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"DenyLogon\")]\n        $Protection,\n\n        [Parameter(Position = 4, Mandatory = $False)]\n        [String]\n        $Principal = \"Everyone\",\n\n        [Parameter(Position = 5, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"GenericAll\",\"GenericRead\",\"GenericWrite\",\"ReadControl\",\"ReadProperty\",\"WriteDacl\",\"WriteOwner\",\"WriteProperty\")]\n        $Right = \"ReadControl\",\n\n        [Parameter(Position = 6, Mandatory = $False)]\n        [String]\n        $GUID,\n\n        [Parameter(Position = 7, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"Success\",\"Failure\")]\n        $AuditFlag = \"Success\",\n\n        [Parameter(Mandatory = $False)]\n        [Switch]\n        $CreateLogon,\n\n        [Parameter(Mandatory = $False)]\n        [int]\n        $logonCount = 1,\n\n        [Parameter(Mandatory = $False)]\n        [Bool]\n        $RemoveAuditing = $False\n    )\n\n    if($DecoySamAccountName)\n    {\n        $DecoySamAccountName = (Get-ADObjectDetails -SAMAccountName $DecoySamAccountName).SamAccountName\n    }\n\n    elseif ($DecoyDistinguishedName)\n    {\n        $DecoySamAccountName = (Get-ADObjectDetails -DistinguishedName $DecoyDistinguishedName).SamAccountName\n    }\n    
else\n    {\n        Write-Warning \"No such decoy user found.\"\n        return\n    }\n\n\n    if ($Technique)\n    {\n        # Set the decoy user's interesting privileges.\n        switch($Technique)\n        {\n            \"DomainAdminsMemebership\"\n            {\n                # The user will actually be a part of the DA group but cannot logon.\n                Write-Verbose \"Adding $DecoySamAccountName to the Domain Admins Group.\"\n                Add-ADGroupMember -Identity \"Domain Admins\" -Members $DecoySamAccountName\n                $isDA = $True\n            }\n            \"DCSyncRights\"\n            {          \n                # Replication Rights: grant both extended rights on the domain naming context\n                Write-Verbose \"Providing DCSync permissions to $DecoySamAccountName.\"\n                $DomainDN = (Get-AdDomain).DistinguishedName\n                $ACL = Get-Acl \"AD:\\$DomainDN\"\n                $sid = New-Object System.Security.Principal.NTAccount($DecoySamAccountName)\n                # DS-Replication-Get-Changes-All\n                $objectGuidChangesAll = New-Object Guid 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\n                $ACE = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidChangesAll)\n                $ACL.AddAccessRule($ACE)\n                Set-Acl \"AD:\\$DomainDN\" -AclObject $ACL\n\n                $ACL = Get-Acl \"AD:\\$DomainDN\"\n                # DS-Replication-Get-Changes\n                $objectGuidChanges = New-Object Guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\n                $ACE = New-Object DirectoryServices.ActiveDirectoryAccessRule($sid,'ExtendedRight','Allow',$objectGuidChanges)\n                $ACL.AddAccessRule($ACE)\n                Set-Acl \"AD:\\$DomainDN\" -AclObject $ACL\n            }\n        }\n    }\n\n    if ($Protection)\n    {\n        switch ($Protection)\n        {\n            \"DenyLogon\"\n            {\n                # Deny logon to user from anywhere by setting logon hours (a logonHours value of all zero bytes permits no hours)\n                $Hours = New-Object byte[] 21\n                $Hours[5] = 000; $Hours[8] = 000; $Hours[11] = 000; 
$Hours[14] = 000; $Hours[17] = 000;\n                $Hours[6] = 0; $Hours[9] = 0; $Hours[12] = 0; $Hours[15] = 0; $Hours[18] = 0;\n                $ReplaceHashTable = New-Object HashTable\n                $ReplaceHashTable.Add(\"logonHours\", $Hours)\n                Write-Verbose \"Adding protection - Decoy user $DecoySamAccountName has been denied logon.\"\n                Set-ADUser -Identity $DecoySamAccountName -Replace $ReplaceHashTable\n            }\n        }\n    }\n\n    # Add auditing to the decoy user\n    Set-AuditRule -UserName $DecoyUserName -SAMAccountName $DecoySamAccountName -DistinguishedName $DecoyDistinguishedName -Principal $Principal -Right $Right -GUID $GUID -AuditFlag $AuditFlag -RemoveAuditing $RemoveAuditing\n    \n}\n\nfunction Deploy-ComputerDeception\n{\n<#\n.SYNOPSIS\nDeploys the specific decoy computer to log Security Event 4662 when a specific Right is used against it.\n\n.DESCRIPTION\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy computer object.\n\nThe function must be run on a DC with domain admin privileges. There are multiple computer attributes and flags\nthat can be set while deploying the decoy. These attributes and flags make the decoy interesting for an attacker. \nWhen a right, say, ReadProperty is used to access the decoy computer, a Security Event 4662 is logged. \n\nNote that Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access\nGroup Policy needs to be configured to enable 4662 logging. \n\n.PARAMETER DecoyComputerName\nSamAccountName of the decoy computer.  \n\n.PARAMETER OperatingSystem\nOperatingSystem attribute for the decoy computer. 
\n\n.PARAMETER SPN\nSet 'interesting' SPN for the decoy computer in the format servicename/host.\n\n.PARAMETER PropertyFlag\nA decoy computer property which would be 'interesting' for an attacker.\n\n.PARAMETER Principal\nThe Principal (user or group) for which auditing is turned on when they use Rights defined by the Right or GUID parameter.\n\n.PARAMETER Right\nThe Right for which auditing is turned on when used by the principal specified with the Principal parameter.\nDefault is ReadProperty right.\n\n.PARAMETER GUID\nGUID for the property for which auditing is turned on when Principal uses Right on the property.\n\n.PARAMETER AuditFlag\nTurn on Auditing for Success or Failure. Default is Success.\n\n.PARAMETER RemoveAuditing\nRemove previously added Auditing ACE.\n\n.EXAMPLE\nPS C:\\> Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a  -Verbose\nCreates a decoy computer that has Unconstrained Delegation enabled and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties\nof the computer are read.\n\n.EXAMPLE\nPS C:\\> Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a  -Verbose\nUses an existing computer object and sets Unconstrained Delegation on it. A 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties\nof the computer are read.\n\nUsing a real machine for the decoy is always recommended as it is harder to identify as a decoy. \n\n\n.EXAMPLE\nPS C:\\> Deploy-ComputerDeception -DecoyComputerName comp1 -OperatingSystem \"Windows Server 2003\" -Right ReadControl -Verbose\nUses an existing computer object and sets its Operating System property to Windows Server 2003. 
\n\nA 4662 is logged whenever DACL or all the properties of the computer are read.\n\nUsing a real machine for the decoy is always recommended as it is harder to identify as a decoy. \n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#>\n    [CmdletBinding()] Param(\n        \n        [Parameter(Position = 0, Mandatory = $False,ValueFromPipeline = $True)]\n        [String]\n        $DecoyComputerName,\n\n        [Parameter(Position = 1, Mandatory = $False)]\n        [String]\n        $OperatingSystem,\n\n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        $SPN,\n\n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"AllowReversiblePasswordEncryption\",\"PasswordNeverExpires\",\"TrustedForDelegation\")]\n        $PropertyFlag,\n\n\n        [Parameter(Position = 4, Mandatory = $False)]\n        [String]\n        $Principal = \"Everyone\",\n\n        [Parameter(Position = 5, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"GenericAll\",\"GenericRead\",\"GenericWrite\",\"ReadControl\",\"ReadProperty\",\"WriteDacl\",\"WriteOwner\",\"WriteProperty\")]\n        $Right = \"ReadProperty\",\n\n        [Parameter(Position = 6, Mandatory = $False)]\n        [String]\n        $GUID,\n\n        [Parameter(Position = 7, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"Success\",\"Failure\")]\n        $AuditFlag = \"Success\",\n\n        [Parameter(Mandatory = $False)]\n        [Bool]\n        $RemoveAuditing = $False\n    )\n\n    if ($SPN)\n    {\n        Write-Verbose \"Setting $SPN to decoy computer $DecoyComputerName.\"\n        Set-ADComputer -Identity $DecoyComputerName -ServicePrincipalNames @{Add=$SPN}\n    }\n\n    if($OperatingSystem)\n    {\n        Write-Verbose \"Setting $OperatingSystem to decoy computer $DecoyComputerName.\"\n        Set-ADComputer -OperatingSystem $OperatingSystem 
-Identity $DecoyComputerName\n    }\n\n    if ($PropertyFlag)\n    {\n        # Set the decoy computer account's user flags.\n        Write-Verbose \"Setting $PropertyFlag to decoy computer $DecoyComputerName.\"\n        switch($PropertyFlag)\n        {\n        \n            \"AllowReversiblePasswordEncryption\"\n            {\n                Set-ADComputer -Identity $DecoyComputerName -AllowReversiblePasswordEncryption $true\n            }\n            \"PasswordNeverExpires\"\n            {\n                Set-ADComputer -Identity $DecoyComputerName -PasswordNeverExpires $true\n            }\n            \"TrustedForDelegation\"\n            {\n                Set-ADComputer -Identity $DecoyComputerName -TrustedForDelegation $true\n            }\n        }\n    }\n\n    # Add auditing to the decoy computer\n    Set-AuditRule -ComputerName $DecoyComputerName -Principal $Principal -Right $Right -GUID $GUID -AuditFlag $AuditFlag -RemoveAuditing $RemoveAuditing\n}\n\nfunction Deploy-GroupDeception\n{\n<#\n.SYNOPSIS\nDeploys the specific decoy group to log Security Event 4662 when a specific Right is used against it.\n\n.DESCRIPTION\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy group object.\n\nThe function must be run on a DC with domain admin privileges. A decoy group can have members and the group can be\na member of other groups to make the decoy interesting for an attacker. \n\nWhen a right, say, ReadProperty is used to access the decoy group, a Security Event 4662 is logged. \n\nNote that Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> DS Access - Audit Directory Service Access\nGroup Policy needs to be configured to enable 4662 logging. \n\n.PARAMETER DecoyGroupName\nSamAccountName of the decoy group.  
\n\n.PARAMETER AddMembers\nAdd list of Members to the decoy Group.\n\n.PARAMETER AddToGroup\nMake the decoy group a member of the specified group.\n\n.PARAMETER Principal\nThe Principal (user or group) for which auditing is turned on when they use Rights defined by the Right or GUID parameter.\n\n.PARAMETER Right\nThe Right for which auditing is turned on when used by the principal specified with the Principal parameter.\nDefault is ReadProperty right.\n\n.PARAMETER GUID\nGUID for the property for which auditing is turned on when Principal uses Right on the property.\n\n.PARAMETER AuditFlag\nTurn on Auditing for Success or Failure. Default is Success.\n\n.PARAMETER RemoveAuditing\nRemove previously added Auditing ACE.\n\n.EXAMPLE\nPS C:\\> Create-DecoyGroup -GroupName 'Forest Admins' -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -Right ReadControl -Verbose \nCreates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group. \nA 4662 is logged whenever DACL or all the properties of the group are read.\n\n.EXAMPLE\nPS C:\\> Create-DecoyGroup -GroupName \"Forest Admins\" -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -GUID bc0ac240-79a9-11d0-9020-00c04fc2d4cf -Verbose\nCreates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group.\nA 4662 is logged whenever membership of the Forest Admins group is listed. 
\n\n.LINK\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\nhttps://github.com/samratashok/Deploy-Deception\n#>\n    [CmdletBinding()] Param(\n        \n        [Parameter(Position = 0, Mandatory = $False,ValueFromPipeline = $True)]\n        [String]\n        $DecoyGroupName,\n     \n        [Parameter(Position = 1, Mandatory = $False)]        \n        [String[]]\n        $AddMembers,\n\n        [Parameter(Position = 2, Mandatory = $False)]\n        [String]\n        $AddToGroup,\n\n        [Parameter(Position = 3, Mandatory = $False)]\n        [String]\n        $Principal = \"Everyone\",\n\n        [Parameter(Position = 4, Mandatory = $False)]\n        [String]\n        [ValidateSet (\"GenericAll\",\"GenericRead\",\"GenericWrite\",\"ReadControl\",\"ReadProperty\",\"WriteDacl\",\"WriteOwner\",\"WriteProperty\")]\n        $Right = \"ReadProperty\",\n\n        [Parameter(Position = 5, Mandatory = $False)]\n        [String]\n        $GUID,\n\n        [Parameter(Position = 6, Mandatory = $False)]\n        [String[]]\n        [ValidateSet (\"Success\",\"Failure\")]\n        $AuditFlag = \"Success\",\n\n        [Parameter(Mandatory = $False)]\n        [Bool]\n        $RemoveAuditing = $False\n    )\n\n    if ($AddMembers)\n    {\n        Write-Verbose \"Adding members $AddMembers to $DecoyGroupName.\"\n        Add-ADGroupMember -Identity $DecoyGroupName -Members $AddMembers\n    }\n    if($AddToGroup)\n    {\n        Write-Verbose \"Adding $DecoyGroupName to $AddToGroup.\"\n        Add-ADGroupMember -Identity $AddToGroup -Members $DecoyGroupName\n    }\n\n    # Add auditing to the decoy group\n    Set-AuditRUle -GroupName $DecoyGroupName -Principal $Principal -Right $Right -GUID $GUID -AuditFlag $AuditFlag -RemoveAuditing $RemoveAuditing  \n}\n"
  },
  {
    "path": "Deploy-Deception.psm1",
    "content": "﻿\n<#\nImport this module to load all the functions in Deploy-Deception in the current PowerShell session.\n\nPS > Import-Module C:\\Deploy-Deception\\Deploy-Deception.psm1\n\n#>\n\n\nif(!$PSScriptRoot)\n{ \n    $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent\n}\n$PSScriptRoot\nGet-ChildItem -Recurse $PSScriptRoot *.ps1  | ForEach-Object  {. $_.FullName}\n\n"
  },
  {
    "path": "LICENSE",
    "content": "Deploy-Deception is a PowerShell module to deploy active directory decoy objects. \n\nCopyright (C) 2018  Nikhil \"SamratAshok\" Mittal\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  If not, see <http://www.gnu.org/licenses/>.\n\nThis program is meant for educational purposes only. The creator takes no responsibility of any mis-use of this program.\n"
  },
  {
    "path": "README.md",
    "content": "# Deploy-Deception\n\n### Deploy-Deception is a PowerShell module to deploy active directory decoy objects.\nBy [nikhil_mitt](https://twitter.com/nikhil_mitt)\n\n### Usage\n\nImport the module in the current PowerShell session.\n\nPS C:\\\\> Import-Module C:\\Deploy-Deception\\Deploy-Deception.psd1\n\nUse the script with dot sourcing.\n\nPS C:\\\\> . C:\\Deploy-Deception\\Deploy-Deception.ps1\n\nTo get help about any function, use:\n\nPS C:\\\\> Get-Help [functionname] -Full\n\nFor example, to see the help about Deploy-UserDeception, use\n\nPS C:\\\\> Get-Help Deploy-UserDeception -Full\n\n### Functions\nDeploy-Deception currently has the following functions:\n\nAll the functions must be run on a DC with domain admin privileges. There are multiple attributes and flags\nwhich can be set while deploying a decoy. These attributes and flags make the decoy interesting for an attacker. \nWhen a right, say, ReadProperty is used to access the decoy, a Security Event 4662 is logged. \n\nNote that Windows Settings|Security Settings|Advanced Audit Policy Configuration|DS Access|Audit Directory Service Access\nGroup Policy needs to be configured to enable 4662 logging. \n\n### Deploy-UserDeception\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy user object.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose\n\nCreates a decoy user whose password never expires and a 4662 is logged whenever ANY property of the user is read. 
Very verbose!\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose\n\nCreates a decoy user whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThis property is not read by net.exe, WMI classes (like Win32_UserAccount) and ActiveDirectory module.\n\nBut LDAP based tools like PowerView and ADExplorer trigger the logging.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy-UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl -Verbose \n\nCreates a decoy user which has the Allow Reversible Password Encryption property set. \n\nA 4662 is logged whenever DACL of the user is read.\n\nThis property is not read by enumeration tools unless specifically DACL or all properties for the decoy user are force read.\n\n### Deploy-SlaveDeception\nThis function sets up auditing when a specified Right is used over the slave user by a master user who has FullControl/GenericAll over the slave user.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 \n\nPS C:\\\\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose\n\nThe first command creates a decoy user 'masteruser'.\n\nThe second command creates a decoy user 'slaveuser' and provides masteruser GenericAll rights over slaveuser.\n\nFor both the users a 4662 is logged whenever there is any interaction with them.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose\n\nPS C:\\\\> Create-DecoyUser -UserFirstName 
slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose\n\nPS C:\\\\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose \n\nThe first command creates a decoy user 'masteruser' whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThe second command creates a decoy user 'slaveuser' whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThe third command grants masteruser GenericAll rights over slaveuser.\n\nThe above three commands make masteruser and slaveuser attractive for an attacker and the logging is triggered only for aggressive enumeration.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123\n\nPS C:\\\\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 \n\nPS C:\\\\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose \n\nPS C:\\\\> Deploy-UserDeception -DecoySamAccountName slaveuser -Principal masteruser -Right WriteDacl -Verbose\n\nThe first three commands create a slaveuser, create a master user and provide masteruser GenericAll rights on slaveuser.\n\nThe fourth command triggers a 4662 log only when masteruser is used to change the DACL (WriteDacl) of the slaveuser. \n\nThis is useful when targeting lateral movement and it is assumed that an adversary will get access to masteruser.\nFor example, masteruser could be a honeyuser whose credentials are left on multiple machines or masteruser can have its\nusable password in Description.\n\n### Deploy-PrivilegedUserDeception\nThis function deploys a decoy user which has high privileges like membership of the Domain Admins group. 
\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Verbose\n\nCreate a decoy user named decda and make it a member of the Domain Admins group. As a protection against potential abuse,\nDeny logon to the user on any machine. Please be aware that if another DA gets compromised the DenyLogon setting can be removed.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. \n\nEXAMPLE\n\nPS C:\\\\> Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DomainAdminsMemebership -Protection LogonWorkStation nonexistent -Verbose\n\nUse existing user decda and make it a member of the Domain Admins group. As a protection against potential abuse,\nset LogonWorkstation for the user to a nonexistent machine.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. \n\nEXAMPLE\n\nPS C:\\\\> Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DCSyncRights -Protection LogonWorkStation nonexistent -Verbose\n\nUse existing user decda and provide it DCSyncRights. As a protection against potential abuse, set LogonWorkstation for the user to a nonexistent machine.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. 
\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyUser -UserFirstName test -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -CreateLogon -Verbose \n\nCreate a decoy user named decda and make it a member of the Domain Admins group. \nAs a protection against potential abuse, set LogonWorkstation for the user to the DC where this function is executed. \n\nTo avoid detection of the decoy which relies on logoncount use the CreateLogon option which starts and stops a process as the\ndecoy user on the DC. A user profile is created on the DC when this parameter is used. \n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. \n\n### Deploy-ComputerDeception\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy computer object.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a  -Verbose\n\nCreates a decoy computer that has Unconstrained Delegation enabled and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties\nof the computer are read.\n\nEXAMPLE\n\nPS C:\\\\> Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a  -Verbose\n\nUses an existing computer object and sets Unconstrained Delegation on it. A 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties\nof the computer are read.\n\nUsing a real machine for the decoy is always recommended as it is harder to identify as a decoy. 
\n\n\nEXAMPLE\n\nPS C:\\\\> Deploy-ComputerDeception -DecoyComputerName comp1 -OperatingSystem \"Windows Server 2003\" -Right ReadControl -Verbose\n\nUses an existing computer object and sets its Operating System property to Windows Server 2003. \n\nA 4662 is logged whenever DACL or all the properties of the computer are read.\n\nUsing a real machine for the decoy is always recommended as it is harder to identify as a decoy. \n\n### Deploy-GroupDeception\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy group object.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyGroup -GroupName 'Forest Admins' -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -Right ReadControl -Verbose \n\nCreates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group. \nA 4662 is logged whenever DACL or all the properties of the group are read.\n\nEXAMPLE\n\nPS C:\\\\> Create-DecoyGroup -GroupName \"Forest Admins\" -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -GUID bc0ac240-79a9-11d0-9020-00c04fc2d4cf -Verbose\n\nCreates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group.\nA 4662 is logged whenever membership of the Forest Admins group is listed. \n\n### Bugs, Feedback and Feature Requests\nPlease raise an issue if you encounter a bug or have a feature request. \n\n### Contributing\nYou can contribute by fixing bugs or contributing to the code. If you cannot code, you can test the deployment in your network and share the results about false positives with me to help improve the project.\n\n### Blog Posts\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\n\n"
  }
]