Customize Decoy VMs
For most deployments, the decoys included with FortiDeceptor are enough and are easier to deploy. However, if you want to use your own custom OS images for the decoy, FortiDeceptor supports Decoy Customization with a purchased subscription service.
Some examples of using Decoy Customization include:
- Windows 10 decoy joining AD.
- Windows Server 2016/2019 Enterprises users with their standard server management tools.
This version only supports Decoy Customization for Windows 10 and Windows Server 2016/2019. |
Overview of implementing Decoy Customization:
- Order the license with Decoy Customization subscription-based SKU.
- Install FortiDeceptor.
After installing FortiDeceptor with the Decoy Customization subscription, the Help icon in the toolbar has a Customization Cookbook.
- Follow the instructions in the Customization Cookbook. The high-level instructions are:
- Upload an ISO image.
- Install ARAE engine on image.
- Use the Deployment Wizard to install the customized decoy.
Customize the deception base OS image
Overview of customizing the deception base OS image:
Import Windows ISO image
Before importing an ISO image into FortiDeceptor, ensure you have completed the following:
- Purchased a license with Decoy Customization subscription-based SKU.
- Set up an ISO image with the licenses for your environment. For example, if you want to allow Active Domain (AD) accounts to access decoys, configure the settings on the AD servers, such as create dummy accounts, and so on.
To import an ISO image using the Imported Images page:
- Go to Deception > Customization and click the Imported Images tab.
- Click Import New ISO Image.
- Click Choose a file or drag and drop an image file into that pane.
To import an ISO image using the Customized Images page:
- Go to Deception > Customization and click the Customized Images tab.
- Click Import Image and Customize.
- Click Choose a file or drag and drop an image file into that pane.
To delete an ISO image:
- Go to Deception > Customization and click the Imported Images tab.
- Select one or more images and then click Delete.
Customize VM image
To initialize the VM instance:
- Go to Deception > Customization and click the Customized Images tab.
- Click Import Image and Customize.
- In the Select an imported ISO image dropdown list, select an ISO image. Then click Next.
- In the Configuration step, specify the following and then click Next.
Name
Upper and lowercase letters and numbers totaling under 48 characters.
1–4 cores.
Memory
1024–8192 MB.
Storage
20–50 GB.
This configuration is applied to the VM instance for customizing the image, This configuration is not applied to decoys.
- In the Customize step, install the OS from the ISO image.
To customize the VM:
- Ensure the OS is installed and then log in with an admin account.
- In Windows Explorer, locate the FDC_Toolkit folder and read the instructions in toolkit_README.txt.
- Configure the network using one of the following options.
- Right-click set_network.bat and then click Run as Administrator.
- Follow the instructions in net.json to configure the IP address, gateway, and DNS in Windows Control Panel > Network and Internet > Network Connections.
10.254.253.0/24 set by the script is the internal NAT IP address that is temporarily used by the customization VM to allow downloading files and accessing other network resources via the FortiDeceptor default route.
To customize the system:
- Ensure your license is activated.
- If you are using Windows 2016, enter the following commands in the PowerShell window to prevent lure configuration failures in the Decoy Deployment wizard.
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false
- If you want to support decoys with AD accounts, do the following:
- Manually configure the DNS in Windows.
- Create a lure AD user account on your AD server.
You will need this AD user account when you deploy decoys based on this image.
- Join the AD server with this AD user account.
Install the Microsoft SQL Server (optional)
The following SQL Server versions are supported.
- SQL Server 2016. https://www.microsoft.com/en-us/download/details.aspx?id=56840
- SQL Server 2017. https://www.microsoft.com/en-us/download/details.aspx?id=55994
- SQL Server 2019. https://www.microsoft.com/en-us/sql-server/sql-server-downloads
- SQL Server Management Studio for SQL server management and customization. https://aka.ms/ssmsfullsetup
If you are downloading with Internet Explorer, it is recommended you disable IE Enhanced Security Configuration.
For Windows Server core OS, because there is no desktop, you must download the installation file on another computer and then use SMB to install the SQL Server.
To install SQL server:
- Download and install the SQL server on another computer.
- When the SQL Server installation is complete, click Install SMSS to download and install the SQL Server Management Studio to manage and customize the SQL Server.
To further customize the SQL database:
- Download a sample database from https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Full.bak.
- In the FortiDeceptor Customize Decoy console, open SQL Server Management Studio.
- Right-click the database object and select Restore Database.
- Locate and add the sample DB you downloaded.
- When the sample DB is restored, right-click that DB and select Properties to change access permission to make the decoy DB more attractive to attackers.
- Give Grant permission to Select and Connect.
- Close SQL Server Management Studio.
- Verify that your DB is up using the command
netstat –an | findstr 1433
.
Install the FortiDeceptor customization toolkit
When system customization is complete, right-click FDC_CUS_toolkit.exe and select Run as Administrator and wait for the installation to finish.
Save the custom image
When the customization status in the GUI displays Ready, shut down Windows and then click Save to save this image.
It might take several minutes to save the entire image. When the image is saved, the page lists the image in Customized Images.
In Deception > Customization, the Customized Images tab lists the custom images.
The Actions column has icons for you to view logs, apply the image, or delete the image.
Deploy custom image
To apply a custom image:
- Go to Deception > Customization and click the Customized Images tab.
- Select a custom image and click the Apply button or click the Apply icon beside a custom image.
It might take a few minutes to apply the custom image. When applied, the custom image is listed in Deception > Deception OS.
To deploy decoys with custom images–generic image:
- Go to Deception > Deployment Wizard.
- Click a custom image and deploy it like a standard decoy.
We highly recommend enabling RDP and SMB services for decoys joined in the domain and not set in any local lure accounts. Many domains have different policies for account name and password which may cause the decoy to fail to initialize. |
To deploy decoys with custom images–SQL Server:
- Go to Deception > Deployment Wizard.
- Click a custom SQL server image.
To generate SQL alerts:
- You can generate SQL alerts using the
SQLCMD
tool or usingWideWorldImporters
.- To use
SQLCMD
, run the following commands.sqlcmd -S "IP Address" -U "username" -P "password"
use WideWorldImporters;
SELECT name
from SYSOBJECTS
WHERE
xtype = 'U'
go
- To use
WideWorldImporters
, run the following commands.use WideWorldImporters;
select top 100 * from Sales.Orders;
go
The Incident > Analysis page displays the alerts for the SQL server attack.
- To use