Deploying tokens using AD GPO logon script

FortiDeceptor generates a deception lure package based on the decoy service configuration. For example, deploying a Windows server decoy with the services RDP and SMB, and Linux desktop decoy with the services SSH and SAMBA generates a deception lure package named FDC_TokenPKG_XXXXXXXXX that contains the deception lure files.

The deception lure package is a zip file that has three directories containing all the relevant data and configuration for each OS.

The deception lure for each OS uses the same concept: binary files with several JSON files that provide the decoy fake access parameters for the lure.

There are two ways to assign logon scripts. The first is on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is via Group Policy Objects (GPO).

This section provides in-depth instructions on how to deploy Windows lures using the second option via AD GPO logon script.

The main idea for the GPO logon script distribution is:

• Place the deception lure package in a network directory that is accessible to all endpoints.
• Generate a batch file that runs under the logon script and runs each time the end user logs into the network domain.
• The batch file copies the deception lure package to the endpoint and executes it.
• After execution, the endpoint has the deception lure in place.

To prepare the GPO logon script:

1. Download the deception lure package from the FortiDeceptor Admin Console.
2. Unzip the downloaded file to a temporary location.
3. Open the unzipped file and access the windows directory.
4. Copy the following from the windows directory:
   • windows_token.exe
   • res directory.
5. On the AD server, go to \\%UserDNSDomain%\SysVol\domain\scripts

   In this example, the domain is FDC.COM so the location is \\FDC.COM\SysVol\FDC.COM\scripts.

6. In the scripts directory, create a new directory and name it MyFiles.
7. Copy windows_token.exe and the res directory to the MyFiles directory.
8. Create a batch file named Lure.bat with the following commands. In this example, the domain is FDC.com.

   set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles

   set DFolder=%UserProfile%

   xcopy /H /K /F /C /Y /I "%SFolder%\windows_token.exe" "%DFolder%\windows_token.exe*"

   xcopy /E /S /H /K /F /C /Y /I "%SFolder%\res" "%DFolder%\res"

   start /B /WAIT /MIN "windows_token" "%DFolder%\windows_token.exe" )

   exit

Configuring the GPO logon script

To configure the GPO logon script:

1. Log into the AD server and open the Group Policy Management tool.

   You can also open this tool using the CLI gpmc.msc.

2. Right-click the top-level domain object (in this example, FDC.COM) and select Create a GPO in this domain, and link it here.

   This creates a new group policy object.

   

3. Enter a name for the new group policy object. Do not use a name that has any association with a deception technology.

   

4. Right-click the new group policy object and select Edit.
5. Go to User configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
6. In the right pane, double click the Logon script to configure the Logon script properties.

   

7. In the Logon Properties dialog box, click Show Files.
8. Copy the batch file Lure.bat that you have prepared.

   

9. In In the Logon Properties dialog box, click Add to open the Add a Scriptdialog box.
10. Click Browse, locate the Lure.bat batch file and add it to Scripts (Logon/Logoff).

    

11. Click Apply and then click OK to close this window.

To enforce the group policy:

1. In the Group Policy Management console, select the new group policy object. In this example, FDC.COM.
2. In the Scope tab, verify that FDC.COM is linked.
3. In the Security Filtering section, add and remove the user groups to get the deception lure package through the logon script.
4. In the left pane, right-click the FDC group policy object and select Enforced.