FortiDeceptor generates a deception lure package based on the decoy service configuration. For example, deploying a Windows server decoy with the services RDP and SMB, and a Linux desktop decoy with the services SSH and SAMBA, generates a deception lure package named FDC_TokenPKG_XXXXXXXXX that contains the deception lure files.
The deception lure package is a zip file with three directories, one per OS, containing all the relevant data and configuration for that OS.
The deception lure for each OS uses the same concept: a binary accompanied by several JSON files that carry the fake access parameters pointing the lure at the decoy.
There are two ways to assign logon scripts. The first is on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is via Group Policy Objects (GPO).
This section provides in-depth instructions on how to deploy Windows lures using the second option via AD GPO logon script.
The main idea of the GPO logon script distribution is:
- Place the deception lure package in a network directory that every endpoint can read, such as the SYSVOL scripts directory used in this example. Only administrators should be able to write to that directory, because the logon script runs whatever it finds there on every endpoint.
- Create a batch file that runs as the logon script each time an end user logs on to the domain.
- The batch file copies the deception lure package to the endpoint and runs the lure installer.
- After the installer runs, the deception lure is in place on the endpoint.
- Download the deception lure package from the FortiDeceptor Admin Console.
- Unzip the downloaded file to a temporary location.
- Open the unzipped package and access the windows directory.
- Copy windows_token.exe and the res directory from the windows directory.
- On the AD server, go to the scripts directory of the SYSVOL share. In this example, the domain is FDC.COM so the location is \\fdc.com\SYSVOL\fdc.com\scripts.
- In the scripts directory, create a new directory and name it MyFiles (the name used in the batch files in this example).
- Copy windows_token.exe and the res directory to the MyFiles directory.
- Create a batch file named Lure.bat with the following commands. In this example, the domain is FDC.com. SFolder is the staging directory in SYSVOL and DFolder is the user profile the lure is copied into; the destination of the first xcopy ends with a backslash so that xcopy treats it as a directory and does not prompt, which would hang a logon script.
rem Source: staging directory in SYSVOL. Destination: the user's profile.
set SFolder=\\fdc.com\SYSVOL\fdc.com\scripts\MyFiles
set DFolder=%UserProfile%
xcopy /H /K /F /C /Y /I "%SFolder%\windows_token.exe" "%DFolder%\"
xcopy /E /S /H /K /F /C /Y /I "%SFolder%\res" "%DFolder%\res"
rem Run the lure installer from the profile without opening a console window.
start /B /WAIT /MIN "windows_token" "%DFolder%\windows_token.exe" "-non-interactive"
A similar script that runs the token installer directly from SYSVOL, without copying it to the endpoint first, is:
start /B /WAIT /MIN "windows_token" "\\fdc.com\SYSVOL\fdc.com\scripts\MyFiles\windows_token.exe" "-non-interactive"
exit
- To uninstall tokens, create a MyFiles\Uninstall directory in the scripts directory and copy windows_token.exe from the windows directory of the package into it.
- Create a batch file named uninstall_lure.bat with the following commands. In the following example, the domain is FDC.com:
set SFolder=\\fdc.com\SYSVOL\fdc.com\scripts\MyFiles\Uninstall
start /B /WAIT /MIN "uninstall_windows_token" "%SFolder%\windows_token.exe" "uninstall" "-non-interactive"
exit
- Log into the AD server and open the Group Policy Management tool.
- Right-click the top-level domain object (in this example, FDC.COM) and select Create a GPO in this domain, and link it here.
This creates a new group policy object.
- Enter a name for the new group policy object. Do not use a name that has any association with a deception technology: any authenticated domain user can list GPO names and read SYSVOL, so a revealing GPO, script, or directory name tells an attacker that the lures are fake. The same consideration applies to the script and directory names used in this example.
- Right-click the new group policy object and select Edit.
- Go to User configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
- In the right pane, double click the Logon script to configure the Logon script properties.
- In the Logon Properties dialog box, click Show Files.
- Copy the Lure.bat batch file that you prepared into the folder that opens (the logon script folder of the new GPO in SYSVOL).
- In the Logon Properties dialog box, click Add to open the Add a Script dialog box.
- Click Browse, locate the Lure.bat batch file, and add it to Scripts (Logon/Logoff).
- Click Apply and then click OK to close this window.
- In the Group Policy Management console, select the new group policy object.
- In the Scope tab, verify that the GPO is linked to the domain (in this example, FDC.COM).
- In the Security Filtering section, add the user groups that should receive the deception lure package through the logon script, and remove any that should not. Keep Read permission for Authenticated Users on the GPO even when you remove their Apply permission: since MS16-072, the GPO is retrieved in the computer's security context, and removing that Read entry silently stops the policy from applying.
- In the left pane, right-click the new group policy object and select Enforced.
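The SYSVOL staging and GPO steps above, automated in PowerShell as an added example; this is not FortiDeceptor documentation or product code, and it does not replace the GPMC steps for attaching Lure.bat, because the GroupPolicy module has no cmdlet for logon scripts. It stages windows_token.exe and res under MyFiles, verifies that only administrative principals can write to that directory, then creates, links, enforces, and security-filters the GPO. Assumed: the GroupPolicy RSAT module, Domain Admin rights, the fdc.com example domain, an unzip path of C:\Temp\FDC_TokenPKG\windows, and the GPO name and target group given in the param block.

```powershell
# Added example (not FortiDeceptor documentation or code): stage the Windows lure in
# SYSVOL, check the staging directory's ACL, and create/link/filter the logon-script GPO.
# Assumptions: GroupPolicy RSAT module, Domain Admin rights, domain fdc.com, package
# unzipped to $PkgDir, staging directory MyFiles (names from the page's example).
# Lure.bat is still attached to the GPO in the GPMC editor as described above.
#Requires -Modules GroupPolicy
param(
    [string]$Domain        = 'fdc.com',
    [string]$PkgDir        = 'C:\Temp\FDC_TokenPKG\windows',  # assumed unzip location
    [string]$StageName     = 'MyFiles',
    [string]$GpoName       = 'Workstation Profile Settings',  # nothing deception-related in the name
    [string[]]$ApplyGroups = @('Domain Users')                # security filtering targets (assumed)
)
$ErrorActionPreference = 'Stop'
$stage    = "\\$Domain\SYSVOL\$Domain\scripts\$StageName"
$domainDN = 'DC=' + ($Domain -replace '\.', ',DC=')

# 1. Stage the lure binary and its res directory where every domain endpoint can read them.
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Copy-Item -Path (Join-Path $PkgDir 'windows_token.exe') -Destination $stage -Force
Copy-Item -Path (Join-Path $PkgDir 'res') -Destination $stage -Recurse -Force

# 2. Every filtered user executes whatever is in $stage at logon, so only administrative
#    principals may be able to change it. SYSVOL's inherited ACL normally ensures this;
#    verify it instead of assuming it.
$adminPrincipal = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER|.+\\(Domain Admins|Enterprise Admins))$'
$writeBits    = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$genericWrite = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, as seen on some inherited ACEs
$writers = foreach ($ace in (Get-Acl -Path $stage).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$ace.FileSystemRights
    if ((($rights -band $writeBits) -ne 0 -or ($rights -band $genericWrite) -ne 0) -and
        $ace.IdentityReference.Value -notmatch $adminPrincipal) {
        $ace.IdentityReference.Value
    }
}
if ($writers) { throw "Non-administrative principals can modify ${stage}: $($writers -join ', ')" }

# 3. Create the GPO if needed, link it at the domain root, enforce it, and scope it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
if (-not ((Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object GpoId -eq $gpo.Id)) {
    New-GPLink -Guid $gpo.Id -Target $domainDN -LinkEnabled Yes | Out-Null
}
Set-GPLink -Guid $gpo.Id -Target $domainDN -Enforced Yes | Out-Null
# Security filtering: Authenticated Users keeps Read (the computer account must still read
# the GPO after MS16-072); Apply is granted only to the chosen groups.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
foreach ($g in $ApplyGroups) {
    Set-GPPermission -Guid $gpo.Id -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# 4. Report the resulting link and filtering for comparison with the GPMC Scope tab.
$link = (Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object GpoId -eq $gpo.Id
[pscustomobject]@{
    Gpo      = $gpo.DisplayName
    Linked   = [bool]$link
    Enforced = $link.Enforced
    Stage    = $stage
    Apply    = (Get-GPPermission -Guid $gpo.Id -All | Where-Object Permission -eq 'GpoApply' |
                ForEach-Object { $_.Trustee.Name }) -join ', '
}
```

The ACL check is the part worth keeping even if the rest is done by hand: the logon script runs whatever sits under MyFiles on every filtered endpoint, so a non-administrative principal with write access there would have code execution on every workstation in scope. The check flags both the standard write bits and the generic rights that appear on some inherited entries, and treats an untranslatable SID as a violation rather than ignoring it.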