Fortinet Document Library

Administration Guide

Deploy the FortiDeceptor token package

Use a FortiDeceptor token package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.

For information about using FortiDeceptor to generate a deception lure package based on the decoy service configuration, see Deploying tokens using AD GPO logon script.

The following token types are available, each listed with its description:

SMB (hidden mapped network disk)

Map the shared directory to a remote decoy that acts as file server while the shared disk is hidden. The username and password are saved in the Windows Vault (Credentials Manager).

SMB remote folders are Windows folders.

SAMBA (hidden mapped network disk)

Same as SMB but for Linux SAMBA shares. SAMBA remote folders are Linux folders.

RDP (Remote Desktop)

The username, password and the Windows Decoy IP are saved in the Windows Vault (Credentials Manager).

Additionally, it creates RDP shortcuts in %USERPROFILE%\Documents. The file name format is rdp_USERNAME_IP.rdp and created files are hidden.

The RDP Lure username and password are saved in Windows Vault.

SSH (Secure Shell)

Create a hidden Putty shortcut in %USERPROFILE%\Documents.

If Putty (putty.exe) is not installed in the specified directory, no shortcut is created.

Credential Cache Lure

In a domain environment, add a new credentials entry to the lsass.exe process on the real desktop or server.

HoneyDocs

Add fake files (Word and PDF) to Windows directories. By default they are added to the most recent folder; you can specify another location in the Windows directory.

ODBC

The ODBC lure saves a DSN connection string using the Trusted Connection mechanism.

To deploy an effective ODBC token, the following is required:

  • Deploy the decoy with domain DNS and the SQL Server service, based on a custom Windows image that is joined to a domain. See Custom Decoy Image > To deploy decoys with custom images–SQL Server.
  • Install ODBC lures into domain user accounts that are on the same domain as the custom Windows server.

SAP token

Add fake SAP configuration files, containing the decoy IP and other SAP-related configuration data, to the Windows SAP installation path.

To create a FortiDeceptor token campaign:
  1. Go to Deception > Deception Token > Token Campaign.
  2. Click +Campaign.
  3. Configure the campaign Name and Mode.

    Name: Enter the campaign name.
    Mode: Select one of the following:
    • Offline: The complete Deception Tokens package is downloaded from the FDC manager and copied to the endpoint using an external distribution system, such as the AD logon script, for deployment.
    • Online: A light Deception Tokens package is downloaded from the FDC manager and copied to the endpoint using an external distribution system, such as the AD logon script. The package contains the binary file and one configuration file that directs the endpoint to download the deception campaign from the FDC manager over a secure port.
      Tooltip

      Use Online mode to change the campaign at any time on the FortiDeceptor server. Any changes you make are applied to the endpoint.

  4. Select the lures. At least one lure must be selected.
    Note

    You can only select lures with valid Static IP addresses.

    The related decoys must have a status of Initialized, Stopped, Running, or Failed. We recommend keeping the related decoys with a status of Running for successful lure deployment.

  5. (Optional) Click Generate API Auth Key to generate an API key.
  6. Click Save.

To view the campaign list:
  1. Go to Deception > Deception Token.
  2. Select a campaign from the list, then use the icons in its column:
    • Click the Edit icon to edit the campaign.
    • Click the Delete icon to delete the campaign.
    • Click the Download icon to download the campaign.

To deploy a FortiDeceptor token campaign on an existing endpoint:
  1. Download the FortiDeceptor token campaign package.
  2. Copy the downloaded FortiDeceptor token campaign package to an endpoint, such as a Windows or Linux endpoint.
  3. Unzip the FortiDeceptor token campaign package.
  4. In the OS folder, follow the instructions in the README.txt file to install the token package.
    • Windows: Open the windows folder and double-click windows_token.exe to run it.
    • Ubuntu: Open a terminal and run the Python script ./ubuntu_token.py.
  5. To remove the tokens later, uninstall the token campaign package from the OS folder.
    • By default, a new token installation automatically clears the existing lure information before installing the new lures.

When the FortiDeceptor token package is installed on a real Windows or Ubuntu endpoint, it increases the deception attack surface and lures the attacker to a Decoy VM.

To review Token Deployment Status:
  1. Go to Deception > Deception Token > Token Deployment Status.
  2. Expand the Endpoint Name to view the Token Deployment Details for the endpoint.
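Besides the Token Deployment Status page, a defender may want a local check that the RDP lures actually landed on an endpoint and still point at campaign decoys. The following is an added example, not FortiDeceptor's own tooling: it parses the documented rdp_USERNAME_IP.rdp file names from a Documents folder listing and compares them with the campaign's decoy-to-username mapping (the mapping shape and the sample listing are constructed assumptions).

```python
import ipaddress
import re
from pathlib import Path

# Documented RDP lure file name format: rdp_USERNAME_IP.rdp
# Usernames may themselves contain underscores, so the IP is matched from the right.
_LURE_RE = re.compile(r"^rdp_(?P<user>.+)_(?P<ip>[0-9.]+)\.rdp$", re.IGNORECASE)

def parse_rdp_lure(filename):
    """Return (username, ip) for a well-formed RDP lure file name, else None."""
    m = _LURE_RE.match(Path(filename).name)
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group("ip")))  # rejects e.g. 999.1.1.1
    except ipaddress.AddressValueError:
        return None
    return m.group("user"), ip

def audit_rdp_lures(filenames, expected_decoys):
    """Compare lure files in a Documents folder with the campaign's decoys.
    expected_decoys: {decoy_ip: username} as selected in the token campaign (assumed shape).
    Returns 'present' (ip -> file), 'missing' (ips) and 'unexpected' (files)."""
    found, unexpected = {}, []
    for name in filenames:
        parsed = parse_rdp_lure(name)
        if parsed is None:
            continue
        user, ip = parsed
        if expected_decoys.get(ip) == user:
            found[ip] = name
        else:
            unexpected.append(name)  # lure points somewhere the campaign does not define
    missing = sorted(ip for ip in expected_decoys if ip not in found)
    return {"present": found, "missing": missing, "unexpected": sorted(unexpected)}

def scan_documents(documents_dir):
    """Real run: list every file, hidden ones included (Path.iterdir does not filter them)."""
    return [p.name for p in Path(documents_dir).iterdir() if p.is_file()]

# Constructed sample standing in for a listing of %USERPROFILE%\Documents.
SAMPLE_LISTING = [
    "rdp_svc_backup_10.10.20.15.rdp",  # expected lure, username contains an underscore
    "rdp_admin_10.10.20.16.rdp",       # expected lure
    "rdp_admin_10.10.99.1.rdp",        # IP is not a campaign decoy: flagged
    "rdp_old_999.1.1.1.rdp",           # malformed IP: ignored
    "notes.docx",                      # unrelated file
]
SAMPLE_CAMPAIGN = {"10.10.20.15": "svc_backup", "10.10.20.16": "admin", "10.10.20.17": "finance"}

if __name__ == "__main__":
    print(audit_rdp_lures(SAMPLE_LISTING, SAMPLE_CAMPAIGN))
```

On a live endpoint, pass `scan_documents(Path.home() / "Documents")` in place of the constructed listing.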