Deception Token
Use a FortiDeceptor token package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.
For information about using FortiDeceptor to generate a deception lure package based on the decoy service configuration, see Deploying tokens using AD GPO logon script.
The following token types are available:
Token type | Description |
---|---|
SMB (hidden mapped network disk) | Map the shared directory to a remote decoy that acts as a file server while the shared disk is hidden. The username and password are saved in the Windows Vault (Credentials Manager). SMB remote folders are Windows folders. |
SAMBA (hidden mapped network disk) | Same as SMB, but for Linux SAMBA shares. SAMBA remote folders are Linux folders. |
RDP (Remote Desktop) | The username, password and the Windows decoy IP are saved in the Windows Vault (Credentials Manager). Additionally, it creates RDP shortcuts in. The RDP lure username and password are saved in the Windows Vault. |
 | Create a hidden Putty shortcut in. If Putty (putty.exe) is not installed in the specified directory, no shortcut is created. |
Credential Cache Lure | In a domain environment, add a new credentials entry to the real desktop or server process. |
HoneyDocs | Add fake files (Word, PDF, Excel) to Windows directories. The default location is the most recent folder. You can specify the location in the Windows directory. Use the Linux decoy to deploy the HoneyDocs token campaign. |
ODBC | The ODBC lure saves a DSN connection string using the Trusted Connection mechanism. To deploy an effective ODBC token, the following is required: |
SAP token | Add fake SAP configuration files to the Windows SAP installation path that contain the decoy IP and other SAP-related configuration data. |
AWS Key | Add a JSON file including AWS Keys to Windows directories. You can specify the location in the Windows directory. The default location is the most recent folder. |
Azure Key | Add a JSON file including Azure Keys to Windows directories. You can specify the location in the Windows directory. The default location is the most recent folder. You can also specify a certificate with Azure Keys in the same directory. |
To create a FortiDeceptor token campaign:
- Go to Deception > Deception Token > Token Campaign.
- Click +Campaign.
- Configure the campaign Name and Mode.
  - Name: Enter the campaign name.
  - Mode:
    - Offline: The complete Deception Tokens package is downloaded from the FDC manager and copied to the endpoint using an external distribution system such as the AD logon script.
    - Online: A light Deception Tokens package is downloaded from the FDC manager and copied to the endpoint using an external distribution system such as the AD logon script. The package contains the binary file and one configuration file that points the endpoint to download the deception campaign from the FDC manager over a secure port.
  Use Online mode to change the campaign at any time on the FortiDeceptor server. Any changes you make are applied to the endpoint.
- Select the lures. At least one lure must be selected.
You can only select lures with valid Static IP addresses.
The related decoys must have a status of Initialized, Stopped, Running, or Failed. We recommend keeping the related decoys with a status of Running for successful lure deployment.
- (Optional) Click Generate API Auth Key to generate an API key.
- Click Save.
To view the campaign list:
- Go to Deception > Deception Token.
- Select a campaign from the list. In the column:
  - Click Edit to edit the campaign.
  - Click Delete to delete the campaign.
  - Click Download to download the campaign.
To deploy a FortiDeceptor token campaign on an existing endpoint:
- Download the FortiDeceptor token campaign package.
- Copy the downloaded FortiDeceptor token campaign package to an endpoint, such as a Windows or Linux endpoint.
- Unzip the FortiDeceptor token campaign package.
- In the OS folder, follow the instructions in the README.txt file to install the token package.
  - Windows: Open the windows folder and double-click windows_token.exe to run it.
  - Ubuntu: Open a terminal and run the Python script ./ubuntu_token.py.
- In the OS folder, uninstall the token campaign package.
  - By default, the new token installation process automatically clears the existing lure information before installing the new lures.
When the FortiDeceptor token package is installed on a real Windows or Ubuntu endpoint, it increases the deception surface and lures the attacker to a Decoy VM.
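The Ubuntu part of the procedure above, written as a small deployment script that an administrator could call from a logon script. This is an added example, not FortiDeceptor's own code: it assumes the package is a zip whose ubuntu folder holds ubuntu_token.py, and it checks the package's SHA-256 (recorded by the operator at download time) and rejects zip entries that would escape the extraction directory before anything is executed on the endpoint.

```python
# Added example: deploy a FortiDeceptor token campaign package on an Ubuntu endpoint.
# Assumed (not from the vendor docs): the zip's "ubuntu" folder holds ubuntu_token.py and
# the operator supplies the SHA-256 recorded when downloading the package.
import hashlib
import pathlib
import subprocess
import sys
import zipfile

def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large packages are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def safe_members(zf: zipfile.ZipFile, dest: pathlib.Path) -> list:
    """Entry names that stay inside dest; absolute or '..' paths (zip-slip) are rejected."""
    dest = dest.resolve()
    ok = []
    for name in zf.namelist():
        target = (dest / name).resolve()
        if target == dest or dest not in target.parents:
            raise ValueError(f"unsafe zip entry rejected: {name}")
        ok.append(name)
    return ok

def extract_package(zip_path: str, expected_sha256: str, dest: str) -> pathlib.Path:
    """Verify the package hash, extract it safely and return the ubuntu_token.py path."""
    actual = sha256_of(zip_path)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"package hash mismatch: {actual} != {expected_sha256}")
    dest_path = pathlib.Path(dest)
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest_path, members=safe_members(zf, dest_path))
    script = dest_path / "ubuntu" / "ubuntu_token.py"
    if not script.is_file():
        raise FileNotFoundError(f"ubuntu_token.py not found under {dest_path}")
    return script

def install_tokens(script: pathlib.Path) -> int:
    """Run the installer from its own folder, as the README's ./ubuntu_token.py expects."""
    return subprocess.run([sys.executable, script.name], cwd=script.parent).returncode

if __name__ == "__main__":
    # usage: deploy_tokens.py <package.zip> <expected_sha256> <extract_dir>
    zip_file, digest, out_dir = sys.argv[1:4]
    sys.exit(install_tokens(extract_package(zip_file, digest, out_dir)))
```

The installer's exit code is returned unchanged, so a logon script can record a failed deployment and cross-check it against Deception > Deception Token > Token Deployment Status.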
To review Token Deployment Status:
- Go to Deception > Deception Token > Token Deployment Status.
- Expand the Endpoint Name to view the Deployment Details for the endpoint.