Deploying tokens using AD GPO logon script
FortiDeceptor generates a deception lure package based on the decoy service configuration. For example, deploying a Windows server decoy with the services RDP and SMB, and Linux desktop decoy with the services SSH and SAMBA generates a deception lure package named FDC_TokenPKG_XXXXXXXXX
that contains the deception lure files.
The deception lure package is a zip file that has three directories containing all the relevant data and configuration for each OS.
The deception lure for each OS uses the same concept: binary files with several JSON files that provide the decoy fake access parameters for the lure.
There are two ways to assign logon scripts. The first is on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is via Group Policy Objects (GPO).
This section provides in-depth instructions on how to deploy Windows lures using the second option via AD GPO logon script.
The main idea for the GPO logon script distribution is:
- Place the deception lure package in a network directory that is accessible to all endpoints.
- Generate a batch file that runs under the logon script and runs each time the end user logs into the network domain.
- The batch file copies the deception lure package to the endpoint and executes it.
- After execution, the endpoint has the deception lure in place.
To prepare the GPO logon script:
- Download the deception lure package from the FortiDeceptor Admin Console.
- Unzip the downloaded file to a temporary location.
- Open the unzipped file and access the
windows
directory. - Copy all the files and directories, except uninstall.bat, from the
windows
directory:windows_token.exe
- Config.json
- res directory (if it is there)
Honeydocs
directory (if it is there)
- On the AD server, go to
\\%UserDNSDomain%\SysVol\domain\scripts
In this example, the domain is FDC.COM so the location is
\\FDC.COM\SysVol\FDC.COM\scripts
. - In the
scripts
directory, create a new directory and name itMyFiles
. - Copy
windows_token.exe
and theres
directory to theMyFiles
directory. - Create a batch file named
Lure.bat
with the following commands. In this example, the domain is FDC.com.set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles
set DFolder=%UserProfile%
xcopy /E /S /H /K /F /C /Y /I "%SFolder%" "%DFolder%\MyFiles"
start /B /WAIT /MIN "windows_token" "%DFolder%\windows_token.exe" "--non-interactive"
exit
A similar script for token installation is:
set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles
start /B /WAIT /MIN "windows_token" "%SFolder%\windows_token.exe" "--keep-files" "--non-interactive"
exit
Syntax example:
windows_token.exe "[optional command]" "<optional parameters>"...
Command - (blank): The default command both uninstalls previous lures (if applicable), and installs the new lures.
uninstall
: Uninstalls all previous installed lures (if applicable) for the current user.
Parameters --non-interactive
: (Optional) Used with any command, this parameter prevents any user interface from being displayed while the command is being executed.--keep-files
(Optional) Keep the installation files/directories. Otherwise, all files and directories in the current folder will be wiped out. - (Optional) *The default installation process both uninstalls previous lures (if applicable), and installs the new lures.
To uninstall tokens without installation:
- Copy
windows_token.exe
from the windows directory to the MyFiles\Uninstall directory. - Create a batch file named
uninstall_lure.bat
with the following commands.In the following example, the domain is FDC.com:
set SFolder=\\fdc.com\SYSVOL\fdc.com\scripts\MyFiles\Uninstall start /B /WAIT /MIN "uninstall_windows_token" "%SFolder%\windows_token.exe" "uninstall" "--non-interactive" exit
- Copy
Configuring the GPO logon script
To configure the GPO logon script:
- Log into the AD server and open the Group Policy Management tool.
- Right-click the top-level domain object (in this example, FDC.COM) and select Create a GPO in this domain, and link it here.
This creates a new group policy object.
- Enter a name for the new group policy object. Do not use a name that has any association with a deception technology.
- Right-click the new group policy object and select Edit.
- Go to User configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
- In the right pane, double click the Logon script to configure the Logon script properties.
- In the Logon Properties dialog box, click Show Files.
- Copy the batch file
Lure.bat
that you have prepared. - In the Logon Properties dialog box, click Add to open the Add a Scriptdialog box.
- Click Browse, locate the
Lure.bat
batch file and add it to Scripts (Logon/Logoff). - Click Apply and then click OK to close this window.
To enforce the group policy:
- In the Group Policy Management console, select the new group policy object. In this example, FDC.COM.
- In the Scope tab, verify that FDC.COM is linked.
- In the Security Filtering section, add and remove the user groups to get the deception lure package through the logon script.
- In the left pane, right-click the FDC group policy object and select Enforced.