Full Report
Deceptive-Auditing is a tool that deploys Active Directory honeypots and automatically enables auditing for those honeypots. The post Deceptive-Auditing: An Active Directory Honeypots Tool appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Deceptive-Auditing
## Overview
Deceptive-Auditing is a tool, implemented as a set of PowerShell cmdlets, designed to deploy Active Directory (AD) honeypots and automatically enable auditing for these decoy objects (users, OUs, GPOs). Its primary purpose is to create deceptive environments to bait adversaries and record their actions.
## Technical Details
- Type: Tool (Security Utility/Honeypot Deployment Framework)
- Platform: Windows (Utilizes PowerShell)
- Capabilities: Automates the modification of System Access Control Lists (SACLs) on AD objects, files, and registry keys to enable auditing; deploys decoy users, Organizational Units (OUs), and Group Policy Objects (GPOs).
- First Seen: The article announcing the tool is dated January 7, 2026; it references prior work by Nikhil Mittal (2018).
## MITRE ATT&CK Mapping
The tool's primary function maps to defense and deception tactics, specifically focusing on monitoring and baiting activity.
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (via the related filesystem/registry auditing capabilities)
- **TA0005 - Defense Evasion**
  - T1622 - Redirection to Decoy Location (implicated by the nature of deploying deception)
- **TA0007 - Discovery**
  - T1087.002 - Account (by creating highly noticeable, yet tempting, decoy accounts/objects)
- **TA0011 - Collection**
  - T1005 - Data from Local System (monitoring access attempts to deployed decoys)
- **TA0012 - Lateral Movement**
  - T1078.001 - Valid Accounts: Domain Accounts (monitoring interactions with decoy accounts)
*Note: As a defensive tool, its direct mapping focuses on the defensive counterpart to offensive techniques it aims to detect.*
## Functionality
### Core Capabilities
The tool is built around the core cmdlet `Set-AuditRule`, which automates the process of adding Access Control Entries (ACEs) to the SACL of objects.
1. **Auditing Automation:** Uses `Set-AuditRule` to modify SACLs on AD objects, registry keys, or files based on specified SIDs (`-WellKnownSidType`), rights (`-Rights`), inheritance, and audit flags (`-AuditFlags`).
2. **Honeypot Object Creation:** Provides functions to create decoy Active Directory objects:
   * `New-DecoyUser`: Creates new user objects, optionally placing them in a specific OU.
   * `New-DecoyOU`: Creates new Organizational Units.
   * `New-DecoyGPO`: Creates new Group Policy Objects, with an optional flag (`-MakeReadable`) to ensure they are easily discoverable by automated scanning tools.
3. **Honeypot Auditing Deployment:** Uses deployment functions (e.g., `Deploy-UserDeception`, `Deploy-OUDeception`, `Deploy-GPODeception`) in conjunction with the auditing helper functions to ensure the newly created decoys are monitored.
### Advanced Features
* **Cross-Object Auditing Support:** `Set-AuditRule` supports auditing beyond AD objects, including Windows registry keys and arbitrary files.
* **File Auditing Specifics:** When auditing files, the command uses the `-FilePath` parameter, and successful reads (Event ID 4663) are logged.
* **GPO Baiting:** The `-MakeReadable` flag for GPOs is specifically designed to attract automated AD scanning and enumeration tools by making the configuration easily accessible.
* **Aggregation:** The tool merges and enhances functionality from previous projects (`Set-AuditRule` and `Deploy-Deception`).
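The SACL edit described under Core Capabilities and the file-auditing case under Advanced Features, as an added example that is not the Deceptive-Auditing project's own code: a hypothetical `Add-DecoyAuditRule` that performs, with the .NET security classes directly, what the page describes `Set-AuditRule` doing. It assumes the ActiveDirectory module (for the `AD:` drive), a session holding SeSecurityPrivilege (e.g. a Domain Admin), and constructed OU, account and file names.

```powershell
# Added example, not the Deceptive-Auditing project's own code: the SACL edit that
# the page describes Set-AuditRule performing, done with the .NET security classes.
# Assumes the ActiveDirectory module (AD: drive) and a session holding
# SeSecurityPrivilege (e.g. Domain Admin); Add-DecoyAuditRule is a hypothetical name.
Import-Module ActiveDirectory

function Add-DecoyAuditRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,                 # object DN or file path
        [ValidateSet('ADObject', 'File')][string]$Kind = 'ADObject',
        [System.Security.Principal.WellKnownSidType]$WellKnownSidType = 'WorldSid',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success'
    )
    # WorldSid ("Everyone") means any principal touching the decoy trips the audit ACE
    $sid = [System.Security.Principal.SecurityIdentifier]::new($WellKnownSidType, $null)

    if ($Kind -eq 'ADObject') {
        $adPath = "AD:\$Path"
        $acl    = Get-Acl -Path $adPath -Audit          # -Audit pulls the SACL, not just the DACL
        # GenericRead catches the property reads an enumeration tool makes (Event ID 4662)
        $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
        $inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $rule   = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($sid, $rights, $AuditFlags, $inh)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $adPath -AclObject $acl
    }
    else {
        $acl    = Get-Acl -Path $Path -Audit
        # A successful read of the decoy file is logged as Event ID 4663
        $rights = [System.Security.AccessControl.FileSystemRights]::Read
        $noInh  = [System.Security.AccessControl.InheritanceFlags]::None
        $noProp = [System.Security.AccessControl.PropagationFlags]::None
        $rule   = [System.Security.AccessControl.FileSystemAuditRule]::new($sid, $rights, $noInh, $noProp, $AuditFlags)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Deploy one decoy user, then audit it and a decoy file (OU, name and path are constructed samples).
$decoy = New-ADUser -Name 'svc_backup_legacy' -Path 'OU=Staging,DC=corp,DC=example' `
    -Description 'Legacy backup service account, do not remove' -Enabled $false -PassThru
Add-DecoyAuditRule -Path $decoy.DistinguishedName -Kind ADObject
Add-DecoyAuditRule -Path 'C:\Shares\IT\passwords_old.xlsx' -Kind File
```

The audit ACE only produces events when the matching Advanced Audit Policy subcategory (Directory Service Access for AD objects, File System for files) is enabled; the resulting 4662/4663 events then record which account touched the decoy.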
## Indicators of Compromise
Since this is a defensive deployment tool, there are no inherent IoCs associated with the tool *itself* being used maliciously. The created decoys (which are the intended monitoring points) would generate the following *behavioral* indicators:
- File Hashes: N/A (Tool is PowerShell script/cmdlets)
- File Names: N/A (Relies on imported cmdlets)
- Registry Keys: N/A (Keys are user-defined for monitoring)
- Network Indicators: N/A (Tool functions primarily within the domain controller/AD context)
- Behavioral Indicators: **Successful access or modification** logged against the decoy objects (users, OUs, GPOs) configured with the auditing rules. These interactions trigger the audit logs.
## Associated Threat Actors
This tool is explicitly designed for **Blue Teams** and Domain Administrators to deploy deception infrastructure within their own environments.
## Detection Methods
Detection relies on monitoring the tool's execution or observing access attempts against the created deception assets.
- Signature-based detection: Detection of the specific PowerShell cmdlets being executed (e.g., `Set-AuditRule`, `New-DecoyUser`, `Deploy-UserDeception`).
- Behavioral detection: Monitoring for unusual modifications to AD object SACLs, especially those targeting generic principals like "Everyone" (`WorldSid`). Detection of unusual enumeration or interaction with newly created, non-functional decoy user accounts, OUs, or GPOs.
- YARA rules if available: Not specified in the text.
## Mitigation Strategies
Mitigation focuses on reducing unnecessary auditing configuration and securing native AD functionality.
- Prevention measures: Careful vetting of externally sourced PowerShell scripts before execution in production environments.
- Hardening recommendations: Regularly review existing SACL and DACL configurations across critical AD objects so that unauthorized audit rule creation is promptly detected. Regularly audit security logs for the Event ID associated with SACL modification.
## Related Tools/Techniques
- Set-AuditRule (The helper function within Deceptive-Auditing)
- Deploy-Deception (Original tool developed by Nikhil Mittal)
- Roberto “Cyb3rWard0g” Rodriguez's earlier work.