XDR Deception

Hey, so I am currently testing everything that has to do with deception. I can successfully deploy the lures to all my targeted machines. However, for testing purposes I want to act as the "hacker". I can find a deceptive host in one of the system files, but I can't seem to find the deceptive usernames. Does anyone know where these deceptive usernames are located on the system? I tried looking in an LSASS dump, but found nothing there. Thanks in advance!

1 Reply
Replying in case you haven't already figured it out.

I only just began my own testing, so I've barely scratched the surface, but one place where deceptive users and credentials could be placed is the default user directory.
So, that would be C:\Users\Default\, and within this dir there would be a deceptive file with one or more deceptive usernames plus credentials.

If you press export after selecting the deception rule, you'll get a .csv with a few more details.

Hope this helps