Forum Discussion

bluecole
Copper Contributor
Feb 13, 2025

Defender Deception Advanced Lures - verification

Hello everyone,

I'm looking to deploy Defender deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results?

Additionally, from an attacker's perspective, how would these account decoys be discovered?

Thank you in advance.

  • luchete
    Steel Contributor

    Hi bluecole,

    You’re on the right track with testing the basic lures. For the advanced lures and account-planted cached credentials, they might not show up in LSASS directly. Instead, you may need to check other areas like the Local Security Authority or registry keys, which might store cached credentials.

    From an attacker’s perspective, I guess discovering these decoys would typically involve searching for unusual accounts or attempting to interact with services that aren’t normally used in the environment. However, if Defender is set up correctly, these lures should remain hidden unless actively targeted by the attacker.

    Hope this helps!

      • luchete
        Steel Contributor

        No problem bluecole,

        Would you mind leaving this thread marked as solved/completed?

        Regards!
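Added example, not code from the original thread and not Microsoft's own tooling, covering both halves of bluecole's question and luchete's pointer to the registry: one PowerShell script that (a) checks the places on a Windows host where a planted credential for a decoy account would ordinarily surface to an attacker running standard credential-hunting commands, and (b) runs the LDAP heuristic an attacker would use to spot accounts that look like decoys. Assumptions: the decoy account name (`$DecoyAccount`) is a placeholder you replace with your own; the registry keys listed are the well-known places Windows leaves usernames in cleartext, not locations Defender is documented to use; `HKLM\SECURITY\Cache` is skipped because it needs SYSTEM and holds encrypted blobs a string match cannot read.

```powershell
<#
  Added example (not from the thread, not Microsoft code).
  Run in an elevated PowerShell on a domain-joined host where a lure is expected.
  $DecoyAccount is an assumed placeholder name.
#>
param(
    [string]$DecoyAccount = 'svc-backup-decoy'   # assumption: replace with your planted decoy account
)

function Find-CachedCredentialReferences {
    param([Parameter(Mandatory)][string]$Account)

    $pattern = [regex]::Escape($Account)
    $hits    = New-Object System.Collections.Generic.List[string]

    # 1. Credential Manager / Windows Vault: the store cmdkey enumerates.
    $cmdkeyOut = & cmdkey.exe /list 2>$null
    if (@($cmdkeyOut) -match $pattern) { $hits.Add('Credential Manager (cmdkey /list)') }

    # 2. Kerberos ticket cache of the current logon session.
    $klistOut = & klist.exe 2>$null
    if (@($klistOut) -match $pattern) { $hits.Add('Kerberos ticket cache (klist)') }

    # 3. Registry keys that routinely hold usernames in cleartext (assumed search list).
    #    HKLM\SECURITY\Cache (DCC2 domain logon cache) is deliberately not read here:
    #    it requires SYSTEM and its entries are encrypted, so a string match finds nothing.
    $regPlaces = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # DefaultUserName / autologon
        'HKCU:\Software\Microsoft\Terminal Server Client\Servers',       # UsernameHint per RDP target
        'HKCU:\Network',                                                 # persistent mapped drives
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU'
    )
    foreach ($path in $regPlaces) {
        if (-not (Test-Path -Path $path)) { continue }
        $keys = @(Get-Item -Path $path -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $pattern -or $data -match $pattern) {
                    $hits.Add("Registry: $($key.Name) -> $name")
                }
            }
        }
    }

    [pscustomobject]@{ Account = $Account; Hits = $hits.ToArray() }
}

function Find-SuspectedDecoyAccounts {
    # Attacker's view: the cheapest LDAP heuristic for a planted account is one that
    # exists but has never logged on. Any domain user can run this query.
    # Caveat: lastLogonTimestamp replicates with up to ~14 days of lag, so genuinely
    # new accounts also match; filter on WhenCreated before drawing conclusions.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!(lastLogonTimestamp=*)))'
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'whencreated', 'description', 'admincount'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        [pscustomobject]@{
            SamAccountName = [string]($p['samaccountname'] | Select-Object -First 1)
            WhenCreated    = ($p['whencreated'] | Select-Object -First 1)
            Description    = [string]($p['description'] | Select-Object -First 1)
            AdminCount     = [string]($p['admincount'] | Select-Object -First 1)
        }
    }
}

# Host-side check for the planted credential.
$result = Find-CachedCredentialReferences -Account $DecoyAccount
if ($result.Hits.Count -eq 0) {
    Write-Host "No reference to '$DecoyAccount' in Credential Manager, the Kerberos cache, or the checked registry keys on $env:COMPUTERNAME."
} else {
    $result.Hits | ForEach-Object { Write-Host "Found: $_" }
}

# Directory-side view of what an attacker's enumeration would surface.
Find-SuspectedDecoyAccounts | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

If neither this script nor an LSASS dump shows the decoy on a given host, the plant is not visible to the usual credential-hunting tooling there; the end-to-end check that remains is whether an authentication attempt against the decoy account (for example a `runas /user:` or an LDAP bind with it) raises a deception alert in the portal, since that interaction is what the decoy exists to catch. The second function also shows the flip side of luchete's point: a never-logged-on account is exactly what an attacker filters for, so a decoy that fits that shape is discoverable by design, and the value lies in the alert fired when it is touched rather than in it staying hidden.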
