{"id":17954921,"url":"https://github.com/samratashok/deploy-deception","last_synced_at":"2026-03-17T15:28:49.885Z","repository":{"id":81143337,"uuid":"153327058","full_name":"samratashok/Deploy-Deception","owner":"samratashok","description":"A PowerShell module to deploy active directory decoy objects.","archived":false,"fork":false,"pushed_at":"2019-11-17T13:01:37.000Z","size":18,"stargazers_count":233,"open_issues_count":1,"forks_count":53,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-09-01T01:15:26.125Z","etag":null,"topics":["activedirectory","blueteam","deception","redteam"],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/samratashok.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-10-16T17:33:15.000Z","updated_at":"2025-07-26T19:02:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"799098e4-d55f-4cc5-b107-ccaa5fe983a8","html_url":"https://github.com/samratashok/Deploy-Deception","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/samratashok/Deploy-Deception","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FDeploy-Deception","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FDeploy-Deception/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FDeploy-Deception/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FDeploy-Deception/manifests","owner_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/owners/samratashok","download_url":"https://codeload.github.com/samratashok/Deploy-Deception/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/samratashok%2FDeploy-Deception/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30626814,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T14:16:03.965Z","status":"ssl_error","status_checked_at":"2026-03-17T14:16:03.380Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["activedirectory","blueteam","deception","redteam"],"created_at":"2024-10-29T10:20:59.999Z","updated_at":"2026-03-17T15:28:49.831Z","avatar_url":"https://github.com/samratashok.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Deploy-Deception\n\n### Deploy-Deception is a PowerShell module to deploy active directory decoy objects.\nBy [nikhil_mitt](https://twitter.com/nikhil_mitt)\n\n### Usage\n\nImport the module in the current PowerShell session.\n\nPS C:\\\\\u003e Import-Module C:\\Deploy-Deception\\Deploy-Deception.psd1\n\nUse the script with dot sourcing.\n\nPS C:\\\\\u003e . 
C:\\Deploy-Deception\\Deploy-Deception.ps1\n\nTo get help about any function, use:\n\nPS C:\\\\\u003e Get-Help [functionname] -Full\n\nFor example, to see the help about Deploy-UserDeception, use\n\nPS C:\\\\\u003e Get-Help Deploy-UserDeception -Full\n\n### Functions\nDeploy-Deception currently has the following functions:\n\nAll the functions must be run on a DC with domain admin privileges. There are multiple attributes and flags\nwhich can be set while deploying a decoy. These attributes and flags make the decoy interesting for an attacker. \nWhen a right, say ReadProperty, is used to access the decoy, a Security Event 4662 is logged. \n\nNote that the Windows Settings|Security Settings|Advanced Audit Policy Configuration|DS Access|Audit Directory Service Access\nGroup Policy setting needs to be configured to enable 4662 logging. \n\n### Deploy-UserDeception\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy user object.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose\n\nCreates a decoy user whose password never expires and a 4662 is logged whenever ANY property of the user is read. 
Very verbose!\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose\n\nCreates a decoy user whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThis property is not read by net.exe, WMI classes (like Win32_UserAccount) and ActiveDirectory module.\n\nBut LDAP based tools like PowerView and ADExplorer trigger the logging.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy-UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl -Verbose \n\nCreates a decoy user which has the Allow Reversible Password Encryption property set. \n\nA 4662 is logged whenever the DACL of the user is read.\n\nThis property is not read by enumeration tools unless specifically DACL or all properties for the decoy user are force read.\n\n### Deploy-SlaveDeception\nThis function sets up auditing when a specified Right is used over the slave user by a master user who has FullControl/GenericAll over the slave user.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 \n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose\n\nThe first command creates a decoy user 'masteruser'.\n\nThe second command creates a decoy user 'slaveuser' and provides masteruser GenericAll rights over slaveuser.\n\nFor both the users a 4662 is logged whenever there is any interaction with them.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose\n\nPS C:\\\\\u003e 
Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-SlaveDeception -DecoySamAccountName masteruser -Verbose\n\nPS C:\\\\\u003e Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose \n\nThe first command creates a decoy user 'masteruser' whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThe second command creates a decoy user 'slaveuser' whose password never expires and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property of the user is read.\n\nThe third command grants masteruser GenericAll rights over slaveuser.\n\nThe above three commands make masteruser and slaveuser attractive for an attacker and the logging is triggered only for aggressive enumeration.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 \n\nPS C:\\\\\u003e Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose \n\nPS C:\\\\\u003e Deploy-UserDeception -DecoySamAccountName slaveuser -Principal masteruser -Right WriteDacl -Verbose\n\nThe first three commands create a slaveuser, create a master user and provide masteruser GenericAll rights on slaveuser.\n\nThe fourth command triggers a 4662 log only when masteruser is used to change the DACL (WriteDacl) of the slaveuser. \n\nThis is useful when targeting lateral movement and it is assumed that an adversary will get access to masteruser.\nFor example, masteruser could be a honeyuser whose credentials are left on multiple machines or masteruser can have its\nusable password in Description.\n\n### Deploy-PrivilegedUserDeception\nThis function deploys a decoy user which has high privileges like membership of the Domain Admins group. 
\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Verbose\n\nCreate a decoy user named decda and make it a member of the Domain Admins group. As a protection against potential abuse,\ndeny logon to the user on any machine. Please be aware that if another DA gets compromised the DenyLogon setting can be removed.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. \n\nEXAMPLE\n\nPS C:\\\\\u003e Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DomainAdminsMemebership -Protection LogonWorkStation nonexistent -Verbose\n\nUse existing user decda and make it a member of the Domain Admins group. As a protection against potential abuse,\nset LogonWorkstation for the user to a nonexistent machine.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. \n\nEXAMPLE\n\nPS C:\\\\\u003e Deploy-PrivilegedUserDeception -DecoySamaccountName decda -Technique DCSyncRights -Protection LogonWorkStation nonexistent -Verbose\n\nUse existing user decda and provide it DCSyncRights. As a protection against potential abuse, set LogonWorkstation for the user to a nonexistent machine.\n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. 
\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyUser -UserFirstName test -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -CreateLogon -Verbose \n\nCreate a decoy user named decda and make it a member of the Domain Admins group. \nAs a protection against potential abuse, set LogonWorkstation for the user to the DC where this function is executed. \n\nTo avoid detection of the decoy which relies on logoncount, use the CreateLogon option, which starts and stops a process as the\ndecoy user on the DC. A user profile is created on the DC when this parameter is used. \n\nIf there is any attempt to use the user credentials (password or hashes) a 4768 is logged.\n\nAny enumeration which reads DACL or all properties for the user will result in a 4662 logging. \n\n### Deploy-ComputerDeception\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy computer object.\n\nPS C:\\\\\u003e Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a  -Verbose\n\nCreates a decoy computer that has Unconstrained Delegation enabled and a 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties\nof the computer are read.\n\nEXAMPLE\n\nPS C:\\\\\u003e Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a  -Verbose\n\nUses an existing computer object and sets Unconstrained Delegation on it. A 4662 is logged whenever x500uniqueIdentifier - d07da11f-8a3d-42b6-b0aa-76c962be719a property or all the properties\nof the computer are read.\n\nUsing a real machine for the decoy is always recommended as it is harder to identify as a decoy. 
\n\n\nEXAMPLE\n\nPS C:\\\\\u003e Deploy-ComputerDeception -DecoyComputerName comp1 -OperatingSystem \"Windows Server 2003\" -Right ReadControl -Verbose\n\nUses an existing computer object and sets its Operating System property to Windows Server 2003. \n\nA 4662 is logged whenever DACL or all the properties of the computer are read.\n\nUsing a real machine for the decoy is always recommended as it is harder to identify as a decoy. \n\n### Deploy-GroupDeception\nThis function sets up auditing when a specified Right is used by a specified principal against the decoy group object.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyGroup -GroupName 'Forest Admins' -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -Right ReadControl -Verbose \n\nCreates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group. \nA 4662 is logged whenever DACL or all the properties of the group are read.\n\nEXAMPLE\n\nPS C:\\\\\u003e Create-DecoyGroup -GroupName \"Forest Admins\" -Verbose | Deploy-GroupDeception -AddMembers slaveuser -AddToGroup dnsadmins -GUID bc0ac240-79a9-11d0-9020-00c04fc2d4cf -Verbose\n\nCreates a decoy Group 'Forest Admins', adds slaveuser as a member and makes the group part of the dnsadmins group.\nA 4662 is logged whenever membership of the Forest Admins group is listed. \n\n### Bugs, Feedback and Feature Requests\nPlease raise an issue if you encounter a bug or have a feature request. \n\n### Contributing\nYou can contribute by fixing bugs or contributing to the code. 
If you cannot code, you can test the deployment in your network and share the results about false positives with me to help improve the project.\n\n### Blog Posts\nhttps://www.labofapenetrationtester.com/2018/10/deploy-deception.html\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamratashok%2Fdeploy-deception","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsamratashok%2Fdeploy-deception","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsamratashok%2Fdeploy-deception/lists"}