Microsoft Defender for Endpoint (MDE) Endpoint Deception capability for Advanced Threat Detection

Flock of ducks with sunlight shining in stall at countryside

Introduction to Microsoft Defender for Endpoint (MDE) Endpoint Deception Capability

Microsoft Defender for Endpoint (MDE) introduces Endpoint Deception, an advanced security feature designed to detect and deter cyber threats by deploying deceptive elements within an organization’s network. These elements, including decoy accounts, hosts, and lures, appear valuable to attackers but are actually traps that trigger alerts upon interaction.

MDE Microsoft Defender for Endpoint Deception

Why is Deception in MDE important?

Attackers rely on reconnaissance techniques to identify valuable assets before launching attacks. By integrating deceptive elements into an environment, organizations can detect potential threats early and mitigate risks before they escalate. This proactive approach enhances defenses against advanced persistent threats (APTs), ransomware, and lateral movement tactics.

Benefits of Endpoint Deception in MDE

BenefitDescription
Early threat detectionDecoys expose attackers before an actual breach occurs, allowing teams to react faster.
Minimal false positivesSince legitimate users do not access decoys, deception alerts have high accuracy.
Lateral movement IidentificationDecoys placed in different segments track unauthorized access attempts across networks.
Enhanced threat intelligenceSecurity teams gain insights into attacker techniques, supporting better detection rules.
Seamless integrationWorks natively with Microsoft Defender for Endpoint and Microsoft Sentinel for improved incident response.

Prerequisites and Licensing for MDE Endpoint Deception

Licensing overview

ComponentLicensing Requirement
Microsoft Defender for EndpointDefender for Endpoint Plan 2
Microsoft 365 E5 / Security E5Required for full deception capabilities
Microsoft Entra IntegrationDevices must be joined or hybrid joined

Supported platforms and configuration requirements

  • Supported Operating Systems: Windows 10 RS5 (version 1809) and later
  • PowerShell: Must be enabled for endpoint decoy management
  • Microsoft Entra integration: Required for full Endpoint Deception support
  • Required role permissions: Global Administrator or Security Administrator

Enabling the Deception Capability in MDE

  1. Open the Microsoft Defender Portal and sign in with administrator credentials
  2. Enable Deception in Advanced Features:
    • Navigate to Settings > Endpoints > Advanced Features
    • Locate Deception and toggle it On
    • Click Save preferences

Configuring Basic Lures and Decoys

Steps to configure Basic Lures and Decoys

  • Navigate to Settings > Endpoints > Deception Rules
  • First disable the Default deception rule (recommended)
  • Click Add deception rule
  • Provide a name and description
  • Select Basic Lures (good one to start with):
  • Assign the deception rule to all devices or specific tagged devices:
  • Leave the prefilled Decoys and Hosts as-is (this is generated by Microsoft based on Company information like users and known hosts:
  • Use autogenerated lures (in the chapter I will cover the custom setup):
  • Click Next, review settings, and deploy:

Configuring Advanced Lures (more control and flexibility)

Steps to configure Advanced Lures

  • Navigate to Settings > Endpoints > Deception Rules
  • Click Add deception rule
  • Provide a name and description
  • Select Basic Lures and Advanced Lures:
  • Assign the deception rule to all devices or specific tagged devices:
  • Click Add new and enter fake usernames or hostnames e.g. (you can leave it pre-filled as before / In my example I add custom ones for the sake of the demo):
finance.admin (Decoy account)
administration (Decoy host)
  • Use custom lures only (this is for deploying custom crafted information):
  • Select the custom lures like documents, password files, some tempting information that could be attractive for a hacker (and specify to be hidden). You can also use Honeytokens or Canary’s here:
  • Review and save:
  • Now wait for the lures to get deployed (this can take a while)

Tools and Techniques for Testing Endpoint Deception

Simulating Lateral Movement with PsExec

PsExec.exe \\devicename -u hr.admin -p FakePassword cmd.exe

Validates if deception alerts trigger when lateral movement is attempted

Simulating Unauthorized Decoy Account Access

net use \\devicename\C$ /user:hr.admin FakePassword

Checks for unauthorized login alerts in Defender

Simulating Network Reconnaissance

nmap -sV -Pn corpfinance-01.hostname.xx

Tests for network scanning detection

Integrating MDE Decoy alerts with Microsoft Sentinel

Setting up Data Connectors

  1. Enable Microsoft Defender for Endpoint in Sentinel
  2. Enable Microsoft Defender for Identity for tracking Active Directory decoys
  3. Create custom analytic rules to map deception alerts into Sentinel dashboards

Sentinel KQL Query for Decoy Alerts

SecurityAlert
| where ProviderName == "MDATP"
| where AlertName contains "deceptive" or AlertName contains "Decoy"
| project TimeGenerated, AlertName, CompromisedEntity, AlertSeverity, Tactics, Techniques, Entities, AlertLink
| order by TimeGenerated desc

Detects all deception-related alerts from Defender for Endpoint

Automating Response with Sentinel Playbooks

  1. Isolate compromised devices using Defender API and/or playbooks
  2. Trigger an incident response ticket in Sentinel
  3. Send alerts to security teams

Additional Resources

https://learn.microsoft.com/en-us/defender-xdr/deception-overview

https://learn.microsoft.com/en-us/shows/microsoft-sentinel-defender-xdr-virtual-ninja-training/microsoft-defender-for-endpoint-deception

Conclusion

Microsoft Defender for Endpoint’s Endpoint Deception capability enhances security by detecting threats early, preventing lateral movement, and providing high-confidence alerts. Integrating deception tactics with Microsoft Sentinel strengthens incident response and threat intelligence.

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post
Microsoft deprecates NTLM

Microsoft deprecates NTLM and why this is an important step

Next Post
Active Directory Security Hardening

Detecting and mitigating Active Directory compromises

Related Posts