Deploying Active Directory Honeytokens
Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1,
What Is This
Deploying Active Directory Honeytokens is a cybersecurity skill focused on implementing high-fidelity deception mechanisms within an Active Directory (AD) environment. This technique involves creating and managing various types of honeytokens - decoy objects that appear valuable to attackers but have no legitimate use in day-to-day operations. These honeytokens are designed to trigger alerts when accessed, providing early detection of malicious activities such as credential theft, lateral movement, and internal reconnaissance.
The skill covers the deployment of several specific deception artifacts in AD, including:
- Fake privileged accounts with AdminCount=1 to attract attackers seeking elevated privileges.
- Fake Service Principal Names (SPNs), also known as "honeyroasting," for detecting Kerberoasting attempts.
- Decoy Group Policy Objects (GPOs) with embedded cpassword fields to identify unauthorized GPP password harvesting.
- Deceptive BloodHound paths to mislead and monitor adversaries using AD enumeration tools.
- Event monitoring for relevant Windows Security Event IDs (4769, 4625, 4662, 5136) to ensure prompt detection of honeytoken interactions.
Why Use It
Active Directory remains a critical target for attackers seeking to escalate privileges and move laterally within a network. Traditional detection methods often struggle to differentiate between legitimate administrative activities and malicious actions, especially when attackers use compromised credentials. Honeytokens provide a powerful, proactive defense by creating high-signal tripwires - any interaction with these decoys is almost always suspicious.
Benefits of deploying AD honeytokens include:
- Early Detection: Immediate alerts on adversary actions, often before actual damage or data exfiltration occurs.
- High Signal-to-Noise Ratio: Very few legitimate users or processes should interact with honeytokens, minimizing false positives.
- Attack Surface Mapping: Provides insight into the tools and techniques used by attackers in your environment.
- Deterrence and Misdirection: Increases attacker uncertainty and risk, potentially slowing or disrupting attack progress.
How to Use It
1. Deploying Fake Privileged Accounts
Create disabled user accounts with properties that mimic real privileged accounts. Set AdminCount=1 to signal that the account is or was a member of a protected group (e.g., Domain Admins).
Example (PowerShell):
New-ADUser -Name "svc_honeyadmin" -SamAccountName "svc_honeyadmin" `
    -AccountPassword (ConvertTo-SecureString "RandomPassword123!" -AsPlainText -Force) `
    -Enabled $false -Description "Decoy account for detection" `
    -OtherAttributes @{'adminCount'=1}
Monitor for any authentication attempt or group membership change on this account as a high-severity event.
2. Deploying Fake SPNs (Honeyroasting)
Create a decoy user or service account with a fake SPN. Attackers using Kerberoasting techniques will likely target these accounts.
Example (PowerShell):
New-ADUser -Name "svc_fakekerberoast" -SamAccountName "svc_fakekerberoast" `
    -AccountPassword (ConvertTo-SecureString "AnotherRandomP@ss!" -AsPlainText -Force) `
    -Enabled $false -ServicePrincipalNames "HTTP/fakekerberoast.lab.local"
Monitor for Event ID 4769 (Kerberos service ticket requests) for this SPN. Any attempt to request a ticket for this SPN should trigger an alert.
3. Creating Decoy GPOs with cpassword
Deploy a GPO with a cpassword attribute - a historical weak spot attackers may target to obtain cleartext credentials.
Example (via Group Policy Management Console):
- Create a new GPO named "DecoyGPP".
- Configure a preference (e.g., Local Users and Groups) with a fake password.
- Ensure the GPO applies to no legitimate computers.
Monitor for Event ID 4662 or 5136 (modification or read access to GPO objects) on this decoy GPO.
4. Deploying Fake BloodHound Paths
Create dummy objects or relationships (e.g., fake group memberships) that appear valuable in BloodHound graphs.
Example:
- Add the decoy account to a fake "Tier 0" group.
- Ensure no legitimate access is granted, but the object appears attractive to attackers mapping privilege escalation paths.
5. Monitoring Honeytoken Interactions
Configure Windows Event Log forwarding to your SIEM (Splunk, Sentinel, Elastic, etc.) and set up alerts for the following Event IDs:
- 4769: Kerberos service ticket requested (for honeyroasting SPNs)
- 4625: Failed logon attempts (for fake privileged accounts)
- 4662: Object access (for GPOs and other decoys)
- 5136: Directory object changes (indicative of reconnaissance or tampering)
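The collection side of step 5, as an added example that is not part of the original page: a PowerShell poller that pulls these four Event IDs from a domain controller's Security log and keeps only the events that touch the decoys from steps 1 to 3. It assumes the page's names (svc_honeyadmin, svc_fakekerberoast, DecoyGPP), the RSAT ActiveDirectory and GroupPolicy modules, and that an audit SACL has been set on the decoy objects, since 4662 and 5136 are only generated when object auditing is configured.

```powershell
# Added example (not from the original page). Assumes RSAT modules and audit SACLs on the decoys.
Import-Module ActiveDirectory, GroupPolicy

# 4769's ServiceName holds the account that owns the SPN (not the SPN string) and 4625's
# TargetUserName holds the account that failed to log on, so both are matched by sAMAccountName.
$HoneyAccounts = @('svc_honeyadmin', 'svc_fakekerberoast')

# 4662 and 5136 name the object by DN or as %{objectGUID}; index the decoys both ways.
# A GPO's directory object lives at CN={GPO Id},CN=Policies,CN=System,<domain DN>.
$domainDn   = (Get-ADDomain).DistinguishedName
$decoyGpoId = (Get-GPO -Name 'DecoyGPP').Id
$decoyObjects = @(
    Get-ADObject -Identity "CN={$decoyGpoId},CN=Policies,CN=System,$domainDn"
    Get-ADUser -Identity 'svc_honeyadmin'
    Get-ADUser -Identity 'svc_fakekerberoast'
)
$HoneyObjectKeys = foreach ($o in $decoyObjects) { $o.DistinguishedName; "%{$($o.ObjectGUID)}" }

function Get-HoneytokenEvents {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-15),
        [string]$ComputerName = $env:COMPUTERNAME   # run against each DC, or your WEF collector
    )
    $filter = @{ LogName = 'Security'; Id = 4769, 4625, 4662, 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable per event.
            $d = @{}
            foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            $hit = switch ($_.Id) {
                4769 { $HoneyAccounts -contains ($d.ServiceName -replace '\$$', '') }  # strip computer-account $
                4625 { $HoneyAccounts -contains $d.TargetUserName }
                4662 { $HoneyObjectKeys -contains $d.ObjectName }
                5136 { $HoneyObjectKeys -contains $d.ObjectDN }
            }
            if ($hit) {
                $actor  = switch ($_.Id) { 4769 { $d.TargetUserName } 4625 { $d.WorkstationName } default { $d.SubjectUserName } }
                $target = switch ($_.Id) { 4769 { $d.ServiceName } 4625 { $d.TargetUserName } 4662 { $d.ObjectName }
                                           5136 { "$($d.ObjectDN) ($($d.AttributeLDAPDisplayName))" } }
                # IpAddress is only present on 4769/4625; it is empty for the directory-object events.
                [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Actor = $actor; Source = $d.IpAddress; Target = $target }
            }
        }
}

# Report the last 24 hours; forward any rows to your SIEM or alerting webhook as high severity.
Get-HoneytokenEvents -Since (Get-Date).AddHours(-24) | Format-Table -AutoSize
```

Any row this returns is a honeytoken interaction by definition, so it is the event-level equivalent of the SIEM alerts listed above and can be scheduled on the collector as a fallback when forwarding lags.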
When to Use It
- When building a layered Active Directory defense that includes proactive detection.
- When your organization faces advanced threats targeting credential theft and privilege escalation.
- When supplementing existing incident detection and response with high-fidelity signals.
- When you need to mislead, delay, or study adversary behavior in your AD environment.
Important Notes
- Authorization: Only deploy honeytokens with appropriate change control and authorization. Unauthorized additions to AD can cause confusion or interfere with legitimate operations.
- Naming Conventions: Use realistic but clearly documented naming schemes for honeytokens to prevent accidental use by legitimate administrators.
- Monitoring Coverage: Ensure your SIEM or monitoring solution reliably ingests and alerts on relevant event logs for honeytoken objects.
- Regular Review: Periodically review and update honeytokens to stay ahead of attacker detection and adapt to environmental changes.
- Legal and Privacy Considerations: Ensure compliance with organizational and regulatory policies when implementing deception technology.
By carefully deploying and monitoring Active Directory honeytokens, defenders can significantly improve detection capabilities, increase adversary risk, and gain valuable insight into attack techniques targeting their domain infrastructure.