Forum Discussion
DefenderAdmin
Brass Contributor
Nov 30, 2022
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" since 23.11.2022, starting in the evening (MET timezone). Normally, in the past, this kind of alert only appeared during planned penetration tests and ...
Jacampbell
Microsoft
Jan 27, 2023
Hey, have you opened a support ticket?
DefenderAdmin
Brass Contributor
Jan 27, 2023
No, I didn't open a support ticket yet. I was hoping that an agent update would solve the issue, which hasn't happened yet. But to be honest, I don't have the time or nerve right now for handling a Microsoft ticket case with some Indian MS supporter...
- Jacampbell
Microsoft
Jan 27, 2023
So LDAP and SAMR detections were added to the Honeytoken-tagged entities. Points to note with this:
- There will never be a false positive scenario for the honeytoken, despite that being an option under the "manage alert" drop-down in M365.
- We cannot exclude the device for this Honeytoken activity.
Please review EVERY tool that is associated with LDAP and SAMR and queries users. If any tool or service queries a Honeytoken-tagged account, it will create an activity. So based on the frequency of your activity, you should be able to narrow down what service/tool is querying the users on these trusted domains. Does any service/tool come to mind?
- waydaws
Copper Contributor
Jan 30, 2023
This change moves honeytoken accounts from something that one knew was unlikely to be a false positive to one which will have many false positives, going by the SAM-R and LDAP alerts that are populated by vulnerability scanners, products like Tanium, and users that use the /domain switch of the net command.
You already had reconnaissance alerts. The honeytoken accounts were for direct authentication attempts using them, which is the traditional purpose for them. I can't see a good reason to do this.
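As an added example of the triage Jacampbell describes (find the service or tool behind the LDAP/SAMR queries by their frequency) and of the noise waydaws predicts (scanners, inventory agents, `net ... /domain`), here is a short Python script that sorts query events touching a honeytoken account into targeted lookups versus domain-wide enumeration and ranks the sources. This is example code written for this page, not Microsoft's, MDI's or any product's own code. The event record shape, the host and tool names, the honeytoken account names and every query string are constructed; the script goes slightly beyond the thread by parsing the LDAP search filter so that a scanner's `(objectClass=user)` sweep, which would return the honeytoken along with every other user, is separated from a query that names the honeytoken account directly.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed honeytoken accounts (sAMAccountName, lowercase). In a real tenant
# these would be the accounts you tagged as honeytokens in the Defender portal.
HONEYTOKENS = {"svc-backup-old", "adm-legacy"}

# LDAP attributes whose asserted value names one specific account.
IDENTITY_ATTRS = {"samaccountname", "cn", "name", "userprincipalname"}

# MS-SAMR operation names: ones that walk the whole domain, and ones that
# resolve or open a single account.
SAMR_ENUMERATE_OPS = {"SamrEnumerateUsersInDomain", "SamrQueryDisplayInformation"}
SAMR_LOOKUP_OPS = {"SamrLookupNamesInDomain", "SamrOpenUser", "SamrQueryInformationUser"}


@dataclass(frozen=True)
class QueryEvent:
    """One LDAP or SAMR query seen from a host. This record shape is an
    assumption made for the example, not MDI's own event schema."""
    source_host: str
    application: str   # process or product that issued the query, if known
    protocol: str      # "LDAP" or "SAMR"
    query: str         # LDAP search filter, or "<SAMR op> [<target account>]"


# Leaf assertions of an RFC 4515 filter: "(attr=value)". Nested "(&", "(|" and
# "(!" wrappers are skipped because "&", "|" and "!" are not attribute characters.
_LEAF = re.compile(r"\(([\w.-]+)=([^()]*)\)")


def _account(value: str) -> str:
    """Normalise an asserted value (sAMAccountName or UPN) to a bare lowercase name."""
    return value.split("@", 1)[0].strip().lower()


def classify(ev: QueryEvent) -> str:
    """Return 'targeted' (the query names a honeytoken), 'enumeration' (a sweep
    that returns the honeytoken along with every other account) or 'unrelated'."""
    if ev.protocol.upper() == "LDAP":
        leaves = [(attr.lower(), value) for attr, value in _LEAF.findall(ev.query)]
        # A direct reference to the honeytoken outranks any enumeration term.
        if any(a in IDENTITY_ATTRS and _account(v) in HONEYTOKENS for a, v in leaves):
            return "targeted"
        for attr, value in leaves:
            v = value.lower()
            if attr in ("objectclass", "objectcategory") and (v in ("user", "person") or v.startswith("cn=person")):
                return "enumeration"
            if attr in IDENTITY_ATTRS and "*" in value:
                return "enumeration"
        return "unrelated"
    if ev.protocol.upper() == "SAMR":
        parts = ev.query.split(None, 1)
        op = parts[0]
        target = _account(parts[1]) if len(parts) > 1 else ""
        if op in SAMR_ENUMERATE_OPS:
            return "enumeration"
        if op in SAMR_LOOKUP_OPS and target in HONEYTOKENS:
            return "targeted"
        return "unrelated"
    raise ValueError(f"unknown protocol {ev.protocol!r}")


def summarize(events):
    """Count classifications per (source host, application)."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[(ev.source_host, ev.application)][classify(ev)] += 1
    return {key: dict(c) for key, c in counts.items()}


def rank_sources(events):
    """Rows (host, app, targeted, enumeration) ordered for triage: sources with
    targeted lookups first (what the honeytoken was meant to catch), then the
    noisiest enumerators (candidates for the scanner or agent behind the flood)."""
    rows = [(host, app, c.get("targeted", 0), c.get("enumeration", 0))
            for (host, app), c in summarize(events).items()]
    rows.sort(key=lambda r: (-r[2], -r[3], r[0], r[1]))
    return rows


# Constructed sample events; hosts, tools and queries are made up for this example.
SAMPLE_EVENTS = [
    QueryEvent("ws-0412", "vulnscanner.exe", "LDAP", "(&(objectCategory=person)(objectClass=user))"),
    QueryEvent("ws-0412", "vulnscanner.exe", "SAMR", "SamrEnumerateUsersInDomain"),
    QueryEvent("srv-mon01", "tanium-client", "LDAP", "(sAMAccountName=*)"),
    QueryEvent("srv-mon01", "tanium-client", "LDAP", "(sAMAccountName=*)"),
    QueryEvent("ws-0907", "net.exe", "SAMR", "SamrLookupNamesInDomain svc-backup-old"),
    QueryEvent("ws-0907", "powershell.exe", "LDAP", "(&(objectClass=user)(sAMAccountName=svc-backup-old))"),
    QueryEvent("ws-0907", "powershell.exe", "LDAP", "(userPrincipalName=adm-legacy@corp.example)"),
    QueryEvent("srv-app03", "app.exe", "LDAP", "(sAMAccountName=jsmith)"),
]

if __name__ == "__main__":
    for host, app, targeted, enum in rank_sources(SAMPLE_EVENTS):
        print(f"{host:10} {app:16} targeted={targeted} enumeration={enum}")
```

In the constructed sample the two `ws-0907` tools come out on top because they name a honeytoken directly, while the scanner and the inventory agent sit below them as pure enumerators; on real data the enumerators with the highest counts are the first place to look for the service behind a sudden flood of Honeytoken activity alerts.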
- DefenderAdmin
Brass Contributor
Jan 31, 2023
Thanks for your, let's say, support on that. 😉
For me, the honeytoken functionality has become useless as it is right now. That is very sad, because honeytoken alerts were one of the alerts that popped up when we did internal penetration tests and they were(!) always accurate. Now, in our case, they are useless 😞
- DefenderAdmin
Brass Contributor
Jan 28, 2023
I didn't take a deep dive into that case yet. We currently have hundreds of clients triggering the alert; I'll have to try to find similarities. Like you said, some sort of software might cause that issue, so we'll have to find those LDAP and SAMR queries then... maybe I'll also try some debugging by using Wireshark and looking for LDAP network queries etc.
For now, I got an answer, and now it's my turn to find out what exactly is causing these queries.
- Jacampbell
Microsoft
Jan 27, 2023
I am on the MDI team. I work EST hours. If you open a ticket you can request my assistance by putting my email in the case summary. Jacampbell@microsoft.com
I believe this is a deeper issue and I need another support ticket to show that. Please humor me, open a support ticket, and request to work with me. Jacampbell@microsoft.com / Microsoft Defender for Identity / Threat Analytics