Forum Discussion
DefenderAdmin
Nov 29, 2022, Brass Contributor
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" since 23.11.2022, starting in the evening (MET timezone). Normally, in the past, this kind of alert only appeared during planned penetration tests and ...
Jacampbell
Microsoft
Jan 27, 2023
So LDAP and SAMR detections were added to the Honeytoken tagged entities.
Points to note with this:
- There will never be a false positive scenario for the honey token despite that being an option under the manage alert drop down in M365.
- We cannot exclude the device for this Honeytoken activity
Please review EVERY tool that is associated with LDAP and SAMR and queries users. If any tool or service queries a Honeytoken tagged account, it will create an activity. So based on the frequency of your activity, you should be able to narrow down what service/tool is querying the users on these trusted domains. Does any service/tool come to mind?
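One way to do the narrowing-down described in the reply above, as an added example that is not part of the thread or of Defender for Identity itself: group every LDAP/SAMR query against the honeytoken account by source device, querying account and protocol, then look at how regular the gaps between hits are. A scheduled scanner or agent hits the account at a fixed period, so its coefficient of variation (stdev/mean of the gaps) sits near zero, while an interactive `net user /domain` or an analyst's lookup is irregular. The records, the field names (`DeviceName`, `AccountName`, `Protocol`, `TargetAccountName`) and the account name `svc-backup-old` are all constructed for the example; in practice you would feed exported query events in the same shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

HONEYTOKEN = "svc-backup-old"  # assumed honeytoken account name (not from the thread)


def make_events(start, step, count, device, account, protocol, target=HONEYTOKEN):
    """Constructed query events: one source hitting `target` every `step`."""
    return [
        {"Timestamp": start + i * step, "DeviceName": device,
         "AccountName": account, "Protocol": protocol, "TargetAccountName": target}
        for i in range(count)
    ]


T0 = datetime(2022, 11, 23, 18, 0)  # "starting in the evening" in the original post

# Constructed sample, not real telemetry: a half-hourly LDAP poller, an hourly
# SAMR scanner, a few irregular interactive lookups, and queries against an
# unrelated account that must be ignored.
SAMPLE_EVENTS = (
    make_events(T0 + timedelta(minutes=7), timedelta(minutes=30), 20,
                "tanium01", "svc-tanium", "Ldap")
    + make_events(T0, timedelta(hours=1), 12, "vscan01", "svc-vulnscan", "Samr")
    + [dict(Timestamp=T0 + timedelta(minutes=m), DeviceName="ws42", AccountName="jdoe",
            Protocol="Ldap", TargetAccountName=HONEYTOKEN) for m in (3, 41, 122, 130)]
    + make_events(T0, timedelta(hours=2), 4, "ws42", "jdoe", "Ldap", target="svc-sql")
)


def rank_sources(events, honeytoken=HONEYTOKEN, max_cv=0.1, min_hits=3):
    """Group queries against `honeytoken` by (device, account, protocol) and
    score how regular each source's timing is.  A coefficient of variation
    (stdev/mean of the gaps between hits) near zero points at a scheduled
    tool; one-off or human-driven lookups are irregular."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["TargetAccountName"] != honeytoken:
            continue  # only the tagged account matters for this alert
        buckets[(ev["DeviceName"], ev["AccountName"], ev["Protocol"])].append(ev["Timestamp"])

    rows = []
    for (device, account, protocol), stamps in buckets.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps) if gaps else None          # average seconds between hits
        cv = (pstdev(gaps) / period) if gaps and period else None
        rows.append({
            "device": device, "account": account, "protocol": protocol,
            "hits": len(stamps), "first": stamps[0], "last": stamps[-1],
            "period_s": period, "cv": cv,
            "likely_automated": len(stamps) >= min_hits and cv is not None and cv <= max_cv,
        })
    rows.sort(key=lambda r: (-r["hits"], r["device"]))  # noisiest source first
    return rows


if __name__ == "__main__":
    for r in rank_sources(SAMPLE_EVENTS):
        print(f"{r['device']:9} {r['account']:13} {r['protocol']:5} hits={r['hits']:3} "
              f"period_s={r['period_s']} cv={r['cv']} automated={r['likely_automated']}")
```

The top rows with a period and a near-zero `cv` are the scanners and agents to go and check; the `protocol` column tells you whether the source is using LDAP or SAMR, which is what the reply asks you to enumerate.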
waydaws
Jan 30, 2023, Copper Contributor
This change moves honeytoken accounts from something that one knew was unlikely to be a false positive to something which will have many false positives, going by the SAM-R and LDAP alerts that are populated by vulnerability scanners, products like Tanium, and users that use the /domain switch to the net command.
You already had reconnaissance alerts. The honeytoken accounts were for direct authentication attempts using them, which is the traditional purpose for them. I can't see a good reason to do this.