Forum Discussion
Honeytoken alerts FP
- There will never be a false positive scenario for the honeytoken, despite that being an option under the Manage alert drop-down in M365.
- We cannot exclude the device for this Honeytoken activity
This change moves honeytoken accounts from something that one knew was unlikely to be a false positive to one which will have many false positives, going by the SAM-R and LDAP alerts that are populated by vulnerability scanners, products like Tanium, and users who use the /domain switch with the net command.
You already had reconnaissance alerts. The honeytoken accounts were for direct authentication attempts using them, which is the traditional purpose for them. I can't see a good reason to do this.
DefenderAdmin, Jan 30, 2023 (Brass Contributor):
Thanks for your, let's say, support on that. 😉
For me, the honeytoken functionality has become useless as it is right now. That is very sad, because honeytoken alerts were one of the alerts that popped up when we did internal penetration tests and they were(!) always accurate. Now, in our case, they are useless 😞

Daniel Naim, Jan 31, 2023 (Former Employee):
MDI will only trigger an alert when a honeytoken is specifically being scanned. Scanning identities specifically shouldn't ever be the case, as this should act as a honeypot. Even for vulnerability scanners.
If that's not the case (for example, triggering an alert on domain-wide queries) I'd love to know.
Having said that, we are splitting the honeytoken alerts to different alerts, so they will be able to exclude the honeytoken specifically from query alert. Let me know if they want us to jump on a call and show that live.
The alerts will be (names can change in the GA release):
- Honeytoken was queried
- Honeytoken group membership change
- Honeytoken logon attempts
- Honeytoken attribute change
MichaelG666, Feb 03, 2023 (Brass Contributor):
Daniel Naim, our Lansweeper server is generating these false positive honeytoken alerts every time it does a regular "domain wide" full AD scan, which happens 3 times a day:
This started on November 30th and there is no way to exclude the Lansweeper server from setting off that alert. This essentially made the honeytoken alert completely useless and we are forced to turn it off. So by introducing this new "feature" (really a bug), you made it completely useless for the majority of your customers. How can I whitelist this particular query from this particular server (using a specific service account)?
This is not a query specifically for the honeytoken account - this is a domain wide query. It's easily reproducible by installing a trial of Lansweeper and doing a general AD scan like pictured in the screenshot. We have the same issue with the Netwrix Auditor software. It's generating a false positive alert every time it does a domain wide query.
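The distinction the two sides of this thread argue over (a query that names the honeytoken account, versus a domain-wide LDAP or SAM-R enumeration that merely returns it, as the Lansweeper and Netwrix scans described above do) can be made concrete in code. The following is an added example, not code from this thread and not Microsoft's: MDI's own matching logic is not public, so this is a hypothetical triage sketch. Every host name, account name, honeytoken name and event in it is constructed for illustration.

```python
"""Triage of directory queries that touch a honeytoken account.

Added example, not Microsoft Defender for Identity code. It separates a query
that names the honeytoken (the classic honeytoken signal, alert unconditionally)
from a domain-wide enumeration that happens to include it (the scanner case),
and lets only the latter be suppressed for registered scanner accounts.
"""
import re
from dataclasses import dataclass

# Constructed honeytoken sAMAccountNames (assumption: nobody should ever look these up).
HONEYTOKENS = {"svc-backup-legacy", "adm-fileshare-old"}
# Constructed (source host, querying account) pairs whose full AD scans are expected.
DOMAIN_SCAN_ALLOWLIST = {("lansweeper01", "svc-lansweeper"),
                         ("netwrix01", "svc-netwrix")}
# LDAP attributes through which a filter can single out one account.
NAME_ATTRS = {"samaccountname", "cn", "name", "userprincipalname", "distinguishedname"}
# Simple equality assertions inside an LDAP filter: (attr=value)
EQUALITY = re.compile(r"\(\s*([A-Za-z0-9-]+)\s*=\s*([^()]*?)\s*\)")


@dataclass(frozen=True)
class QueryEvent:
    source_host: str
    account: str
    protocol: str   # "LDAP" or "SAMR"
    target: str     # LDAP search filter, or SAM-R lookup name ("*" = enumerate all)


def _normalize(attr, value):
    """Reduce a name-bearing attribute value to a bare account name."""
    value = value.strip().lower()
    if attr == "userprincipalname":
        return value.split("@", 1)[0]
    if attr == "distinguishedname":
        m = re.match(r"cn=([^,]+)", value)
        return m.group(1) if m else value
    return value


def honeytokens_named_by_filter(ldap_filter, honeytokens=HONEYTOKENS):
    """Return the honeytoken names an LDAP filter asserts literal equality on.

    Wildcards do not count: '(sAMAccountName=*)' is an enumeration that merely
    includes the honeytoken, which is exactly the false-positive case.
    """
    hits = set()
    for attr, value in EQUALITY.findall(ldap_filter):
        attr = attr.lower()
        if attr not in NAME_ATTRS or "*" in value:
            continue
        if _normalize(attr, value) in honeytokens:
            hits.add(_normalize(attr, value))
    return hits


def classify(event, honeytokens=HONEYTOKENS, allowlist=DOMAIN_SCAN_ALLOWLIST):
    """'targeted'   - the query names a honeytoken: alert, never suppressible.
       'broad'      - domain-wide enumeration from an unregistered source: review.
       'suppressed' - domain-wide enumeration from an allowlisted scanner.
       'benign'     - names some other account, touches no honeytoken."""
    if event.protocol == "LDAP":
        if honeytokens_named_by_filter(event.target, honeytokens):
            return "targeted"
        names_someone = any(a.lower() in NAME_ATTRS and "*" not in v
                            for a, v in EQUALITY.findall(event.target))
        broad = not names_someone
    elif event.protocol == "SAMR":
        if event.target.lower() in honeytokens:
            return "targeted"
        broad = event.target == "*"
    else:
        raise ValueError("unknown protocol %r" % event.protocol)
    if not broad:
        return "benign"
    key = (event.source_host.lower(), event.account.lower())
    return "suppressed" if key in allowlist else "broad"


# Constructed sample events standing in for what a query log would contain.
SAMPLE_EVENTS = [
    # Registered scanner doing a full AD scan: returns the honeytoken among everyone.
    QueryEvent("lansweeper01", "svc-lansweeper", "LDAP", "(&(objectCategory=person)(objectClass=user))"),
    # Same enumeration from an unregistered workstation: still broad, not suppressed.
    QueryEvent("wks-4471", "jdoe", "LDAP", "(sAMAccountName=*)"),
    # Lookup that names the honeytoken: the classic signal.
    QueryEvent("wks-4471", "jdoe", "LDAP", "(sAMAccountName=svc-backup-legacy)"),
    # 'net user svc-backup-legacy /domain' -> SAM-R lookup of one name.
    QueryEvent("wks-4471", "jdoe", "SAMR", "svc-backup-legacy"),
    # 'net user /domain' -> SAM-R enumeration of every account.
    QueryEvent("wks-4471", "jdoe", "SAMR", "*"),
    # Ordinary lookup of a real user: no honeytoken involved.
    QueryEvent("wks-0912", "asmith", "LDAP", "(userPrincipalName=asmith@corp.example)"),
    # Honeytoken named via UPN from an allowlisted scanner: the allowlist covers
    # only domain-wide scans, so a compromised scanner account still alerts.
    QueryEvent("lansweeper01", "svc-lansweeper", "LDAP", "(userPrincipalName=adm-fileshare-old@corp.example)"),
]


def triage(events=SAMPLE_EVENTS):
    """Verdict per event, in input order."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, triage()):
        print("%-10s %-5s %-55s %s" % (e.source_host, e.protocol, e.target, verdict))
```

The design point is the last sample event: the allowlist keyed on (host, account) suppresses only the domain-wide verdict, so a scanner service account that starts asking for the honeytoken by name still produces a "targeted" alert. That is the property the thread asks for when it wants to exclude a Lansweeper or Netwrix server from the query alert without losing the signal for direct use of the account.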