Forum Discussion
No Honeytoken Activity on DC login?
EliOfek, yes, but there is no change.
Can you confirm that on your side Honeytoken activity is being generated when Honeytoken accounts are being used to login to Domain Controllers?
CloudMe, I just confirmed that in case of a local Kerberos login, we won't see it as there is no network traffic for it...
- CloudMe, Oct 26, 2019, Copper Contributor
EliOfek, thank you for looking into it.
Is there any plan to monitor these local DC events by the ATP agent?
It's a bit strange that we will receive an alert once a HoneyToken activity occurs on a regular Windows client, but will see nothing if, for example, the HoneyToken account connects by RDP to a Domain Controller.
- EliOfek, Oct 26, 2019, Microsoft
CloudMe, I am pretty sure connecting via RDP will alert as the authentication is over network.
You mentioned a local login, which is different.
+ Tali Ash
- CloudMe, Oct 27, 2019, Copper Contributor
Testing on my side did not show any HoneyToken activity when connecting by RDP to a DC.
It makes sense as everything is happening over the encrypted RDP channel and there is no need for the RDP server (DC) to authenticate the credentials over the network.
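
Added example (not part of the thread and not Microsoft's code): one way to cover the gap discussed above is to read the Domain Controller's own Security log for successful logons (event 4624) by honeytoken accounts, since those events are written locally whether or not any authentication traffic crosses the network. The account name `honey-admin` is a placeholder, and the script assumes logon auditing is enabled and that it runs elevated on the DC.

```powershell
# Assumption: placeholder honeytoken account names; replace with your own.
$HoneytokenAccounts = @('honey-admin')

# Logon types of interest on a DC console or RDP session.
# 2 = interactive (console), 7 = unlock, 10 = remote interactive (RDP),
# 11 = cached interactive.
$LogonTypes = @{
    2  = 'Interactive'
    7  = 'Unlock'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

# Limit the search window; 4624 is very noisy on a Domain Controller.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-1)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        $type = [int]$data['LogonType']

        # -contains is case-insensitive, matching how account names compare.
        if ($HoneytokenAccounts -contains $data['TargetUserName'] -and
            $LogonTypes.ContainsKey($type)) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $LogonTypes[$type]
                SourceIp    = $data['IpAddress']
            }
        }
    }
```

Any row returned is a honeytoken logon recorded on the DC itself; forwarding the same filter to a SIEM or scheduled task turns it into an alert.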