Forum Discussion

Copper Contributor

Oct 13, 2019

Solved

No Honeytoken Activity on DC login ?

Hi, I have noticed that i do not receive an alert when logging to a Domain Controller with a Honeytoken account. Is that the normal behavior? (I do receive them on workstation logon..) Thank...

EliOfek
Oct 23, 2019
CloudMe , I just confirmed that in case of a local kerberos login, we won't see it as there is no network traffic for it...

CloudMe

Copper Contributor

Oct 26, 2019

EliOfek , Thank you for looking into it.

Is there any plan to monitor these local DC events by the ATP agent?

Its a bit strange that we will receive an Alert once a HoneyToken activity occurs on a regular windows client, But will see nothing if for example The HoneyToken account connects by RDP to a Domain Controller.

EliOfek

Microsoft

Oct 26, 2019

CloudMe , I am pretty sure connecting via RDP will alert as the authentication is over network.

you mentioned a local login, which is different.

+ Tali Ash

CloudMe
Copper Contributor
Nov 20, 2019
EliOfek

It is indeed working now using the 2.100. version of the sensor.

Thank you.
EliOfek
Microsoft
Nov 17, 2019
CloudMe

We tested this in our lab.

Logging with a honeytoken to the DC via RDP from another machine, triggers the alert.

Logging in locally from the console of the DC does not trigger the alert (as expected).

Test procedure:

Administrator in taged as honey token

log in to client machine with a simple user account

mstsc -v dc1 [and then input administrator credentials]

honey token SA had triggered

Are you doing anything different on the way you open the RDP session ?
CloudMe
Copper Contributor
Oct 27, 2019
EliOfek , @Tali Ash

Testing on my side did not show any HoneyToken activity when connecting by RDP to a DC.
It makes sense as everything is happening over the encrypted RDP channel and there is no need for the rdp-server(DC) to authenticate the credentials over the network.