Any honeytoken program thoughts to share?

I am looking to utilize the MDI honeytoken feature and am looking for any suggestions.

In terms of enticement or effort to minimize suspicion, here are my initial thoughts, but I am certainly open to any input.

  • How many
  • Type (person, computer, service, resource)
  • Permissions
  • Location
  • Create date
  • Logon count/last logon (automation opportunity)
  • Group membership
  • Title/description
  • Mail enabled?

Thanks in advance for your considerations!

4 Replies

@MarshMadness You should configure your honeytoken account in the same manner as your other privileged accounts. Same naming convention, same OU, etc. The account should never be used to log on. If assigning domain admin or other privileges, make sure to use long complex passwords and have mitigation in place or be prepared to respond in the event of any alerts. It depends on the size of your organization and domain, but I would suggest starting with a single account so as to not be overexposed. You have to take into account all of your existing privileged accounts, which, while real and in use, are also targets for attackers and contribute to your attack surface.

@edinili84 TYVM for your input.

You should create as many honeytoken users and devices to make them spread around interesting OUs in AD. I suggest that you give honeytoken users the same permissions and group memberships as other users in the specific OU have, but be sure to be able to respond to honeytoken alerts quickly in that case.

When testing honeytoken users and devices I ran into an issue. The alert was triggered only when the honeytoken user or the device made an action and not when I did reconnaissance on the device or user. For example, when I tried to authenticate using a honeytoken user and a wrong password, the alert was not triggered.
This got me thinking about how an adversary would even get access to a honeytoken user/device. If a honeytoken user is not logged on to any computer, it is possible to get its password hash only from the DC, from the ntds.dit file, which you need domain admin privileges to access. From this conclusion, honeytokens are not very useful...

Did you have other experience when testing honeytokens, or do you have other opinions or ideas for their usage?
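
The last reply reports that a failed authentication with the honeytoken user raised no alert. One way to cover that case separately is to watch domain controller Security events for any authentication attempt that names a decoy account. This is an added example, not part of the thread and not MDI's own logic; the account names, the sample records and the two helper function names are hypothetical.

```powershell
# Hypothetical honeytoken sAMAccountNames; replace with your own decoys.
$HoneytokenAccounts = @('adm-jwalker', 'svc-backup02')

# DC Security events that record an authentication attempt against an account,
# including attempts that fail before the account performs any action.
$AuthEventIds = @{
    4625 = 'Failed logon'
    4768 = 'Kerberos TGT requested'
    4771 = 'Kerberos pre-authentication failed'
    4776 = 'NTLM credential validation'
}

# Flatten a Get-WinEvent record into the fields the matcher needs.
function ConvertTo-AuthRecord($Record) {
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Record.TimeCreated
        Id             = $Record.Id
        TargetUserName = $data['TargetUserName']
        Source         = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
    }
}

function Find-HoneytokenAuthAttempt {
    param([object[]]$Records, [string[]]$Accounts)
    foreach ($r in $Records) {
        if (-not $AuthEventIds.ContainsKey([int]$r.Id)) { continue }
        # Drop a DOMAIN\ prefix or @realm suffix; -contains is case-insensitive.
        $name = ($r.TargetUserName -replace '^.*\\', '') -replace '@.*$', ''
        if ($Accounts -contains $name) {
            [pscustomobject]@{
                TimeCreated = $r.TimeCreated; EventId = $r.Id
                Meaning = $AuthEventIds[[int]$r.Id]; Account = $name; Source = $r.Source
            }
        }
    }
}

# Constructed sample records (not real log data), already flattened.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2021-02-20 09:14:02'; Id = 4771; TargetUserName = 'jsmith'; Source = '10.0.4.21' }
    [pscustomobject]@{ TimeCreated = '2021-02-20 09:15:40'; Id = 4771; TargetUserName = 'adm-jwalker'; Source = '10.0.4.57' }
    [pscustomobject]@{ TimeCreated = '2021-02-20 09:15:44'; Id = 4776; TargetUserName = 'CONTOSO\svc-backup02'; Source = 'WKS-0142' }
    [pscustomobject]@{ TimeCreated = '2021-02-20 09:16:10'; Id = 4662; TargetUserName = 'adm-jwalker'; Source = '10.0.4.57' }
)
Find-HoneytokenAuthAttempt -Records $sample -Accounts $HoneytokenAccounts | Format-Table -AutoSize

# Live use on a domain controller (the matching audit policies must be enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625,4768,4771,4776 } |
#     ForEach-Object { ConvertTo-AuthRecord $_ }
```

Because the account should never be used to log on, every match is worth triage, including the failed attempts.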