Forum Discussion
CloudMe
Oct 13, 2019
Copper Contributor
No Honeytoken Activity on DC login?
Hi, I have noticed that I do not receive an alert when logging in to a Domain Controller with a Honeytoken account. Is that the normal behavior? (I do receive them on workstation logon.) Thank...
CloudMe
Oct 26, 2019
Copper Contributor
Testing on my side did not show any HoneyToken activity when connecting by RDP to a DC.
It makes sense, as everything is happening over the encrypted RDP channel and there is no need for the RDP server (DC) to authenticate the credentials over the network.
EliOfek
Microsoft
Nov 17, 2019
We tested this in our lab.
Logging in with a honeytoken to the DC via RDP from another machine triggers the alert.
Logging in locally from the console of the DC does not trigger the alert (as expected).
Test procedure:
Administrator is tagged as honeytoken
Log in to client machine with a simple user account
mstsc -v dc1 [and then input administrator credentials]
Honeytoken SA was triggered
Are you doing anything different in the way you open the RDP session?