Microsoft Tech Community

No Honeytoken Activity on DC login ?

Copper Contributor



I have noticed that I do not receive an alert when logging in to a Domain Controller with a Honeytoken account.

Is that the normal behavior? (I do receive them on workstation logon.)


Thank You.

10 Replies

@CloudMe , This is a  for a DC that is being monitored by a Sensor/ Gateway?

Are you using ATA or AATP?

Were proper events turned on as recommended in the docs?


@Eli Ofek 


It's a sensor-monitored DC using AATP with audit events enabled according to this document:


@Eli Ofek Yes, but there is no change.

Can you confirm that on your side Honeytoken activity is being generated when Honeytoken accounts are being used to login to Domain Controllers?


best response confirmed by CloudMe (Copper Contributor)

@CloudMe , I just confirmed that in case of a local Kerberos login, we won't see it as there is no network traffic for it...

@Eli Ofek , Thank you for looking into it.


Is there any plan to monitor these local DC events by the ATP agent?

It's a bit strange that we will receive an alert once a HoneyToken activity occurs on a regular Windows client, but will see nothing if, for example, the HoneyToken account connects by RDP to a Domain Controller.


@CloudMe , I am pretty sure connecting via RDP will alert as the authentication is over the network.

You mentioned a local login, which is different.

@Tali Ash  

@Eli Ofek , @Tali Ash 


Testing on my side did not show any HoneyToken activity when connecting by RDP to a DC.

It makes sense as everything is happening over the encrypted RDP channel and there is no need for the RDP server (DC) to authenticate the credentials over the network.



We tested this in our lab.

Logging in with a honeytoken to the DC via RDP from another machine triggers the alert.

Logging in locally from the console of the DC does not trigger the alert (as expected).


Test procedure:

Administrator is tagged as honeytoken
Log in to a client machine with a simple user account
mstsc -v dc1 [and then input administrator credentials]
Honeytoken SA was triggered
Are you doing anything different in the way you open the RDP session?
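The gap the thread settles on is that the sensor only sees logons that produce network authentication traffic, so a console logon on the DC itself never alerts. As an added example (not code from the thread or from Microsoft), the check below reads constructed Security-log 4624 events and separates honeytoken logons the sensor would see (network or RDP from another host) from console logons that only the DC's own event log records; the honeytoken account names and the flattened event format are assumptions.

```python
# Added example: triage honeytoken logons from the DC's own Security log.
# Honeytoken names and the key=value event rendering below are constructed.
from dataclasses import dataclass

HONEYTOKENS = {"administrator", "svc_backup_old"}   # assumed honeytoken names

# Well-known 4624 logon type codes relevant here.
LOGON_TYPE = {2: "Interactive (console)", 3: "Network",
              7: "Unlock", 10: "RemoteInteractive (RDP)"}


@dataclass
class Finding:
    account: str
    logon_type: int
    source_ip: str
    local_only: bool   # True: no network auth traffic, so the sensor cannot see it


def parse_4624(line: str) -> dict:
    """Parse one flattened 'key=value;key=value' event line (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def check_events(lines):
    """Return a Finding for every successful logon (4624) by a honeytoken account."""
    findings = []
    for line in lines:
        ev = parse_4624(line)
        if ev.get("EventID") != "4624":
            continue                      # failures (4625) are not covered here
        if ev["TargetUserName"].lower() not in HONEYTOKENS:
            continue
        lt = ev["LogonType"]
        ip = ev.get("IpAddress", "-")
        # Console and unlock logons on the DC never cross the wire; network and
        # RDP logons from another host do, which is what the sensor alerts on.
        local_only = lt in (2, 7) or ip in ("-", "127.0.0.1", "::1")
        findings.append(Finding(ev["TargetUserName"], lt, ip, local_only))
    return findings


SAMPLE_LOG = [  # constructed sample events, not real log data
    "EventID=4624;TargetUserName=Administrator;LogonType=2;IpAddress=-",
    "EventID=4624;TargetUserName=Administrator;LogonType=10;IpAddress=10.0.0.25",
    "EventID=4624;TargetUserName=jdoe;LogonType=10;IpAddress=10.0.0.25",
    "EventID=4625;TargetUserName=Administrator;LogonType=2;IpAddress=-",
]

if __name__ == "__main__":
    for f in check_events(SAMPLE_LOG):
        print(f, LOGON_TYPE.get(f.logon_type, "other"))
```

Findings with local_only set are the ones a defender needs to forward from the DC's event log, since no sensor alert will be raised for them.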

@Eli Ofek 


It is indeed working now using the 2.100. version of the sensor.


Thank you.