Oct 13 2019 03:06 AM - edited Oct 13 2019 11:11 PM
Hi,
I have noticed that I do not receive an alert when logging on to a Domain Controller with a Honeytoken account.
Is that the normal behavior? (I do receive them on workstation logon.)
Thank You.
Oct 13 2019 01:57 PM
@CloudMe, is this for a DC that is being monitored by a Sensor/Gateway?
Are you using ATA or AATP?
Were proper events turned on as recommended in the docs?
Oct 14 2019 03:59 PM
It's a sensor-monitored DC using AATP with audit events enabled according to this document:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-advanced-audit-policy
Oct 15 2019 01:32 PM
@CloudMe, did you enable all the event IDs that are mentioned here?
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection
Oct 16 2019 08:55 AM
@EliOfek Yes, but there is no change.
Can you confirm that on your side Honeytoken activity is being generated when Honeytoken accounts are being used to login to Domain Controllers?
Oct 23 2019 12:46 AM
Solution
@CloudMe, I just confirmed that in the case of a local Kerberos login, we won't see it, as there is no network traffic for it...
Oct 26 2019 10:11 AM - edited Oct 26 2019 09:24 PM
@EliOfek, thank you for looking into it.
Is there any plan to monitor these local DC events by the ATP agent?
It's a bit strange that we will receive an alert once a HoneyToken activity occurs on a regular Windows client, but will see nothing if, for example, the HoneyToken account connects by RDP to a Domain Controller.
Nov 17 2019 06:31 AM
We tested this in our lab.
Logging on with a honeytoken to the DC via RDP from another machine triggers the alert.
Logging on locally from the console of the DC does not trigger the alert (as expected).
Test procedure:
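The thread's conclusion is that the network sensor cannot see a console logon on the DC because no Kerberos traffic leaves the box, so the only signal for that case is the DC's own Security log. The script below is an added example (not code from the thread, from Microsoft, or from the AATP product) of a supplementary host-side check a defender could run over exported Security events to cover that gap. It assumes events have been flattened into one `Field="Value"` line per event (a constructed format, not the native Windows XML), that the honeytoken account names are known, and it uses the standard event 4624/4625 logon type codes (2 = Interactive console, 3 = Network, 10 = RemoteInteractive/RDP). The account name and sample events are constructed.

```python
"""Supplementary honeytoken-logon detection over DC Security events (added example).

Assumptions, not taken from the thread:
- events were exported from the DC Security log into flat lines of Field="Value" pairs;
- the set of honeytoken account names is known to the defender;
- logon type codes follow the standard 4624/4625 meaning (2 console, 3 network, 10 RDP).
"""
import re
from dataclasses import dataclass

# Constructed honeytoken account name; compared case-insensitively.
HONEYTOKEN_ACCOUNTS = {"svc-backup-ht"}

# Standard Windows logon type codes used in events 4624 / 4625.
LOGON_TYPE_NAMES = {
    "2": "Interactive (console)",
    "3": "Network",
    "10": "RemoteInteractive (RDP)",
}

# Logon types that produce no authentication traffic on the wire when they
# happen on the DC itself, so a network sensor has nothing to parse.
HOST_ONLY_LOGON_TYPES = {"2"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Alert:
    event_id: str
    computer: str
    account: str
    logon_type: str
    source_ip: str
    network_visible: bool
    note: str


def parse_event(line: str) -> dict:
    """Turn one Field="Value" line into a dict (constructed flat format)."""
    return dict(FIELD_RE.findall(line))


def detect(lines) -> list:
    """Return an Alert for every successful (4624) or failed (4625) logon
    that targets a honeytoken account. Any use of a honeytoken is suspicious,
    so failures are reported as well as successes."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID", "")
        if event_id not in ("4624", "4625"):
            continue
        account = ev.get("TargetUserName", "").lower()
        if account not in HONEYTOKEN_ACCOUNTS:
            continue
        logon_type = ev.get("LogonType", "")
        network_visible = logon_type not in HOST_ONLY_LOGON_TYPES
        outcome = "successful" if event_id == "4624" else "failed"
        kind = LOGON_TYPE_NAMES.get(logon_type, f"type {logon_type}")
        if network_visible:
            note = f"{outcome} {kind} logon; network sensor should also alert"
        else:
            note = f"{outcome} {kind} logon; host log is the only signal"
        alerts.append(Alert(
            event_id=event_id,
            computer=ev.get("Computer", ""),
            account=account,
            logon_type=logon_type,
            source_ip=ev.get("IpAddress", "-"),
            network_visible=network_visible,
            note=note,
        ))
    return alerts


# Constructed sample events: console logon, RDP logon, an unrelated user,
# and a failed console attempt with the honeytoken account.
SAMPLE_EVENTS = [
    'EventID="4624" Computer="DC01" TargetUserName="svc-backup-ht" LogonType="2" IpAddress="-"',
    'EventID="4624" Computer="DC01" TargetUserName="svc-backup-ht" LogonType="10" IpAddress="10.0.0.25"',
    'EventID="4624" Computer="DC01" TargetUserName="alice" LogonType="10" IpAddress="10.0.0.30"',
    'EventID="4625" Computer="DC01" TargetUserName="SVC-BACKUP-HT" LogonType="2" IpAddress="-"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.computer}] {alert.account} from {alert.source_ip}: {alert.note}")
```

The `network_visible` flag is the point of the example: an RDP logon to the DC (type 10) produces traffic the sensor parses, matching the lab result in this post, while a console logon (type 2) does not, so a host-side rule like this one is what closes the gap rather than a sensor-side change.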