SOLVED

No Honeytoken Activity on DC login ?


Hi,


I have noticed that I do not receive an alert when logging in to a Domain Controller with a Honeytoken account.

Is that the normal behavior? (I do receive them on workstation logon..)


Thank You.

10 Replies

@CloudMe, this is a for a DC that is being monitored by a Sensor/Gateway?

Are you using ATA or AATP?

Were proper events turned on as recommended in the docs?


@Eli Ofek 


It's a sensor-monitored DC using AATP with audit events enabled according to this document:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-advanced-audit-policy


@Eli Ofek Yes, but there is no change.

Can you confirm that on your side Honeytoken activity is being generated when Honeytoken accounts are used to log in to Domain Controllers?

Best Response confirmed by CloudMe (Occasional Contributor)
Solution

@CloudMe, I just confirmed that in case of a local Kerberos login, we won't see it as there is no network traffic for it...


@Eli Ofek, thank you for looking into it.


Is there any plan to monitor these local DC events with the ATP agent?

It's a bit strange that we will receive an alert once HoneyToken activity occurs on a regular Windows client, but will see nothing if, for example, the HoneyToken account connects by RDP to a Domain Controller.


@CloudMe, I am pretty sure connecting via RDP will alert, as the authentication is over the network.

You mentioned a local login, which is different.

+ @Tali Ash


@Eli Ofek, @Tali Ash


Testing on my side did not show any HoneyToken activity when connecting by RDP to a DC.

It makes sense, as everything is happening over the encrypted RDP channel and there is no need for the RDP server (DC) to authenticate the credentials over the network.


@CloudMe 

We tested this in our lab.

Logging in with a honeytoken to the DC via RDP from another machine triggers the alert.

Logging in locally from the console of the DC does not trigger the alert (as expected).


Test procedure:

Administrator is tagged as honey token
log in to client machine with a simple user account
mstsc -v dc1 [and then input administrator credentials]
honey token SA had triggered

Are you doing anything different in the way you open the RDP session?
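The thread establishes two things: a console logon on the DC with the honeytoken account produces no network traffic, so the sensor cannot alert on it, while an RDP logon from another machine (the mstsc test above) does alert. As an added example, not from this thread or from Microsoft, the following PowerShell script is a compensating check that reads the DC's own Security log for successful logons (event 4624) by honeytoken accounts, so that console logons the sensor cannot see are still surfaced. It assumes the Logon auditing from the advanced audit policy document linked earlier is enabled, that it runs on the DC or with rights to read its Security log remotely, and that the account names passed in are placeholders for your real honeytoken accounts.

```powershell
# Added example (not from the thread or from Microsoft): list 4624 logons on a DC
# for honeytoken accounts, including console logons that generate no network traffic.
# Assumptions: Audit Logon is enabled on the DC, the caller can read its Security log,
# and -HoneytokenAccounts holds placeholder names to be replaced with the real ones.
param(
    [string[]]$HoneytokenAccounts = @('honeytoken-admin'),   # placeholder account names
    [int]$LookbackHours = 24,
    [string]$ComputerName = $env:COMPUTERNAME                 # the DC to query
)

# Logon types relevant to the discussion: 2 is the console logon the sensor misses,
# 10 is the RDP logon the thread confirms does alert.
$logonTypes = @{
    '2'  = 'Interactive (console)'
    '3'  = 'Network'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive (RDP)'
    '11' = 'CachedInteractive'
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }

# Get-WinEvent returns nothing (and a non-terminating error) when no events match.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($HoneytokenAccounts -contains $data['TargetUserName']) {
        $type = $data['LogonType']
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = if ($logonTypes.ContainsKey($type)) { "$type - $($logonTypes[$type])" } else { $type }
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Computer    = $e.MachineName
        }
    }
}

if ($hits) {
    Write-Warning "Honeytoken account logon(s) recorded on $ComputerName in the last $LookbackHours hours:"
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No honeytoken account logons recorded on $ComputerName in the last $LookbackHours hours."
}
```

Run it periodically on each DC (or forward 4624 to a collector and apply the same filter there); a hit with logon type 2 is exactly the case the accepted answer says the sensor cannot observe, while a type 10 hit should line up with a honeytoken alert in the portal and can be used to confirm the sensor is working after an upgrade.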

@Eli Ofek 


It is indeed working now using the 2.100 version of the sensor.


Thank you.