Active Directory Honey Tokens

A common tactic attackers use is to enumerate information from Active Directory. One way of detecting tools such as BloodHound is to insert Honey Users into Active Directory, and to generate a SIEM alerts if these accounts are queried. An audit ACL can be configured to detect attackers enumerating these accounts.

Configure Group Policy Audit Settings

  • Use Group Policy Management editor to ensure object access is audited: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Set “Audit Object Access” to success
  • Run “auditpol /get /category:*” to ensure the audit policy is correct:
Administrator: Command Prompt 
"get 'category:• 
x 
ysten 
vat cn 
Security System Extension 
S cten Integrity 
Driver 
S yet en Events 
State 
go n 'Logof f 
gon 
Account Lockout 
c main "ode 
I Psec Quick Node 
1 Pcec Extended Mde 
Special 
Other Logon/Logoff Events 
Policy 
user Device C Iains 
b ect Access 
Systen 
Re g is t r 
db.iect 
Ke n e I 
Certification 
Application 
Handle hanipulation 
File 
Setting 
No Auditing 
e Failm 
No in 
Failm 
No 
NO 
Rudi t ing 
Audit ing 
Ruditin 
8 Failm 
Ruditing 
Suc ce ss 
Suc ce ss

Set User Audit Policy

  • Open Active Directory Users and Computers (ADUC), click “View” > “Enabled Advanced Features”
  • Using ADUC create an organisational unit for monitored users.
  • Right click on a user > Select “Properties” > “Security” > “Advanced” > “Auditing”Click “Add” > set Object Name to “Everyone”
  • Set the “List Contents” successful checkmark

Test Event Generation

Run Adfind to perform an LDAP lookup of users in the domain:

AdFind.exe -b dc=bordergate,dc=local -f "objectcategory=user" cn objectGUID
C:\Users\user.BORDERGATE\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image002.png

Check the event viewer on the DC. An 4662 audit event should have been generated, showing the source user performing enumeration:

C:\Users\user.BORDERGATE\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image003.png

This event can then be forwarded to a SIEM system to generate an alert.