# Deploying Active Directory Honeytokens

## Attached script: honeytoken deployment agent (Python)

The page carries a 53,930-byte Python attachment, the "Active Directory Honeytoken Deployment Agent", whose tail is reproduced below. The listing starts partway through `SIEMRuleGenerator._generate_sigma_rules`; the module imports, the `PowerShellGenerator` class and the constant tables the code references (`SERVICE_ACCOUNT_TEMPLATES`, `SPN_SERVICE_CLASSES`, `KERBEROS_ENCRYPTION`) sit above this excerpt and are not shown.

```python
    condition: selection and not filter_machine_accounts
falsepositives:
    - None expected - any match is suspicious
level: critical""",
            })

        # Rule 2: Logon attempt with GPO trap credentials.
        # 4625 is written on the host where the logon was attempted; the DC-side
        # evidence for a decoy account that does not exist is 4768 (result 0x6) or
        # 4776 (error 0xC0000064), so both are included. Sigma status must be one of
        # stable/test/experimental/deprecated/unsupported ("production" is invalid).
        if gpo_accounts:
            rule_id = str(uuid.uuid4())  # one id, shared by the dict and the YAML
            gpo_list = "\n".join(f"            - '{a}'" for a in gpo_accounts)
            rules.append({
                "title": "Honeytoken GPO Credential Use Detected",
                "id": rule_id,
                "status": "test",
                "level": "critical",
                "description": "Failed or successful logon using credentials from decoy GPO. "
                               "Attacker has harvested Group Policy Preference passwords.",
                "detection_logic": f"EventID IN (4624, 4625, 4768, 4776) AND TargetUserName IN {gpo_accounts}",
                "rule": f"""title: Honeytoken GPO Credential Use Detected
id: {rule_id}
status: test
level: critical
description: >
    Logon or authentication attempt using credentials planted in a decoy Group
    Policy Preference XML. The attacker has enumerated SYSVOL and decrypted the
    cpassword value.
references:
    - https://trustedsec.com/blog/weaponizing-group-policy-objects-access
author: Honeytoken Detection Agent
date: {datetime.utcnow().strftime('%Y/%m/%d')}
tags:
    - attack.credential_access
    - attack.t1552.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4624
            - 4625
            - 4768
            - 4776
        TargetUserName:
{gpo_list}
    condition: selection
falsepositives:
    - None expected
""",
            })

        # Rule 3: DACL access on honeytoken object.
        # 4662 only exists if the decoy carries a SACL entry for the access and the
        # "Audit Directory Service Access" subcategory is enabled on the DCs. ObjectName
        # is logged as a DN or as the objectGUID depending on the access path, so pass
        # both forms of each decoy in `accounts` if GUID-form events are expected.
        if accounts:
            rule_id = str(uuid.uuid4())
            # Built outside the f-string: a backslash inside an f-string expression is
            # a syntax error before Python 3.12.
            object_list = "\n".join(f"            - '{a}'" for a in accounts)
            rules.append({
                "title": "Honeytoken AD Object Accessed",
                "id": rule_id,
                "status": "test",
                "level": "high",
                "description": "Directory service read on honeytoken account DACL detected. "
                               "Indicates AD reconnaissance or enumeration.",
                "detection_logic": "EventID 4662 AND ObjectName contains honeytoken DN",
                "rule": f"""title: Honeytoken AD Object Accessed
id: {rule_id}
status: test
level: high
description: >
    A read operation was performed on a honeytoken AD object's DACL.
    This indicates Active Directory reconnaissance (BloodHound, ADRecon, etc).
references:
    - https://apt29a.blogspot.com/2019/11/deploying-honeytokens-in-active.html
author: Honeytoken Detection Agent
date: {datetime.utcnow().strftime('%Y/%m/%d')}
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectName|contains:
{object_list}
    condition: selection
falsepositives:
    - Legitimate AD administration tools
""",
            })

        return rules

    def _generate_splunk_rules(self, accounts: list[str],
                               spns: list[str],
                               gpo_accounts: list[str]) -> list[dict]:
        """Generate Splunk SPL detection queries.

        Field names assume the Splunk Add-on for Microsoft Windows with classic
        (non-XML) rendering: sourcetype WinEventLog:Security and fields such as
        Service_Name, Ticket_Encryption_Type, Client_Address and Account_Name.
        With renderXml=true the sourcetype is XmlWinEventLog:Security and the
        XML names apply (ServiceName, TicketEncryptionType, IpAddress, TargetUserName).
        """
        rules = []

        if accounts:
            account_filter = " OR ".join(f'Service_Name="{a}"' for a in accounts)
            rules.append({
                "title": "Honeytoken Kerberoast Detection (Splunk)",
                "detection_logic": f"EventCode=4769 AND ({account_filter})",
                "rule": f"""index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
    ({account_filter})
| eval ticket_type=case(
    Ticket_Encryption_Type=="0x17", "RC4-HMAC (weak)",
    Ticket_Encryption_Type=="0x12", "AES256",
    Ticket_Encryption_Type=="0x11", "AES128",
    true(), Ticket_Encryption_Type
)
| eval alert_severity="critical"
| eval alert_type="honeytoken_kerberoast"
| eval mitre_technique="T1558.003"
| table _time, src_ip, Account_Name, Service_Name, ticket_type, Client_Address
| sort - _time""",
            })

        if gpo_accounts:
            # Account_Name is multivalued on 4624/4625 (subject and target); the decoy
            # never appears as a subject, so a plain match is safe. 4776 carries the
            # account in Logon_Account instead.
            gpo_filter = " OR ".join(f'Account_Name="{a}" OR Logon_Account="{a}"' for a in gpo_accounts)
            rules.append({
                "title": "Honeytoken GPO Credential Use (Splunk)",
                "detection_logic": f"EventCode IN (4624,4625,4768,4776) AND ({gpo_filter})",
                "rule": f"""index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4625 OR EventCode=4768 OR EventCode=4776)
    ({gpo_filter})
| eval alert_severity="critical"
| eval alert_type="honeytoken_gpo_credential_use"
| eval mitre_technique="T1552.006"
| eval logon_result=if(EventCode=4624, "SUCCESS - INVESTIGATE IMMEDIATELY", "Failed")
| table _time, src_ip, Account_Name, Logon_Account, EventCode, logon_result, Logon_Type, Workstation_Name
| sort - _time""",
            })

        # Correlation rule: SYSVOL read of a GPP XML followed by decoy credential use.
        # 4663 (file object access) carries no client address, so it cannot be joined
        # to the authentication failure by src_ip. 5145 (detailed file share access)
        # records the share, the relative path and the client address, and is the
        # event to correlate on.
        if gpo_accounts:
            cred_filter = " OR ".join(f'Account_Name="{a}" OR Logon_Account="{a}"' for a in gpo_accounts)
            rules.append({
                "title": "Honeytoken Attack Chain: SYSVOL Enum + Credential Use (Splunk)",
                "detection_logic": "Correlation: EventCode 5145 (SYSVOL Groups.xml read) -> 4625/4768/4776 (failed auth)",
                "rule": f"""index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=5145 Share_Name="*SYSVOL*" Relative_Target_Name="*Groups.xml")
    OR ((EventCode=4625 OR EventCode=4768 OR EventCode=4776) ({cred_filter}))
| eval stage=case(
    EventCode=5145, "1_sysvol_enum",
    true(), "2_credential_use"
)
| stats earliest(_time) as first_seen, latest(_time) as last_seen,
    values(stage) as attack_stages, dc(stage) as stage_count
    by src_ip
| where stage_count >= 2
| eval alert_type="honeytoken_attack_chain_confirmed"
| eval alert_severity="critical"
| sort - last_seen""",
            })

        return rules

    def _generate_sentinel_rules(self, accounts: list[str],
                                 spns: list[str],
                                 gpo_accounts: list[str]) -> list[dict]:
        """Generate Microsoft Sentinel KQL detection rules."""
        rules = []

        if accounts:
            account_list = ", ".join(f'"{a}"' for a in accounts)
            rules.append({
                "title": "Honeytoken Kerberoast Detection (Sentinel)",
                "detection_logic": f"EventID == 4769 AND ServiceName in ({account_list})",
                # KQL case() takes predicate/value pairs followed by a bare default;
                # a trailing "true(), x" pair leaves an even argument count and fails.
                "rule": f"""// Honeytoken Kerberoast Detection
// MITRE ATT&CK: T1558.003 - Kerberoasting
// Severity: Critical - ANY match is malicious
SecurityEvent
| where EventID == 4769
| where ServiceName in ({account_list})
| extend EncryptionType = case(
    TicketEncryptionType == "0x17", "RC4-HMAC (weak - easy to crack)",
    TicketEncryptionType == "0x12", "AES256 (strong)",
    TicketEncryptionType == "0x11", "AES128",
    tostring(TicketEncryptionType)
)
| extend AlertSeverity = "Critical"
| extend AlertType = "Honeytoken Kerberoast"
| extend MitreTechnique = "T1558.003"
| project TimeGenerated, Computer, Account, ServiceName,
    IpAddress, EncryptionType, AlertSeverity, AlertType
| sort by TimeGenerated desc""",
            })

        if gpo_accounts:
            gpo_list = ", ".join(f'"{a}"' for a in gpo_accounts)
            rules.append({
                "title": "Honeytoken GPO Credential Use (Sentinel)",
                "detection_logic": f"EventID in (4624,4625,4768,4776) AND TargetUserName in ({gpo_list})",
                "rule": f"""// Honeytoken GPO Credential Trap Triggered
// MITRE ATT&CK: T1552.006 - Group Policy Preferences
// Severity: Critical
SecurityEvent
| where EventID in (4624, 4625, 4768, 4776)
| where TargetUserName in ({gpo_list})
| extend LogonResult = iff(EventID == 4624,
    "SUCCESS - IMMEDIATE INVESTIGATION REQUIRED", "Failed or attempted")
| extend AlertSeverity = "Critical"
| extend AlertType = "Honeytoken GPO Credential Use"
| extend MitreTechnique = "T1552.006"
| project TimeGenerated, Computer, TargetUserName, EventID,
    LogonResult, IpAddress, LogonTypeName, WorkstationName
| sort by TimeGenerated desc""",
            })

        return rules

    def export_rules(self, output_dir: str, format: str = "json") -> list[str]:
        """Export all generated rules to files."""
        out_path = Path(output_dir)
        out_path.mkdir(parents=True, exist_ok=True)
        saved = []

        for i, rule in enumerate(self.rules):
            if format == "json":
                filename = f"rule_{i+1}_{rule['title'].lower().replace(' ', '_')[:40]}.json"
                filepath = out_path / filename
                filepath.write_text(json.dumps(rule, indent=2))
            elif format == "yaml" and "rule" in rule:
                filename = f"rule_{i+1}.yml"
                filepath = out_path / filename
                filepath.write_text(rule["rule"])
            else:
                continue
            saved.append(str(filepath))

        return saved


# ===========================================================================
# AD Honeytoken Monitor (Python-based log analysis)
# ===========================================================================

class ADHoneytokenMonitor:
    """Monitors Windows Event Logs for honeytoken interactions."""

    def __init__(self, config_path: str | None = None):
        self.config = {}
        if config_path and Path(config_path).exists():
            with open(config_path) as f:
                self.config = json.load(f)
        self.honeytokens: dict[str, dict] = {}
        self.alerts: list[dict] = []

    def register_honeytoken(self, identifier: str,
                            token_type: str = "admin_account",
                            metadata: dict | None = None) -> dict:
        """Register a honeytoken for monitoring."""
        token = {
            "identifier": identifier,
            "type": token_type,
            "registered_at": datetime.utcnow().isoformat(),
            "token_id": f"HT-AD-{uuid.uuid4().hex[:8].upper()}",
            "metadata": metadata or {},
            "alert_count": 0,
        }
        self.honeytokens[identifier] = token
        return token

    @staticmethod
    def _describe_encryption(enc_type) -> str:
        """Map a 4769 TicketEncryptionType ('0x17' or an int) to its name.

        Values that are missing or not numeric (the default 'unknown') are
        returned unchanged instead of raising from int(..., 16).
        """
        try:
            code = int(enc_type, 16) if isinstance(enc_type, str) else int(enc_type)
        except (TypeError, ValueError):
            return str(enc_type)
        return KERBEROS_ENCRYPTION.get(code, str(enc_type))

    def analyze_event_log(self, events: list[dict]) -> list[dict]:
        """Analyze Windows Event Log entries for honeytoken interactions."""
        alerts = []

        for event in events:
            event_id = event.get("EventID") or event.get("EventCode")
            if not event_id:
                continue
            event_id = int(event_id)

            # Check for Kerberoasting (Event 4769). For an SPN held by a user
            # account, ServiceName is that account's sAMAccountName.
            if event_id == 4769:
                service_name = event.get("ServiceName", "")
                if service_name in self.honeytokens:
                    enc_type = event.get("TicketEncryptionType", "unknown")
                    alerts.append(self._create_alert(
                        event=event,
                        alert_type="KERBEROAST_HONEYTOKEN",
                        severity="critical",
                        description=f"Kerberoasting detected against honeytoken SPN: {service_name}",
                        mitre_technique="T1558.003",
                        encryption_type=self._describe_encryption(enc_type),
                    ))

            # Check for logon and authentication attempts. 4624/4625 come from the
            # host where the logon happened; 4768/4776 are the DC-side view and are
            # the only evidence when the decoy account does not exist in AD.
            elif event_id in (4624, 4625, 4768, 4776):
                target_user = event.get("TargetUserName", "")
                if target_user in self.honeytokens:
                    status = str(event.get("Status", "")).lower()
                    success = event_id == 4624 or (event_id in (4768, 4776) and status == "0x0")
                    alerts.append(self._create_alert(
                        event=event,
                        alert_type="HONEYTOKEN_LOGON" if success else "HONEYTOKEN_LOGON_FAILED",
                        severity="critical",
                        description=f"{'Successful' if success else 'Failed or attempted'} "
                                    f"logon with honeytoken account: {target_user}",
                        mitre_technique="T1078" if success else "T1552.006",
                    ))

            # Check for directory object access (Event 4662). ObjectName may be the
            # DN or the objectGUID, so register whichever form the DCs log.
            elif event_id == 4662:
                object_name = event.get("ObjectName", "")
                for ht_id, ht_info in self.honeytokens.items():
                    if ht_id in object_name:
                        alerts.append(self._create_alert(
                            event=event,
                            alert_type="HONEYTOKEN_DACL_READ",
                            severity="high",
                            description=f"Directory service read on honeytoken object: {ht_id}",
                            mitre_technique="T1087.002",
                        ))

            # Check for GPO modifications (Event 5136)
            elif event_id == 5136:
                object_dn = event.get("ObjectDN", "")
                for ht_id, ht_info in self.honeytokens.items():
                    if ht_info.get("type") == "gpo_credential" and ht_id in object_dn:
                        alerts.append(self._create_alert(
                            event=event,
                            alert_type="HONEYTOKEN_GPO_MODIFIED",
                            severity="critical",
                            description=f"Decoy GPO modification detected: {object_dn}",
                            mitre_technique="T1484.001",
                        ))

        self.alerts.extend(alerts)
        return alerts

    def _create_alert(self, event: dict, alert_type: str,
                      severity: str, description: str,
                      mitre_technique: str, **kwargs) -> dict:
        """Create a structured alert from an event."""
        alert = {
            "alert_id": f"ALERT-{uuid.uuid4().hex[:12].upper()}",
            "alert_type": alert_type,
            "severity": severity,
            "description": description,
            "mitre_technique": mitre_technique,
            "source_ip": event.get("IpAddress") or event.get("src_ip", "unknown"),
            "source_host": event.get("Computer") or event.get("Workstation", "unknown"),
            "account": event.get("TargetUserName") or event.get("ServiceName", "unknown"),
            "event_id": event.get("EventID") or event.get("EventCode"),
            "timestamp": event.get("TimeGenerated") or datetime.utcnow().isoformat(),
            "raw_event": event,
        }
        alert.update(kwargs)
        return alert

    def generate_detection_rules(self, siem: str = "sigma") -> list[dict]:
        """Generate SIEM detection rules for all registered honeytokens."""
        generator = SIEMRuleGenerator()

        accounts = [ht_id for ht_id, info in self.honeytokens.items()
                    if info["type"] in ("admin_account", "spn")]
        spns = [ht_id for ht_id, info in self.honeytokens.items()
                if info["type"] == "spn"]
        gpo_accounts = [ht_id for ht_id, info in self.honeytokens.items()
                        if info["type"] == "gpo_credential"]

        return generator.generate_detection_rules(accounts, spns, gpo_accounts, siem)

    def get_alert_summary(self) -> dict:
        """Get a summary of all triggered alerts."""
        summary = {
            "total_alerts": len(self.alerts),
            "by_severity": {},
            "by_type": {},
            "by_source_ip": {},
            "honeytokens_triggered": set(),
        }

        for alert in self.alerts:
            sev = alert["severity"]
            summary["by_severity"][sev] = summary["by_severity"].get(sev, 0) + 1

            atype = alert["alert_type"]
            summary["by_type"][atype] = summary["by_type"].get(atype, 0) + 1

            src = alert["source_ip"]
            summary["by_source_ip"][src] = summary["by_source_ip"].get(src, 0) + 1

            summary["honeytokens_triggered"].add(alert["account"])

        summary["honeytokens_triggered"] = list(summary["honeytokens_triggered"])
        return summary


# ===========================================================================
# Deployment Orchestrator
# ===========================================================================

class HoneytokenDeployer:
    """Orchestrates full honeytoken deployment and generates all artifacts."""

    def __init__(self, domain: str = "corp.example.com",
                 service_account_ou: str = "OU=Service Accounts",
                 sysvol_path: str = ""):
        self.domain = domain
        self.service_account_ou = service_account_ou
        self.sysvol_path = sysvol_path or f"\\\\{domain}\\SYSVOL\\{domain}\\Policies"
        self.ps_gen = PowerShellGenerator()
        self.siem_gen = SIEMRuleGenerator()
        self.deployed_tokens = []

    def generate_realistic_name(self) -> dict:
        """Generate a realistic service account name."""
        template = secrets.choice(SERVICE_ACCOUNT_TEMPLATES)
        service = secrets.choice(template["services"])
        sam = f"{template['prefix']}{service}"

        # Generate a realistic hostname for SPN
        service_abbrev = service[:3].lower()
        hostname = f"{service_abbrev}-legacy-{secrets.randbelow(99):02d}.{self.domain}"

        return {
            "sam_account_name": sam,
            "display_name": f"{service.replace('_', ' ').title()} Service",
            "hostname": hostname,
        }

    def deploy_full_suite(self, token_count: int = 3,
                          include_spn: bool = True,
                          include_gpo: bool = True,
                          include_bloodhound: bool = True,
                          siem_type: str = "sigma") -> dict:
        """Generate complete deployment artifacts for a full honeytoken suite."""
        deployment = {
            "deployment_id": f"DEPLOY-{uuid.uuid4().hex[:8].upper()}",
            "generated_at": datetime.utcnow().isoformat(),
            "domain": self.domain,
            "tokens": [],
            "scripts": [],
            "detection_rules": [],
        }

        all_accounts = []
        all_spns = []
        gpo_accounts = []

        for i in range(token_count):
            naming = self.generate_realistic_name()
            sam = naming["sam_account_name"]
            ou_dn = f"{self.service_account_ou},DC={',DC='.join(self.domain.split('.'))}"

            # Generate admin account script
            account_script = self.ps_gen.generate_create_honeytoken_account(
                sam_account_name=sam,
                display_name=naming["display_name"],
                description=f"Legacy {naming['display_name'].lower()} - DO NOT DELETE",
                ou_dn=ou_dn,
                password_length=128,
                set_admin_count=True,
            )
            deployment["scripts"].append({
                "type": "create_account",
                "filename": f"01_create_{sam}.ps1",
                "content": account_script,
            })
            all_accounts.append(sam)

            token_info = {
                "name": sam,
                "type": "admin_account",
                "display_name": naming["display_name"],
                "ou": ou_dn,
            }

            # Generate SPN script
            if include_spn:
                spn_class = secrets.choice(SPN_SERVICE_CLASSES)
                port = secrets.choice([1433, 443, 8080, 5432, 3306, 27017])
                spn_script = self.ps_gen.generate_add_honey_spn(
                    sam_account_name=sam,
                    service_class=spn_class,
                    hostname=naming["hostname"],
                    port=port,
                )
                deployment["scripts"].append({
                    "type": "add_spn",
                    "filename": f"02_add_spn_{sam}.ps1",
                    "content": spn_script,
                })
                spn_value = f"{spn_class}/{naming['hostname']}:{port}"
                all_spns.append(spn_value)
                token_info["spn"] = spn_value

            deployment["tokens"].append(token_info)

        # Generate GPO decoy
        if include_gpo:
            gpo_username = f"admin_maintenance_{secrets.randbelow(99):02d}"
            domain_short = self.domain.split(".")[0].upper()
            gpo_script = self.ps_gen.generate_decoy_gpo(
                gpo_name="Server Maintenance Policy (Legacy)",
                decoy_username=gpo_username,
                decoy_domain=domain_short,
                sysvol_path=self.sysvol_path,
            )
            deployment["scripts"].append({
                "type": "decoy_gpo",
                "filename": "03_create_decoy_gpo.ps1",
                "content": gpo_script,
            })
            gpo_accounts.append(gpo_username)
            deployment["tokens"].append({
                "name": gpo_username,
                "type": "gpo_credential",
                "description": "Decoy GPO cpassword trap",
            })

        # Generate BloodHound deception
        if include_bloodhound and all_accounts:
            bh_script = self.ps_gen.generate_deceptive_bloodhound_path(
                honeytoken_sam=all_accounts[0],
            )
            deployment["scripts"].append({
                "type": "bloodhound_deception",
                "filename": "04_create_bloodhound_paths.ps1",
                "content": bh_script,
            })

        # Generate validation script
        if all_accounts:
            val_script = self.ps_gen.generate_validation_script(all_accounts[0])
            deployment["scripts"].append({
                "type": "validation",
                "filename": "05_validate_deployment.ps1",
                "content": val_script,
            })

        # Generate SIEM detection rules
        rules = self.siem_gen.generate_detection_rules(
            all_accounts, all_spns, gpo_accounts, siem_type
        )
        deployment["detection_rules"] = rules

        self.deployed_tokens = deployment["tokens"]
        return deployment

    def save_deployment(self, deployment: dict, output_dir: str) -> list[str]:
        """Save all deployment artifacts to disk."""
        out_path = Path(output_dir)
        out_path.mkdir(parents=True, exist_ok=True)
        saved = []

        # Save PowerShell scripts
        scripts_dir = out_path / "scripts"
        scripts_dir.mkdir(exist_ok=True)
        for script in deployment.get("scripts", []):
            filepath = scripts_dir / script["filename"]
            filepath.write_text(script["content"], encoding="utf-8")
            saved.append(str(filepath))

        # Save detection rules
        rules_dir = out_path / "detection_rules"
        rules_dir.mkdir(exist_ok=True)
        for i, rule in enumerate(deployment.get("detection_rules", [])):
            filename = f"rule_{i+1}_{rule['title'][:40].lower().replace(' ', '_')}.json"
            filepath = rules_dir / filename
            filepath.write_text(json.dumps(rule, indent=2), encoding="utf-8")
            saved.append(str(filepath))

        # Save deployment manifest
        manifest = {
            "deployment_id": deployment["deployment_id"],
            "generated_at": deployment["generated_at"],
            "domain": deployment["domain"],
            "tokens": deployment["tokens"],
            "scripts": [s["filename"] for s in deployment["scripts"]],
            "detection_rules": [r["title"] for r in deployment["detection_rules"]],
        }
        manifest_path = out_path / "deployment_manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))
        saved.append(str(manifest_path))

        return saved


# ===========================================================================
# CLI Entry Point
# ===========================================================================

def main():
    parser = argparse.ArgumentParser(
        description="Active Directory Honeytoken Deployment Agent"
    )
    parser.add_argument(
        "--action",
        choices=[
            "deploy_account", "deploy_spn", "deploy_gpo", "deploy_bloodhound",
            "full_deploy", "generate_rules", "validate", "analyze_logs",
        ],
        default="full_deploy",
        help="Action to perform",
    )
    parser.add_argument("--domain", default="corp.example.com")
    parser.add_argument("--ou", default="OU=Service Accounts")
    parser.add_argument("--sysvol", default="")
    parser.add_argument("--account-name", default="svc_sqlbackup_legacy")
    parser.add_argument("--token-count", type=int, default=3)
    parser.add_argument("--siem", choices=["sigma", "splunk", "sentinel"], default="sigma")
    parser.add_argument("--output-dir", default="honeytoken_deployment")
    # BooleanOptionalAction (Python 3.9+) adds --no-include-* switches; with
    # store_true and default=True the flags could never be turned off.
    parser.add_argument("--include-spn", action=argparse.BooleanOptionalAction, default=True)
    parser.add_argument("--include-gpo", action=argparse.BooleanOptionalAction, default=True)
    parser.add_argument("--include-bloodhound", action=argparse.BooleanOptionalAction, default=True)
    parser.add_argument("--event-log", help="Path to event log JSON for analysis")
    args = parser.parse_args()

    print("=" * 60)
    print("Active Directory Honeytoken Deployment Agent")
    print("=" * 60)

    deployer = HoneytokenDeployer(
        domain=args.domain,
        service_account_ou=args.ou,
        sysvol_path=args.sysvol,
    )

    if args.action == "full_deploy":
        print(f"\n[+] Generating full honeytoken deployment for: {args.domain}")
        print(f"[+] Token count: {args.token_count}")
        print(f"[+] SIEM target: {args.siem}")

        deployment = deployer.deploy_full_suite(
            token_count=args.token_count,
            include_spn=args.include_spn,
            include_gpo=args.include_gpo,
            include_bloodhound=args.include_bloodhound,
            siem_type=args.siem,
        )

        saved_files = deployer.save_deployment(deployment, args.output_dir)

        print(f"\n[+] Deployment ID: {deployment['deployment_id']}")
        print(f"[+] Tokens generated: {len(deployment['tokens'])}")
        for token in deployment["tokens"]:
            print(f"    - {token['name']} ({token['type']})"
                  + (f"  SPN: {token.get('spn', 'N/A')}" if token.get('spn') else ""))

        print(f"\n[+] Scripts generated: {len(deployment['scripts'])}")
        for script in deployment["scripts"]:
            print(f"    - {script['filename']} ({script['type']})")

        print(f"\n[+] Detection rules generated: {len(deployment['detection_rules'])}")
        for rule in deployment["detection_rules"]:
            print(f"    - {rule['title']}")

        print(f"\n[+] Files saved to: {args.output_dir}")
        for f in saved_files:
            print(f"    {f}")

    elif args.action == "generate_rules":
        print(f"\n[+] Generating {args.siem} detection rules...")
        monitor = ADHoneytokenMonitor()
        monitor.register_honeytoken(args.account_name, "admin_account")

        rules = monitor.generate_detection_rules(args.siem)
        for rule in rules:
            print(f"\n--- {rule['title']} ---")
            print(rule.get("rule", rule.get("detection_logic", "")))

    elif args.action == "analyze_logs":
        if not args.event_log:
            print("[-] --event-log required for log analysis")
            return

        print(f"\n[+] Analyzing event log: {args.event_log}")
        monitor = ADHoneytokenMonitor()
        monitor.register_honeytoken(args.account_name, "admin_account")

        log_path = Path(args.event_log)
        if not log_path.exists():
            print(f"[-] Log file not found: {args.event_log}")
            return

        with open(log_path) as f:
            events = json.load(f)

        alerts = monitor.analyze_event_log(events)
        print(f"\n[+] Alerts generated: {len(alerts)}")
        for alert in alerts:
            print(f"    [{alert['severity'].upper()}] {alert['alert_type']}: "
                  f"{alert['description']}")
            print(f"        Source: {alert['source_ip']} | "
                  f"Account: {alert['account']} | "
                  f"MITRE: {alert['mitre_technique']}")

        summary = monitor.get_alert_summary()
        print(f"\n[+] Summary: {summary['total_alerts']} alerts, "
              f"sources: {list(summary['by_source_ip'].keys())}")

    elif args.action == "deploy_account":
        ps_gen = PowerShellGenerator()
        ou_dn = f"{args.ou},DC={',DC='.join(args.domain.split('.'))}"
        script = ps_gen.generate_create_honeytoken_account(
            sam_account_name=args.account_name,
            display_name="Legacy Backup Service",
            description="Legacy backup service account - DO NOT DELETE",
            ou_dn=ou_dn,
        )
        print(script)

    elif args.action == "deploy_spn":
        ps_gen = PowerShellGenerator()
        script = ps_gen.generate_add_honey_spn(
            sam_account_name=args.account_name,
        )
        print(script)

    elif args.action == "deploy_gpo":
        ps_gen = PowerShellGenerator()
        script = ps_gen.generate_decoy_gpo(
            gpo_name="Server Maintenance Policy (Legacy)",
            decoy_username="admin_maintenance",
            decoy_domain=args.domain.split(".")[0].upper(),
            sysvol_path=deployer.sysvol_path,
        )
        print(script)

    elif args.action == "deploy_bloodhound":
        ps_gen = PowerShellGenerator()
        script = ps_gen.generate_deceptive_bloodhound_path(
            honeytoken_sam=args.account_name,
        )
        print(script)

    elif args.action == "validate":
        ps_gen = PowerShellGenerator()
        script = ps_gen.generate_validation_script(args.account_name)
        print(script)

    print("\n" + "=" * 60)
    print("[+] Honeytoken agent complete.")
    print("=" * 60)


if __name__ == "__main__":
    main()
```
## When to Use

- When deploying deception-based detection in Active Directory environments
- When detecting Kerberoasting attacks via fake SPN honeytokens ("honeyroasting")
- When creating tripwire accounts to detect credential theft and lateral movement
- When building decoy GPOs to detect Group Policy Preference password harvesting
- When creating deceptive BloodHound paths to misdirect and detect attackers
- When supplementing existing AD monitoring with high-fidelity detection signals

## Prerequisites

- Domain Admin or delegated AD administration privileges
- Active Directory domain (Windows Server 2016+ recommended)
- Windows Event Log forwarding to a SIEM (Splunk, Sentinel, Elastic)
- PowerShell 5.1+ with the ActiveDirectory module
- Group Policy Management Console (GPMC)
- Understanding of AD security, Kerberos, and BloodHound attack paths

## Background

### Why AD Honeytokens

Traditional signature-based detection misses novel attack techniques. Honeytokens provide high-fidelity detection with near-zero false positives because nothing legitimate ever touches a decoy object, so any interaction with one is suspicious by construction. In Active Directory:

- **Fake privileged accounts** detect the use of dumped credentials (DCSync, NTDS.dit extraction): the decoy never logs on legitimately, so any logon or TGT request naming it means its hash was taken and is being replayed
- **Fake SPNs** detect Kerberoasting reconnaissance (TGS requests for a service nobody uses)
- **Decoy GPOs** detect Group Policy Preference password harvesting
- **Fake BloodHound paths** mislead attackers using graph-based AD analysis, and the decoy objects on those paths alert when touched

### Key Detection Event IDs

| Event ID | Description | Honeytoken Use |
|---|---|---|
| 4769 | Kerberos TGS ticket requested | Detect Kerberoast against honey SPN |
| 4625 | Failed logon attempt | Detect use of fake credentials from decoy GPO |
| 4662 | Directory service object accessed | Detect DACL read on honeytoken user |
| 5136 | Directory service object modified | Detect modification of decoy GPO |
| 5137 | Directory service object created | Detect GPO creation mimicking decoy |
| 4768 | Kerberos TGT requested | Detect AS-REP roasting of honey account |

Three things about these events decide whether the decoys actually fire. 4662 is only written when the decoy object carries a SACL entry for the access (an audit ACE for Everyone covering Read Permissions and Read Property) and the "Audit Directory Service Access" subcategory is enabled on the domain controllers; 5136 and 5137 likewise need "Audit Directory Service Changes" and an audit ACE on the GPO container. 4625 is logged on the host where the logon was attempted, not on the DC; for a decoy GPO username that has no AD account, the DC-side evidence is 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for Kerberos or 4776 with error 0xC0000064 for NTLM, so both should be forwarded and matched on the decoy name. AS-REP roasting requires the decoy to have "Do not require Kerberos preauthentication" set; the signal is then a 4768 for the decoy with Pre-Authentication Type 0, typically with RC4 (0x17) requested.
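The triage logic implied by the table, written out as an added example (it is not part of the page or of its attached agent). It classifies Security events against a set of registered decoys and then looks for two different honeytoken alert types from the same source inside an hour. The decoy names, the object DN and the sample events are assumptions constructed for the example. It goes beyond the table in two places: it recognises the DC-side evidence of decoy-credential use (4768 with result 0x6, 4776 with 0xC0000064, 4625 with sub-status 0xC0000064) rather than only 4625, and it checks Pre-Authentication Type 0 on 4768 for the AS-REP case.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Decoys registered by the defender. All names are hypothetical.
HONEY_SPN_ACCOUNTS = {"svc_sqlbackup_legacy"}       # user account holding the honey SPN
HONEY_GPO_ACCOUNTS = {"admin_maintenance_07"}        # username in the decoy Groups.xml; no AD account exists
HONEY_NOPREAUTH_ACCOUNTS = {"svc_exchange_legacy"}   # decoy with "Do not require Kerberos preauthentication"
HONEY_OBJECT_NAMES = {                               # 4662 ObjectName, DN form (add the objectGUID form if DCs log it)
    "cn=svc_sqlbackup_legacy,ou=service accounts,dc=corp,dc=example,dc=com",
}

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768 Result Code: no such account
STATUS_NO_SUCH_USER = "0xc0000064"    # 4776 Error Code / 4625 Sub Status: user name does not exist
READ_CONTROL = 0x20000                # AccessMask bit set when a security descriptor is read


def _low(value) -> str:
    return str(value if value is not None else "").lower()


def _alert(event: dict, alert_type: str, technique: str, decoy: str, **extra) -> dict:
    # 4768/4769/4625 carry a client IP (IPv4-mapped); 4776 only names the workstation.
    src = _low(event.get("IpAddress")).replace("::ffff:", "") \
        or _low(event.get("Workstation") or event.get("WorkstationName")) or "unknown"
    return {"alert_type": alert_type, "mitre_technique": technique, "decoy": decoy,
            "source": src, "event_id": int(event["EventID"]),
            "time": datetime.fromisoformat(event["TimeCreated"]), **extra}


def triage(event: dict) -> dict | None:
    """Classify one Security event; return an alert dict or None if it is not honeytoken-related."""
    eid = int(event.get("EventID", 0))
    target = _low(event.get("TargetUserName"))
    if eid == 4769 and _low(event.get("ServiceName")) in HONEY_SPN_ACCOUNTS:
        # For a user-held SPN, ServiceName is the account's sAMAccountName. Roasting
        # tools ask for RC4 (0x17); record that but alert on any encryption type.
        return _alert(event, "KERBEROAST_HONEYTOKEN", "T1558.003", event["ServiceName"],
                      rc4_requested=_low(event.get("TicketEncryptionType")) == "0x17",
                      requester=event.get("TargetUserName"))
    if eid == 4768 and target in HONEY_NOPREAUTH_ACCOUNTS and str(event.get("PreAuthType")) == "0":
        return _alert(event, "ASREP_ROAST_HONEYTOKEN", "T1558.004", event["TargetUserName"])
    if target in HONEY_GPO_ACCOUNTS:
        # The decoy GPO username has no account, so the DC records a failed TGT request
        # (4768, 0x6) or a failed NTLM validation (4776, 0xC0000064); 4625 with the same
        # sub-status is only written on the host that was targeted.
        if (eid == 4768 and _low(event.get("Status")) == KDC_ERR_C_PRINCIPAL_UNKNOWN) \
           or (eid == 4776 and _low(event.get("Status")) == STATUS_NO_SUCH_USER) \
           or (eid == 4625 and _low(event.get("SubStatus")) == STATUS_NO_SUCH_USER):
            return _alert(event, "HONEYTOKEN_GPO_CREDENTIAL_USE", "T1552.006", event["TargetUserName"])
    if eid == 4662 and _low(event.get("ObjectName")) in HONEY_OBJECT_NAMES:
        # Present only if the decoy carries a matching SACL. DC machine accounts touch
        # directory objects during replication, so they are excluded.
        if not _low(event.get("SubjectUserName")).endswith("$"):
            mask = int(str(event.get("AccessMask", "0")), 16)
            return _alert(event, "HONEYTOKEN_DACL_READ", "T1087.002", event["ObjectName"],
                          security_descriptor_read=bool(mask & READ_CONTROL),
                          actor=event.get("SubjectUserName"))
    return None


def correlate(alerts: list[dict], window: timedelta = timedelta(hours=1)) -> dict[str, list[str]]:
    """Sources that produced two or more distinct honeytoken alert types inside `window`."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for a in alerts:
        by_src[a["source"]].append(a)
    chains = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            types = {a["alert_type"] for a in items[i:] if a["time"] - first["time"] <= window}
            if len(types) >= 2:
                chains[src] = sorted(types)
                break
    return chains


SAMPLE_EVENTS = [  # constructed for this example; not telemetry from a real domain
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:00", "TargetUserName": "jdoe@CORP.EXAMPLE.COM",
     "ServiceName": "svc_sqlbackup_legacy", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.5.23"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "WS01$@CORP.EXAMPLE.COM",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.5.40"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:20:00", "TargetUserName": "admin_maintenance_07",
     "Status": "0x6", "PreAuthType": "-", "IpAddress": "::ffff:10.10.5.23"},
    {"EventID": 4776, "TimeCreated": "2024-05-01T10:21:00", "TargetUserName": "admin_maintenance_07",
     "Workstation": "KALI-BOX", "Status": "0xC0000064"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T11:30:00", "TargetUserName": "svc_exchange_legacy",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.9"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:55:00", "SubjectUserName": "jdoe",
     "ObjectName": "CN=svc_sqlbackup_legacy,OU=Service Accounts,DC=corp,DC=example,DC=com", "AccessMask": "0x20000"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:56:00", "SubjectUserName": "DC01$",
     "ObjectName": "CN=svc_sqlbackup_legacy,OU=Service Accounts,DC=corp,DC=example,DC=com", "AccessMask": "0x20000"},
]


def run(events: list[dict] = SAMPLE_EVENTS) -> tuple[list[dict], dict[str, list[str]]]:
    alerts = [a for a in map(triage, events) if a]
    return alerts, correlate(alerts)


if __name__ == "__main__":
    found, chains = run()
    for a in found:
        print(f"[{a['alert_type']}] decoy={a['decoy']} source={a['source']} ({a['mitre_technique']})")
    print("attack chains by source:", chains)
```

The 4662 events deliberately carry no IpAddress: directory access is audited on the DC without a client address, so the DACL read lands under source "unknown" and cannot be chained by IP; a SIEM has to join it on the actor (SubjectUserName) instead.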
Realistic","type":"text"}]},{"type":"paragraph","content":[{"text":"Per Trimarc Security research, effective honeytokens must appear legitimate:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Age the account","type":"text","marks":[{"type":"strong"}]},{"text":": Repurpose old inactive accounts (10-15 year old accounts in similarly aged domains appear authentic)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set AdminCount=1","type":"text","marks":[{"type":"strong"}]},{"text":": Flags the account as having elevated AD rights, making it an attractive Kerberoasting target","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use realistic naming","type":"text","marks":[{"type":"strong"}]},{"text":": Match organizational naming conventions (svc_sqlbackup, admin.maintenance, svc_exchange_legacy)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set old password date","type":"text","marks":[{"type":"strong"}]},{"text":": Password age of 10+ years with an SPN looks like a high-value, neglected service account to attackers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Add group memberships","type":"text","marks":[{"type":"strong"}]},{"text":": Place in visible groups like \"Remote Desktop Users\" or a custom \"Backup Operators\" to increase attacker interest","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Avoid detection tells","type":"text","marks":[{"type":"strong"}]},{"text":": Attackers check creation date vs. last logon vs. 
password change date for consistency","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Instructions","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Deploy Fake Privileged Admin Account","type":"text"}]},{"type":"paragraph","content":[{"text":"Create a honeytoken account that mimics a legacy privileged service account.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"powershell"},"content":[{"text":"# Import the deployment module\nImport-Module .\\scripts\\Deploy-ADHoneytokens.ps1\n\n# Create a honeytoken admin account\n$honeyAdmin = New-HoneytokenAdmin `\n -SamAccountName \"svc_sqlbackup_legacy\" `\n -DisplayName \"SQL Backup Service (Legacy)\" `\n -Description \"Legacy SQL Server backup service account - DO NOT DELETE\" `\n -OU \"OU=Service Accounts,DC=corp,DC=example,DC=com\" `\n -PasswordLength 128 `\n -SetAdminCount $true\n\nWrite-Host \"Honeytoken admin created: $($honeyAdmin.DistinguishedName)\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Deploy Fake SPN for Kerberoasting Detection","type":"text"}]},{"type":"paragraph","content":[{"text":"Assign a realistic but fake SPN to the honeytoken account. 
Any TGS request for this SPN is definitively malicious (honeyroasting).","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"powershell"},"content":[{"text":"# Add fake SPN to honeytoken account\n$honeySPN = Add-HoneytokenSPN `\n -SamAccountName \"svc_sqlbackup_legacy\" `\n -ServiceClass \"MSSQLSvc\" `\n -Hostname \"sql-legacy-bak01.corp.example.com\" `\n -Port 1433\n\nWrite-Host \"Honey SPN registered: $($honeySPN.SPN)\"\nWrite-Host \"Monitor Event ID 4769 for TGS requests targeting this SPN\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Deploy Decoy GPO with Credential Trap","type":"text"}]},{"type":"paragraph","content":[{"text":"Create a fake GPO in SYSVOL with an embedded cpassword (Group Policy Preference password). Attackers using tools like Get-GPPPassword or gpp-decrypt will find and attempt to use these credentials, triggering detection.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"powershell"},"content":[{"text":"# Create decoy GPO with cpassword trap\n$decoyGPO = New-DecoyGPO `\n -GPOName \"Server Maintenance Policy (Legacy)\" `\n -DecoyUsername \"admin_maintenance\" `\n -DecoyDomain \"CORP\" `\n -SYSVOLPath \"\\\\corp.example.com\\SYSVOL\\corp.example.com\\Policies\" `\n -EnableAuditSACL $true\n\nWrite-Host \"Decoy GPO created: $($decoyGPO.GPOGuid)\"\nWrite-Host \"SACL audit enabled - any read attempt will generate Event ID 4663\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Create Deceptive BloodHound Paths","type":"text"}]},{"type":"paragraph","content":[{"text":"Set ACL permissions that create fake attack paths visible to BloodHound/SharpHound reconnaissance, leading attackers toward monitored honeytokens.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"powershell"},"content":[{"text":"# Create fake BloodHound attack path\n$deceptivePath = New-DeceptiveBloodHoundPath `\n -HoneytokenSamAccount 
\"svc_sqlbackup_legacy\" `\n -TargetHighValueGroup \"Domain Admins\" `\n -IntermediateOU \"OU=Service Accounts,DC=corp,DC=example,DC=com\"\n\nWrite-Host \"Deceptive path created: $($deceptivePath.PathDescription)\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Configure Detection Rules","type":"text"}]},{"type":"paragraph","content":[{"text":"Set up SIEM detection rules to alert on any honeytoken interaction.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"python"},"content":[{"text":"# Using the Python detection agent\nfrom agent import ADHoneytokenMonitor\n\nmonitor = ADHoneytokenMonitor(config_path=\"honeytoken_config.json\")\n\n# Register all honeytokens for monitoring\nmonitor.register_honeytoken(\"svc_sqlbackup_legacy\", token_type=\"admin_account\")\nmonitor.register_honeytoken(\"MSSQLSvc/sql-legacy-bak01.corp.example.com:1433\", token_type=\"spn\")\nmonitor.register_honeytoken(\"admin_maintenance\", token_type=\"gpo_credential\")\n\n# Generate SIEM detection rules\nsplunk_rules = monitor.generate_detection_rules(siem=\"splunk\")\nsentinel_rules = monitor.generate_detection_rules(siem=\"sentinel\")\nsigma_rules = monitor.generate_detection_rules(siem=\"sigma\")\n\nfor rule in sigma_rules:\n print(f\"Rule: {rule['title']}\")\n print(f\" Detection: {rule['detection_logic']}\")","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 6: Validate Deployment","type":"text"}]},{"type":"paragraph","content":[{"text":"Test the honeytokens to ensure detection fires correctly.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"powershell"},"content":[{"text":"# Validate honeytoken deployment\n$validation = Test-HoneytokenDeployment `\n -SamAccountName \"svc_sqlbackup_legacy\" `\n -ValidateAdminCount `\n -ValidateSPN `\n -ValidateGPODecoy `\n -ValidateAuditPolicy\n\n$validation | Format-Table Check, Status, Details 
-AutoSize","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Examples","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Full Deployment Pipeline","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"powershell"},"content":[{"text":"Import-Module .\\scripts\\Deploy-ADHoneytokens.ps1\n\n# Deploy complete honeytoken suite\n$deployment = Deploy-FullHoneytokenSuite `\n -Environment \"Production\" `\n -ServiceAccountOU \"OU=Service Accounts,DC=corp,DC=example,DC=com\" `\n -SYSVOLPath \"\\\\corp.example.com\\SYSVOL\\corp.example.com\\Policies\" `\n -TokenCount 3 `\n -IncludeSPN $true `\n -IncludeGPODecoy $true `\n -IncludeBloodHoundPath $true `\n -SIEMType \"Splunk\"\n\n# Output deployment report\n$deployment.Tokens | Format-Table Name, Type, SPN, DetectionRule -AutoSize\n$deployment | Export-Csv \"honeytoken_deployment_report.csv\" -NoTypeInformation","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Kerberoasting Detection Query (Splunk)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"spl"},"content":[{"text":"index=wineventlog EventCode=4769 ServiceName=\"svc_sqlbackup_legacy\"\n| eval alert_severity=\"critical\"\n| eval alert_type=\"honeytoken_kerberoast\"\n| table _time, src_ip, Account_Name, ServiceName, Ticket_Encryption_Type\n| sort - _time","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Microsoft Sentinel KQL Detection","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"kql"},"content":[{"text":"SecurityEvent\n| where EventID == 4769\n| where ServiceName in (\"svc_sqlbackup_legacy\", \"svc_exchange_legacy\")\n| extend AlertType = \"Honeytoken Kerberoast Detected\"\n| project TimeGenerated, Computer, Account, ServiceName, IpAddress, 
TicketEncryptionType","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Trimarc Security - The Art of the Honeypot Account: https://www.hub.trimarcsecurity.com/post/the-art-of-the-honeypot-account-making-the-unusual-look-normal","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ADSecurity.org - Detecting Kerberoasting Activity Part 2 (Honeypot): https://adsecurity.org/?p=3513","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Microsoft Defender for Identity Honeytokens: https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/deceptive-defense-best-practices-for-identity-based-honeytokens-in-microsoft-def/3851641","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SpecterOps - Kerberoasting and AES-256: https://specterops.io/blog/2025/10/21/is-kerberoasting-still-a-risk-when-aes-256-kerberos-encryption-is-enabled/","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"APT29a Blog - Deploying Honeytokens in AD: https://apt29a.blogspot.com/2019/11/deploying-honeytokens-in-active.html","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ADSecurity.org - Detecting Kerberoasting Activity: 
https://adsecurity.org/?p=3458","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"deploying-active-directory-honeytokens","tags":["active-directory","honeytokens","kerberoasting","deception","detection","bloodhound","gpo"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/deploying-active-directory-honeytokens/SKILL.md","repo_owner":"mukul975","body_sha256":"c9ca7e033dac6a726ae0070ca5b597e3ab4f59c8f1cac0ccc59bde090b858902","cluster_key":"e1fc7a02d5128450d0a1ab85ae20c3dc7744d0892de7147450d9976f45ba2488","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/deploying-active-directory-honeytokens/SKILL.md","attachments":[{"id":"1f1fc055-5f94-5c65-8378-63790546496c","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/1f1fc055-5f94-5c65-8378-63790546496c/attachment.md","path":"references/api-reference.md","size":12004,"sha256":"ffcd34ba4f29024846d10a006f8b0069eef22a411111e527dd672571c83b8102","contentType":"text/markdown; charset=utf-8"},{"id":"16da19fa-7fa7-5e6b-b033-6c628c2d3a70","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/16da19fa-7fa7-5e6b-b033-6c628c2d3a70/attachment.ps1","path":"scripts/Deploy-ADHoneytokens.ps1","size":22762,"sha256":"2728607e00356e5afc4ebb2c0c08bb000c62ac522a217fc02d6009d4c738a5af","contentType":"text/plain; charset=utf-8"},{"id":"ada60b9d-9ae7-54fa-b459-1118e385f515","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/ada60b9d-9ae7-54fa-b459-1118e385f515/attachment.py","path":"scripts/agent.py","size":53930,"sha256":"822cc64f2dc87c19f3414692ff671410d48d346dc4edce165f0e7f3da65b6ca4","contentType":"text/x-python; 
charset=utf-8"}],"bundle_sha256":"8cc15dd711367312433a0e662a3523d35129822b73bcbffcbf17046ebd84dc93","attachment_count":3,"text_attachments":3,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/deploying-active-directory-honeytokens/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["DE.CM-01","DE.AE-06","PR.IR-01"],"subdomain":"deception-technology","import_tag":"clean-skills-v1","description":"Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1, fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors Windows Security Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses for detecting lateral movement, credential theft, and reconnaissance.\n"}},"renderedAt":1782981654947}
