Welcome to the final installment of our series on Microsoft Defender for Identity, presented by Orlox. In this entry, we delve into the strategic use of honeytokens—a form of defensive deception that can significantly enhance your security posture. Honeytokens are decoy credentials designed to detect and expose attackers by alerting your security team the moment they are accessed. In this blog, we’ll guide you through creating, deploying, and monitoring honeytokens, utilizing Defender for Identity along with some useful open-source tools.
Honeytokens
Introduction
Honeytokens are a type of deception technique that can help you detect and respond to attackers who are trying to compromise your identity infrastructure. A honeytoken is a fake credential, such as a user account, a service account, or a password, which is intentionally planted in your network to lure attackers. If an attacker tries to use a honeytoken, it will generate an alert in Defender for Identity, which is a cloud-based security solution that monitors and protects your Active Directory (AD) from advanced threats.
In this blog post, we will show you how to create and deploy honeytokens in your network using Defender for Identity and some open-source tools. We will also explain how to monitor and investigate honeytoken alerts using the Defender for Identity portal and the Microsoft 365 Defender portal. By following this guide, you will be able to enhance your security posture and gain valuable insights into the tactics and techniques of your adversaries.
Why use honeytokens?
Honeytokens can provide several benefits for your security operations, such as:
- Early detection: Honeytokens can help you identify attackers who are already inside your network and are trying to escalate their privileges, move laterally, or exfiltrate data. By creating honeytokens that are attractive and realistic, you can increase the chances of baiting the attackers and triggering an alert.
- Reduced false positives: Honeytokens are designed to be used only by attackers, not by legitimate users or applications. Therefore, any attempt to use a honeytoken is a clear indication of malicious activity and can be treated as a high-confidence alert.
- Threat intelligence: Honeytokens can help you collect valuable information about the attackers, such as their IP addresses, tools, techniques, and objectives. You can use this information to enrich your threat intelligence, improve your threat hunting, and fine-tune your security policies and controls.
- Deterrence: Honeytokens can also have a psychological effect on the attackers, who may become more cautious and less aggressive when they realize that they are being deceived and monitored. This can slow down their operations and increase their costs and risks.
How to create honeytokens?
There are several types of honeytokens that you can create and deploy in your network, depending on your goals and scenarios. Some of the most common ones are:
- User accounts: These are fake user accounts that are created in AD and have some level of access to sensitive resources or information. They can be used to mimic employees, contractors, or administrators.
- Service accounts: These are fake accounts that are used by applications or services to access other resources or perform tasks. They can be used to mimic backup services, database services, or cloud services.
- Passwords: These are fake passwords that are stored in plaintext or encrypted form in various locations, such as files, registry keys, databases, or memory. They can be used to mimic credentials that are accidentally or intentionally leaked or exposed.
To create honeytokens, you can use some open-source tools that are available online, such as:
- ADAPE-Script: This is a PowerShell script that can create realistic user accounts and service accounts in AD, along with their attributes, group memberships, and permissions. It can also create honeytokens for Kerberoasting and password spraying attacks.
- Invoke-Honeytoken: This is another PowerShell script that can create various types of honeytokens, such as passwords, tokens, tickets, hashes, and keys. It can also inject them into different locations, such as files, registry keys, databases, or memory.
When creating honeytokens, you should follow some best practices, such as:
- Make them realistic: Your honeytokens should blend in with your environment and look like legitimate credentials. You can use realistic names, attributes, permissions, and behaviors for your honeytokens, and avoid using obvious or suspicious indicators, such as “honey”, “fake”, or “test”.
- Make them attractive: Your honeytokens should be appealing and enticing for the attackers, who are looking for easy and valuable targets. You can assign your honeytokens some level of access to sensitive or critical resources or information, such as financial data, intellectual property, or domain admin rights.
- Make them isolated: Your honeytokens should be isolated and segregated from your normal operations and activities. You should avoid using your honeytokens for any legitimate purpose or function and prevent any accidental or authorized access to them. You should also monitor and audit your honeytokens regularly and ensure that they are not compromised or modified.
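The three practices above (realistic, attractive, isolated) can be scripted for a user-account honeytoken. The following is an added example, not code from this post or from either tool mentioned; the domain, OU, group and SPN host names are assumptions you would replace with names that blend into your own directory.

```powershell
# Added example, not from the original post: create an AD honeytoken user that looks like a
# real service account but can never be used legitimately. Domain, OU, group and SPN host
# below are constructed placeholders; adjust them to match your own naming conventions.
Import-Module ActiveDirectory

$honeyName = 'svc-sqlbackup'                                # plausible name, nothing like "honey" or "test"
$ouPath    = 'OU=Service Accounts,DC=contoso,DC=local'      # same OU as the real service accounts

# Long random password that is never recorded anywhere, so nobody can ever log on with it
# and a service ticket issued for this account is not crackable in practice.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Realistic: copy the attribute style of neighbouring accounts (display name, description, department).
New-ADUser -Name $honeyName -SamAccountName $honeyName `
    -UserPrincipalName "$honeyName@contoso.local" `
    -DisplayName 'SQL Backup Service' `
    -Description 'Nightly SQL backup job - IT Operations' `
    -Department 'IT Operations' -Path $ouPath `
    -AccountPassword $password -PasswordNeverExpires $true -Enabled $true

# Isolated: logonHours is a 21-byte bitmap of the 168 hours in a week. All bits zero means the
# account may never log on, yet it still looks enabled to anyone enumerating AD, and every
# Kerberos or NTLM attempt against it is still audited on the domain controller.
Set-ADUser -Identity $honeyName -Replace @{ logonHours = (New-Object byte[] 21) }

# Attractive: an SPN makes the account appear in Kerberoasting enumeration. The host does not
# exist, so nothing real is exposed; the random password above is what keeps this safe.
Set-ADUser -Identity $honeyName -ServicePrincipalNames @{ Add = 'MSSQLSvc/sqlbk01.contoso.local:1433' }

# Membership in a group whose name suggests value (constructed name; grant it no real rights).
Add-ADGroupMember -Identity 'SQL-Backup-Operators' -Members $honeyName

# Regular audit of the "isolated" promise: this account must never show any logon activity.
Get-ADUser -Identity $honeyName -Properties LastLogonDate, BadPwdCount, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, BadPwdCount, PasswordLastSet
```

Run the last two lines on a schedule: a non-null LastLogonDate or a non-zero BadPwdCount on this account means someone tried the bait.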
How to deploy honeytokens?
Once you have created your honeytokens, you need to deploy them in your network and make them accessible and discoverable for the attackers. You can use different methods and techniques to deploy your honeytokens, depending on your goals and scenarios. Some of the most common ones are:
- Network shares: You can create network shares that contain files or folders with honeytokens, such as passwords, tokens, tickets, hashes, or keys. You can also use network share names that are enticing or misleading, such as “Finance”, “Backup”, or “Admin”.
- Emails: You can send emails that contain honeytokens, such as passwords, tokens, tickets, hashes, or keys, to your own or external accounts. You can also use email subjects, bodies, or attachments that are enticing or misleading, such as “Invoice”, “Report”, or “Password Reset”.
- Web pages: You can create web pages that contain honeytokens, such as passwords, tokens, tickets, hashes, or keys, and host them on your own or external domains. You can also use web page titles, contents, or links that are enticing or misleading, such as “Login”, “Download”, or “Update”.
When deploying honeytokens, you should follow some best practices, such as:
- Make them visible: Your honeytokens should be visible and reachable for the attackers, who are scanning and enumerating your network and assets. You can use common or popular protocols, ports, or services to expose your honeytokens, and avoid using obscure or hidden methods, such as steganography, encryption, or compression.
- Make them tempting: Your honeytokens should be tempting and irresistible for the attackers, who are looking for quick and easy wins. You can use common or popular formats, extensions, or names to present your honeytokens, and avoid using complex or unfamiliar ones, such as binary, hexadecimal, or base64.
- Make them safe: Your honeytokens should be safe and harmless for your network and assets, and not cause any disruption or damage. You should avoid using honeytokens that can execute code, modify settings, or delete data, and use read-only or non-persistent ones, such as plaintext, encrypted, or ephemeral.
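The network-share method with the visible, tempting and safe properties above can be set up so that the decoy itself produces an audit trail. This is an added example, not from the post; the share path, share name, account and decoy password are constructed, and the decoy password is deliberately not the honeytoken account's real password, so any attempt to use it fails and is still recorded.

```powershell
# Added example, not from the original post: plant a decoy "saved logins" file on a share and
# audit it, so every read is recorded as Security event 4663 on the file server. Share path,
# share name, account and the decoy password are constructed; the decoy password is NOT the
# honeytoken account's real password, so any use of it fails and is still detected.
$root  = 'D:\Shares\Finance'
$share = 'Finance'
$decoy = Join-Path $root 'Vendor-Portal-Logins.txt'   # common format, plausible name, harmless text

New-Item -ItemType Directory -Path $root -Force | Out-Null
@"
Vendor portal  https://vendors.contoso.local
User           CONTOSO\svc-sqlbackup
Password       Wint3r-Backup-2024
"@ | Set-Content -Path $decoy -Encoding UTF8
Set-ItemProperty -Path $decoy -Name IsReadOnly -Value $true      # safe: cannot execute or change anything

# Visible: expose it over plain SMB with read access for everyone; do not hide or encrypt it.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $root -ReadAccess 'Everyone' | Out-Null
}

# Monitoring hook: a SACL that audits every successful read of the decoy by any principal.
# 4663 events are only emitted when the Object Access > File System audit subcategory is enabled.
$acl  = Get-Acl -Path $decoy -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone', 'ReadData', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $decoy -AclObject $acl
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Verify the audit rule landed on the decoy.
(Get-Acl -Path $decoy -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

Exclude the decoy path from backup and indexing jobs, otherwise those legitimate reads will generate 4663 noise.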
How to monitor honeytokens?
Once you have deployed your honeytokens, you need to monitor them and detect any attempts to use them by the attackers. You can use Defender for Identity to monitor and protect your identity infrastructure and alert you to any suspicious or malicious activity. Defender for Identity can detect various types of attacks that involve honeytokens, such as:
- Reconnaissance: These are attacks that aim to discover and enumerate your network and assets, such as users, groups, computers, or services. Defender for Identity can detect reconnaissance activities that use honeytokens, such as LDAP queries, SAMR queries, or network share enumeration.
- Credential theft: These are attacks that aim to steal or obtain your credentials, such as passwords, tokens, tickets, hashes, or keys. Defender for Identity can detect credential theft activities that use honeytokens, such as pass-the-hash, pass-the-ticket, Kerberoasting, or Mimikatz.
- Lateral movement: These are attacks that aim to move from one compromised asset to another and gain access to more resources or information. Defender for Identity can detect lateral movement activities that use honeytokens, such as remote execution, SMB session, or RDP session.
- Privilege escalation: These are attacks that aim to elevate the privileges of the compromised account or asset and gain more control or access. Defender for Identity can detect privilege escalation activities that use honeytokens, such as DC sync, DC shadow, or golden ticket.
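Defender for Identity raises the alert for the activities listed above; when you are working from exported domain controller Security events (for example during an investigation), the same signals can be cross-checked with a small filter. This is an added example, not from the post; the honeytoken account names and the sample event are constructed, while the event IDs are the standard Windows Security log ones.

```powershell
# Added example, not from the original post: flag Security events that touch a honeytoken
# account, complementing the Defender for Identity alert when working from exported event
# XML (Get-WinEvent ... | ForEach-Object { $_.ToXml() } or wevtutil). Account names and the
# sample event are constructed; the event IDs are the standard Windows Security ones.
$honeytokens = @('svc-sqlbackup', 'j.vandermeer-adm')

$watch = @{
    '4768' = 'Kerberos TGT requested (credential used or sprayed)'
    '4769' = 'Kerberos service ticket requested (Kerberoasting)'
    '4771' = 'Kerberos pre-authentication failed (wrong password tried)'
    '4776' = 'NTLM credential validation (pass-the-hash or spray)'
    '4624' = 'Successful logon'
    '4625' = 'Failed logon'
}

function Get-HoneytokenHits {
    param([string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $x  = [xml]$raw
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # form used when Qualifiers is set
        if (-not $watch.ContainsKey("$id")) { continue }
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
        if (-not $d['TargetUserName']) { continue }
        $acct = ($d['TargetUserName'] -split '@')[0]                 # accept UPN or sAMAccountName
        if ($acct -notin $honeytokens) { continue }
        $src = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
        [pscustomobject]@{
            Time    = $x.Event.System.TimeCreated.SystemTime
            EventId = "$id"
            Meaning = $watch["$id"]
            Account = $acct
            Source  = $src
            EncType = $d['TicketEncryptionType']   # 0x17 (RC4) on a 4769 is the classic Kerberoasting tell
        }
    }
}

# Constructed sample: a 4769 for the honeytoken's SPN, requested from 10.20.30.40 with RC4.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID>
<TimeCreated SystemTime="2024-03-01T02:14:07Z"/></System><EventData>
<Data Name="TargetUserName">svc-sqlbackup@CONTOSO.LOCAL</Data><Data Name="ServiceName">svc-sqlbackup</Data>
<Data Name="IpAddress">::ffff:10.20.30.40</Data><Data Name="TicketEncryptionType">0x17</Data>
</EventData></Event>
'@
Get-HoneytokenHits -EventXml $sample | Format-Table -AutoSize
```

Any row this returns is actionable on its own, because nothing legitimate should ever reference a honeytoken account.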
To monitor honeytokens using Defender for Identity, you need to enable the “Deception” feature in the Defender for Identity portal. This feature allows you to mark your honeytokens as “deceptive” entities and generate high-severity alerts when they are accessed or used. To enable the “Deception” feature, you need to follow these steps:
- Log in to the Defender for Identity portal using your credentials.
- Go to the “Configuration” page and select the “Deception” tab.
- Click on the “Add” button and select the type of honeytoken that you want to mark as deceptive, such as user, computer, or service account.
- Enter the name or the SID of the honeytoken that you want to mark as deceptive and click on the “Verify” button.
- Click on the “Save” button to confirm your selection.
- Repeat the steps for each honeytoken that you want to mark as deceptive.
After you have enabled the “Deception” feature, you can view and manage your deceptive entities in the Defender for Identity portal. You can also view and manage the alerts that are generated by the deceptive entities in the Defender for Identity portal and the Microsoft 365 Defender portal. To view and manage the alerts, you need to follow these steps:
- Log in to the Defender for Identity portal or the Microsoft 365 Defender portal using your credentials.
- Go to the “Alerts” page and filter the alerts by the “Deception” category.
- Select the alert that you want to view or manage and click on the “Investigate” button.
- Review the alert details, such as the alert name, description, severity, status, and timeline.
- Review the alert entities, such as the deceptive entity, the attacker, the target, and the evidence.
- Review the alert actions, such as the alert context, the alert investigation, the alert response, and the alert feedback.
- Take the appropriate action, such as assigning, dismissing, resolving, or escalating the alert.
Conclusion
Honeytokens are a powerful and effective deception technique that can help you detect and respond to attackers who are trying to compromise your identity infrastructure. By creating and deploying realistic and attractive honeytokens in your network, you can lure and bait the attackers and trigger high-confidence alerts in Defender for Identity. By monitoring and investigating the alerts using the Defender for Identity portal and the Microsoft 365 Defender portal, you can gain valuable insights into the attackers’ tactics and techniques and improve your security posture and resilience.