Active Directory Honeypot

🔒 Secure Bits 💡
Want to detect malicious AD enumeration before real damage happens?

๐Ÿชคย ๐—”๐—ฐ๐˜๐—ถ๐˜ƒ๐—ฒ ๐——๐—ถ๐—ฟ๐—ฒ๐—ฐ๐˜๐—ผ๐—ฟ๐˜† ๐—›๐—ผ๐—ป๐—ฒ๐˜†๐—ฝ๐—ผ๐˜ย โ€” Simple Detection for Enumeration
In this short guide, I show you how to set up aย Canary Userย in AD โ€” combined with auditing and a deny DACL โ€” to catch attackersย during the reconnaissance phase. Itโ€™s a lightweight honeypot tactic anyone can deploy.

๐Ÿ” ๐—ฌ๐—ผ๐˜‚โ€™๐—น๐—น ๐—น๐—ฒ๐—ฎ๐—ฟ๐—ป ๐—ต๐—ผ๐˜„ ๐˜๐—ผ:
โ–ช๏ธ Create the honeypot account
โ–ช๏ธ Set SACLs and DACLs
โ–ช๏ธ Enable proper audit policies
โ–ช๏ธ Test it with SharpHound

Great for internal detection, test labs, or as part of your AD monitoring toolkit.

Full PDF guide is here: Active Directory – Honeypot


๐—ฃ๐—ฆ: You can easily hide the honeypot account if you wish. I cover hiding techniques in my other posts.

โฌ‡๏ธย ๐—–๐—ต๐—ฒ๐—ฐ๐—ธ ๐—ผ๐˜‚๐˜ ๐—ฎ๐—น๐—น ๐—บ๐˜† ๐—ด๐˜‚๐—ถ๐—ฑ๐—ฒ๐˜€ ๐—ฟ๐—ฒ๐—น๐—ฎ๐˜๐—ฒ๐—ฑ ๐˜๐—ผ ๐˜€๐—ถ๐—บ๐—ถ๐—น๐—ฎ๐—ฟ ๐˜๐—ผ๐—ฝ๐—ถ๐—ฐ๐˜€:
Windows Infrastructure Security Guides | Horizon Secured – Academy

This guide was also inspired by An ACE Up the Sleeve by Andy Robbins and Will Schroeder. Their presentation is available online on the Black Hat website.