creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 07:53:18 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/deploying-active-directory-honeytokens/references/api-reference.md
T

327 lines
12 KiB
Markdown
Raw Blame History

# API Reference: Active Directory Honeytoken Deployment
## PowerShellGenerator
Generates PowerShell scripts for AD honeytoken deployment operations.
### Methods
#### `generate_create_honeytoken_account(...)`
Generate PowerShell to create a honeytoken AD account with AdminCount=1, backdated password, group memberships, and SACL audit rules.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `sam_account_name` | `str` | required | sAMAccountName for the honeytoken |
| `display_name` | `str` | required | Display name |
| `description` | `str` | required | Description field |
| `ou_dn` | `str` | required | Distinguished Name of target OU |
| `password_length` | `int` | `128` | Random password length |
| `set_admin_count` | `bool` | `True` | Set AdminCount=1 |
| `account_age_days` | `int` | `5475` | Days to backdate password (~15 years) |
**Returns:** `str` -- Complete PowerShell script.
**AD Operations Performed:**
- Creates AD user account with strong random password
- Sets AdminCount=1 (appears as privileged account to BloodHound)
- Backdates pwdLastSet to simulate aged service account
- Adds to Remote Desktop Users group
- Configures SACL audit rule (Everyone/ReadProperty/Success)
**Detection:** Event ID 4662 (directory service object accessed)
#### `generate_add_honey_spn(...)`
Generate PowerShell to add a fake SPN for Kerberoasting detection (honeyroasting).
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `sam_account_name` | `str` | required | Account to add SPN to |
| `service_class` | `str` | `"MSSQLSvc"` | SPN service class |
| `hostname` | `str` | required | Fake hostname |
| `port` | `int` | `1433` | Service port |
**Returns:** `str` -- PowerShell script that registers the SPN and enables RC4+AES encryption.
**Detection:** Event ID 4769 (Kerberos TGS ticket requested) where ServiceName matches the honeytoken account. Any TGS request for this SPN is definitively malicious.
#### `generate_decoy_gpo(...)`
Generate PowerShell to create a decoy GPO with cpassword credential trap in SYSVOL.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `gpo_name` | `str` | required | GPO display name |
| `decoy_username` | `str` | required | Username in cpassword trap |
| `decoy_domain` | `str` | required | Short domain name (e.g., CORP) |
| `sysvol_path` | `str` | required | SYSVOL Policies path |
| `enable_sacl` | `bool` | `True` | Set SACL audit on GPO folder |
**Returns:** `str` -- PowerShell script that creates GPO folder structure, plants Groups.xml with cpassword, creates trap AD account with different password, and sets SACL.
**Detection Chain:**
1. Event ID 4663 (SYSVOL folder read)
2. Offline: Attacker decrypts cpassword
3. Event ID 4625 (failed logon with decoy credentials)
4. Correlation: 4663 + 4625 from same source IP = confirmed attacker
#### `generate_deceptive_bloodhound_path(...)`
Generate PowerShell to create fake BloodHound attack paths leading to monitored honeytokens.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `honeytoken_sam` | `str` | required | Honeytoken account name |
| `target_group` | `str` | `"Domain Admins"` | High-value group for deceptive path |
| `intermediate_ou` | `str` | `"OU=Service Accounts"` | OU for intermediate objects |
**Returns:** `str` -- PowerShell script that creates GenericAll ACE, deceptive intermediate group, and WriteDacl edge with deny safety net.
**BloodHound Path Created:**
```
Remote Desktop Users -[GenericAll]-> honeytoken_account
honeytoken_account -[MemberOf]-> IT-Infrastructure-Admins
honeytoken_account -[WriteDacl]-> Domain Admins (blocked by deny ACE)
```
#### `generate_validation_script(sam_account_name)`
Generate PowerShell to validate honeytoken deployment integrity.
**Checks Performed:**
| Check | Pass Criteria |
|-------|---------------|
| Account Exists | Account found in AD |
| Account Enabled | Enabled = True |
| AdminCount=1 | AdminCount attribute is 1 |
| SPN Configured | At least one SPN registered |
| Password Age | > 365 days |
| SACL Audit | At least one audit rule configured |
| Group Memberships | Lists all group memberships |
| RC4 Supported | msDS-SupportedEncryptionTypes includes 0x4 |
| Kerberos Audit | auditpol shows Kerberos TGS auditing enabled |
---
## SIEMRuleGenerator
Generates detection rules for SIEM platforms targeting honeytoken activity.
### Methods
#### `generate_detection_rules(honeytoken_accounts, honey_spns, gpo_trap_accounts, siem="sigma")`
| Parameter | Type | Description |
|-----------|------|-------------|
| `honeytoken_accounts` | `list[str]` | Account names to monitor |
| `honey_spns` | `list[str]` | SPN values to monitor |
| `gpo_trap_accounts` | `list[str]` | GPO credential trap usernames |
| `siem` | `str` | Target platform: `sigma`, `splunk`, or `sentinel` |
**Returns:** `list[dict]` -- Each rule contains `title`, `detection_logic`, and `rule` (full query text).
### Generated Rules by Platform
**Sigma Rules:**
| Rule | Event ID | MITRE Technique |
|------|----------|-----------------|
| Honeytoken Kerberoast Detected | 4769 | T1558.003 |
| Honeytoken GPO Credential Use Detected | 4624, 4625 | T1552.006 |
| Honeytoken AD Object Accessed | 4662 | T1087.002 |
**Splunk SPL Rules:**
| Rule | Description |
|------|-------------|
| Honeytoken Kerberoast Detection | Index wineventlog EventCode=4769 with ServiceName filter |
| Honeytoken GPO Credential Use | EventCode 4624/4625 with TargetUserName filter |
| Attack Chain Correlation | SYSVOL enum (4663) -> credential use (4625) by same source IP |
**Microsoft Sentinel KQL Rules:**
| Rule | Description |
|------|-------------|
| Honeytoken Kerberoast Detection | SecurityEvent EventID 4769 with ServiceName filter |
| Honeytoken GPO Credential Use | SecurityEvent EventID 4624/4625 with TargetUserName filter |
#### `export_rules(output_dir, format="json")`
Export all generated rules to files on disk.
**Returns:** `list[str]` of saved file paths.
---
## ADHoneytokenMonitor
Monitors Windows Event Logs for honeytoken interactions and generates alerts.
### Constructor
```python
ADHoneytokenMonitor(config_path=None)
```
### Methods
#### `register_honeytoken(identifier, token_type="admin_account", metadata=None)`
Register a honeytoken for monitoring.
| Token Type | Description |
|------------|-------------|
| `admin_account` | Fake privileged AD account |
| `spn` | Fake Service Principal Name |
| `gpo_credential` | Decoy GPO cpassword trap account |
#### `analyze_event_log(events)`
Analyze Windows Event Log entries for honeytoken interactions.
| Event ID | Alert Type | Severity |
|----------|------------|----------|
| 4769 | `KERBEROAST_HONEYTOKEN` | critical |
| 4624 | `HONEYTOKEN_LOGON` | critical |
| 4625 | `HONEYTOKEN_LOGON_FAILED` | critical |
| 4662 | `HONEYTOKEN_DACL_READ` | high |
| 5136 | `HONEYTOKEN_GPO_MODIFIED` | critical |
**Returns:** `list[dict]` -- Alerts with `alert_id`, `alert_type`, `severity`, `description`, `mitre_technique`, `source_ip`, `source_host`.
#### `generate_detection_rules(siem="sigma")`
Generate SIEM detection rules for all registered honeytokens.
#### `get_alert_summary()`
Get aggregated summary of all alerts by severity, type, and source IP.
---
## HoneytokenDeployer
Orchestrates full honeytoken deployment and generates all artifacts.
### Constructor
```python
HoneytokenDeployer(domain="corp.example.com",
service_account_ou="OU=Service Accounts",
sysvol_path="")
```
### Methods
#### `generate_realistic_name()`
Generate a realistic service account name using templates matching common organizational patterns.
**Returns:** `dict` with `sam_account_name`, `display_name`, `hostname`.
#### `deploy_full_suite(...)`
Generate complete deployment artifacts for a full honeytoken suite.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `token_count` | `int` | `3` | Number of honeytoken accounts |
| `include_spn` | `bool` | `True` | Add fake SPNs |
| `include_gpo` | `bool` | `True` | Create decoy GPO |
| `include_bloodhound` | `bool` | `True` | Create deceptive BloodHound paths |
| `siem_type` | `str` | `"sigma"` | Target SIEM for detection rules |
**Returns:** `dict` with `deployment_id`, `tokens`, `scripts`, `detection_rules`.
#### `save_deployment(deployment, output_dir)`
Save all deployment artifacts (PowerShell scripts, detection rules, manifest) to disk.
**Returns:** `list[str]` of saved file paths.
---
## PowerShell Module: Deploy-ADHoneytokens.ps1
### Exported Functions
| Function | Description |
|----------|-------------|
| `New-HoneytokenAdmin` | Create honeytoken AD account with AdminCount=1, SACL, backdated password |
| `Add-HoneytokenSPN` | Register fake SPN for Kerberoasting detection |
| `New-DecoyGPO` | Create decoy GPO with cpassword trap in SYSVOL |
| `New-DeceptiveBloodHoundPath` | Create fake BloodHound attack paths |
| `Test-HoneytokenDeployment` | Validate honeytoken deployment integrity |
| `Deploy-FullHoneytokenSuite` | Deploy complete honeytoken suite |
### Prerequisites
```powershell
#Requires -Modules ActiveDirectory
#Requires -Version 5.1
```
---
## Windows Event IDs for Honeytoken Detection
| Event ID | Description | Honeytoken Use |
|----------|-------------|----------------|
| 4769 | Kerberos TGS ticket requested | Kerberoast against honey SPN |
| 4768 | Kerberos TGT requested | AS-REP roasting of honey account |
| 4625 | Failed logon attempt | Credential use from decoy GPO |
| 4624 | Successful logon | Honeytoken account compromise |
| 4662 | Directory service object accessed | DACL read on honeytoken user |
| 4648 | Logon with explicit credentials | Pass-the-hash detection |
| 5136 | Directory service object modified | GPO modification |
| 5137 | Directory service object created | GPO creation |
| 4663 | Attempt to access object | SYSVOL decoy file read |
---
## CLI Usage
```bash
# Full deployment (generates all scripts, rules, and manifest)
python agent.py --action full_deploy \
--domain corp.example.com \
--ou "OU=Service Accounts" \
--token-count 3 \
--siem sigma \
--output-dir honeytoken_deployment
# Generate detection rules only
python agent.py --action generate_rules \
--account-name svc_sqlbackup_legacy \
--siem splunk
# Generate single account creation script
python agent.py --action deploy_account \
--account-name svc_sqlbackup_legacy \
--domain corp.example.com
# Generate SPN addition script
python agent.py --action deploy_spn \
--account-name svc_sqlbackup_legacy
# Generate decoy GPO script
python agent.py --action deploy_gpo \
--domain corp.example.com
# Generate BloodHound deception script
python agent.py --action deploy_bloodhound \
--account-name svc_sqlbackup_legacy
# Validate deployment
python agent.py --action validate \
--account-name svc_sqlbackup_legacy
# Analyze event logs for honeytoken alerts
python agent.py --action analyze_logs \
--account-name svc_sqlbackup_legacy \
--event-log events.json
```
### CLI Arguments
| Argument | Default | Description |
|----------|---------|-------------|
| `--action` | `full_deploy` | Action to perform |
| `--domain` | `corp.example.com` | AD domain FQDN |
| `--ou` | `OU=Service Accounts` | OU for honeytoken accounts |
| `--sysvol` | auto | SYSVOL Policies path |
| `--account-name` | `svc_sqlbackup_legacy` | Honeytoken account name |
| `--token-count` | `3` | Number of honeytokens to deploy |
| `--siem` | `sigma` | Target SIEM: `sigma`, `splunk`, `sentinel` |
| `--output-dir` | `honeytoken_deployment` | Output directory |
| `--include-spn` | `True` | Include fake SPNs |
| `--include-gpo` | `True` | Include decoy GPO |
| `--include-bloodhound` | `True` | Include BloodHound deception |
| `--event-log` | `None` | Path to event log JSON for analysis |
Reference in New Issue View Git Blame Copy Permalink