mukul975
12 KiB
API Reference: Active Directory Honeytoken Deployment
PowerShellGenerator
Generates PowerShell scripts for AD honeytoken deployment operations.
Methods
generate_create_honeytoken_account(...)
Generate PowerShell to create a honeytoken AD account with AdminCount=1, backdated password, group memberships, and SACL audit rules.
| Parameter | Type | Default | Description |
|---|---|---|---|
sam_account_name |
str |
required | sAMAccountName for the honeytoken |
display_name |
str |
required | Display name |
description |
str |
required | Description field |
ou_dn |
str |
required | Distinguished Name of target OU |
password_length |
int |
128 |
Random password length |
set_admin_count |
bool |
True |
Set AdminCount=1 |
account_age_days |
int |
5475 |
Days to backdate password (~15 years) |
Returns: str -- Complete PowerShell script.
AD Operations Performed:
- Creates AD user account with strong random password
- Sets AdminCount=1 (appears as privileged account to BloodHound)
- Backdates pwdLastSet to simulate aged service account
- Adds to Remote Desktop Users group
- Configures SACL audit rule (Everyone/ReadProperty/Success)
Detection: Event ID 4662 (directory service object accessed)
generate_add_honey_spn(...)
Generate PowerShell to add a fake SPN for Kerberoasting detection (honeyroasting).
| Parameter | Type | Default | Description |
|---|---|---|---|
sam_account_name |
str |
required | Account to add SPN to |
service_class |
str |
"MSSQLSvc" |
SPN service class |
hostname |
str |
required | Fake hostname |
port |
int |
1433 |
Service port |
Returns: str -- PowerShell script that registers the SPN and enables RC4+AES encryption.
Detection: Event ID 4769 (Kerberos TGS ticket requested) where ServiceName matches the honeytoken account. Any TGS request for this SPN is definitively malicious.
generate_decoy_gpo(...)
Generate PowerShell to create a decoy GPO with cpassword credential trap in SYSVOL.
| Parameter | Type | Default | Description |
|---|---|---|---|
gpo_name |
str |
required | GPO display name |
decoy_username |
str |
required | Username in cpassword trap |
decoy_domain |
str |
required | Short domain name (e.g., CORP) |
sysvol_path |
str |
required | SYSVOL Policies path |
enable_sacl |
bool |
True |
Set SACL audit on GPO folder |
Returns: str -- PowerShell script that creates GPO folder structure, plants Groups.xml with cpassword, creates trap AD account with different password, and sets SACL.
Detection Chain:
- Event ID 4663 (SYSVOL folder read)
- Offline: Attacker decrypts cpassword
- Event ID 4625 (failed logon with decoy credentials)
- Correlation: 4663 + 4625 from same source IP = confirmed attacker
generate_deceptive_bloodhound_path(...)
Generate PowerShell to create fake BloodHound attack paths leading to monitored honeytokens.
| Parameter | Type | Default | Description |
|---|---|---|---|
honeytoken_sam |
str |
required | Honeytoken account name |
target_group |
str |
"Domain Admins" |
High-value group for deceptive path |
intermediate_ou |
str |
"OU=Service Accounts" |
OU for intermediate objects |
Returns: str -- PowerShell script that creates GenericAll ACE, deceptive intermediate group, and WriteDacl edge with deny safety net.
BloodHound Path Created:
Remote Desktop Users -[GenericAll]-> honeytoken_account
honeytoken_account -[MemberOf]-> IT-Infrastructure-Admins
honeytoken_account -[WriteDacl]-> Domain Admins (blocked by deny ACE)
generate_validation_script(sam_account_name)
Generate PowerShell to validate honeytoken deployment integrity.
Checks Performed:
| Check | Pass Criteria |
|---|---|
| Account Exists | Account found in AD |
| Account Enabled | Enabled = True |
| AdminCount=1 | AdminCount attribute is 1 |
| SPN Configured | At least one SPN registered |
| Password Age | > 365 days |
| SACL Audit | At least one audit rule configured |
| Group Memberships | Lists all group memberships |
| RC4 Supported | msDS-SupportedEncryptionTypes includes 0x4 |
| Kerberos Audit | auditpol shows Kerberos TGS auditing enabled |
SIEMRuleGenerator
Generates detection rules for SIEM platforms targeting honeytoken activity.
Methods
generate_detection_rules(honeytoken_accounts, honey_spns, gpo_trap_accounts, siem="sigma")
| Parameter | Type | Description |
|---|---|---|
honeytoken_accounts |
list[str] |
Account names to monitor |
honey_spns |
list[str] |
SPN values to monitor |
gpo_trap_accounts |
list[str] |
GPO credential trap usernames |
siem |
str |
Target platform: sigma, splunk, or sentinel |
Returns: list[dict] -- Each rule contains title, detection_logic, and rule (full query text).
Generated Rules by Platform
Sigma Rules:
| Rule | Event ID | MITRE Technique |
|---|---|---|
| Honeytoken Kerberoast Detected | 4769 | T1558.003 |
| Honeytoken GPO Credential Use Detected | 4624, 4625 | T1552.006 |
| Honeytoken AD Object Accessed | 4662 | T1087.002 |
Splunk SPL Rules:
| Rule | Description |
|---|---|
| Honeytoken Kerberoast Detection | Index wineventlog EventCode=4769 with ServiceName filter |
| Honeytoken GPO Credential Use | EventCode 4624/4625 with TargetUserName filter |
| Attack Chain Correlation | SYSVOL enum (4663) -> credential use (4625) by same source IP |
Microsoft Sentinel KQL Rules:
| Rule | Description |
|---|---|
| Honeytoken Kerberoast Detection | SecurityEvent EventID 4769 with ServiceName filter |
| Honeytoken GPO Credential Use | SecurityEvent EventID 4624/4625 with TargetUserName filter |
export_rules(output_dir, format="json")
Export all generated rules to files on disk.
Returns: list[str] of saved file paths.
ADHoneytokenMonitor
Monitors Windows Event Logs for honeytoken interactions and generates alerts.
Constructor
ADHoneytokenMonitor(config_path=None)
Methods
register_honeytoken(identifier, token_type="admin_account", metadata=None)
Register a honeytoken for monitoring.
| Token Type | Description |
|---|---|
admin_account |
Fake privileged AD account |
spn |
Fake Service Principal Name |
gpo_credential |
Decoy GPO cpassword trap account |
analyze_event_log(events)
Analyze Windows Event Log entries for honeytoken interactions.
| Event ID | Alert Type | Severity |
|---|---|---|
| 4769 | KERBEROAST_HONEYTOKEN |
critical |
| 4624 | HONEYTOKEN_LOGON |
critical |
| 4625 | HONEYTOKEN_LOGON_FAILED |
critical |
| 4662 | HONEYTOKEN_DACL_READ |
high |
| 5136 | HONEYTOKEN_GPO_MODIFIED |
critical |
Returns: list[dict] -- Alerts with alert_id, alert_type, severity, description, mitre_technique, source_ip, source_host.
generate_detection_rules(siem="sigma")
Generate SIEM detection rules for all registered honeytokens.
get_alert_summary()
Get aggregated summary of all alerts by severity, type, and source IP.
HoneytokenDeployer
Orchestrates full honeytoken deployment and generates all artifacts.
Constructor
HoneytokenDeployer(domain="corp.example.com",
service_account_ou="OU=Service Accounts",
sysvol_path="")
Methods
generate_realistic_name()
Generate a realistic service account name using templates matching common organizational patterns.
Returns: dict with sam_account_name, display_name, hostname.
deploy_full_suite(...)
Generate complete deployment artifacts for a full honeytoken suite.
| Parameter | Type | Default | Description |
|---|---|---|---|
token_count |
int |
3 |
Number of honeytoken accounts |
include_spn |
bool |
True |
Add fake SPNs |
include_gpo |
bool |
True |
Create decoy GPO |
include_bloodhound |
bool |
True |
Create deceptive BloodHound paths |
siem_type |
str |
"sigma" |
Target SIEM for detection rules |
Returns: dict with deployment_id, tokens, scripts, detection_rules.
save_deployment(deployment, output_dir)
Save all deployment artifacts (PowerShell scripts, detection rules, manifest) to disk.
Returns: list[str] of saved file paths.
PowerShell Module: Deploy-ADHoneytokens.ps1
Exported Functions
| Function | Description |
|---|---|
New-HoneytokenAdmin |
Create honeytoken AD account with AdminCount=1, SACL, backdated password |
Add-HoneytokenSPN |
Register fake SPN for Kerberoasting detection |
New-DecoyGPO |
Create decoy GPO with cpassword trap in SYSVOL |
New-DeceptiveBloodHoundPath |
Create fake BloodHound attack paths |
Test-HoneytokenDeployment |
Validate honeytoken deployment integrity |
Deploy-FullHoneytokenSuite |
Deploy complete honeytoken suite |
Prerequisites
#Requires -Modules ActiveDirectory
#Requires -Version 5.1
Windows Event IDs for Honeytoken Detection
| Event ID | Description | Honeytoken Use |
|---|---|---|
| 4769 | Kerberos TGS ticket requested | Kerberoast against honey SPN |
| 4768 | Kerberos TGT requested | AS-REP roasting of honey account |
| 4625 | Failed logon attempt | Credential use from decoy GPO |
| 4624 | Successful logon | Honeytoken account compromise |
| 4662 | Directory service object accessed | DACL read on honeytoken user |
| 4648 | Logon with explicit credentials | Pass-the-hash detection |
| 5136 | Directory service object modified | GPO modification |
| 5137 | Directory service object created | GPO creation |
| 4663 | Attempt to access object | SYSVOL decoy file read |
CLI Usage
# Full deployment (generates all scripts, rules, and manifest)
python agent.py --action full_deploy \
--domain corp.example.com \
--ou "OU=Service Accounts" \
--token-count 3 \
--siem sigma \
--output-dir honeytoken_deployment
# Generate detection rules only
python agent.py --action generate_rules \
--account-name svc_sqlbackup_legacy \
--siem splunk
# Generate single account creation script
python agent.py --action deploy_account \
--account-name svc_sqlbackup_legacy \
--domain corp.example.com
# Generate SPN addition script
python agent.py --action deploy_spn \
--account-name svc_sqlbackup_legacy
# Generate decoy GPO script
python agent.py --action deploy_gpo \
--domain corp.example.com
# Generate BloodHound deception script
python agent.py --action deploy_bloodhound \
--account-name svc_sqlbackup_legacy
# Validate deployment
python agent.py --action validate \
--account-name svc_sqlbackup_legacy
# Analyze event logs for honeytoken alerts
python agent.py --action analyze_logs \
--account-name svc_sqlbackup_legacy \
--event-log events.json
CLI Arguments
| Argument | Default | Description |
|---|---|---|
--action |
full_deploy |
Action to perform |
--domain |
corp.example.com |
AD domain FQDN |
--ou |
OU=Service Accounts |
OU for honeytoken accounts |
--sysvol |
auto | SYSVOL Policies path |
--account-name |
svc_sqlbackup_legacy |
Honeytoken account name |
--token-count |
3 |
Number of honeytokens to deploy |
--siem |
sigma |
Target SIEM: sigma, splunk, sentinel |
--output-dir |
honeytoken_deployment |
Output directory |
--include-spn |
True |
Include fake SPNs |
--include-gpo |
True |
Include decoy GPO |
--include-bloodhound |
True |
Include BloodHound deception |
--event-log |
None |
Path to event log JSON for analysis |