How is Honeytoken supposed to work?

  • Question

  • I am trying to figure out how a defined Honeytoken is supposed to work.

    I set up an account with a prominent name like "SQLADMIN" and, to my understanding, any attempt to log in using this account, false/positive, should raise an alert.

    I tried several login attempts using a wrong password, but no alert is triggered.

    Does it only match for positive logins?

    Monday, October 29, 2018 12:52 PM

All replies

  • Hello,

    Based on my understanding, it should raise an alert whether the authentication with this account is successful or NOT. According to the introduction in the article below, it looks like it's not very clear.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide#honeytoken-activity

    Best regards,

    Andy Liu


    Tuesday, October 30, 2018 7:03 AM
  • Correct, it should alert regardless of the authentication result.
    Any chance you did the authentication against a DC which is currently not monitored?

    Are there any health alerts in the console?

    Wednesday, October 31, 2018 3:06 PM
  • Hello Eli,

    No, there are no health alerts on the ATA.

    I tried several times to raise an alert by using the wrong password for a Honeytoken account, with no success. Only if I use the correct password for an RDP login does the ATA alert.

    Friday, November 23, 2018 1:53 PM
  • Which authentication method did you use which was ignored?

    (you mentioned RDP worked, but not what you did that failed to alert).

    Also, did you make sure that you were working against a DC that was actually monitored by ATA?

    Saturday, November 24, 2018 9:51 PM
  • Hello Eli,

    Yes, we are monitoring the correct DCs. I tried RDP login against several servers with the user and a wrong password; no alert was raised. Only the moment I used the correct login credentials and eventually logged on successfully did the ATA raise an alert.

    From my point of view, the alert should be raised regardless of success status; furthermore, having the need to "share" a working login to get a honeytoken working is the wrong way.

    Monday, December 3, 2018 9:38 AM
  • It should log the login even for a failed attempt as far as I know.

    Does it alert on failed auth in other cases besides RDP?

    For example, what will happen if you try to log in to a Windows workstation locally with wrong credentials for this account, or do a net use command using this account?

    Do you have full DC coverage in the forest with Gateways?

    Monday, December 3, 2018 12:28 PM
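As a complementary check on a domain controller's own Security log, the rule the thread describes (a honeytoken account name should alert on every authentication attempt, failed or successful) can be expressed as a small detector. This is an added example, not ATA's logic; the key=value record format, the event ID list and the sample records are constructed for illustration.

```python
# Added example, not ATA's own logic: flag any logon-related Windows Security event
# that names a honeytoken account, whether the attempt succeeded or failed.
import re

# Event IDs that carry the target account of a logon attempt, success and failure alike.
LOGON_EVENT_IDS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}
# Honeytoken accounts, matched case-insensitively (the thread's example is SQLADMIN).
HONEYTOKEN_ACCOUNTS = {"sqladmin"}

# Constructed sample records in a simplified key=value form, not real exported logs.
SAMPLE_EVENTS = """\
EventID=4625 TargetUserName=SQLADMIN IpAddress=10.0.0.5 Status=0xC000006D
EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.7 LogonType=10
EventID=4771 TargetUserName=CORP\\sqladmin IpAddress=10.0.0.9 Status=0x18
EventID=4624 TargetUserName=SQLADMIN IpAddress=10.0.0.5 LogonType=10
EventID=4776 TargetUserName=Administrator Workstation=WS01 Status=0xC000006A
"""
_FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one record line into a dict; EventID is converted to int."""
    fields = dict(_FIELD_RE.findall(line))
    if "EventID" in fields:
        fields["EventID"] = int(fields["EventID"])
    return fields

def detect_honeytoken_use(records, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Return (event_id, account, source, outcome) for each logon-related event
    naming a honeytoken. The account name alone triggers the alert; the result
    code only labels the outcome, so a wrong-password attempt still fires."""
    alerts = []
    for line in records.splitlines():
        ev = parse_event(line)
        eid, user = ev.get("EventID"), ev.get("TargetUserName", "")
        # Drop any DOMAIN\ prefix before comparing against the honeytoken list.
        if eid in LOGON_EVENT_IDS and user.rsplit("\\", 1)[-1].lower() in honeytokens:
            source = ev.get("IpAddress") or ev.get("Workstation", "?")
            alerts.append((eid, user, source, LOGON_EVENT_IDS[eid]))
    return alerts

if __name__ == "__main__":
    for eid, user, src, outcome in detect_honeytoken_use(SAMPLE_EVENTS):
        print(f"HONEYTOKEN: {user} via {outcome} (event {eid}) from {src}")
```

Run against the sample records it reports three hits for SQLADMIN (failed logon, Kerberos pre-authentication failure, successful logon) and ignores the other accounts, which is the behaviour the thread expects from the ATA honeytoken alert.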