Kerberoasting a Honeytoken - Suspicious Activity Raised? RRS feed

  • Question

  • If an attacker requests a service ticket for a Honeytoken account (not attempting a logon, just asking for a service ticket) should that generate a suspicious activity?
    Thursday, August 29, 2019 7:52 PM

All replies

  • it should.
    Thursday, August 29, 2019 8:54 PM
  • Which log should I check for clues as to why it didn't?   I see the bee icon in the UI and I see the "accessed by" event, but no SA.

    Version 1.9.7412.9649

    • Edited by hukel Friday, August 30, 2019 12:00 PM
    Thursday, August 29, 2019 9:00 PM
  • Do you have an SA for that Honeytoken Logged in to a computer? 



    Tuesday, September 3, 2019 12:29 PM
  • The honeytoken account never logs into a computer in this scenario.   The action that should be triggering the SA (in my opinion) is the service ticket request itself.
    • Edited by hukel Friday, September 13, 2019 1:00 PM
    Friday, September 13, 2019 1:00 PM