deploying-active-directory-honeytokens

Featured

Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1, fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors Windows Security Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses for detecting lateral movement, credential theft, and reconnaissance.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Deploying Active Directory Honeytokens

## When to Use

- When deploying deception-based detection in Active Directory environments
- When detecting Kerberoasting attacks via fake SPN honeytokens (honeyroasting)
- When creating tripwire accounts to detect credential theft and lateral movement
- When building decoy GPOs to detect Group Policy Preference password harvesting
- When creating deceptive BloodHound paths to misdirect and detect attackers
- When supplementing existing AD monitoring with high-fidelity detection signals

## Prerequisites

- Domain Admin or delegated AD administration privileges
- Active Directory domain (Windows Server 2016+ recommended)
- Windows Event Log forwarding to SIEM (Splunk, Sentinel, Elastic)
- PowerShell 5.1+ with ActiveDirectory module
- Group Policy Management Console (GPMC)
- Understanding of AD security, Kerberos, and BloodHound attack paths

## Background

### Why AD Honeytokens

Traditional signature-based detection misses novel attack techniques. Honeytokens provide high-fidelity detection with near-zero false positives because any interaction with a decoy object is inherently suspicious. In Active Directory:

- **Fake privileged accounts** detect credential dumping (DCSync, NTDS.dit extraction)
- **Fake SPNs** detect Kerberoasting reconnaissance (TGS requests for nonexistent services)
- **Decoy GPOs** detect Group Policy Preference password harvesting
- **Fake BloodHound paths** mislead attackers using graph-based AD analysis

###...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-deception-technology-deployment

Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have bypassed perimeter defenses, providing high-fidelity alerts with near-zero false positive rates. Use when SOC teams need early warning of lateral movement, credential abuse, or internal reconnaissance by deploying convincing traps across the network.

12,642 Updated today
mukul975
AI & Automation Solid

active-directory-attacks

This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.

4,215 Updated today
zebbern
AI & Automation Listed

active-directory-attacks

This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.

36 Updated today
cleodin
AI & Automation Featured

implementing-network-deception-with-honeypots

Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

12,642 Updated today
mukul975
AI & Automation Solid

implementing-honeytokens-for-breach-detection

Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection.

12,642 Updated today
mukul975