Task 4.3: Honeytoken activity
A honeytoken account should look attractive to attackers, for example through an enticing name or a sensitive group membership, and should be left unused by your organization. Any activity from a honeytoken account, such as LDAP, NTLM or Kerberos sign-in attempts, might indicate malicious behavior.
To configure an account as a honeytoken, make sure to tag it accordingly. For more information, review Defender for Identity entity tags in Microsoft Defender XDR.
- Use the DC01 RDP session, logged in as MSMDI\Administrator with the password Passw0rd!
- In the browser, go to https://security.microsoft.com if you are not already there.
- Scroll down and select Settings, and then select Identities.
- In Microsoft Defender for Identity, under Entity tags, select Honeytoken.
- Select Tag users.
- Search for and then select HoneyTokenTest, and select Add selection.
To test your honeytoken, try signing in to your honeytoken account.
- Open a new RDP session to WIN6 using the WIN6.rdp file in the downloads folder, select More choices/Use a different account, and sign in as MSMDI\HoneyTokenTest with the password Passw0rd12!@
- Once you have successfully logged in as HoneyTokenTest, you can sign out as HoneyTokenTest.
For more information, review Honeytoken activity (external ID 2014).
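To check that the test sign-in was recorded, the following advanced hunting query is an added example and not part of the original lab. It assumes the tenant exposes the `IdentityLogonEvents` table in Microsoft Defender XDR advanced hunting; the account list and the one-day window are assumptions to adjust.

```kusto
// Added example: summarize recent sign-in activity for honeytoken accounts.
// Assumption: this list is kept in step by hand with the accounts tagged
// under Settings > Identities > Entity tags > Honeytoken.
let honeytokens = dynamic(["HoneyTokenTest"]);
// Assumption: one day covers the lab test; widen for routine review.
let lookback = 1d;
IdentityLogonEvents
| where Timestamp > ago(lookback)
// Case-insensitive match, since account names may be logged in any case.
| where AccountName in~ (honeytokens)
// Group by protocol and outcome so LDAP, NTLM and Kerberos attempts,
// failed or successful, each show up as their own row per source.
| summarize
    Attempts = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    FailureReasons = make_set(FailureReason, 10)
    by AccountName, AccountDomain, Protocol, ActionType, LogonType,
       SourceDevice = DeviceName, SourceIP = IPAddress, DestinationDeviceName
| order by LastSeen desc
```

Because the account is left unused, every row returned outside a planned test is worth investigating, including failed attempts.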