
Task 4.3: Honeytoken activity

A honeytoken account should be attractive to attackers, for example through an enticing name or a sensitive group membership, and should be left unused by your organization. Any activity from a honeytoken account, such as LDAP, NTLM or Kerberos sign-in attempts, might indicate malicious behavior.

To configure an account as a honeytoken, make sure to tag it accordingly. For more information, review Defender for Identity entity tags in Microsoft Defender XDR.

  1. In the DC01 RDP session, log in as MSMDI\Administrator using the password Passw0rd!

  2. In the browser, go to https://security.microsoft.com if you are not already there.

  3. Scroll down and select Settings, and then select Identities.

  4. In Microsoft Defender for Identity, under Entity tags, select Honeytoken.

  5. Select Tag users.

  6. Search for and then select HoneyTokenTest, and select Add selection.

    To test your honeytoken, try signing in to your honeytoken account.

  7. Open a new RDP session to WIN6 using the WIN6.rdp file in the downloads folder, select More choices/Use a different account, and sign in as MSMDI\HoneyTokenTest using the password Passw0rd12!@

  8. Once you have successfully logged in as HoneyTokenTest, sign out of the HoneyTokenTest session.
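The rule behind this task, that any activity from a honeytoken account is suspect, is shown here as an added example (not part of the original lab and not Microsoft's code): a small Python detector run over constructed sign-in records. The record fields, the `msmdi.local` suffix and the sample events are assumptions made for illustration.

```python
# Added example: constructed events; field names are assumptions,
# not the Defender for Identity schema.
from collections import Counter
from dataclasses import dataclass

HONEYTOKENS = {"honeytokentest"}   # tagged account names, lower-cased

@dataclass(frozen=True)
class SignIn:
    timestamp: str
    account: str    # may arrive as DOMAIN\user, user@domain or bare user
    protocol: str   # e.g. LDAP, NTLM, Kerberos
    source: str
    success: bool

def sam_name(account: str) -> str:
    """Reduce DOMAIN\\user, user@domain or user to a lower-cased account name."""
    name = account.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def honeytoken_hits(events):
    """Every event for a honeytoken counts, failed attempts included.
    Matching is exact on the account name, so look-alike names are not flagged."""
    return [e for e in events if sam_name(e.account) in HONEYTOKENS]

def hits_by_protocol(events):
    """Count honeytoken activity per protocol (upper-cased) for triage."""
    return Counter(e.protocol.upper() for e in honeytoken_hits(events))

# Constructed sample data mirroring the lab: the WIN6 sign-in plus noise.
SAMPLE = [
    SignIn("2024-01-01T10:00:00Z", "MSMDI\\Administrator", "Kerberos", "DC01", True),
    SignIn("2024-01-01T10:05:00Z", "MSMDI\\HoneyTokenTest", "Kerberos", "WIN6", True),
    SignIn("2024-01-01T10:06:00Z", "honeytokentest@msmdi.local", "NTLM", "WIN6", False),
    SignIn("2024-01-01T10:07:00Z", "MSMDI\\HoneyTokenTest2", "LDAP", "WIN6", True),
]

if __name__ == "__main__":
    for hit in honeytoken_hits(SAMPLE):
        outcome = "success" if hit.success else "failure"
        print(f"{hit.timestamp} {sam_name(hit.account)} via {hit.protocol} "
              f"from {hit.source} ({outcome})")
```
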

For more information, review Honeytoken activity (external ID 2014).