DCEPT - Honeytokens for Active Directory

March 8th, 2016

James Bettke and I wrote a tool to detect attempts to escalate privileges on a Windows Active Directory domain. We read a SANS blog post suggesting an easy way to inject honeytoken credentials into the Windows credential cache so that Mimikatz or other credential-scraping tools would find them; since nothing legitimate ever uses the decoy account, any authentication attempt with it is a high-confidence alert. We wrapped the idea in a server/agent model and made some tweaks, foremost rotating the credentials per machine per day: because each credential is unique to one host and one day, an attempt to use it tells the incident response team which machine the credential was scraped from and when, giving them a timeframe and context to work from as soon as they are alerted.
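The rotation and attribution logic described above, as an added example (this is illustrative code written for this page, not DCEPT's own code). The server derives each day's decoy password per host from a server-side secret, so it can later re-derive every candidate and test each against the captured authentication material to recover the host and day the token was planted. The account name, hostnames, secret and the `make_proof` stand-in are all constructed for the example; in a real deployment the check would be against the captured Kerberos pre-authentication or NTLM response, and the endpoint planting step (a `runas /netonly`-style logon that caches the credential without validating it against the DC) is not shown here.

```python
import base64
import hashlib
import hmac
from datetime import date, timedelta

# Constructed for this example: the decoy account and the server secret.
# The secret lives only on the server; agents receive finished passwords.
HONEY_USER = "svc_backup"
SERVER_SECRET = b"constructed-server-secret-keep-off-the-agents"


def derive_password(hostname: str, day: date, secret: bytes = SERVER_SECRET) -> str:
    """Password the agent on `hostname` is told to plant on `day`.

    Deterministic in (secret, hostname, day), so the server never has to
    store what it issued: it can re-derive any candidate later.
    """
    msg = f"{hostname.lower()}|{day.isoformat()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest[:15]).decode()  # 20 printable chars


def attribute(proof_matches, hostnames, seen_on: date, window_days: int = 7):
    """Return the (hostname, day) whose token an attacker just used, or None.

    `proof_matches(candidate_password) -> bool` stands in for checking a
    candidate against the captured authentication material.  Only the last
    `window_days` are tried, since older tokens have been rotated out.
    """
    for back in range(window_days):
        day = seen_on - timedelta(days=back)
        for host in hostnames:
            if proof_matches(derive_password(host, day)):
                return host, day
    return None


def make_proof(password: str, nonce: bytes) -> bytes:
    """Constructed stand-in for captured auth material: a MAC over a nonce
    keyed by the password.  NOT a real Kerberos/NTLM exchange; it only
    lets the example verify a candidate password offline."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def demo(days_later: int = 2):
    """Plant a token on one host, 'steal' it, replay it `days_later` days on,
    and let the server attribute the attempt."""
    fleet = ["WS-FINANCE-07", "WS-HR-02", "WS-DEV-11"]  # constructed hostnames
    planted_day = date(2016, 3, 6)
    # The agent on WS-HR-02 planted that day's token; a Mimikatz-style tool
    # scraped it from the credential cache.
    stolen = derive_password("WS-HR-02", planted_day)
    nonce = b"constructed-challenge-0001"
    captured = make_proof(stolen, nonce)

    seen_on = planted_day + timedelta(days=days_later)
    return attribute(
        lambda pw: hmac.compare_digest(make_proof(pw, nonce), captured),
        fleet,
        seen_on,
    )


if __name__ == "__main__":
    verdict = demo()
    if verdict:
        host, day = verdict
        print(f"honeytoken {HONEY_USER} used: planted on {host} on {day}")
    else:
        print("honeytoken used, but no token in the rotation window matched")
```

The window bound matters in practice: an attacker who sits on a scraped credential longer than the rotation history the server keeps will still trigger the alert (the account itself is the trip-wire), but the per-host attribution is lost, so the retention window should be set with dwell time in mind.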

DCEPT screenshot

The project is available on GitHub; check it out here.