Skip to content

AD Tripwires - How It Works

AD Tripwires provides early attack detection in your Active Directory environment using strategically placed decoy accounts. This document addresses key architectural aspects that security teams typically evaluate.

Core Concept

AD Tripwires deploys three types of decoy accounts that attract common Active Directory attack techniques:

graph LR
    attacker@{ shape: circle, label: "Attacker"}
    attacker-->A[Exposed Credential Account]
    attacker-->B[Kerberoastable Account] 
    attacker-->C[AS-REP Roastable Account]
    A --> detection[Attack Detection]
    B --> detection
    C --> detection
    detection --> alerts[Security Alerts]

Why This Works: Legitimate users and applications have no reason to interact with these accounts. Any activity indicates reconnaissance or active compromise. Tripwire accounts are configured with long, complex, random passwords that are extremely unlikely to be cracked, even with dedicated hardware. These accounts are not used for legitimate logins and will not generate events for successful authentication—only failed attempts or suspicious activity are detected.

Security Architecture

Minimal Privileged Access

Service Account Permissions:

  • Read-only access to SYSVOL EventAnalytics directory
  • No privileged access to Active Directory objects
  • Cannot modify domain configuration or user accounts

AD Agent Isolation:

  • Runs on existing NodeZero runner (no additional infrastructure)
  • Outbound HTTPS only (no inbound network access required)
  • Processes only attack metadata, never actual credentials

Data Protection

What Gets Monitored:

  • Authentication attempts against tripwire accounts
  • Kerberos ticket requests for decoy service accounts
  • Account enumeration activities

What Stays Private:

  • No access to legitimate user credentials
  • No monitoring of production user activities
  • No collection of business data or communications

Deployment Footprint

Domain Controllers:

  • Single scheduled task (runs every 10 minutes)
  • Reads existing Windows Security logs
  • Writes minimal event metadata to SYSVOL

Active Directory Changes:

  • 3 decoy user accounts (customer defined usernames)
  • 1 service account for monitoring access
  • 1 directory in SYSVOL for event and config storage

How Detection Works

Event Collection Process

graph LR

    logs@{ shape: rectangle, label: "Windows\nSecurity Logs"} 
    logs --> task@{ shape: rectangle, label: "Scheduled\nTask"}
    task --> scan@{ shape: rectangle, label: "Scan for\nTripwire Events"}
    scan --> events@{ shape: rectangle, label: "Write\nEvent Metadata"}
    events --> sysvol@{ shape: rectangle, label: "EventAnalytics\nDirectory"}
    sysvol --> agent@{ shape: rectangle, label: "AD\nAgent"}
    agent --> portal@{ shape: rectangle, label: "Horizon3\nportal"}

Key Points:

  • Uses existing Windows logging (no additional log sources)
  • Only processes events related to tripwire accounts
  • Event data contains timestamps and attack indicators, not sensitive information

Windows Security Events

AD Tripwires monitors both account-specific and general security events. Some events are enabled by default in Windows, while others are specifically enabled by the IoA Domain Policy for detection coverage.

Event Coverage:

  • Events enabled by default in Windows:
  • 1100: Event Log service has shut down
    • Detection Use: Detects attempts to disable or tamper with event logging.
    • Logging Impact: Rare, but critical for identifying log tampering.
    • Microsoft Docs
  • 1101: Audit events dropped by transport
    • Detection Use: Indicates possible loss of audit data due to system or network issues.
    • Logging Impact: Rare, but signals potential audit data loss.
  • 1102: Audit log cleared
    • Detection Use: Alerts when the security log is cleared, which may indicate attacker log cleanup.
    • Logging Impact: Rare, but critical for detecting log clearing.
    • Microsoft Docs
  • 1104: Security log full
    • Detection Use: Warns when the security log is full and may stop recording new events.
    • Logging Impact: Indicates risk of missing future events.
    • Microsoft Docs
  • Events enabled by the IoA Domain Policy:
  • 4625: Failed logon attempt (Kerberos or NTLM)
    • Detection Use: Detects failed login attempts to tripwire accounts, such as password spraying or brute force attacks.
    • Logging Impact: Can be frequent in large environments; filter for tripwire accounts to reduce noise.
    • Microsoft Docs
  • 4768: Kerberos authentication ticket (TGT) was requested
    • Detection Use: Detects AS-REP roasting attempts against tripwire accounts with pre-authentication disabled.
    • Logging Impact: Can increase log volume; filter for tripwire accounts.
    • Microsoft Docs
  • 4769: Kerberos service ticket (TGS) was requested
    • Detection Use: Detects Kerberoasting attempts by monitoring TGS requests for tripwire service accounts.
    • Logging Impact: Can increase log volume; filter for tripwire accounts.
    • Microsoft Docs
  • 4771: Kerberos pre-authentication failed
    • Detection Use: Identifies failed Kerberos authentication attempts, including brute force or password guessing against tripwire accounts.
    • Logging Impact: Moderate; filter for tripwire accounts.
    • Microsoft Docs
  • 4776: NTLM authentication failed (NTLM credential validation failure)
    • Detection Use: Detects failed NTLM authentication attempts to tripwire accounts, such as brute force or password guessing using NTLM.
    • Logging Impact: Moderate; filter for tripwire accounts.
    • Microsoft Docs

Important Considerations: - Events 4768 and 4769 can significantly increase log volume in busy environments - May impact log storage and SIEM performance - Consider log retention policies and filtering strategies when enabling these events - The Event Collector only processes events related to tripwire accounts, reducing the data volume sent to the AD Agent

Attack Detection Types

Attack Type What Triggers Detection Why It Matters
Credential Harvesting Login attempts to exposed credential accounts Indicates password spraying or credential stuffing attacks
Kerberoasting TGS requests for tripwire service accounts Detects attempts to extract service account hashes for offline cracking
AS-REP Roasting Authentication requests to pre-auth disabled accounts Identifies reconnaissance for accounts with weak Kerberos configuration

Network and Infrastructure Requirements

Connectivity

  • Outbound Only: AD Agent requires HTTPS access to Horizon3 platform
  • No Inbound Access: No firewall changes or external access to your domain
  • Standard SYSVOL: Uses existing domain controller SYSVOL share

Performance Impact

  • Minimal Resource Usage: Event collection runs for seconds every 10 minutes
  • Low Network Overhead: Only attack metadata transmitted (typically < 1KB per event)
  • No Production Impact: Monitoring operates independently of business applications

Operational Considerations

Maintenance Requirements

  • Self-Contained: No ongoing configuration changes required
  • Automatic Updates: Event collection logic updates via standard Group Policy
  • Standard AD Tools: Managed using existing Active Directory administration tools

Audit and Compliance

  • Transparent Operation: All components visible in standard AD management consoles
  • Audit Trail: All system activities logged in Windows Event Logs
  • Removable: Complete removal possible through standard AD administrative procedures

False Positive Prevention

  • Targeted Monitoring: Only monitors explicitly created tripwire accounts
  • No Production User Impact: Legitimate user activities never trigger alerts
  • Clear Account Identification: Tripwire accounts use customer-defined usernames and are tracked via Portal