AD Tripwires — Disguising Tripwires

This guide describes optional, post‑provision steps to help tripwire accounts created by the AD Utility blend in with real users—without affecting detection. You will set only non‑privileged, commonly populated attributes so tripwires maintain authenticity while remaining safe.

Who this is for

Audience: AD admins performing manual touch‑ups after the AD Utility provisions tripwire accounts.

Goal: Apply common, low‑risk attributes so tripwires resemble typical user accounts while preserving AD Tripwires behavior.

Note: The utility already configures tripwire characteristics and generates natural logon artifacts. This guide focuses on "persona" details seen on real users.

When to Use This

  • After AD Utility finishes creating tripwire accounts.
  • Before broad visibility (e.g., before blue team reviews or attacker simulations).

Principles

  • Only set non‑privileged, commonly-populated attributes.
  • Match your org’s naming, UPN, OU, and group conventions.

Health check failures if critical decoy settings are altered

Altering required decoy metadata or disabling required protocol settings will cause related tripwire accounts to fail health checks and reduce detection coverage.

  • Kerberoastable: Do not remove all SPNs from the account.
  • AS-REP roastable: Do not change the account's pre-authentication requirement configured by the utility.
  • Exposed credential: Do not change utility‑set decoy metadata on the account.

Password changes

If required, you may change a tripwire user account's password. This does not affect detection and does not weaken the decoy, provided the new password meets or exceeds the strength of the existing 20‑character complex password the utility set.

Critical: AD Tripwire service account password

Do not manually change the AD Tripwire service account password; it is managed by the utility/agent.

If you're unsure about a change

If you're unsure whether modifying a specific attribute is safe or could impact tripwire detection or health checks, contact Horizon3 support through the NodeZero portal or your account team before making changes.

Recommended Modifications

  • Identity and contact
    • displayName, givenName, sn, initials
    • userPrincipalName (UPN suffix must match org standard)
    • mail (only if all users have one)
    • telephoneNumber, mobile
    • physicalDeliveryOfficeName (Office), company
    • title, department
  • Org graph
    • manager (DN of a real manager used by peers)
  • Description
    • Exposed credential tripwire: Do not modify the description; preserve the utility‑set decoy text.
    • Other tripwire accounts: You may append normal descriptors if desired, but preserve any utility‑set decoy metadata.
  • Group membership
    • Keep default Domain Users membership.
    • Optionally add to low-priv distribution or departmental groups common to peers (no admin/sensitive groups).
  • SPNs (Kerberoastable tripwire only)
    • servicePrincipalName with a plausible entry (e.g., HTTP/<service-host>.<domain>) consistent with your environment. You may modify the SPN value(s) to match your naming standards, but the Kerberoastable account must always have at least one SPN configured; removing all SPNs disables Kerberoast detection for this account.

Optional Modifications

  • Email system attributes
    • proxyAddresses, mailNickname
  • Profile/home settings
    • homeDirectory, homeDrive, profilePath, scriptPath
  • Office/geo metadata
    • streetAddress, l (city), st (state), postalCode, c/co (country), countryCode
  • Logon restrictions
    • userWorkstations, logonHours (only where broadly enforced)

Prohibited Modifications

  • Account naming/identifier
    • Do not rename tripwire accounts after initial provisioning. The AD Agent relies on the original identifier for health checks and detections.
  • AD Tripwire service account credentials
    • Do not manually change the service account password; it is managed by the utility/agent.
  • Privilege-bearing or unusual account control flags
    • PasswordNeverExpires, SmartcardRequired, AccountNotDelegated, TrustedForDelegation, UseDESKeyOnly, etc.
    • Exception: AS‑REP decoy requires DoesNotRequirePreAuth (already handled by the utility).
  • Mailbox attributes if no mailbox will exist (inconsistent state can look suspicious).

OU Placement

  • Place accounts in the same OU as typical users for your org (not just CN=Users) if that matches real provisioning practices.
  • Avoid special “service” or “quarantine” OUs unless that’s normal for the persona you’re mimicking.

Step-by-Step Procedure

1) Identify the target persona for each tripwire

  • displayName, title, department, office, phone, UPN, manager DN, baseline groups, OU.

2) Set identity and contact attributes

# Identity and contact (example placeholders)
# Note: PowerShell continues a line with a trailing backtick, not a backslash
Set-ADUser -Identity <user> `
  -GivenName "<GivenName>" `
  -Surname "<Surname>" `
  -DisplayName "<Display Name>" `
  -Title "<Job Title>" `
  -Department "<Department>" `
  -Company "<Company>" `
  -Office "<Office>" `
  -EmailAddress "<user>@<your-domain>" `
  -OfficePhone "<phone>"

3) Align UPN and manager

# UPN and manager (the UPN suffix must match your org standard)
Set-ADUser -Identity <user> `
  -UserPrincipalName "<user>@<your-domain>" `
  -Manager "<manager distinguishedName>"

4) Add to baseline low-priv groups

# Example distribution/department group
Add-ADGroupMember -Identity "<distribution-or-dept-group>" -Members <user>

5) (Kerberoast tripwire only) Add plausible SPN

# Add SPN consistent with your environment
Set-ADUser -Identity <service-account> -ServicePrincipalNames @{Add="HTTP/<service-host>.<domain>"}

6) (Optional) Set environment-dependent attributes

# Only if your org uses these widely. Let errors surface: a failed write here
# (for example, an attribute missing from the schema) should be noticed, not silenced.
Set-ADUser -Identity <user> -Add @{
  proxyAddresses = "SMTP:<user>@<your-domain>"
}

7) Move to standard user OU (if applicable)

# Move user to the OU where typical users reside
Get-ADUser <user> | Move-ADObject -TargetPath "<OU path for typical users>"
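Steps 1 through 7 above can be folded into one idempotent, -WhatIf-capable function that derives the persona from a real peer in the same team instead of typing each attribute by hand. This is an added example, not code from this guide or from the Horizon3 AD Utility; the function name Copy-PeerPersona, its parameters, and the account names in the usage line are assumptions. It copies only the non-privileged attributes this page lists, skips any peer group that carries adminCount=1 or a well-known admin name, only ever adds SPNs, copies mail only if the peer has one, and moves (never renames) the object, so the identifier the AD Agent keys on is untouched.

```powershell
# Added example (not Horizon3 code). Requires the ActiveDirectory module.
# Assumes $TripwireUser was already provisioned by the AD Utility.
function Copy-PeerPersona {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TripwireUser,  # sAMAccountName of the decoy
        [Parameter(Mandatory)][string]$PeerUser,      # real user to model the persona on
        [string]$UpnSuffix,                            # defaults to the peer's UPN suffix
        [switch]$Kerberoastable,                       # decoy type: add an SPN, never remove one
        [string]$ServiceHost                           # host part of the HTTP/<host> SPN
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $peerProps = 'Title','Department','Company','Office','OfficePhone','Manager',
                 'EmailAddress','UserPrincipalName','MemberOf','DistinguishedName'
    $peer = Get-ADUser $PeerUser -Properties $peerProps
    $tw   = Get-ADUser $TripwireUser -Properties ServicePrincipalName,MemberOf,DistinguishedName

    # 1-3) Non-privileged persona attributes, UPN and manager. Name parts (givenName, sn,
    #      displayName) are deliberately not copied; set those from your naming standard.
    $attrs = @{}
    foreach ($p in 'Title','Department','Company','Office','OfficePhone','Manager') {
        if ($peer.$p) { $attrs[$p] = $peer.$p }
    }
    if (-not $UpnSuffix) { $UpnSuffix = ($peer.UserPrincipalName -split '@')[1] }
    $attrs['UserPrincipalName'] = "$($tw.SamAccountName)@$UpnSuffix"
    if ($peer.EmailAddress) {                   # mail only where peers actually have one
        $attrs['EmailAddress'] = "$($tw.SamAccountName)@$UpnSuffix"
    }
    if ($PSCmdlet.ShouldProcess($TripwireUser, 'Set persona attributes')) {
        Set-ADUser -Identity $tw @attrs
    }

    # 4) Baseline groups: copy the peer's low-privilege groups only.
    $sensitive = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                 'Account Operators','Backup Operators','Server Operators','Print Operators',
                 'DnsAdmins','Group Policy Creator Owners'
    foreach ($dn in $peer.MemberOf) {
        if ($tw.MemberOf -contains $dn) { continue }          # already a member
        $g = Get-ADGroup $dn -Properties adminCount
        if ($g.adminCount -eq 1 -or $sensitive -contains $g.Name) {
            Write-Warning "Skipping sensitive group $($g.Name)"; continue
        }
        if ($PSCmdlet.ShouldProcess($g.Name, "Add $TripwireUser")) {
            Add-ADGroupMember -Identity $g -Members $tw
        }
    }

    # 5) Kerberoastable decoy: add a plausible SPN; this function never removes one.
    if ($Kerberoastable) {
        if (-not $ServiceHost) { throw 'ServiceHost is required for a Kerberoastable decoy' }
        $spn = "HTTP/$ServiceHost.$UpnSuffix"
        if ($tw.ServicePrincipalName -notcontains $spn -and
            $PSCmdlet.ShouldProcess($TripwireUser, "Add SPN $spn")) {
            Set-ADUser -Identity $tw -ServicePrincipalNames @{Add = $spn}
        }
    }

    # 7) OU: place the decoy beside its peer. Regex strips the RDN while honouring
    #    escaped commas in CNs such as "CN=Doe\, Jane,OU=...".
    $rdn    = '^CN=(?:[^,\\]|\\.)+,'
    $peerOu = $peer.DistinguishedName -replace $rdn, ''
    $twOu   = $tw.DistinguishedName   -replace $rdn, ''
    if ($twOu -ne $peerOu -and $PSCmdlet.ShouldProcess($TripwireUser, "Move to $peerOu")) {
        Move-ADObject -Identity $tw.DistinguishedName -TargetPath $peerOu
    }
}

# Dry run first, then apply (account names are placeholders):
Copy-PeerPersona -TripwireUser 'jsmith2' -PeerUser 'jsmith' -WhatIf
Copy-PeerPersona -TripwireUser 'svc-web-rpt' -PeerUser 'svc-web-app' -Kerberoastable -ServiceHost 'rpt01'
```

Run with -WhatIf once per account and read the warnings: a skipped group means the peer you chose is more privileged than the persona should be, so pick a different peer rather than adding the group by hand.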

Validation Checklist

  • User appears in the same OU as peers.
  • UPN matches org suffix and naming convention.
  • Persona attributes (title, department, office) look consistent with similar users.
  • Group membership limited to baseline/non-priv groups.
  • For Kerberoast tripwire, SPN looks plausible and consistent.
  • No privileged account control flags were added.

Quick Audit Commands

# Review key attributes
Get-ADUser <user> -Properties DisplayName,Title,Department,Office,UserPrincipalName,Manager,mail,proxyAddresses | Format-List

# Review group memberships
Get-ADPrincipalGroupMembership <user> | Select-Object Name | Sort-Object Name

# Review OU location
(Get-ADUser <user>).DistinguishedName
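The validation checklist and the quick audit commands above can be run as one check that also covers the rules from "Health check failures if critical decoy settings are altered" (an SPN still present on a Kerberoastable decoy, DoesNotRequirePreAuth still set on the AS-REP decoy, a description still present on the exposed-credential decoy) and the prohibited userAccountControl flags. This is an added example, not the utility's own health check; Test-TripwireHygiene, its parameters and the three type names are assumptions derived from this page's decoy categories. The flag values are the standard userAccountControl bits.

```powershell
# Added example (not Horizon3 code). Reports deviations from this guide's rules for one decoy.
function Test-TripwireHygiene {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Kerberoastable','ASREPRoastable','ExposedCredential')]
        [string]$Type,
        [Parameter(Mandatory)][string]$PeerOu,     # DN of the OU where similar real users live
        [Parameter(Mandatory)][string]$UpnSuffix   # e.g. corp.example.com
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = 'userAccountControl','ServicePrincipalName','MemberOf','UserPrincipalName',
             'DistinguishedName','adminCount','Description','Title','Department','Office'
    $u = Get-ADUser $Identity -Properties $props
    $findings = [System.Collections.Generic.List[string]]::new()

    # Flags the page lists as prohibited additions (standard userAccountControl bits).
    $prohibited = @{
        PasswordNeverExpires = 0x10000
        SmartcardRequired    = 0x40000
        TrustedForDelegation = 0x80000
        AccountNotDelegated  = 0x100000
        UseDESKeyOnly        = 0x200000
    }
    foreach ($k in $prohibited.Keys) {
        if ($u.userAccountControl -band $prohibited[$k]) { $findings.Add("UAC flag $k is set") }
    }

    # DONT_REQ_PREAUTH (0x400000): required on the AS-REP decoy, prohibited elsewhere.
    $preauthOff = [bool]($u.userAccountControl -band 0x400000)
    if ($Type -eq 'ASREPRoastable' -and -not $preauthOff) { $findings.Add('AS-REP decoy lost DoesNotRequirePreAuth') }
    if ($Type -ne 'ASREPRoastable' -and $preauthOff)      { $findings.Add('Pre-auth disabled on a non-AS-REP decoy') }

    # Kerberoastable decoy must keep at least one SPN; exposed-credential decoy keeps its description.
    if ($Type -eq 'Kerberoastable' -and -not $u.ServicePrincipalName) { $findings.Add('Kerberoastable decoy has no SPN') }
    if ($Type -eq 'ExposedCredential' -and -not $u.Description)       { $findings.Add('Decoy description has been cleared') }

    # Group membership must stay baseline / non-privileged.
    if ($u.adminCount -eq 1) { $findings.Add('adminCount=1: account is or was in a protected group') }
    foreach ($dn in $u.MemberOf) {
        $g = Get-ADGroup $dn -Properties adminCount
        if ($g.adminCount -eq 1) { $findings.Add("Member of protected group $($g.Name)") }
    }

    # Persona consistency: UPN suffix, OU placement, populated persona attributes.
    if ($u.UserPrincipalName -notlike "*@$UpnSuffix") { $findings.Add("UPN suffix is not $UpnSuffix") }
    $ou = $u.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
    if ($ou -ne $PeerOu) { $findings.Add("Located in $ou, not $PeerOu") }
    foreach ($p in 'Title','Department','Office') {
        if (-not $u.$p) { $findings.Add("$p is empty") }
    }

    [pscustomobject]@{
        Identity = $u.SamAccountName
        Type     = $Type
        Healthy  = ($findings.Count -eq 0)
        Findings = @($findings)
    }
}

# Usage (placeholders): one call per decoy, e.g. after each manual touch-up.
Test-TripwireHygiene -Identity 'jsmith2' -Type ExposedCredential `
    -PeerOu 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com' -UpnSuffix 'corp.example.com' |
    Format-List
```

A non-empty Findings list for an SPN or pre-auth item means the account is already failing the utility's health check for that decoy type; the other items are cosmetic and only affect how convincing the persona is.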

Notes on AD Tripwires Behavior

  • The utility triggers natural updates to logon metadata (e.g., lastLogon/lastLogonTimestamp) via legitimate authentications; these values update automatically as part of normal operations.
  • For AS‑REP tripwire, the utility sets DoesNotRequirePreAuth as designed; do not undo this.
