AD Tripwires - Overview

AD Tripwires detects common Active Directory attack techniques by deploying decoy accounts and monitoring authentication activity against them. The decoys are honeypot-style traps: each is configured to look like an attractive target for a specific technique, so any attacker who enumerates domain users, tries planted credentials, or abuses Kerberos ticket requests (Kerberoasting, AS-REP roasting) reveals themselves the moment they touch a decoy.

Detection Capabilities

AD Tripwires monitors and detects the following attack patterns:

Domain User Scraping Detection

  • Mechanism: A fake credential or password hint planted in a decoy account's description attribute, which any domain user can read
  • Detection: Monitors for logon attempts that use the decoy account name; the planted value is not the account's real password, so every attempt fails and is logged
  • Attack Vector: Detects attackers who scrape user descriptions (for example via LDAP enumeration) looking for embedded passwords or credential hints

Kerberoasting Detection

  • Mechanism: Service Principal Name (SPN) configured on decoy accounts
  • Detection: Monitors for TGS (Ticket Granting Service) requests against honeypot service accounts
  • Attack Vector: Detects attempts to request Kerberos service tickets for offline password cracking

AS-REP Roasting Detection

  • Mechanism: Kerberos pre-authentication disabled ("Do not require Kerberos preauthentication") on a specific decoy account
  • Detection: Monitors for AS-REQ (TGT) requests for that account; the DC answers with an AS-REP containing material encrypted with the account's key, so any TGT request for the decoy is an indicator
  • Attack Vector: Detects attempts to obtain AS-REP data for accounts without pre-authentication in order to crack the account password offline

Components

Component diagram: Domain Policy, AD Agent, Event Collector.

AD Domain Policy

An Active Directory Group Policy that enables the audit subcategories producing the authentication events required to detect all three tripwire attack types (planted-credential use, Kerberoasting and AS-REP Roasting). The policy enables enhanced audit logging for authentication events and creates a scheduled task on Domain Controllers to run the Event Collector. Because Domain Controllers do not replicate their Security logs, the policy must apply to every DC; a Kerberos request is logged only on the DC that serviced it.

Note: The AD Tripwires domain policy does not enable "Audit account management" events. Only authentication-related events required for attack detection are enabled.

The policy enables Windows Security Events 4625 (an account failed to log on), 4768 (Kerberos TGT requested, covering AS-REP Roasting), 4769 (Kerberos service ticket requested, covering Kerberoasting), 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) to provide the necessary audit trail for attack detection. Note that some of these events generate significant log volume in busy environments: 4769 in particular is written for every service ticket issued in the domain, and 4776 for every NTLM authentication the DC validates.

For detailed information about specific events and their logging impact, see Windows Security Events.
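The following script is an added example, not the AD Tripwires domain policy itself. It checks on a Domain Controller that the audit subcategories which produce the five event IDs above are actually in effect, which is the first thing to verify when a tripwire account is touched but no alert appears. It assumes an English Windows install (auditpol subcategory names are localized) and an elevated PowerShell session.

```powershell
# Added example (not the AD Tripwires policy): verify that the audit subcategories
# generating 4625, 4768, 4769, 4771 and 4776 are enabled on this Domain Controller.
# Run elevated, on the DC, after the AD Tripwires GPO has applied (gpupdate /force).

# Map each required event ID to the auditpol subcategory that produces it and the
# success/failure setting needed. 4768 and 4769 are success events, 4771 and 4625 are
# failure events, 4776 is written for both outcomes; requiring both sides everywhere
# is the safe choice except for Logon, where success would add a great deal of volume.
$Required = @(
    @{ Events = '4768, 4771'; Subcategory = 'Kerberos Authentication Service';   Success = $true;  Failure = $true }
    @{ Events = '4769';       Subcategory = 'Kerberos Service Ticket Operations'; Success = $true;  Failure = $true }
    @{ Events = '4776';       Subcategory = 'Credential Validation';             Success = $true;  Failure = $true }
    @{ Events = '4625';       Subcategory = 'Logon';                             Success = $false; Failure = $true }
)

function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # "auditpol /get ... /r" prints CSV; the "Inclusion Setting" column holds the
    # effective value: "No Auditing", "Success", "Failure" or "Success and Failure".
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return [string]$row.'Inclusion Setting'
}

$gaps = foreach ($r in $Required) {
    $current    = Get-AuditSetting -Subcategory $r.Subcategory
    $hasSuccess = $current -match 'Success'
    $hasFailure = $current -match 'Failure'
    if (($r.Success -and -not $hasSuccess) -or ($r.Failure -and -not $hasFailure)) {
        [pscustomobject]@{
            Subcategory = $r.Subcategory
            Events      = $r.Events
            Current     = $current
            Required    = if ($r.Success) { 'Success and Failure' } else { 'Failure' }
        }
    }
}

if ($gaps) {
    Write-Warning "Audit subcategories missing or incomplete on $env:COMPUTERNAME:"
    $gaps | Format-Table -AutoSize
} else {
    Write-Host "All audit subcategories required by AD Tripwires are enabled on $env:COMPUTERNAME."
}

# If a subcategory shows as enabled here but the events still never appear, check that
# "Audit: Force audit policy subcategory settings ... to override audit policy category
# settings" is enabled; otherwise a legacy category-level policy can silently win.
```

Run it on each Domain Controller, not just one: audit policy is per machine, and a DC that the GPO has not reached will simply never log the ticket requests it serviced.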

Provisioning Process

What it does:

  • Creates and manages decoy user accounts that are deliberately configured to look attackable (a planted credential hint, a registered SPN, or pre-authentication disabled)
  • Sets up the monitoring infrastructure required for detection
  • Configures the necessary permissions for secure event collection
  • Provides easy removal and cleanup when needed

Tripwire Accounts (3 total)

  • Exposed Credential Account: Carries a description that appears to contain usable credentials, so that anyone who scrapes user descriptions and tries them is detected
  • Kerberoastable Account: Has a Service Principal Name registered, so that anyone requesting a service ticket for it (the first step of Kerberoasting) is detected
  • AS-REP Roastable Account: Has Kerberos pre-authentication disabled, so that anyone requesting a TGT for it to obtain crackable AS-REP data is detected

Note: Tripwire accounts are configured with long, complex, random passwords that are extremely unlikely to be cracked, even with dedicated hardware, so a captured ticket or AS-REP gives the attacker nothing usable. These accounts are never used for legitimate logins and should never produce a successful interactive logon. Any authentication activity that names a tripwire account is therefore an indicator: a failed logon (4625, 4771, 4776) from someone trying the planted credentials, or a ticket request (4768, 4769) that succeeds at the protocol level but should not have happened at all.

System Account

  • AD Agent Service Account: Used by the AD Agent to securely access Active Directory and SYSVOL (not a decoy account)

AD Agent

The AD Agent is a monitoring service that runs on your selected NodeZero host to provide centralized threat detection and alerting. It continuously monitors your tripwire accounts, analyzes potential threats, and delivers immediate alerts through your Horizon3 portal.

Key Capabilities:

  • Monitors Activity: Continuously watches for suspicious activity targeting your tripwire accounts
  • Sends Alerts: Delivers immediate notifications when threats are detected
  • Provides Context: Gives you detailed information about attack methods and timelines
  • Integrates Seamlessly: Works directly with your Horizon3 portal for unified security visibility

Event Collector

The Event Collector is a PowerShell component that runs as a scheduled task on each Domain Controller to gather security events related to AD Tripwire activities from that DC's local Security log. It filters the events down to those involving tripwire accounts and caches the resulting IoA (Indicators of Attack) events for retrieval by the AD Agent, which performs the analysis and alerting.

Key Functions:

  • Event Harvesting: Collects security events from Domain Controller logs related to tripwire account activities
  • Data Filtering: Focuses on authentication events that indicate potential attacks on decoy accounts
  • IoA Event Caching: Stores Indicators of Attack events for secure access by the AD Agent
  • Secure Transfer: Enables the AD Agent to retrieve cached events for centralized processing
  • Automated Execution: Runs on a scheduled basis to ensure continuous monitoring coverage
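The script below is an added example and not the Event Collector's own code. It shows the filtering step the Detection Capabilities and Event Collector sections describe: pull the five event IDs from a DC's Security log, pick the account name out of the right field for each event type, and keep only the records that name a tripwire account. The tripwire account names in $TripwireAccounts are assumed placeholders; replace them with the sAMAccountNames you provisioned.

```powershell
# Added example (not the Event Collector): list Security events on this DC that
# touch a tripwire account, tagged with the attack technique they indicate.
param(
    # Assumed decoy names for illustration; substitute your provisioned accounts.
    [string[]]$TripwireAccounts = @('svc-backup-legacy', 'svc-sql-report', 'helpdesk-tmp'),
    [int]$LookbackMinutes = 15
)

# The EventData field that carries the decoy name differs by event. For 4769 the decoy
# is the *service* (ServiceName) and TargetUserName is whoever asked for the ticket;
# for the other four events the decoy is TargetUserName.
$Map = @{
    4625 = @{ Field = 'TargetUserName'; Attack = 'Failed logon with planted credentials' }
    4768 = @{ Field = 'TargetUserName'; Attack = 'AS-REP roasting (TGT request for no-preauth decoy)' }
    4769 = @{ Field = 'ServiceName';    Attack = 'Kerberoasting (service ticket for decoy SPN)' }
    4771 = @{ Field = 'TargetUserName'; Attack = 'Kerberos pre-auth failure with planted credentials' }
    4776 = @{ Field = 'TargetUserName'; Attack = 'NTLM validation with planted credentials' }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($Map.Keys)
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue   # no matching events raises an error we do not need

foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data>... into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $m = $Map[[int]$e.Id]
    # Normalise "name@REALM" and "name$" forms so they compare against sAMAccountNames.
    $account = ($data[$m.Field] -replace '@.*$', '') -replace '\$$', ''
    if ($TripwireAccounts -notcontains $account) { continue }   # -notcontains is case-insensitive

    # Kerberos events carry the client IP; 4776 carries the workstation name instead.
    $source    = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
    $requester = if ($e.Id -eq 4769) { $data['TargetUserName'] } else { $null }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Attack    = $m.Attack
        Tripwire  = $account
        Source    = $source
        Requester = $requester
        EncType   = $data['TicketEncryptionType']   # 0x17 (RC4-HMAC) on a 4769 is the classic Kerberoast tell
        PreAuth   = $data['PreAuthType']            # 0 on a 4768 means the TGT was issued without pre-authentication
    }
}
```

Two points worth keeping in mind when adapting this. Filtering 4769 on ServiceName rather than TargetUserName is what keeps the volume manageable, since every service ticket in the domain lands in that log; and the script only sees the DC it runs on, which is why the product runs its collector on every Domain Controller rather than a single one.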

For a detailed explanation of the detection process, see How It Works.

Benefits

  • Early Detection: Identifies attacks in progress before significant damage occurs
  • Low False Positives: Decoy accounts should never be accessed by legitimate users or processes. The main exception is authorized security tooling (vulnerability scanners, your own penetration tests) that enumerates SPNs or requests tickets for every account; expect alerts from those and treat them as a confirmation that the tripwires work
  • Comprehensive Coverage: Detects multiple attack vectors within a single deployment
  • Minimal Infrastructure Impact: Lightweight monitoring with negligible performance overhead
  • Real-time Alerting: Immediate notification of suspicious activities
  • Attack Attribution: Provides detailed information about attacker techniques and timelines

Next Steps

To get started with AD Tripwires:

  1. Check Requirements: Ensure you have Domain Admin privileges and access to your NodeZero runner
  2. Set Up Accounts: Follow the Getting Started guide to create your tripwire accounts and agents
  3. Enable Monitoring: Use the Configuring Domain Policy guide to activate detection
  4. Verify Operation: Test the system to ensure everything is working correctly

For help with issues or advanced settings, see the Troubleshooting guide.