Manual AD Tripwires Testing

This guide covers manual testing methods for AD Tripwires when you need detailed validation of specific Active Directory attack detection techniques.

Customer Environment Impact

Manual AD Tripwires testing generates real events and activity in your customer environment. This includes actual AD events on Domain Controllers, Windows Security Event log entries, and authentication attempts that may trigger other security monitoring systems.

Domain User Scraping Detection

Test Scenario: Simulate an attacker scraping user account descriptions to find exposed credentials.

Testing Steps

  1. Identify Decoy Accounts

    # Get specific AD Tripwire decoy account
    Get-ADUser -Identity "<tripwire account name>" -Properties Description
    
  2. Simulate Credential Scraping

    # Enumerate user descriptions (simulating attacker behavior)
    Get-ADUser -Filter * -Properties Description | 
    Where-Object {$_.Description -ne $null} | 
    Select-Object Name, Description
    
  3. Attempt to Use Discovered Credentials

    • Extract any credentials found in decoy account descriptions
    • Attempt authentication using those credentials
    • Monitor for detection and alerting

Expected Results

  • Alert should be generated within 5-10 minutes
  • Alert should include source IP, username attempted, and timestamp
  • Event should be logged in Domain Controller security logs

Kerberoasting Detection

Test Scenario: Simulate an attacker requesting Kerberos service tickets for offline password cracking.

Testing Steps

  1. Identify Service Accounts with SPNs

    # Get specific AD Tripwire service account
    Get-ADUser -Identity "<tripwire service account name>" -Properties ServicePrincipalName
    
  2. Request Service Tickets

    # Locate the SPN registered on the tripwire service account
    # (example SPN host shown; substitute the one returned in the previous step):
    setspn -T <domain.com> -Q */* | 
    findstr "test-webserver.internal"
    
    # Request TGS for the tripwire service account
    Add-Type -AssemblyName System.IdentityModel
    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/test-webserver.internal"
    
  3. Alternative Methods

    # Using Invoke-Kerberoast (if available)
    Invoke-Kerberoast -Identity "<tripwire service account name>"
    
    # Using Rubeus
    # Rubeus.exe kerberoast /user:<tripwire service account name>
    

Expected Results

  • TGS request should be logged as Event ID 4769
  • Alert should be generated indicating Kerberoasting attempt
  • Alert should include service account name and requesting user

AS-REP Roasting Detection

Test Scenario: Simulate an attacker requesting authentication responses for accounts without pre-authentication.

Testing Steps

  1. Identify Vulnerable Accounts

    # Get specific AD Tripwire account with pre-authentication disabled
    Get-ADUser -Identity "<tripwire account name>" -Properties DoesNotRequirePreAuth
    
  2. Request AS-REP

    # Use Rubeus or similar tool to request AS-REP
    # Example command:
    # Rubeus.exe asreproast /domain:<domain.com> /user:<tripwire account name>
    
  3. Alternative Methods

    # Using impacket GetNPUsers
    python3 GetNPUsers.py <domain.com>/<username> -dc-ip <domain-controller-ip> -request
    
    # Using PowerShell
    Get-ASREPHash -UserName "<tripwire account name>" -Domain "<domain.com>"
    

Expected Results

  • AS-REP request should be logged as Event ID 4768
  • Alert should be generated indicating AS-REP roasting attempt
  • Alert should include target account and source information

Advanced Testing Scenarios

Credential Stuffing Simulation

Test detection of credential reuse attempts:

# Attempt authentication with discovered credentials
# (-Message is required alongside -UserName in Windows PowerShell 5.1)
$credential = Get-Credential -UserName "<tripwire account name>" -Message "Decoy credential under test"
Test-ComputerSecureChannel -Credential $credential

LDAP Enumeration Testing

Test detection of LDAP queries against tripwire accounts:

# LDAP enumeration that might discover tripwire accounts
Get-ADUser -LDAPFilter "(servicePrincipalName=*)" -Properties servicePrincipalName
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

Event Validation

Manual Event Checking

Verify that expected events are generated:

# Check for Kerberoasting events (Event ID 4769)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769; StartTime=(Get-Date).AddMinutes(-30)} |
Where-Object {$_.Message -like "*<tripwire service account name>*"}

# Check for AS-REP roasting events (Event ID 4768)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768; StartTime=(Get-Date).AddMinutes(-30)} |
Where-Object {$_.Message -like "*<tripwire account name>*"}

# Check for authentication failures (Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddMinutes(-30)} |
Where-Object {$_.Message -like "*<tripwire account name>*"}
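The message-text matches above work, but they cannot tell you which field matched or whether the request carried the Kerberoasting and AS-REP roasting indicators the Expected Results describe. The following added example (not code from the AD Tripwires documentation) parses 4768 and 4769 events into their XML fields and flags RC4 service tickets and pre-auth-less AS-REPs for the decoy accounts; the account names passed to it are assumed placeholders for your own tripwire accounts.

```powershell
# Added example, not part of the AD Tripwires documentation: parse 4768/4769
# into their XML fields instead of matching on the rendered message text.
# Assumption: $TripwireAccounts holds the sAMAccountNames of the decoy
# accounts you configured; run on a Domain Controller with Security-log read access.
function Get-TripwireKerberosEvent {
    param(
        [Parameter(Mandatory)][string[]]$TripwireAccounts,
        [int]$LookbackMinutes = 30
    )
    $filter = @{
        LogName   = 'Security'
        ID        = 4768, 4769
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="..."> nodes; flatten it into a hashtable
        $d = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $d[$node.Name] = $node.'#text'
        }
        # 4769 names the target in ServiceName (the SPN owner); 4768 names it in TargetUserName
        if ($_.Id -eq 4769) {
            $target    = $d['ServiceName']
            $requester = $d['TargetUserName']
        } else {
            $target    = $d['TargetUserName']
            $requester = $null
        }
        # Strip a realm suffix (user@REALM) or machine-account '$' before comparing
        $target = ($target -split '[@$]')[0]
        if ($TripwireAccounts -notcontains $target) { return }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            Account    = $target
            Requester  = $requester
            ClientIp   = $d['IpAddress'] -replace '^::ffff:', ''
            EncType    = $d['TicketEncryptionType']
            Status     = $d['Status']
            # RC4 (0x17) service tickets are the classic Kerberoasting signature; an
            # AS-REP with PreAuthType 0 means the decoy's pre-auth bypass was exercised
            Suspicious = ($_.Id -eq 4769 -and $d['TicketEncryptionType'] -eq '0x17') -or
                         ($_.Id -eq 4768 -and $d['PreAuthType'] -eq '0')
        }
    }
}

Get-TripwireKerberosEvent -TripwireAccounts 'svc-tripwire', 'decoy-user' |
    Format-Table Time, EventId, Account, Requester, ClientIp, EncType, Suspicious -AutoSize
```

Compare the Time and ClientIp columns against your command log from the test run; a row with Suspicious set to True is the event the alert should have been raised on.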

Safety Considerations for Manual Testing

Pre-Testing Requirements

  • Obtain explicit approval from IT and security teams
  • Notify SOC/security operations about planned testing
  • Ensure test environment is properly isolated if possible
  • Document all planned test activities
  • Verify rollback procedures are in place

During Testing

  • Execute tests during designated maintenance windows
  • Monitor Domain Controller performance
  • Track all commands executed with timestamps
  • Watch for unexpected system behavior
  • Stop testing if performance issues occur

Post-Testing Cleanup

  • Verify all test events were properly logged
  • Check that no persistent changes were made
  • Document all results and observations
  • Clean up any temporary files or artifacts
  • Update testing procedures based on findings

Troubleshooting Manual AD Testing

Events Not Generated

Possible Causes:

  • Domain policy not properly applied
  • Audit logging not enabled for required events
  • Domain Controller time synchronization issues
  • Insufficient privileges for test execution

Solutions:

# Verify audit policy settings
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# Check domain controller time
w32tm /query /status

# Verify the Security log is enabled and large enough to retain the test events
Get-WinEvent -ListLog Security | Select-Object LogName, IsEnabled, MaximumSizeInBytes
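The category-level auditpol output above does not show whether the specific subcategories behind 4768, 4769, 4625 and 4776 are set to the audit type the tests rely on. The following added example (not code from the AD Tripwires documentation) checks each subcategory and reports whether it is configured for the success or failure auditing that the corresponding test event needs; it assumes English auditpol subcategory names and an elevated session on the Domain Controller under test.

```powershell
# Added example, not part of the AD Tripwires documentation: confirm that the
# audit subcategories behind Event IDs 4768, 4769, 4625 and 4776 are switched on
# before treating a missing event as a detection failure. Run elevated on the
# Domain Controller under test; subcategory names are the English auditpol names.
function Test-TripwireAuditPolicy {
    # Subcategory -> (events it produces, audit type those test events need)
    $required = [ordered]@{
        'Kerberos Authentication Service'    = @{ Ids = '4768'; Needs = 'Success' }
        'Kerberos Service Ticket Operations' = @{ Ids = '4769'; Needs = 'Success' }
        'Logon'                              = @{ Ids = '4625'; Needs = 'Failure' }
        'Credential Validation'              = @{ Ids = '4776'; Needs = 'Failure' }
    }
    foreach ($sub in $required.Keys) {
        # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:"$sub" /r |
            Where-Object { $_ -match ',' } |
            ConvertFrom-Csv |
            Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
        [pscustomobject]@{
            Subcategory = $sub
            EventIds    = $required[$sub].Ids
            Needs       = $required[$sub].Needs
            Configured  = $setting
            # "Success and Failure" satisfies either requirement; "No Auditing" satisfies none
            Ok          = $setting -match $required[$sub].Needs
        }
    }
}

Test-TripwireAuditPolicy | Format-Table -AutoSize
```

Note that 4625 is written on the host where the logon was attempted, so run the Logon check there as well if that host is not the Domain Controller.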

Events Not Forwarded

Possible Causes:

  • "IoA Collector" scheduled task not running
  • Network connectivity issues
  • Event Collector configuration problems

Solutions:

# Check scheduled task status
Get-ScheduledTask -TaskName "IoA Collector" | Get-ScheduledTaskInfo

# Test network connectivity
Test-NetConnection -ComputerName tripwires.horizon3.ai -Port 443

# Check event forwarding logs
Get-WinEvent -LogName "Microsoft-Windows-Forwarding/Operational" -MaxEvents 50

False Negatives

Possible Causes:

  • Tripwire accounts not properly configured
  • Events not matching expected patterns
  • Timing issues with event collection

Solutions:

  • Verify tripwire account attributes match expected configuration
  • Check event log timing against test execution
  • Review AD Agent logs for processing errors
  • Validate network connectivity from Domain Controllers

Best Practices for Manual AD Testing

Test Sequencing

  1. Start with least intrusive tests (account enumeration)
  2. Progress to authentication attempts
  3. Finish with service ticket requests
  4. Allow adequate time between tests for event processing

Documentation Requirements

  • Record exact commands used
  • Document timestamps for all activities
  • Note any error messages or unexpected behavior
  • Track alert generation timing
  • Maintain audit trail for compliance

Coordination Requirements

  • Schedule tests during approved maintenance windows
  • Coordinate with Domain Controller administrators
  • Inform security monitoring teams
  • Plan for potential impact on other AD services
  • Ensure proper change management approval