AD Tripwires Testing

This guide covers testing Active Directory-specific tripwires including domain user scraping detection, Kerberoasting, and AS-REP roasting. AD tripwire testing generates real events in your customer environment and requires careful coordination.

Pre-Testing Requirements

Before testing AD Tripwires, ensure:

  • AD Tripwires domain policy is properly deployed
  • Decoy accounts are created and configured
  • Event Collector is running on Domain Controllers
  • Security team is notified of testing activities
  • Test user accounts are available (separate from production accounts)
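Before starting a test it is worth confirming that the decoy accounts from the checklist actually exist and carry the attributes the Kerberoasting and AS-REP roasting tripwires depend on. The script below is an added example, not Horizon3.ai's own tooling; the decoy account names are placeholders that must be replaced with the names configured for your tripwires, and it assumes the ActiveDirectory PowerShell module is available where it runs.

```powershell
# Added example (not Horizon3.ai code): pre-flight check of the decoy accounts.
# ASSUMPTION: the names below are placeholders; use your configured decoy accounts.
Import-Module ActiveDirectory

$DecoyAccounts = @('decoy-svc-placeholder', 'decoy-user-placeholder')

function Get-DecoyAccountStatus {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            $u = Get-ADUser -Identity $name `
                -Properties ServicePrincipalName, DoesNotRequirePreAuth, LastLogonDate, PasswordLastSet `
                -ErrorAction Stop
            [pscustomobject]@{
                Account         = $u.SamAccountName
                Exists          = $true
                Enabled         = $u.Enabled
                # A registered SPN is what makes an account a Kerberoasting target
                HasSPN          = [bool]$u.ServicePrincipalName
                # Pre-authentication disabled is what makes an account AS-REP roastable
                PreAuthDisabled = [bool]$u.DoesNotRequirePreAuth
                PasswordLastSet = $u.PasswordLastSet
                # A decoy is not meant to be used; a recent logon is worth a closer look
                LastLogonDate   = $u.LastLogonDate
            }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Report the missing decoy instead of aborting the whole check
            [pscustomobject]@{
                Account = $name; Exists = $false; Enabled = $null; HasSPN = $null
                PreAuthDisabled = $null; PasswordLastSet = $null; LastLogonDate = $null
            }
        }
    }
}

Get-DecoyAccountStatus -Names $DecoyAccounts | Format-Table -AutoSize
```

Run it from a host with RSAT or directly on a Domain Controller; a row with `Exists = False`, or a decoy whose `HasSPN` and `PreAuthDisabled` values do not match how that decoy was meant to be configured, should be fixed before pressing Test Tripwire, otherwise a missing detection cannot be distinguished from a pipeline problem.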

Using the Test Tripwire Button

The recommended way to test your AD Tripwires is through the NodeZero portal interface:

  1. Navigate to Tripwire Details: Go to the specific AD tripwire you want to test in the NodeZero portal
  2. Click Test Tripwire: At the bottom of the tripwire details page, click the Test Tripwire button
  3. Wait for AD Agent Processing: The system sends a message to the AD Agent to perform the test
  4. Allow Processing Time: Due to event collection intervals and processing delays, expect up to 20-30 minutes before receiving notifications
  5. Check Portal for Updates: Detection may appear in the portal before alerts are delivered, so check the portal periodically
  6. Monitor for Alerts: Check for alerts through all configured channels after the delay period

[Screenshot placeholder: Test Tripwire button on the AD Tripwire details page]

End-to-End Testing with Customer Environment Impact

AD Tripwires testing is end-to-end testing that generates actual activity and log events in your customer environment. Unlike general tripwire testing, which exercises only Horizon3 infrastructure, AD Tripwire testing:

  • Generates real AD events on your Domain Controllers
  • Creates actual log entries in Windows Security Event logs
  • Triggers real authentication attempts against decoy accounts
  • May activate security monitoring systems in your environment

Coordinate with your IT and security teams before testing, as this will create genuine activity that may be detected by other security tools.

Processing and Display Delays

AD Tripwires testing involves multiple processing stages that can affect timing:

  • Detection Processing: The actual detection may occur within 10 minutes
  • Portal Updates: It may take additional time for the detection to populate and display in the user portal
  • Alert Delivery: Email and webhook notifications may arrive separately from portal updates

Plan for up to 20-30 minutes for the complete testing cycle, including portal display updates.

This built-in testing feature:

  • Performs end-to-end testing of the complete AD Tripwires detection pipeline
  • Generates actual AD events and log entries in your customer environment
  • Automatically creates realistic attack scenarios through the AD Agent
  • Validates the complete detection pipeline including event collection and processing
  • Tests alert delivery through all configured integration points

Manual Testing Methods

Advanced testing scenarios are available for detailed validation of specific AD attack techniques when testing from the portal UI is not sufficient for your requirements. The checks below validate individual stages of the pipeline on a Domain Controller.

Event Collection Testing

Verify Event Collector Functionality

  1. Check Scheduled Task

    # Verify the Event Collector scheduled task exists and report its last run, last result and next run
    Get-ScheduledTask -TaskName "IoA Collector" | Get-ScheduledTaskInfo

  2. Monitor Event Forwarding

    # List Kerberos events from the last hour: 4768 (TGT requested), 4769 (service ticket requested), 4771 (pre-authentication failed)
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768,4769,4771; StartTime=(Get-Date).AddHours(-1)}

  3. Validate Network Connectivity

    # Test HTTPS connectivity from the Domain Controller to the Horizon3.ai collection endpoint
    Test-NetConnection -ComputerName tripwires.horizon3.ai -Port 443

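Step 2 above lists every Kerberos event on the Domain Controller, which on a busy domain is too much to read. The script below is an added example, not Horizon3.ai's own code: it narrows the same event IDs down to the ones that name a decoy account, so after a Test Tripwire run you can confirm that the expected events were written to the Security log on this DC before looking for the detection in the portal. The decoy account names are placeholders to be replaced with your configured decoys.

```powershell
# Added example (not Horizon3.ai code): find Kerberos events that reference decoy accounts.
# ASSUMPTION: the names below are placeholders; use your configured decoy accounts.
$DecoyAccounts = @('decoy-svc-placeholder', 'decoy-user-placeholder')
$Since = (Get-Date).AddHours(-1)

# Turn an event's EventData into a hashtable keyed by field name, so the script does
# not depend on the positional order of $Event.Properties (which differs per event ID).
function ConvertTo-EventDataHashtable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-DecoyKerberosEvents {
    param([string[]]$Decoys, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; ID = 4768, 4769, 4771; StartTime = $StartTime }
    # SilentlyContinue: Get-WinEvent raises an error rather than returning nothing when no events match
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = ConvertTo-EventDataHashtable -Event $e
        # 4768/4771: the account requesting a TGT is TargetUserName.
        # 4769: TargetUserName is the requester; ServiceName is the account whose
        # service ticket was requested, which is the field that matters for Kerberoasting.
        $account = if ($e.Id -eq 4769) { $d['ServiceName'] } else { $d['TargetUserName'] }
        if ($Decoys -notcontains $account) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Decoy     = $account
            Requester = $d['TargetUserName']
            ClientIp  = $d['IpAddress']
            EncType   = $d['TicketEncryptionType']   # 0x17 is RC4, the type most often seen in Kerberoasting
            PreAuth   = $d['PreAuthType']            # present on 4768 and 4771
            Status    = $d['Status']
        }
    }
}

$hits = Get-DecoyKerberosEvents -Decoys $DecoyAccounts -StartTime $Since
if (-not $hits) {
    Write-Warning "No Kerberos events for decoy accounts since $Since on $env:COMPUTERNAME. Check the IoA Collector task and whether the test was serviced by another DC."
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
    # Per-decoy, per-event-ID counts are convenient to compare against what the portal reports
    $hits | Group-Object Decoy, EventId | Select-Object Count, Name | Format-Table -AutoSize
}
```

Kerberos events are written only on the Domain Controller that serviced the request, so if this returns nothing on one DC, run it on the others before concluding that the test action did not happen. Seeing the events here but no detection in the portal after the 20-30 minute window points at collection or processing rather than at the test itself.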
Alert Delivery Testing

For detailed alert delivery testing procedures including webhook and email testing, see the General Tripwires Testing Guide.

Note that AD Tripwires alerts may take 20-30 minutes to be delivered due to the event processing pipeline, so allow adequate time when testing alert delivery mechanisms.

Timing Considerations

AD Tripwires testing requires patience due to the distributed nature of Active Directory and multiple processing stages:

  • Event Collection Intervals: Domain Controllers may batch events before forwarding
  • AD Agent Processing: The AD Agent processes events in scheduled intervals
  • Detection Processing: Backend systems analyze events and generate detections
  • Portal Updates: Detections must be processed and displayed in the user interface
  • Alert Processing: Final alert generation and delivery to external systems

Expected Timeline:

  • 0-5 minutes: Test action is initiated via AD Agent
  • 5-15 minutes: Events are generated and collected on Domain Controllers
  • 10-20 minutes: Events are processed and tripwire activity is detected
  • 15-25 minutes: Alerts appear in the NodeZero portal and are delivered to configured endpoints

Monitoring Strategy

While detection may happen faster, plan for the full 20-30 minute window. Check the portal periodically rather than waiting only for external alerts.

AD-Specific Safety Measures

In addition to general safety measures, AD Tripwires testing requires:

  • Coordinate with IT and Security Teams: AD testing generates real events that may trigger other security monitoring systems
  • Notify SOC/Security Teams: Inform security operations centers about planned testing to avoid false alarm responses
  • Monitor Domain Controller Resources: Watch for performance impact on Domain Controllers during testing
  • Plan for Real Events: Remember that AD testing creates actual log entries that will appear in security logs