Honey Accounts
A Honey Account is a decoy account whose sole purpose is to detect an attacker trying to compromise the network through Active Directory.
It is a prerequisite for Tenable Identity Exposure's Indicator of Attack to detect Kerberoasting exploitation attempts, which seek to gain access to service accounts by requesting and extracting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack sends out alerts when the Honey Account receives login attempts or ticket requests.
You associate one Honey Account per domain. Honey Accounts are not related to security profiles.
To add a Honey Account:
- In Tenable Identity Exposure, click Systems > Domain management.
The Domain Management pane appears.
- Hover over the domain for which you want to add a Honey Account.
- Under Honey Account configuration status, click +.
The Add a Honey Account pane appears.
- In the Name box, type a Distinguished Name (DN) for the user account to use as the Honey Account.
Tip: You can type any string; if a matching user account already exists in Active Directory, Tenable Identity Exposure displays the matching user account names in the drop-down box.
- In the Deployment section, Tenable Identity Exposure generates a script with the appropriate settings for you to run to deploy the Honey Account. Click to copy this script.
- Click Add.
A message appears to confirm that Tenable Identity Exposure added the Honey Account. In the Domain Management pane, the selected domain's Honey Account configuration status appears orange to indicate that you must run the Honey Account deployment script to activate it.
Note: If the Honey Account configuration status appears red, Tenable Identity Exposure did not find this user account in Active Directory. You must create this user account and then proceed to the next step.
- In a Windows PowerShell session on a machine with the Active Directory module, run the Honey Account deployment script that you copied.
In the Domain Management pane, the selected domain's Honey Account configuration status appears green to indicate that it is active.
Note: Tenable Identity Exposure may take some time to process and activate the Honey Account.
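The alerting condition described at the top of this page (ticket requests that name the Honey Account), shown as a standalone check over Windows Security events. This is an added example, not Tenable's documentation or its generated deployment script; the account name svc-honey and the two sample events are constructed.

```powershell
# Added example; not Tenable's documentation or its generated deployment script.
# Parses Security-log event XML for Kerberos service ticket requests (Event ID 4769)
# and returns every request whose ServiceName is the Honey Account, which is the
# activity the Kerberoasting Indicator of Attack alerts on. The account name
# 'svc-honey' and the two sample events below are constructed.

$HoneyAccount = 'svc-honey'   # assumed sAMAccountName of the deployed Honey Account

function Get-HoneyAccountTicketRequest {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [string]$Account = $HoneyAccount
    )
    process {
        $xml = [xml]$EventXml
        if ($xml.Event.System.EventID -ne '4769') { return }
        # Flatten the <Data Name="...">value</Data> pairs into a lookup table
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # ServiceName is the account the ticket was requested for; drop any realm suffix
        $service = ($data['ServiceName'] -split '@')[0]
        if ($service -ieq $Account) {
            [pscustomobject]@{
                Time      = $xml.Event.System.TimeCreated.SystemTime
                Requester = $data['TargetUserName']
                SourceIp  = $data['IpAddress']
                # 0x17 (RC4-HMAC) is the ticket type an offline crack is cheapest against
                Etype     = $data['TicketEncryptionType']
            }
        }
    }
}

# Constructed sample events: one request for the Honey Account, one for an ordinary service
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID>
<TimeCreated SystemTime="2024-05-01T09:14:03Z"/></System><EventData>
<Data Name="TargetUserName">alice@CORP.EXAMPLE</Data><Data Name="ServiceName">svc-honey</Data>
<Data Name="IpAddress">::ffff:10.20.30.40</Data><Data Name="TicketEncryptionType">0x17</Data>
</EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID>
<TimeCreated SystemTime="2024-05-01T09:14:09Z"/></System><EventData>
<Data Name="TargetUserName">bob@CORP.EXAMPLE</Data><Data Name="ServiceName">svc-sql</Data>
<Data Name="IpAddress">::ffff:10.20.30.41</Data><Data Name="TicketEncryptionType">0x12</Data>
</EventData></Event>
'@
)

$sampleEvents | Get-HoneyAccountTicketRequest | Format-Table -AutoSize
# On a domain controller, run the same check over the live Security log:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} |
#     ForEach-Object { $_.ToXml() } | Get-HoneyAccountTicketRequest
```

Only the first sample event is reported, because a legitimate service ticket request for svc-sql is not evidence of anything, whereas any request naming the decoy is.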
To edit a Honey Account:
- In Tenable Identity Exposure, click Systems > Domain management.
The Domain Management pane appears.
- Hover over the domain whose Honey Account you want to edit.
- Under Honey Account configuration status, click the icon at the right.
The Edit a Honey Account pane appears.
- In the Name box, modify the user account as necessary.
- In the Deployment section, click to copy the Honey Account deployment script.
- Click Edit.
A message appears to confirm that Tenable Identity Exposure updated the Honey Account. In the Domain Management pane, the selected domain's Honey Account configuration status appears orange to indicate that you must run the Honey Account deployment script to activate it.
Note: If the Honey Account configuration status appears red, Tenable Identity Exposure did not find this user account in Active Directory. You must create this user account and then proceed to the next step.
- In a Windows PowerShell session on a machine with the Active Directory module, run the Honey Account deployment script that you copied.
In the Domain Management pane, the selected domain's Honey Account configuration status appears green to indicate that it is configured.
Note: Tenable Identity Exposure may take some time to process and activate the Honey Account.
To delete a Honey Account:
- In Tenable Identity Exposure, click Systems > Domain management.
The Domain Management pane appears.
- Hover over the domain whose Honey Account you want to delete.
- Under Honey Account configuration status, click the icon at the right.
The Edit a Honey Account pane appears.
- Click Delete.
A message appears to confirm that Tenable Identity Exposure deleted the Honey Account.