Honey Accounts

Required User Role: Administrator on the local machine

A Honey Account is a decoy account whose sole purpose is to detect an attacker who tries to compromise the network through Active Directory.

It is a prerequisite for Tenable.ad's Kerberoasting Indicator of Attack. Kerberoasting exploitation attempts seek to gain access to service accounts by requesting and extracting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack sends out alerts when the Honey Account receives login attempts or ticket requests.

You associate one Honey Account per domain. Honey Accounts are not related to security profiles.
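
The principle behind the alerting described above, as an added example that is not part of the original page and is not Tenable.ad's detection logic: a Honey Account is a decoy with no legitimate use, so any Kerberos request that names it is worth an alert. The account name and the events are constructed; the field names follow Windows Security events 4768 and 4769.

```python
# Added illustration, NOT Tenable.ad's detection logic.
# Flags Kerberos events (4768 = TGT requested, 4769 = service ticket requested)
HONEY_SAM = "svc-backup-legacy"  # hypothetical honey account sAMAccountName

# Constructed sample events; field names follow the Windows Security event schema.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "fileserver01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc-backup-legacy", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.57"},
    {"EventID": 4768, "TargetUserName": "SVC-Backup-Legacy",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.57"},
    {"EventID": 4768, "TargetUserName": "alice",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21"},
]

def _norm(name):
    """Lower-case an account name and drop any @REALM suffix."""
    return name.split("@", 1)[0].strip().lower()

def honey_hits(events, honey_sam):
    """Return one alert per Kerberos event that names the honey account."""
    honey = _norm(honey_sam)
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4769 and _norm(ev.get("ServiceName", "")) == honey:
            kind = "service ticket requested for honey account"
            actor = ev.get("TargetUserName", "?")  # account that asked for the ticket
        elif eid == 4768 and _norm(ev.get("TargetUserName", "")) == honey:
            kind = "TGT requested as honey account (login attempt)"
            actor = honey_sam
        else:
            continue  # ordinary traffic: the honey account is not involved
        alerts.append({
            "kind": kind,
            "actor": actor,
            # Domain controllers often log IPv4 clients in IPv4-mapped IPv6 form.
            "source": ev.get("IpAddress", "?").replace("::ffff:", ""),
            # 0x17 is RC4-HMAC; recorded as triage context, not as the trigger.
            "rc4": ev.get("TicketEncryptionType", "").lower() == "0x17",
        })
    return alerts

if __name__ == "__main__":
    for alert in honey_hits(SAMPLE_EVENTS, HONEY_SAM):
        print(alert)
```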

To add a Honey Account:

  1. In Tenable.ad, click Systems > Domain management.

    The Domain Management pane appears.

  2. Hover over the domain for which you want to add a Honey Account.

  3. Under Honey Account configuration status, click +.

    The Add a Honey Account pane appears.

  4. In the Name box, type a Distinguished Name (DN) for the user account to use as the Honey Account.

    Tip: You can type any string and Tenable.ad searches for and displays matching user account names in the drop-down box if that user account already exists in the Active Directory.

  5. In the Deployment section, Tenable.ad generates a script with the appropriate settings for you to run to deploy the Honey Account. Click to copy this script.

  6. Click Add.

    A message appears to confirm that Tenable.ad added the Honey Account. In the Domain Management pane, the selected domain's Honey Account configuration status appears orange to indicate that you must run the Honey Account deployment script to activate it.

    Note: If the Honey Account configuration status appears red, it indicates that Tenable.ad did not find this user account in the Active Directory. You must create this user account and proceed to the next step.

  7. In a Windows PowerShell session on a machine with the Active Directory module, run the Honey Account deployment script that you copied.

    In the Domain Management pane, the selected domain's Honey Account configuration status appears green to indicate that it is active.

    Note: Tenable.ad may take some time to process and activate the Honey Account.
