u/Equal-Painting-1553

Active Directory Honeypots

I'm currently building out a detection lab focused entirely on Active Directory deception. The goal is to deploy low-maintenance AD traps that generate high-fidelity signals, forwarding the Windows Event Logs directly to Wazuh for ingestion and alerting.

Since everything routes based on specific Event IDs, I want to make sure I’m covering the most common lateral movement and recon paths. Here is what I have planned so far:

  • Kerberoasting Bait: A fake svc-mssql-admin account with a dummy SPN and a highly complex password.
  • AS-REP Roasting Bait: A backup-automation account with Kerberos pre-auth explicitly disabled.
  • SYSVOL Share Trap: A fake legacy GPO folder with a Groups.xml or script containing fake credentials. I'm putting a strict SACL on it to watch for Event ID 4663 (since no legitimate user should be manually browsing that folder).
  • LSASS Injection: Pushing a fake Domain-Admin-Bkp credential into the memory of standard domain workstations via a GPO startup script to catch anyone dumping memory with Mimikatz/procdump. If they try to use those scraped creds, the DC catches the logon attempt.

As mentioned, I am using Wazuh as a SIEM therefor I will be creating the custom honeypot detection rules but before I start building out the rules, are there any other high-signal AD honeypot ideas you guys have deployed in production or labs?

reddit.com
u/Equal-Painting-1553 — 4 days ago
▲ 27 r/Wazuh+1 crossposts

I made a blog that ranks log sources

I wrote down how I think about onboarding order. Basically I ranked sources by how much they actually help an investigation, not by what's easiest to ingest. For each one I went through what you need to collect, how painful the parsing is, what retention makes sense, and what you can realistically detect once it's in.

blog.sentry.security
u/Equal-Painting-1553 — 13 days ago