Active Directory Honeypots
I'm currently building out a detection lab focused entirely on Active Directory deception. The goal is to deploy low-maintenance AD traps that generate high-fidelity signals, forwarding the Windows Event Logs directly to Wazuh for ingestion and alerting.
Since everything routes based on specific Event IDs, I want to make sure I’m covering the most common lateral movement and recon paths. Here is what I have planned so far:
- Kerberoasting Bait: A fake
svc-mssql-adminaccount with a dummy SPN and a highly complex password. - AS-REP Roasting Bait: A
backup-automationaccount with Kerberos pre-auth explicitly disabled. - SYSVOL Share Trap: A fake legacy GPO folder with a
Groups.xmlor script containing fake credentials. I'm putting a strict SACL on it to watch for Event ID 4663 (since no legitimate user should be manually browsing that folder). - LSASS Injection: Pushing a fake
Domain-Admin-Bkpcredential into the memory of standard domain workstations via a GPO startup script to catch anyone dumping memory with Mimikatz/procdump. If they try to use those scraped creds, the DC catches the logon attempt.
As mentioned, I am using Wazuh as a SIEM therefor I will be creating the custom honeypot detection rules but before I start building out the rules, are there any other high-signal AD honeypot ideas you guys have deployed in production or labs?