DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft’s Active Directory. Honeytokens are pieces of information deliberately planted on a system so that an intruder will find them. In the case of DCEPT, the honeytokens are credentials that could only be known to someone who extracted them from memory. A logon attempt using these faux credentials therefore means someone is inside the network and attempting privilege escalation to domain administrator.
Active Directory Honeytoken Tripwire Overview
There are three components to DCEPT.
The first is an agent written in C# that caches honeytokens in memory on the endpoints. The tokens themselves are invalid credentials, so an attacker who steals them gains nothing. Honeytokens are requested at regular intervals and are uniquely associated with a workstation for a particular window of time, which provides a forensic timeline. In the event a honeytoken is used from a different workstation at a later date, its point of origin is still known, potentially narrowing the scope of an investigation. The agent places the honeytoken credentials in memory by calling the CreateProcessWithLogonW Windows API to launch a suspended subprocess with the LOGON_NETCREDENTIALS_ONLY flag; with that flag the credentials are not validated at process creation but are held for outbound network authentication, which is why bogus credentials can be cached at all. By default the agent refreshes this process once a day, obtaining new honeytoken credentials from the DCEPT generation server each time.
DCEPT Generation Server
The second is a server component that generates and issues honeytokens to requesting endpoints. It generates a randomized honeytoken password for each agent per time period and records the credentials, the timestamp, and the name of the requesting computer in a database for later retrieval.
A third component acts as a monitor that passively listens for logon attempts. In order to capture the necessary packets, the interface DCEPT sniffs on needs to be on the same network as the domain controller (or otherwise see its traffic, for example via a mirror port). The sniffer process runs alongside the generation server and looks for Kerberos pre-authentication packets (AS-REQ messages carrying an encrypted timestamp) destined for the AD domain controller whose client name matches the honeytoken username. Because that timestamp is encrypted with a key derived from the client’s password, DCEPT can attempt to brute-force decrypt it using every honeytoken password stored in the database. If a packet decrypts successfully, the generated alert reveals the name of the compromised computer the honeytoken password was stolen from and the time period when it happened.
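The bookkeeping that makes the forensic timeline possible, as an added example that is not DCEPT’s own code: a generation server hands each endpoint a random password per time window, stores it with the hostname and window, and the monitor, once it has matched a password, looks up where and when it was issued. The function names, the sqlite schema, the decoy username and the alert format are assumptions for illustration; the actual Kerberos decryption step is not shown.

```python
"""Honeytoken issuance and attribution (added example, not DCEPT's own code).
Table layout, function names, HONEY_USER and the alert format are hypothetical."""
import secrets
import sqlite3
import time

HONEY_USER = "svc_backup"   # assumption: one shared decoy username for all agents
PERIOD = 24 * 60 * 60        # the page's default refresh window: one day


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS tokens ("
        "hostname TEXT NOT NULL, period_start INTEGER NOT NULL, "
        "password TEXT NOT NULL UNIQUE, PRIMARY KEY (hostname, period_start))"
    )
    return db


def period_start(now):
    """Start of the time window that contains the timestamp `now`."""
    return int(now) - int(now) % PERIOD


def issue_token(db, hostname, now=None):
    """Return (username, password) for this host and window, generating the
    password on first request. A repeat request inside the same window returns
    the same password, so an agent restart neither floods the table nor breaks
    attribution."""
    now = time.time() if now is None else now
    start = period_start(now)
    row = db.execute(
        "SELECT password FROM tokens WHERE hostname=? AND period_start=?",
        (hostname, start)).fetchone()
    if row:
        return HONEY_USER, row[0]
    password = secrets.token_urlsafe(12)   # random per host per window; no real account
    db.execute("INSERT INTO tokens VALUES (?, ?, ?)", (hostname, start, password))
    db.commit()
    return HONEY_USER, password


def attribute(db, username, password):
    """Given credentials recovered from a pre-auth attempt, return the host and
    window the password was issued to, or None if it is not one of ours."""
    if username.lower() != HONEY_USER.lower():
        return None
    row = db.execute("SELECT hostname, period_start FROM tokens WHERE password=?",
                     (password,)).fetchone()
    if row is None:
        return None
    hostname, start = row
    return {"hostname": hostname, "stolen_after": start, "stolen_before": start + PERIOD}


def alert_line(hit, seen_at, src_ip):
    """Syslog-style alert the monitor would forward; the field names are my own."""
    def t(ts):
        return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))
    return (f"DCEPT-ALERT honeytoken used src={src_ip} seen={t(seen_at)} "
            f"origin_host={hit['hostname']} "
            f"window={t(hit['stolen_after'])}/{t(hit['stolen_before'])}")


if __name__ == "__main__":
    db = open_db()
    user, pw = issue_token(db, "WS01")          # agent on WS01 fetches its token
    hit = attribute(db, user, pw)               # later seen in an AS-REQ from elsewhere
    print(alert_line(hit, time.time(), "10.0.0.5"))
```

The lookup is keyed on the password alone, so a token replayed days later from another host still points back at the workstation it was issued to and at the one-day window in which it must have been dumped from memory.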
In Microsoft Windows networking, a domain is a group of computers that have registered with a central directory held by a server known as the domain controller. Using a Windows component known as Active Directory (AD), network administrators can manage all user accounts, processes, and permissions on devices that have joined the domain. A special administrative account known as the domain administrator can authenticate to and control any computer in the domain. This all-powerful account can simplify and streamline network administration tasks, but it can also provide unfettered network access to attackers. Many network administrators are unaware that casually using this account to log in to workstations for routine maintenance carries great risk.
The best option for attackers with a foothold on a Windows network who want to move laterally is to obtain the domain administrator account password. By default, Windows caches logon credentials in memory, and privileged local users can extract them. When a domain administrator logs in to a compromised workstation interactively (via keyboard, Remote Desktop, or command-line tools such as the PsExec utility), their password material is stored in the credential cache. Using popular credential-theft tools such as Mimikatz, an attacker with local administrator privileges can dump the cache and read the password and/or its NTLM hash, which is as useful as the password itself because NTLM authentication accepts the hash directly (pass-the-hash). With this information, the attacker gains total control of the network.
A Docker container build for the server components is provided, making deployment a simple process. Before you can use DCEPT, you must have Docker installed on your system. Consult the Docker website for installation instructions.
The configuration file is named “dcept.cfg” and must be modified before running the Docker container. Currently only notifications via rsyslog are supported. Configure syslog_host to point to your SIEM’s syslog server.
Building the Docker Image
root@host:~# cd server
root@host:~# ./docker_build.sh
Running the Docker Image as a Container
Run the Docker container interactively with the following command:
root@host:~# cd server
root@host:~# ./launcher.sh
Run the container in the background with the following command:
root@host:~# cd server
root@host:~# ./launcher.sh
Building the Agent
The agent is provided as C# source code only, designed to be audited and compiled by the network administrator before being deployed to endpoints. If you are compiling on a Windows system, Microsoft provides Visual Studio Express free of charge.
Configuring the Agent
The agent configuration is hardcoded and must be altered prior to compilation. Toward the top of the code you will find two constants, URL and PARAM. URL should point to the DCEPT Generation Server. The URL can also contain any number of arbitrary directories/subdirectories; these are purely cosmetic and intended to intrigue an attacker who comes across the URL. The PARAM constant is the name of the parameter in which the agent passes the endpoint hostname to the Generation Server. The parameter name can likewise be changed for cosmetic purposes, but be sure the change is reflected in the Generation Server configuration file.
IMPORTANT: Using names such as “honeytoken”, or anything else that might suggest to an attacker that you are running DCEPT, is counterproductive and highly discouraged.
// Edit this to point to your Honeytoken server URL
static string URL="http://not-a-dcept-server-wink.domain.lan/backup/auth/nonsense";
static string PARAM="machine";
Compiling on Ubuntu
If you prefer to compile on an Ubuntu system, you can use Mono. If you don’t already have it installed, run the following command to install the Mono development packages and the C# compiler.
root@host:~# apt-get install monodevelop mono-mcs
Once Mono is installed, change to the directory containing the agent source and run the following to compile it.
root@host:~# mcs ht-agent.cs -r:System.Data.dll -r:System.Web.Extensions.dll
Deploying the Agent
How the agent is deployed will vary from organization to organization and is entirely up to you. Deploying it in a way that leaves valid domain administrator credentials cached on the endpoints (for example, pushing it with PsExec under a domain administrator account) defeats the purpose of the tool and is highly discouraged.
Testing Your Active Directory Honeytoken Tripwire
tcpreplay is installed inside the Docker container along with a sample pcap for testing purposes. While DCEPT is running, execute the following from within the container, substituting the interface the sniffer listens on:
root@host:~# tcpreplay -i <interface> /opt/dcept/example.pcap