Dell SecureWorks researchers created an open source honeypot to help network administrators catch and monitor attackers.
The tool is called DCEPT (Domain Controller Enticing Password Tripwire) and is a tripwire-style intrusion detection system for Active Directory (AD), Dell security researchers Joe Stewart and James Bettke said in a March 2 blog post.
The detection system is based on honeytokens - pieces of information that reveal an attack is taking place when they are accessed or used - and can detect privilege escalation attempts and identify which computer the honeytoken was stolen from.
“The DCEPT tool consists of three parts: an agent that puts a honeytoken domain administrator password into memory on endpoints, a network service that generates unique honeytokens at the request of an agent, and a sniffer service that looks at network traffic for signs that the honeytoken password is being sent in an authentication request,” researchers said.
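A simplified model of the three components described above, written as an added example rather than code from the DCEPT project: a service that issues one unique honeytoken per endpoint, an agent-side request for it, and a sniffer-style check that flags any authentication attempt presenting an issued honeytoken and traces it back to the endpoint it was planted on. The authentication events are constructed sample records, and the assumption that the sniffer already has the presented credential in plaintext is a simplification for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    username: str   # decoy domain-admin account name planted on the endpoint
    password: str   # unique per endpoint, so any use can be attributed to one host
    endpoint: str   # hostname the agent planted this token on


class HoneytokenService:
    """Models the network service: generates a unique honeytoken per agent request."""

    def __init__(self, decoy_user="svc_da_backup"):  # assumed decoy account name
        self.decoy_user = decoy_user
        self._by_password = {}

    def issue(self, endpoint):
        # A fresh random secret per endpoint; the mapping is what lets the sniffer
        # say which machine the credential was stolen from.
        tok = Honeytoken(self.decoy_user, secrets.token_urlsafe(18), endpoint)
        self._by_password[tok.password] = tok
        return tok

    def lookup(self, password):
        return self._by_password.get(password)


def detect_honeytoken_use(service, auth_events):
    """Models the sniffer: flag every auth attempt that presents an issued honeytoken.

    Each event is a constructed dict with 'user', 'password' and 'src_ip' fields
    (a real sniffer would derive these from the captured authentication request).
    """
    alerts = []
    for ev in auth_events:
        tok = service.lookup(ev["password"])
        if tok is not None and ev["user"].lower() == tok.username.lower():
            alerts.append({"stolen_from": tok.endpoint, "used_from": ev["src_ip"]})
    return alerts


def run_demo():
    """Plant tokens on two endpoints, then replay constructed auth events."""
    svc = HoneytokenService()
    t_fin = svc.issue("WS-FINANCE-01")   # constructed hostnames
    t_hr = svc.issue("WS-HR-07")
    events = [  # constructed sample events; only the second uses a planted token
        {"user": "alice", "password": "not-a-honeytoken", "src_ip": "10.0.0.5"},
        {"user": t_fin.username, "password": t_fin.password, "src_ip": "10.0.0.9"},
        {"user": t_hr.username, "password": "guess123", "src_ip": "10.0.0.9"},
    ]
    return detect_honeytoken_use(svc, events)
```

Because the password is unique per endpoint, a single alert names both the host the decoy was taken from and the address that tried to use it.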
DCEPT can be downloaded from GitHub.