Deceptive-Auditing: An Active Directory Honeypots Tool

Source: Black Hills Information Security, Inc.

Author: BHIS

URL: https://www.blackhillsinfosec.com/deceptive-auditing/

ONE SENTENCE SUMMARY:

Deceptive-Auditing deploys and audits Active Directory honeypots, integrating multiple functions to automate setup and enhance security defenses.

MAIN POINTS:

  1. Deceptive-Auditing automates Active Directory honeypot deployment using PowerShell cmdlets.
  2. It combines two projects: Set-AuditRule and Deploy-Deception by Rodriguez and Mittal.
  3. Automates the creation and removal of audit ACEs in a file's SACL, so that access to a decoy file is logged.
  4. Supports auditing for files, registry keys, and AD objects.
  5. Functions like New-DecoyUser and Deploy-UserDeception create and audit decoy users.
  6. Deploy-PrivilegedUserDeception establishes privileged honeypots with simulated activity.
  7. New-DecoyComputer and Deploy-ComputerDeception manage deceptive computer setups.
  8. New-DecoyGroup and Deploy-GroupDeception create and manage decoy groups.
  9. Includes functions like New-DecoyOU and Deploy-OUDeception for organizational units.
  10. New-DecoyGPO and Deploy-GPODeception manage group policy objects for decoy purposes.
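
The file-auditing step summarized in point 3 (adding and removing an audit ACE in a decoy file's SACL, which is what Set-AuditRule automates) can be done by hand with the .NET access-control classes PowerShell exposes. The script below is an added example, not code from the Deceptive-Auditing project; the decoy path and the "Everyone" principal are constructed values, and it assumes an elevated session with "Audit File System" (Object Access) auditing enabled so that matching access produces Security event 4663.

```powershell
# Added example, not part of the Deceptive-Auditing project.
# Assumes an elevated PowerShell session (writing a SACL needs SeSecurityPrivilege)
# and that Advanced Audit Policy "Audit File System" is enabled; otherwise the
# audit ACE is stored but no 4663 event is ever written.
param(
    [string]$DecoyPath = 'C:\Decoys\passwords.xlsx',   # constructed decoy path
    [string]$Principal = 'Everyone'                     # constructed; any SID/account works
)

function Add-DecoyFileAuditRule {
    param([string]$Path, [string]$Identity)
    # Audit both successful and failed reads/writes by the given identity.
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData',
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    # -Audit is required: without it Get-Acl returns only the DACL, and Set-Acl
    # would silently leave the SACL untouched.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $rule
}

function Remove-DecoyFileAuditRule {
    param([string]$Path, [string]$Identity)
    # Remove only the explicit (non-inherited) audit entries for this identity.
    $acl = Get-Acl -Path $Path -Audit
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
    foreach ($r in $existing) { [void]$acl.RemoveAuditRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# Create the decoy file if needed, attach the audit ACE, then show the SACL.
if (-not (Test-Path -Path $DecoyPath)) {
    New-Item -ItemType File -Path $DecoyPath -Force | Out-Null
}
Add-DecoyFileAuditRule -Path $DecoyPath -Identity $Principal | Out-Null
(Get-Acl -Path $DecoyPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Once the rule is in place, any touch of the decoy file by a matching principal shows up as event ID 4663 in the Security log, which is the signal a detection rule keys on; call Remove-DecoyFileAuditRule to tear the decoy down.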

TAKEAWAYS:

  1. Handles deceptive traps in Active Directory to bait adversaries.
  2. Supports creating scripts for ongoing honeypot deployments.
  3. Offers mechanisms to simulate activity on decoys and entice adversaries to interact with them.
  4. Automates Active Directory lab environment setup with fake objects.
  5. Extensible for future functions and detailed defensive strategies.