Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and allows administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application; or device, such as a printer.
To detect AD attack using deception technology, use the following deception configuration example.
- Add several custom Windows decoys to the customer network domain.
- On the Windows domain, configure schedule task scripts to run using the fake users, such as the one from the cache credentials lure.
- Add to each domain decoy the maximum number of IP addresses and ensure they are static IP addresses.
- On the network DNS server, configure a decoy DNS.
- Add DNS records to each decoy IP address.
- Set up attractive hostnames for each decoy IP address. For more information, see Deception decoy best practices.
- Deploy the SMB lure front in a domain decoy to avoid detection by tools like HoneyBuster.