T1078 – Valid Accounts (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-VALID-ACCTS-1078-7842
Alert Time: 2024-02-12 08:45:33 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Identity
Rule: “Honeytoken Account Activity Detected”
MITRE ATT&CK: T1078 – Valid Accounts

Alert Details:

Detection: Honeytoken account activity

Honeytoken Account: svc_backup_old (Service Account)

– Created: 2023-01-15 (as honeytoken)

– Last Activity: Never (until now)

– Password: 128-character random (not used anywhere)

– Permissions: None (appears in logs but no actual access)

Activity Detected:

– Time: 08:42 EST

– Authentication Type: NTLM

– Source Host: WORKSTATION-45 (Unknown device)

– Source IP: 192.168.47.89 (Internal IP – Guest WiFi network)

– Service: Attempted access to FILE-SVR-01 (File Server)

– Result: FAILED (account has no permissions)

Honeytoken Characteristics:

– Account exists in AD but has no real purpose

– Appears in logs to lure attackers

– Any activity is 100% malicious

– No legitimate user would ever use this account

Additional Context:

– Source IP is on Guest WiFi network (non-corporate devices)

– WORKSTATION-45 not in asset inventory

– Likely an attacker scanning with compromised credentials

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify MDI honeytoken alert | Microsoft Defender for Identity | Confirmed 100% malicious activity |
| 2. Source Investigation | Identify source IP/host | DHCP Logs, Cisco ISE | Guest WiFi IP assigned to unknown Windows laptop |
| 3. Physical Security | Locate device on Guest WiFi | WiFi Controller, Security Team | Device in lobby area; user unknown |
| 4. Credential Analysis | Determine how attacker had password | AD Logs, Investigation | Password never used; likely password hash from memory dump |
| 5. Threat Hunting | Check for other honeytoken activity | MDI, Splunk | No other honeytoken activity detected |
| 6. Containment | Block source device | Cisco ISE, MAC Filtering | Device blocked from all networks |

Jira Incident Report
Ticket: SOC-2024-065
Summary: T1078 – Honeytoken Account Activity Detected – Valid Credentials in Use
Status: RESOLVED
Resolution: MALICIOUS – Honeytoken Triggered
Priority: P2 – MEDIUM
Labels: T1078, valid-accounts, honeytoken, defender-for-identity, lateral-movement
Components: Identity-Management, Threat-Hunting

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Identity.
Alert: “Honeytoken Account Activity Detected”.
Honeytoken: svc_backup_old (service account with no real use).
Time: 2024-02-12 08:45 EST.
Technique: MITRE ATT&CK T1078 – Valid Accounts.

2. Technical Analysis:

Honeytoken Design:

Account created January 2023 as decoy
Never used for any legitimate purpose
128-character random password (not in use anywhere)
Appears in AD but has zero permissions
Any activity = 100% malicious
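As an added illustration of the honeytoken logic described under Honeytoken Characteristics and Honeytoken Design (example code, not MDI's detection rule or this SOC's own tooling): a small Python detector that flags any authentication event naming a honeytoken account regardless of outcome, then pivots on the offending source IP as in the threat-hunting step. The sample events, the CORP domain prefix and the 192.168.47.0/24 Guest WiFi range are constructed assumptions; the report gives only the single IP.

```python
# Added example: honeytoken logon detection over Windows Security events.
# Not MDI's rule or the report's tooling. Assumptions: honeytoken names in a
# set, events as dicts with the fields below, CORP as a constructed domain,
# and 192.168.47.0/24 as the Guest WiFi range (the report gives one IP only).
from ipaddress import ip_address, ip_network

HONEYTOKENS = {"svc_backup_old"}
GUEST_WIFI = ip_network("192.168.47.0/24")  # assumed range

# Constructed sample events: 4776 = NTLM credential validation,
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"id": 4624, "account": "CORP\\jdoe", "src_ip": "10.10.5.21",
     "src_host": "WS-12", "auth": "Kerberos", "target": "FILE-SVR-01"},
    {"id": 4776, "account": "CORP\\svc_backup_old", "src_ip": "192.168.47.89",
     "src_host": "WORKSTATION-45", "auth": "NTLM", "target": "FILE-SVR-01"},
    {"id": 4625, "account": "SVC_BACKUP_OLD", "src_ip": "192.168.47.89",
     "src_host": "WORKSTATION-45", "auth": "NTLM", "target": "FILE-SVR-01"},
    {"id": 4625, "account": "CORP\\administrator", "src_ip": "192.168.47.89",
     "src_host": "WORKSTATION-45", "auth": "NTLM", "target": "FILE-SVR-01"},
    {"id": 4624, "account": "CORP\\svc_backup", "src_ip": "10.10.5.40",
     "src_host": "BK-01", "auth": "Kerberos", "target": "FILE-SVR-01"},
]

def normalize(account):
    """Strip DOMAIN\\ prefix or @upn suffix and lower-case for exact matching."""
    return account.split("\\")[-1].split("@")[0].lower()

def honeytoken_alerts(events, honeytokens=HONEYTOKENS):
    """One alert per event naming a honeytoken. Outcome is irrelevant: the
    account has no legitimate use, so failed attempts count as T1078 too."""
    alerts = []
    for ev in events:
        name = normalize(ev["account"])
        if name not in honeytokens:
            continue
        alerts.append({
            "technique": "T1078", "account": name,
            "src_ip": ev["src_ip"], "src_host": ev["src_host"],
            "auth": ev["auth"], "target": ev["target"],
            "guest_wifi": ip_address(ev["src_ip"]) in GUEST_WIFI,
        })
    return alerts

def pivot_by_source(events, alerts):
    """Hunt step: all events from any source IP that touched a honeytoken,
    including attempts under other account names (lateral-movement check)."""
    suspect = {a["src_ip"] for a in alerts}
    return [ev for ev in events if ev["src_ip"] in suspect]
```

Note that the near-miss account `svc_backup` never matches: the lookup is exact after normalization, so a honeytoken name must not be a prefix or suffix of a real account's name only by accident.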

Detection Details:

Time: 08:42 EST
Source IP: 192.168.47.89 (Guest WiFi)
Source Host: WORKSTATION-45 (unknown device)
Target: FILE-SVR-01 (file server)
Authentication: NTLM
Result: Failed (no permissions)

How Attacker Had Password:

Password hash likely obtained from:
LSASS memory dump on compromised host
Domain controller compromise (unlikely)
Credential dumping tool (Mimikatz, etc.)
Honeytoken password never used, so not from phishing

Attacker Activities:

Attacker has foothold on internal network
Using stolen credentials to move laterally
Testing credentials against file server
Honeytoken triggered their reconnaissance

3. Investigation Findings:

Timeline:

08:42 – Honeytoken activity detected

08:45 – MDI alert triggers

08:47 – SOC investigation begins

08:50 – Source IP identified as Guest WiFi

08:55 – Device located in lobby

09:00 – Device blocked from all networks

Source Analysis:

Guest WiFi device: Unknown Windows laptop
MAC address: 00:1A:2B:3C:4D:5E (not in inventory)
User: Unknown (guest/vendor/attacker)
Device no longer on network after blocking

Credential Source Investigation:

Reviewed recent domain controller logs (no compromise)
Checked for LSASS dumping alerts (none in EDR)
Likely attacker brought compromised credentials from outside

4. Containment Actions:

Immediate Actions (08:47-09:00 EST):

Blocked source device via Cisco ISE (MAC filtering).
Blocked source IP at firewall.
Guest WiFi network isolated pending investigation.

Honeytoken Monitoring:

Honeytoken remains active (intentionally).
Enhanced monitoring for any further activity.

Threat Hunting:

Searched for other honeytoken activity (none).
Searched for same source IP in other logs (none).
Searched for lateral movement patterns (none).

5. Root Cause Analysis:

Primary Cause: Attacker with stolen credentials testing on internal network.
Contributing Factors:
Guest WiFi accessible from lobby (physical security gap).
No network segmentation for Guest WiFi.
Honeytoken worked as designed (detected attacker).

6. Business Impact:

Operational Impact: None.
Data Exposure: None (honeytoken has no access).
Detection Value: HIGH – Identified attacker presence.

7. Remediation & Prevention:

Completed Actions:

Attacker device blocked.
Guest WiFi isolated.
Threat hunting completed.

Technical Controls Enhanced:

Implemented network segmentation for Guest WiFi.
Deployed additional honeytokens across environment.
Enhanced monitoring for lateral movement.

8. Conclusion:

This incident demonstrates the value of honeytoken accounts. An attacker with stolen credentials tested them against a file server, triggering our honeytoken. While no actual compromise occurred, we identified an attacker presence on our Guest WiFi and blocked them.

Closure Rationale: Honeytoken detected attacker; device blocked; no compromise.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 10:00 EST
