Microsoft Defender for Identity Alert Details
Alert ID: MDI-VALID-ACCTS-1078-7842
Alert Time: 2024-02-12 08:45:33 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Identity
Rule: “Honeytoken Account Activity Detected”
MITRE ATT&CK: T1078 – Valid Accounts
Alert Details:
Detection: Honeytoken account activity
Honeytoken Account: svc_backup_old (Service Account)
– Created: 2023-01-15 (as honeytoken)
– Last Activity: Never (until now)
– Password: 128-character random (not used anywhere)
– Permissions: None (appears in logs but no actual access)
Activity Detected:
– Time: 08:42 EST
– Authentication Type: NTLM
– Source Host: WORKSTATION-45 (Unknown device)
– Source IP: 192.168.47.89 (Internal IP – Guest WiFi network)
– Service: Attempted access to FILE-SVR-01 (File Server)
– Result: FAILED (account has no permissions)
Honeytoken Characteristics:
– Account exists in AD but has no real purpose
– Appears in logs to lure attackers
– Any activity is 100% malicious
– No legitimate user would ever use this account
Additional Context:
– Source IP is on Guest WiFi network (non-corporate devices)
– WORKSTATION-45 not in asset inventory
– Likely an attacker scanning with compromised credentials
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI honeytoken alert | Microsoft Defender for Identity | Confirmed 100% malicious activity |
| 2. Source Investigation | Identify source IP/host | DHCP Logs, Cisco ISE | Guest WiFi IP assigned to unknown Windows laptop |
| 3. Physical Security | Locate device on Guest WiFi | WiFi Controller, Security Team | Device in lobby area; user unknown |
| 4. Credential Analysis | Determine how attacker had password | AD Logs, Investigation | Password never used; likely password hash from memory dump |
| 5. Threat Hunting | Check for other honeytoken activity | MDI, Splunk | No other honeytoken activity detected |
| 6. Containment | Block source device | Cisco ISE, MAC Filtering | Device blocked from all networks |
Jira Incident Report
Ticket: SOC-2024-065
Summary: T1078 – Honeytoken Account Activity Detected – Valid Credentials in Use
Status: RESOLVED
Resolution: MALICIOUS – Honeytoken Triggered
Priority: P2 – MEDIUM
Labels: T1078, valid-accounts, honeytoken, defender-for-identity, lateral-movement
Components: Identity-Management, Threat-Hunting
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Microsoft Defender for Identity.
- Alert: “Honeytoken Account Activity Detected”.
- Honeytoken: svc_backup_old (service account with no real use).
- Time: 2024-02-12 08:45 EST.
- Technique: MITRE ATT&CK T1078 – Valid Accounts.
2. Technical Analysis:
- Honeytoken Design:
  - Account created January 2023 as decoy
  - Never used for any legitimate purpose
  - 128-character random password (not in use anywhere)
  - Appears in AD but has zero permissions
  - Any activity = 100% malicious
- Detection Details:
  - Time: 08:42 EST
  - Source IP: 192.168.47.89 (Guest WiFi)
  - Source Host: WORKSTATION-45 (unknown device)
  - Target: FILE-SVR-01 (file server)
  - Authentication: NTLM
  - Result: Failed (no permissions)
- How Attacker Had Password:
  - Password hash likely obtained from:
    - LSASS memory dump on compromised host
    - Domain controller compromise (unlikely)
    - Credential dumping tool (Mimikatz, etc.)
  - Honeytoken password never used, so not from phishing
- Attacker Activities:
  - Attacker has foothold on internal network
  - Using stolen credentials to move laterally
  - Testing credentials against file server
  - Honeytoken triggered their reconnaissance
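The detection rule behind this report, written out as an added Python example that is not part of the incident report: any authentication attempt naming the decoy account svc_backup_old is alerted, and the alert is enriched with the context the SOC used (guest-WiFi source, NTLM). The guest-WiFi range 192.168.47.0/24, the simplified event field names and the sample records are assumptions constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Decoy accounts from the report; no legitimate user ever authenticates as one.
HONEYTOKENS = {"svc_backup_old"}
# Assumed guest-WiFi range (the report only names the single address 192.168.47.89).
GUEST_WIFI = ipaddress.ip_network("192.168.47.0/24")
# Constructed sample events shaped like simplified Windows Security records
# (4776 = NTLM credential validation, 4625 = failed logon, 4624 = successful logon).
SAMPLE_EVENTS = """\
{"EventID": 4776, "TargetUserName": "svc_backup_old", "Workstation": "WORKSTATION-45", "IpAddress": "192.168.47.89", "AuthPackage": "NTLM", "Result": "failure"}
{"EventID": 4624, "TargetUserName": "jdoe", "Workstation": "WS-0112", "IpAddress": "10.20.5.17", "AuthPackage": "Kerberos", "Result": "success"}
{"EventID": 4625, "TargetUserName": "SVC_BACKUP_OLD", "Workstation": "FILE-SVR-01", "IpAddress": "192.168.47.89", "AuthPackage": "NTLM", "Result": "failure"}
"""

def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_honeytoken(user):
    # AD account names are case-insensitive, so normalise before matching.
    return user.lower() in HONEYTOKENS

def triage(event):
    """Return an alert dict for a honeytoken hit, or None for ordinary traffic."""
    if not is_honeytoken(event.get("TargetUserName", "")):
        return None
    ip = ipaddress.ip_address(event["IpAddress"])
    alert = {
        "account": event["TargetUserName"].lower(),
        "source_ip": str(ip),
        "source_host": event.get("Workstation", "unknown"),
        "severity": "HIGH",  # a decoy account has no legitimate use
        "succeeded": event.get("Result") == "success",
        "context": [],
    }
    if ip in GUEST_WIFI:
        alert["context"].append("guest-wifi source")
    if event.get("AuthPackage") == "NTLM":
        alert["context"].append("ntlm auth")
    if alert["succeeded"]:
        alert["severity"] = "CRITICAL"  # the decoy's password itself is in use
    return alert

def run(text=SAMPLE_EVENTS):
    """Triage every event; return the alerts and a hit count per source IP."""
    alerts = [a for a in map(triage, parse_events(text)) if a]
    return alerts, Counter(a["source_ip"] for a in alerts)
```

On the sample data `run()` flags both svc_backup_old attempts from 192.168.47.89 and ignores the jdoe logon; a successful authentication as the decoy is escalated to CRITICAL because it means the password itself, not just the name, is in the attacker's hands.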
3. Investigation Findings:
- Timeline:
  - 08:42 – Honeytoken activity detected
  - 08:45 – MDI alert triggers
  - 08:47 – SOC investigation begins
  - 08:50 – Source IP identified as Guest WiFi
  - 08:55 – Device located in lobby
  - 09:00 – Device blocked from all networks
- Source Analysis:
  - Guest WiFi device: Unknown Windows laptop
  - MAC address: 00:1A:2B:3C:4D:5E (not in inventory)
  - User: Unknown (guest/vendor/attacker)
  - Device no longer on network after blocking
- Credential Source Investigation:
  - Reviewed recent domain controller logs (no compromise)
  - Checked for LSASS dumping alerts (none in EDR)
  - Likely attacker brought compromised credentials from outside
4. Containment Actions:
- Immediate Actions (08:47-09:00 EST):
  - Blocked source device via Cisco ISE (MAC filtering).
  - Blocked source IP at firewall.
  - Guest WiFi network isolated pending investigation.
- Honeytoken Monitoring:
  - Honeytoken remains active (intentionally).
  - Enhanced monitoring for any further activity.
- Threat Hunting:
  - Searched for other honeytoken activity (none).
  - Searched for same source IP in other logs (none).
  - Searched for lateral movement patterns (none).
5. Root Cause Analysis:
- Primary Cause: Attacker with stolen credentials testing on internal network.
- Contributing Factors:
  - Guest WiFi accessible from lobby (physical security gap).
  - No network segmentation for Guest WiFi.
  - Honeytoken worked as designed (detected attacker).
6. Business Impact:
- Operational Impact: None.
- Data Exposure: None (honeytoken has no access).
- Detection Value: HIGH – Identified attacker presence.
7. Remediation & Prevention:
- Completed Actions:
  - Attacker device blocked.
  - Guest WiFi isolated.
  - Threat hunting completed.
- Technical Controls Enhanced:
  - Implemented network segmentation for Guest WiFi.
  - Deployed additional honeytokens across environment.
  - Enhanced monitoring for lateral movement.
8. Conclusion:
This incident demonstrates the value of honeytoken accounts. An attacker with stolen credentials tested them against a file server, triggering our honeytoken. While no actual compromise occurred, we identified an attacker's presence on our Guest WiFi and blocked the device.
Closure Rationale: Honeytoken detected attacker; device blocked; no compromise.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 10:00 EST