Introducing entity tags
In MDI, we can use entity tagging to highlight sensitive accounts and honeytoken accounts. This improves our response by helping us prioritize. Let’s start with honeytokens.
Configuring honeytokens
These are decoy accounts set up to identify and trace suspicious activity wherever they are used. Honeytoken accounts should be left unused, while carrying an account name attractive enough to lure malicious outsiders or malicious insiders into using them. For example, an account named AD-Admin would be interesting to try and use, since the name implies privileges within AD.
In real life, though, the name of the account does not matter as much as the Security Identifier (SID) value of highly privileged users or groups. The SID values in AD are always the following:
- S-1-5-domain-500 for the Administrator account in AD
- S-1-5-domain-512 for the Domain Admins group in AD
- S-1-5-root domain-518 for the Schema Admins group in AD
- S-1-5-root domain...
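As an added illustration (not part of the original text or of MDI itself), the following Python snippet shows why tagging by SID matters: it flags any use of a honeytoken account by name, and flags a renamed built-in Administrator by its RID of 500 even though the account name looks harmless. The account name AD-Admin, the RID 519 for Enterprise Admins, and the sample logon records are assumptions constructed for the example.

```python
import re

# Well-known RIDs for high-privilege principals. 500, 512 and 518 are the
# values listed in the text; 519 (Enterprise Admins) is added as an
# assumption to complete the usual set of built-in privileged RIDs.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Domain SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Hypothetical honeytoken account names; these must never be used.
HONEYTOKENS = {"AD-Admin"}


def privileged_role(sid):
    """Return the well-known role for a SID's RID, or None for ordinary accounts."""
    match = SID_RE.match(sid)
    if not match:
        return None
    return PRIVILEGED_RIDS.get(int(match.group(1)))


def triage_logons(logons, honeytokens=HONEYTOKENS):
    """Return (account, host, reason) alerts for honeytoken use and for logons
    by a privileged SID, regardless of what the account is currently named."""
    alerts = []
    for account, sid, host in logons:
        if account in honeytokens:
            alerts.append((account, host, "honeytoken account used"))
        role = privileged_role(sid)
        if role is not None:
            alerts.append((account, host, f"privileged SID ({role})"))
    return alerts


# Constructed sample logon records: (account name, SID of the logon principal, source host).
SAMPLE_LOGONS = [
    ("jdoe", "S-1-5-21-1111-2222-3333-1105", "WS01"),       # ordinary user, no alert
    ("AD-Admin", "S-1-5-21-1111-2222-3333-1210", "WS07"),   # decoy name with an ordinary RID
    ("svc-backup", "S-1-5-21-1111-2222-3333-500", "WS07"),  # renamed Administrator, RID 500
]

if __name__ == "__main__":
    for alert in triage_logons(SAMPLE_LOGONS):
        print(alert)
```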