There is a tool available that allows Windows system administrators to detect network intrusion attempts and pinpoint them to the original source.
Developed by Dell SecureWorks, the is available as an open source tool on Github.
“In Microsoft Windows networking, a domain is a group of computers that have registered with a central database known as the domain controller. Using a Windows component known as Active Directory (AD), network administrators can manage all user accounts, processes, and permissions on devices that have joined the domain,” researchers said in a blog post.
“By default, Windows caches login credentials in memory, and privileged local users can extract them. When a domain administrator logs in to a compromised workstation interactively (via keyboard, remote desktop, or command-line tools such as the PsExec utility), their password ends up stored in the credential cache. Using popular credential-theft tools such as Mimikatz, an attacker with local administrator privileges can dump the cache and read the password and/or its hash (which is as effective as the password, given how Windows authentication works). With this information, the attacker gains total control of the network.”
The name of the tool is DCEPT (Domain Controller Enticing Password Tripwire). It consists of:
• DCEPT Generation Server, which creates unique honeytoken credentials for Active Directory (AD), the Windows component used by network administrators to manage accounts, processes, and permissions on devices within their domain.
• DCEPT Agent, which introduces them daily into the memory of each endpoint on the network.
• DCEPT Sniffer, which looks for Kerberos pre-authentication packets destined for the AD domain controller that match the honeytoken username. If it detects one, it alerts the network administrator and points toward the compromised workstation.
DCEPT has been open sourced and is available on GitHub, along with instructions for deployment.