Detecting Kerberoasting with a Honeypot service account

Overview

Kerberoasting is a stealthy identity attack technique where threat actors request service tickets for accounts with SPNs and attempt to crack their credentials offline. Cayosoft Guardian detects this behavior by monitoring for failed Kerberos requests to a decoy account.

This article walks you through creating a secure, high-fidelity honeypot service account designed to detect Kerberoasting attempts without introducing risk to your environment.

Objective

Deploy an Active Directory user account with:

• A non-existent SPN to trigger failed TGS requests
• A 256-character random password to prevent compromise
• No logon ability
• Delegation restrictions
• Enabled state (to appear legitimate)
• Monitored in real time by Cayosoft Guardian

Security Design

Step-by-Step Setup

Step 1: Create the Honeypot User (Enabled)

New-ADUser `
    -Name "svc-KrbTrap" `
    -SamAccountName "svc-KrbTrap" `
    -UserPrincipalName "svc-KrbTrap@yourdomain.com" `
    -Enabled $true `
    -AccountPassword (ConvertTo-SecureString -String ([System.Web.Security.Membership]::GeneratePassword(256,32)) -AsPlainText -Force) `
    -PasswordNeverExpires $true `
    -Path "CN=Users,DC=yourdomain,DC=com"

Replace "CN=Users,DC=yourdomain,DC=com" with your preferred OU.

Step 2: Lock Down the Account

Deny All Logon Types:

Set-ADUser svc-KrbTrap -UserAccountControl "NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD,NO_PASSWORD_REQUIRED"

Use Group Policy or Local Security Policy to apply these:

• Deny logon locally
• Deny logon through Remote Desktop Services
• Deny access to this computer from the network

Add the honeypot account to a dedicated group like GP_KrbTrap_DenyLogon, and apply logon denial through GPO targeting that group.

Step 3: Disable delegation

Set-ADAccountControl svc-KrbTrap -TrustedForDelegation $false
Set-ADUser svc-KrbTrap -Add @{ "msDS-AllowedToDelegateTo" = @() }

Step 4: Assign a Fake, Unique SPN

SPN must not resolve to any legitimate service.

Set-ADUser svc-KrbTrap -ServicePrincipalNames @{Add="MSSQLSvc/fake-sqlbait.yourdomain.com"}

Common believable prefixes: MSSQLSvc, HTTP, LDAP, CIFS, etc.

Step 5: Deception enhancements

Make the ACCOUNT privileged:

Set-ADUser svc-KrbTrap -Replace @{adminCount=1}

Add to dummy "privileged" groups:

New-ADGroup -Name "SQLAdmins-Fake" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "SQLAdmins-Fake" -Members svc-KrbTrap

These groups should have no permissions or linked policies. They exist to attract attacker enumeration tools.

What Guardian detects

Cayosoft Guardian detects this activity using 4769 (Failure) event monitoring:

Any request that matches this logic is treated as a Kerberoasting Honeypot Threat and will:

• Be surfaced in the Threat Dashboard
• Include user, client IP, and domain controller
• Trigger alerts and response workflows (if configured)

How to Test the Detection (Optional)

To validate the honeypot trigger, simulate a TGS request using a lab attacker tool against the fake SPN. Within seconds, Guardian will raise an alert for failed access to the honeypot account with the correct failure code.

Summary

Version Compatibility

Need Help?

If you would like assistance deploying the honeypot or fine-tuning detection thresholds, please contact Cayosoft Support.