Combining AD Honey Pot Accounts with Canaries to Detect Password Sprays and Kerberoasting for free!

**IMPORTANT: The event filter should be 4625 not 4624.

00:00 - Intro
01:00 - Going over CanaryTokens
04:00 - Scheduled Task Basics
06:10 - Switching over to Event Log
07:15 - Enabling logging for failures
09:30 - Searching Events based upon Event ID via XPATH/XML
11:30 - Searching Events based upon data in the Event Log
12:20 - Searching a specific field within the event log data
16:00 - Adding Boolean Logic to watch multiple events
19:00 - Preventing the account from being able to be used by setting login hours to none
21:00 - Creating a SPN so the account becomes kerberoastable
22:00 - Changing our Search Query to easily find events related to the kerberoasting
23:10 - Fixing up how we parsed multiple Event ID's
25:10 - Exporting and Importing the task
Be the first to comment