DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft Active Directory environments. It plants decoy credentials on endpoints; these credentials have no legitimate use, so any attempt to authenticate with them indicates an intruder who has harvested them and is trying to escalate to domain administrator. DCEPT consists of agents (which place the credentials on endpoints), a server component (which generates them) and a monitoring component (which watches authentication traffic and alerts), giving defenders both the fact of the compromise and the endpoint from which the credential was taken.
Docker Container:
- A Docker container is provided for server components.
- Docker must be installed on the system (Docker Installation Instructions).
- Build and run the Docker image using provided scripts.
Agent (C#):
- Agent is provided as C# source code.
- Requires compilation by the network administrator before deployment.
- Configuration (URL and PARAM) must be altered before compilation.
How to Use
Building and Running Docker Image:
Building the Agent (C#)
· Edit URL and PARAM constants in the C# source code.
· Compilation on Windows can be done using Visual Studio Express.
· Compilation on Ubuntu using mono: mcs ht-agent.cs -r:System.Data.dll -r:System.Web.Extensions.dll -r:System.Web.Services
Testing:
· Use a Docker container with tcpreplay installed.
· Execute commands inside the container for testing.
Additional Information
Configuration File:
· Modify "dcept.cfg" before running the Docker container.
· Only notifications via rsyslog are supported.
Multi-server Architecture:
· DCEPT can run in standalone or multi-server configuration.
· Master node generates credentials and sniffs authentication requests.
· Multiple DCs' traffic can be monitored by a single DCEPT instance.
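The issue-then-match workflow behind this architecture, as an added illustrative model (not DCEPT's own code): the master node hands out one unique credential per endpoint, the monitor ignores every principal except the honey account, and a hit is traced back to the endpoint whose credential was used. Kerberos is replaced here by a constructed challenge/response (an HMAC keyed with a hash of the password stands in for pre-authentication encrypted under the password-derived key); the honey account name and host names are constructed sample data.

```python
"""Simplified model of a DCEPT-style honeytoken tripwire.

Added example, not DCEPT's own code. The Kerberos exchange is replaced
by a constructed challenge/response so the model runs offline.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


def key_from_password(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption for
    # this model; real etypes use NT hash or PBKDF2, not plain SHA-256).
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_proof(password: str, challenge: bytes) -> bytes:
    # What a client (or an attacker replaying stolen credentials) sends:
    # a MAC over the challenge under the password-derived key.
    return hmac.new(key_from_password(password), challenge, hashlib.sha256).digest()


@dataclass
class Token:
    hostname: str
    password: str
    issued_at: float


class HoneytokenServer:
    """Master node: generates one unique decoy credential per endpoint."""

    def __init__(self, honey_user: str):
        self.honey_user = honey_user
        self._by_host: Dict[str, Token] = {}

    def issue(self, hostname: str) -> Token:
        # A fresh random password per endpoint: because no two hosts share
        # a password, a later hit identifies the exact machine that was
        # compromised rather than just "somebody used the honey account".
        token = Token(hostname, secrets.token_urlsafe(24), time.time())
        self._by_host[hostname] = token
        return token

    def tokens(self) -> List[Token]:
        return list(self._by_host.values())


class AuthMonitor:
    """Monitor: inspects authentication attempts seen on the wire."""

    def __init__(self, server: HoneytokenServer):
        self.server = server

    def inspect(self, principal: str, challenge: bytes, proof: bytes) -> Optional[dict]:
        # Only the honey account is interesting; real users pass through.
        if principal.lower() != self.server.honey_user.lower():
            return None
        # Try every issued credential: the one whose key validates the proof
        # is the one the attacker harvested, and its hostname is the source.
        for token in self.server.tokens():
            expected = client_proof(token.password, challenge)
            if hmac.compare_digest(expected, proof):
                return {
                    "severity": "critical",
                    "principal": principal,
                    "source_host": token.hostname,
                    "issued_at": token.issued_at,
                }
        # Nobody should ever log in as the honey account, so even a wrong
        # password (guessing, spraying) deserves an alert, just a weaker one.
        return {"severity": "warning", "principal": principal, "source_host": None}


def demo() -> Optional[dict]:
    """Constructed scenario: credentials dumped from WS-HR-07 are replayed."""
    server = HoneytokenServer("svc_backup")
    server.issue("WS-FINANCE-01")
    stolen = server.issue("WS-HR-07").password
    challenge = secrets.token_bytes(16)
    return AuthMonitor(server).inspect("svc_backup", challenge, client_proof(stolen, challenge))


if __name__ == "__main__":
    print(demo())
```

In a multi-server deployment the master owns the `HoneytokenServer` role and the sniffers feed `AuthMonitor.inspect` from the traffic of every domain controller they see; because each endpoint's password is unique, the alert names the compromised host without any further correlation.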
Deployment Warning:
· Deploying in a way that leaves valid domain administrator credentials cached on endpoints is highly discouraged.
Cosmetic Configurations:
· Do not give the honey account, agent or server names that suggest DCEPT or a honeypot; an attacker who recognises the tripwire will simply avoid it.