How to compile and deploy the DCEPT agent on Windows?

You need to edit the hardcoded URL and PARAM constants in the C# source code, then compile it using Visual Studio Express or mono on Ubuntu. Deployment methods are left to the administrator, with warnings against using valid credentials.

DCEPT vs commercial AD security tools – what's the difference?

DCEPT is a free, open-source honeytoken tool focused on detection and education, while commercial tools often offer broader features like real-time prevention, advanced analytics, and integrated dashboards. DCEPT is best for cost-conscious teams wanting hands-on insight into credential theft.

Can DCEPT work in environments without Docker?

No, the server components require Docker for containerized deployment, as per the README's getting started section. Alternative setups aren't documented, limiting flexibility for teams without Docker expertise.

How to set up multi-server architecture with DCEPT?

Configure the 'master_node' option in dcept.cfg to point to a master node for slave nodes, which relay data to the master for credential matching. This allows scalable monitoring but adds configuration complexity.

What are the risks of using honeytokens in production AD?

If not properly configured, honeytokens might leak or be misused, but DCEPT uses invalid credentials to minimize risk. However, deploying agents with methods like psexec is discouraged to avoid exposure of valid credentials.

Open-Awesome

dcept

GPL-3.0Python

A honeytoken-based tripwire for detecting Active Directory credential theft and privilege escalation attempts.

Visit Website GitHub

506 stars101 forks0 contributors

What is dcept?

DCEPT is a honeytoken-based tripwire for Microsoft Active Directory that detects credential theft and privilege escalation attempts. It deploys fake credentials cached on endpoints, and any logon attempt using these tokens signals an intruder is inside the network. The tool provides forensic timelines and helps administrators identify breaches before they escalate.

Target Audience

Windows system administrators and security teams managing Active Directory environments who need to detect lateral movement and credential theft attacks.

Value Proposition

Developers choose DCEPT because it offers a free, open-source alternative to commercial detection tools, with a simple deployment via Docker and a focus on educating about real-world attack patterns. Its honeytoken approach provides low-risk, high-visibility detection without compromising valid credentials.

Overview

A tool for deploying and detecting use of Active Directory honeytokens

Use Cases

Best For

Detecting Active Directory credential theft and privilege escalation attempts
Creating forensic timelines for intrusion investigations in Windows networks
Deploying honeytokens across endpoints to monitor for lateral movement
Educating security teams about real-world credential theft attacks
Monitoring domain controller networks for suspicious authentication events
Building a free, self-hosted intrusion detection system for Active Directory

Not Ideal For

Organizations not using Microsoft Active Directory for authentication
Teams needing active intrusion prevention with real-time blocking capabilities
Environments without resources to compile and deploy custom C# agents across endpoints

Pros & Cons

Pros

Low-Risk Honeytoken Deployment

Agents cache invalid credentials in endpoint memory, posing no compromise risk while creating forensic trails, as specified in the README.

Forensic Timeline Creation

Tokens are uniquely tied to workstations and time windows, aiding investigation scope narrowing, which is highlighted in the overview.

Simple Server Deployment

Docker container builds for server components make deployment straightforward, with scripts provided for building and running.

Educational Security Tool

Designed to educate administrators about credential theft attacks, offering a free, open-source alternative to commercial tools.

Cons

Manual Agent Compilation

The agent is provided as C# source code only, requiring administrators to audit and compile it before deployment, adding setup complexity.

Limited Alerting Options

Currently only supports notifications via rsyslog, lacking built-in integrations with other alerting systems or SIEMs beyond syslog.

Passive Detection Only

Only monitors for logon attempts without active response capabilities, meaning it detects intrusions but doesn't prevent them.

Frequently Asked Questions

Related Projects

T-Pot

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝

Stars9,208

Forks1,363

Last commit2 months ago

Endlessh

SSH tarpit that slowly sends an endless banner

Stars8,455

Forks303

Last commit1 year ago

Androguard

Reverse engineering and pentesting for Android applications

Stars6,066

Forks1,139

Last commit4 months ago

OpenCanary

Modular and decentralised honeypot

Stars2,863

Forks397

Last commit1 day ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub