For Microsoft's Active Directory, DCEPT (Domain Controller Enticing Password Tripwire) is a tripwire mechanism based on honeytokens. By employing credentials that, if used, signal prospective intruders trying privilege escalation to domain administrator, it acts as a defence mechanism.A server component, agents, and a monitor are all included in the system to look for such behaviours.

DCEPT, which stands for Domain Controller Enticing Password Tripwire, is a security system that utilizes honeytoken-based tripwires within Microsoft's Active Directory environment. It serves as a defense mechanism by deploying credentials that, if used, would indicate potential intruders attempting to escalate their privileges to domain administrator level. The DCEPT system comprises agents, a server component, and a monitoring component that collectively work to detect and alert on such suspicious activities, providing valuable insights into potential security threats within the Active Directory domain.

Docker     Container:

  • A      Docker container is provided for server components.
  • Docker      must be installed on the system (Docker      Installation Instructions).
  • Build      and run the Docker image using provided scripts.

Agent     (C#):

  • Agent      is provided as C# source code.
  • Requires      compilation by the network administrator before deployment.
  • Configuration      (URL and PARAM) must be altered before compilation.

How to Use

Building and Running Docker Image:


Building the Agent (C#)

·        Edit URL and PARAM constants in the C# source code.

·        Compilation on Windows can be done using Visual Studio Express.

·        Compilation on Ubuntu using mono: mcsht-agent.cs -r:System.Data.dll -r:System.Web.Extensions.dll-r:System.Web.Services


·        Use Docker container with tcp replay installed.

·        Execute commands inside the container for testing.

Additional Information

Configuration File:

·        Modify "dcept.cfg" before running the Docker container.

·        Only notifications via rsys log are supported.

Multi-server Architecture:

·        DCEPT can run in standalone or multi-server configuration.

·        Master node generates credentials and sniffs authentication requests.

·        Multiple DCs' traffic can be monitored by a single DCEPT instance.

Deployment Warning:

·        Deploying in a way that leaves valid domain administrator credentials cached on endpoints is highly discouraged.

Cosmetic Configurations:

·        Names suggesting the use of DCEPT are discouraged for security reasons.

Table of Contents: