Cyber Deception¶

AC-Hunter's Cyber Deception feature lets you plant deception tokens (fake files and user accounts) across your environment. When an attacker (or insider) touches one of those assets, AC-Hunter records the event and surfaces it in the threat list for investigation.

This page covers the end-to-end setup: creating tokens in AC-Hunter, installing the Tripwire Windows agent, and configuring it on both Domain Controllers and non-DC Windows hosts.

How it works¶

You create a deception token in AC-Hunter Settings. AC-Hunter returns a unique UUID for that token.
You install the Tripwire Windows agent on the target host.
You edit Tripwire's JSON config file to point it at AC-Hunter and list which files or accounts to watch.
You start the Tripwire service.
Tripwire subscribes to the Windows Security event log. When a monitored file is accessed or a monitored account logs on, Tripwire fires a request to the AC-Hunter server with structured event context.
AC-Hunter stores the event and displays it in the threat list at a critical score.

What each installation type can monitor¶

Capability	Domain Controller	Non-DC Windows host
Monitored file access	Yes	Yes
Local account logon	Yes	Yes
Domain account logon (all domain users)	Yes	No
Kerberos TGT / TGS requests	Yes	No
NTLM validation	Yes	No

Why the DC? Domain Controllers authenticate every domain logon. Placing a deception account in Active Directory and monitoring it on a DC means any machine in the domain that attempts to use that account will trigger an alert. On a member server, only logons that physically reach that machine are captured.

Step 1: Create a deception token in AC-Hunter¶

Performed on the AC-Hunter server by an Editor or Administrator.

Log in to the AC-Hunter web interface.
Open Settings → Deception.
Click Create Token.
Fill in:
Name: a descriptive label (e.g., DC01 – HR share canary).
Description: optional notes for the analyst.
Database: the sensor dataset this token should appear under in the threat list.
Click the save icon at the end of the row. Click the copy icon to copy the token's UUID; you will add it to the Tripwire config file in the next steps.

Tokens can be viewed and deleted from the same Settings page at any time.

Step 2: Prepare the Windows host¶

Supported platforms¶

Windows Server 2016, 2019, 2022 (recommended for DCs)
Windows 10 / 11 and Windows Server 2012 R2 (member servers and workstations)
The host must be able to reach the AC-Hunter server over HTTPS (port 443 by default).

Required information before you start¶

Item	Example
AC-Hunter server URL (must be HTTPS)	`https://ac-hunter.yourcompany.com`
TLS certificate fingerprint (if using a self-signed cert)	`B9:76:75:E4:...` (see Step 4a)
Token UUID(s)	`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
Honeypot file path(s) (if monitoring files)	`C:\Shares\HR\salary_2025.xlsx`
Honeypot account name(s) (if monitoring accounts)	`svc_legacy_backup`

No AC-Hunter service account credentials are needed; Tripwire uses the token UUID as its credential.

Step 3: Install the Tripwire agent¶

Copy the Tripwire installer (Tripwire.msi) to the target Windows host.
Open an Administrator command prompt or PowerShell window.

Run the installer:

# Silent install
msiexec /i Tripwire.msi /qn

# Or interactive (GUI)
msiexec /i Tripwire.msi

The installer places the service executable at C:\Program Files\Tripwire\Tripwire.exe and creates a template config at C:\ProgramData\Tripwire\config.json.

Important: The service is registered but does not start automatically. You must edit the config file first (Step 4), then start the service (Step 6).

Step 4: Configure Tripwire¶

Edit C:\ProgramData\Tripwire\config.json. The file supports JSON with comments (JSONC).

Minimal example: file token¶

{
  // AC-Hunter server address (no trailing slash)
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "heartbeat_interval_seconds": 60,
  "tokens": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", // paste the UUID of the token you created earlier here
      "type": "file",
      "path": "C:\\Shares\\HR\\salary_2025.xlsx"
    }
  ]
}

Minimal example: account token (Domain Controller)¶

{
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "heartbeat_interval_seconds": 60,
  "tokens": [
    {
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", // paste the UUID of the token you created earlier here
      "type": "account",
      "username": "svc_legacy_backup",
      "domain": "CORP"
    }
  ]
}

Multiple tokens in one config¶

You can monitor multiple files and accounts from a single Tripwire installation:

{
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "heartbeat_interval_seconds": 60,
  "tokens": [
    {
      "uuid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "type": "file",
      "path": "C:\\Windows\\SYSVOL\\sysvol\\corp.local\\scripts\\readme.txt"
    },
    {
      "uuid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
      "type": "account",
      "username": "svc_legacy_backup",
      "domain": "CORP"
    }
  ]
}

All configuration options¶

Field	Required	Default	Description
`ac_hunter_url`	Yes	—	Full HTTPS URL of the AC-Hunter server. No trailing slash. HTTP is not supported.
`heartbeat_interval_seconds`	No	`60`	How often (in seconds) the agent sends a liveness signal per token.
`tokens`	Yes	—	Array of token objects (at least one required).
`tls.cert_fingerprints`	No	`[]`	Array of SHA-256 certificate fingerprints to pin. See Step 4a.
`tls.skip_verify`	No	`false`	Set `true` to disable TLS certificate verification (not recommended).
`exclude_file_processes`	No	`[]`	Array of process names to ignore for file access events (e.g., `["SearchIndexer.exe", "antivirus.exe"]`). Events from these processes will not trigger alerts.
`proxy`	No	`""`	HTTP proxy URL, e.g. `http://proxy.corp.local:8080`.

Token fields:

Field	Required	Description
`uuid`	Yes	Token UUID from AC-Hunter Settings.
`type`	Yes	`"file"` or `"account"`.
`path`	For file tokens	Full Windows path to the honeypot file. The file must exist when the service starts.
`username`	For account tokens	Honeypot account name (SAM name, not `DOMAIN\user`).
`domain`	For account tokens	Domain name (display purposes; does not affect event filtering).

Step 4a: Configure the TLS connection¶

AC-Hunter requires HTTPS — the ac_hunter_url must start with https://. You have three options for trusting the server's TLS certificate:

Option 1: CA-trusted certificate (recommended)¶

If your AC-Hunter server uses a certificate issued by a Certificate Authority that is already trusted on the Windows host (e.g., your organization's internal CA), no extra TLS configuration is needed. Tripwire will validate the certificate automatically.

Option 2: Pin the certificate fingerprint¶

If your AC-Hunter server uses a self-signed or custom certificate, you can pin its SHA-256 fingerprint. On the AC-Hunter server, run:

openssl x509 -in /etc/AC-Hunter/tls/server/huntcert.crt -noout -fingerprint -sha256

This outputs something like:

sha256 Fingerprint=B9:76:75:E4:9A:53:F6:BA:37:AA:D5:D1:38:11:65:DD:1F:5D:9F:9C:DE:52:3C:38:28:B5:4D:B0:96:34:17:AB

Copy only the fingerprint portion (everything after the =) and add it to your Tripwire config:

{
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "tls": {
    "cert_fingerprints": [
      "B9:76:75:E4:9A:53:F6:BA:37:AA:D5:D1:38:11:65:DD:1F:5D:9F:9C:DE:52:3C:38:28:B5:4D:B0:96:34:17:AB"
    ]
  },
  "tokens": [ ... ]
}

Tip: The fingerprint field is flexible — colon-separated, plain hex, and dash-separated formats are all accepted and case-insensitive.

Option 3: Skip TLS verification (least recommended)¶

For quick testing only, you can disable certificate verification entirely:

{
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "tls": {
    "skip_verify": true
  },
  "tokens": [ ... ]
}

Warning: Skipping verification means Tripwire will not validate the server's identity. Use this only for initial testing, not in production.

Step 5: Enable Windows audit policies¶

Tripwire reads the Windows Security event log. The relevant audit subcategories must be enabled before events are generated.

On a Domain Controller (via Group Policy, recommended)¶

Edit the Default Domain Controllers Policy (or a dedicated GPO linked to the Domain Controllers OU):

Open Group Policy Management (gpmc.msc).
Right-click the GPO and choose Edit.
Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
Enable these subcategories:

Subcategory	Setting	Events generated
Account Logon → Audit Kerberos Authentication Service	Success, Failure	4768 (TGT request), 4771 (pre-auth failure)
Account Logon → Audit Kerberos Service Ticket Operations	Success, Failure	4769 (service ticket request)
Account Logon → Audit Credential Validation	Success, Failure	4776 (NTLM validation)
Logon/Logoff → Audit Logon	Success, Failure	4624 (logon success), 4625 (logon failure)
Logon/Logoff → Audit Special Logon	Success	4648 (explicit credential use)
Object Access → Audit File System	Success, Failure	4663 (file access)
Object Access → Audit Handle Manipulation	Success, Failure	4656 (handle request)

Run gpupdate /force on the DC to apply immediately.

Alternatively, configure via auditpol in an elevated PowerShell window on each DC:

auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

On a non-DC Windows host¶

For file-only deployments on member servers or workstations, only file system auditing is required:

auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

Or via Local Security Policy (secpol.msc) → Security Settings → Advanced Audit Policy Configuration → Object Access.

Tripwire automatically sets the correct SACL (System ACL) on each monitored file so that Windows generates the appropriate events. No manual ACL configuration is needed on the files themselves. SACLs are re-verified and re-applied on every heartbeat cycle.

Step 6: Start the Tripwire service¶

Once the config file is saved, start the service from an elevated PowerShell prompt:

Start-Service Tripwire

Verify it is running:

Get-Service Tripwire

Check the log for startup messages and errors:

type C:\ProgramData\Tripwire\debug.log

A healthy startup log looks something like:

Tripwire service starting
Loading config from C:\ProgramData\Tripwire\config.json
Config loaded: 1 token(s), heartbeat every 60s, server https://your-server.com
Endpoint identity: HOSTNAME (10.0.0.1)
SACL added for C:\honeypot\secrets.xlsx
Watching file token abc-123: *[System[(EventID=4656 or EventID=4663)]] and ...
Tripwire agent ready - monitoring 1 token(s)

To stop the service:

Stop-Service Tripwire

DC vs. non-DC deployment guide¶

Domain Controller installation¶

A DC installation is the most powerful placement because it sits at the authentication chokepoint for the entire domain.

What you get:

Alerts on any domain logon attempt for a monitored account, regardless of which workstation the logon originates from.
Kerberos TGT and service ticket events (4768, 4769, 4771), which catches pass-the-hash and Kerberoasting tools.
NTLM validation events (4776).
File access events for files stored locally on the DC (e.g., SYSVOL, NETLOGON, or placed honey files).

DC-specific considerations:

DCs are high-traffic machines. Use unique, non-obvious account names for deception accounts to avoid noise from legitimate service account activity.
The Tripwire service runs as Local System and requires no domain account of its own.
Group Policy audit changes (Step 5) apply to all DCs in the domain. Coordinate with your AD team before deploying.
For honey files on member servers, deploy a separate Tripwire instance on those servers.

Recommended DC config:

{
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "tokens": [
    {
      // Disabled AD account planted in a "sensitive" group
      "uuid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
      "type": "account",
      "username": "svc_legacy_backup",
      "domain": "CORP"
    },
    {
      // Honey file in NETLOGON share
      "uuid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
      "type": "file",
      "path": "C:\\Windows\\SYSVOL\\sysvol\\corp.local\\scripts\\readme.txt"
    }
  ]
}

Non-DC Windows host installation¶

Appropriate for monitoring local resources on file servers, jump hosts, build systems, or executive workstations.

What you get:

Alerts when monitored files on that host are accessed by any process or user.
Alerts for logons that physically reach that machine (local accounts and any domain logons landing on it).

Non-DC considerations:

File monitoring is the primary use case.
Account monitoring has limited domain-wide visibility; only logons that reach this specific host are captured.
Ideal placement: file servers with sensitive shares, administrative workstations, dev/build servers.

Recommended non-DC config:

{
  "ac_hunter_url": "https://ac-hunter.yourcompany.com",
  "tokens": [
    {
      "uuid": "cccccccc-cccc-cccc-cccc-cccccccccccc",
      "type": "file",
      "path": "C:\\Shares\\Finance\\Q4_forecast.xlsx"
    }
  ]
}

Step 7: Verify end-to-end¶

In AC-Hunter Settings → Cyber Deception, confirm the token shows a recent heartbeat timestamp (updated every heartbeat_interval_seconds, default 60 seconds).
Test a file trigger: Open the honey file from another machine on the network or as a non-owner user on the host.
Test an account trigger: Attempt to authenticate using the deception account from any domain workstation:
Within a minute the event should appear in the AC-Hunter Dashboard threat list. Deception events are scored as critical and labeled with beacon type deception.

Alerts and investigation¶

Where deception events appear¶

Deception events appear in the Dashboard threat list alongside network-based detections, identified by:

Beacon type: deception
Score: critical
Token name: the label assigned at token creation

Clicking an event opens the detail panel with the full event context captured by Tripwire: triggering username, source IP, process name, domain, logon type, and the monitored file path or account name.

Dismissing a token¶

When you have investigated an alert and determined it is resolved or expected:

In the threat list, open the token.
Click Dismiss.

The token is hidden from the threat list. If the token triggers again after the dismissal date, it automatically resurfaces, so future activity is never silently lost.

To see the dismissed token, use the filter toggle on the Dashboard:

Click the Filter button in the filter bar
Check the View Dismissed Tokens checkbox
The table now displays only all the dismissed tokens

To undo a dismissal, click the Actions menu (kebab icon) on the row and select Undismiss.

Filtering noisy processes¶

Backup agents, antivirus scanners, or indexing services may repeatedly access monitored files. You have two options for suppressing these:

Option 1: Filter at the agent (recommended for known processes)

Add the process names to exclude_file_processes in config.json. Events from these processes are dropped at the Tripwire agent and never sent to AC-Hunter:

{
  "exclude_file_processes": ["SearchIndexer.exe", "MsMpEng.exe"]
}

Option 2: Filter in AC-Hunter

Go to Settings → Cyber Deception → Event Filters.
Create a filter for the process ID to ignore.
New events matching the filter are suppressed; existing events are unchanged.

Troubleshooting¶

Log file: C:\ProgramData\Tripwire\debug.log. The file rolls at 10 MB and keeps 5 old files (debug_001.log through debug_005.log).

To monitor the log live:

Get-Content C:\ProgramData\Tripwire\debug.log -Wait

Symptom	What to check
Token shows no heartbeat in AC-Hunter	Confirm the service is running (`Get-Service Tripwire`). Check `debug.log` for connection errors. Verify the host can reach the AC-Hunter URL.
"Config file not found" in log	Confirm `C:\ProgramData\Tripwire\config.json` exists and is valid JSON.
"File token … file not found" at startup	The honeypot file must exist before starting the service. Create the file, then start the service.
File access events not arriving	Confirm Audit File System and Handle Manipulation policies are enabled (`auditpol /get /category:*`). Check `debug.log` for SACL errors.
Account logon events not arriving	Confirm the relevant Account Logon / Logon audit subcategories are enabled on the DC. Verify the account name in `config.json` matches the exact SAM name.
Service stops immediately after start	Check `debug.log`; the service exits fast if config validation fails (missing URL, invalid token, missing file path).
TLS/certificate errors in log	See Step 4a. Pin the server's certificate fingerprint in `tls.cert_fingerprints`, or set `tls.skip_verify: true` for testing.

Common error messages in `debug.log`¶

ac_hunter_url is not a valid URL

The ac_hunter_url value in your config is malformed. The two most common causes:

Missing the scheme. AC-Hunter enforces HTTPS — the URL must start with https://. A bare hostname like ac-hunter.yourcompany.com will not work.
Extra path or trailing characters. The value should be the server origin only (e.g., https://ac-hunter.yourcompany.com), with no trailing slash or path such as /api/v1.

Config must define at least one token

The tokens array in your config is either missing or empty. Go back to Step 4 and add at least one file or account token.

The SSL connection could not be established

Tripwire could not establish a trusted TLS connection to the AC-Hunter server. This typically means the server's certificate is self-signed or issued by a CA that the Windows host does not trust. Revisit Step 4a to either pin the certificate fingerprint or configure your trust settings.

Invalid cert fingerprint

A value in tls.cert_fingerprints is not a valid SHA-256 fingerprint. Make sure you copied only the fingerprint portion of the openssl output — everything after the = sign. The fingerprint should be 64 hex characters (with or without : separators). Do not include the sha256 Fingerprint= prefix.

Updating and uninstalling¶

Update¶

Run the new Tripwire.msi as Administrator over the existing installation:

msiexec /i Tripwire.msi /qn

The installer stops the service, replaces the binary, and restarts the service. The config file at C:\ProgramData\Tripwire\config.json is never overwritten; your token configuration and settings are preserved.

Uninstall¶

msiexec /x Tripwire.msi /qn

This removes the service and the binary. The config and log files in C:\ProgramData\Tripwire\ are preserved. To fully clean up:

Remove-Item -Recurse -Force "C:\Program Files\Tripwire"
Remove-Item -Recurse -Force "C:\ProgramData\Tripwire"

Quick reference¶

Task	Command / location
Create token	AC-Hunter Settings → Cyber Deception → New Token
Install agent	`msiexec /i Tripwire.msi /qn` (as Administrator)
Edit config	`C:\ProgramData\Tripwire\config.json`
Start service	`Start-Service Tripwire`
Check service status	`Get-Service Tripwire`
Enable file audit policy	`auditpol /set /subcategory:"File System" /success:enable /failure:enable`
Enable account audit policy	`auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable` (plus others; see Step 5)
View agent logs	`C:\ProgramData\Tripwire\debug.log`
Dismiss alert	AC-Hunter threat list → Token Entry → Dismiss