StealthDEFEND 2.1 IS HERE!

Stealthbits Technologies provides users with Honeytoken Deployment, Management, and Threat Detection as well as multiple performance and functionality improvements.

Request a Free Trial

Powered by ChronoForms -


Deception Capabilities with Honeytokens

StealthDEFEND 2.1 employs the use of “honeytokens” – a deception technique whereby fake credentials are injected into memory on a system in order to entice and bait an attacker – providing users the ability to deploy, manage, and detect the request or attempted use of a fake Kerberos TGS ticket.

Commonly used and highly successful credential compromise techniques like Pass-the-Hash and Pass-the-Ticket are notoriously difficult to detect amidst the noise of everyday activities within Active Directory. To an observer, they appear to be legitimate authentication events and to Active Directory, they are. However, the use of deception methods like honeypots have proven to be particularly effective in capturing less savvy or careless attackers at a minimum, allowing security practitioners to proactively detect and thwart attempts to compromise their credentials and the resources they provide access to. In StealthDEFEND, users now have the ability to employ a new application of the honeypot concept through the use of centrally managed honeytokens, creating a digital trip wire throughout their infrastructure and providing an early warning alert that allows security teams to respond quickly and with confidence. With reduced time to detection potentially earlier in the kill chain, organizations can dramatically mitigate the risks and impact of successful data breach outcomes.

Replication Delegation

Replication Delegation is a new preconfigured threat model in StealthDEFEND 2.1 designed to detect when a user, group, or computer is granted permissions to replicate a domain.

A common technique employed by cyber attackers is to use the DCSync command in Mimikatz to request password information from a Domain Controller. If successful, attackers can easily assume the control of privileged accounts and employ the use of additional attack tactics, techniques, and procedures such as Golden Tickets, ultimately resulting in full domain compromise. However, in order for this attack to work, the attacker must have specific permissions to perform domain replication.

In version 2.1, StealthDEFEND has been tuned to detect and alert on changes to any account where domain replication is involved. If changes are detected, StealthDEFEND can automatically execute a custom playbook of actions to contain the threat and mitigate further damage.

Application Auditing

StealthDEFEND’s internal auditing capabilities have been expanded and refined to include all activities performed within the product.

StealthDEFEND 2.1 provides a powerful threat detection and response engine, making it a critical element of an organization’s overall data security strategy. However, insider threat and human error continue to be a concern for security teams, driving the need for StealthDEFEND itself to be as secure as the technologies it’s applied to. In this release, internal auditing of StealthDEFEND has expanded to include:

  • Logins
  • Viewing of threats
  • Investigations
  • Configuration updates
  • Enable and Disabled threats
  • All threat settings
  • Allow console login
  • Add/Remove of credential profiles
  • Create/Delete/Modify threat profiles

This additional user activity logging also ensures that StealthDEFEND can satisfy requirements for common criteria, FIPS, and other standards required for the most secure environments.

Active Directory Sync

StealthDEFEND has transitioned from a scheduled Active Directory sync to a real-time sync in version 2.1, ensuring event details always present up-to-date information.

Attackers move quickly to establish a foothold in the environment, but then act cautiously as they collect information. In order to counter these threats, Security teams need the most current information to make decisions about the best way to respond. Getting real-time updates can mean the difference between early detection and late stage remediation and clean up, which is critical as early detection and containment are the best ways to minimize the financial and business impact of a breach.

In version 2.1, StealthDEFEND now receives updates in real time, expediting threat triage, investigations, and response.

SIEM Enhancements

StealthDEFEND’s SIEM integration features have been enhanced to allow users to customize their SIEM templates, including the ability to remove or reorder fields, specify custom delimiters, and even change the format of the data stream. Additional protocol support for TCP and TCP over TLS has also been added.

Most security teams employ SIEM systems as part of their overall security monitoring strategy. As companies continue to refine their security posture, they look for ways to improve the quality and level of detail of events sent to their SIEM. As a result, it’s important that all security systems work together in order to provide the additional context Security teams need to quickly respond to threats.

StealthDEFEND 2.1 has been enhanced to provide users to ability customize the amount and types of data sent to the SIEM platform of their choosing, ensuring the higher quality, higher fidelity threat insight from StealthDEFEND is seamlessly ingested and represented in the place they want it most.

Additional Enhancements

Threat Detection

  • LSA Process Injection – The LSA Process Injection threat model now collects additional details about injection
  • Insecure UAC Change – The Insecure UAC Change threat model provides better details when multiple changes occur
  • DCSync – The DCSync threat model now logs the Operating System type of the suspected machine (Windows Server vs Desktop) and whether or not the attack a “sync” vs “sync /all”
  • Kerberoasting – The Kerberoasting threat model has been enhanced to summarize a list of all affected accounts when an attack includes multiple accounts

User Experience

  • Threat Configuration – The threat configuration page has been redesigned to make it easier to tune threat and response options
  • Integration – The third party integration and AD Sync configuration pages have been simplified
  • Interactive Charts – The StealthDEFEND home page and threats page now include interactive charts which improves the threat discovery experience

StealthDEFEND for Active Directory

Data Sheet

Learn More

StealthDEFEND for File Systems

Data Sheet

Learn More

Attack Site


Learn More

Free Risk Assessment
Free Trial Request
STEALTHbits Demo Request
Browse Resource Library

New Template - Custom CSS