Honeytokens are fake entries planted in computer assets that belong to a protected network, and their usage is monitored. Legitimate users use only legitimate entries within the computer network and are not expected to use honeytokens, whereas malicious entities may attempt to use a honeytoken to perform malicious activity. Therefore, when use of a honeytoken is detected, the computer from which the honeytoken was used is assumed to be compromised.
An example of a honeytoken is a fake account (e.g., of a human user, or of a computing client) planted on an administrative server, such as a Domain Controller (DC). Malicious entities may be detected when they attempt to use the fake account, for example, in an attempt to access restricted data.
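The monitoring described above can be sketched as a scan of authentication events for any use of a planted account, reporting the computer each use came from. This is an added example, not code from the original text; the account names, the JSON field names and the sample events are constructed assumptions.

```python
import json

# Assumption: names of the planted fake accounts (hypothetical values).
HONEYTOKEN_ACCOUNTS = {"svc-backup-adm", "j.archer"}

# Constructed sample authentication events, one JSON object per line. The field
# names are assumptions for this example; the event IDs are illustrative.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:12:03Z", "event_id": 4624, "account": "CORP\\alice", "source_host": "WS-014"}
{"ts": "2024-05-01T09:40:17Z", "event_id": 4625, "account": "CORP\\SVC-Backup-Adm", "source_host": "WS-031"}
{"ts": "2024-05-01T09:40:52Z", "event_id": 4768, "account": "j.archer@corp.example", "source_host": "WS-031"}
{"ts": "2024-05-01T10:02:44Z", "event_id": 4624, "account": "bob", "source_host": "WS-007"}
{"ts": "2024-05-01T10:15:09Z", "event_id": 4624, "account": "svc-backup-adm", "source_host": "SRV-FILE02"}
{"ts": "2024-05-01T10:15:10Z", "event_id": truncated record
"""


def normalize(account):
    """Reduce DOMAIN\\user or user@domain to a lowercase bare user name."""
    name = account.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].strip().lower()


def find_compromised_hosts(lines):
    """Map each source host to the honeytoken uses (ts, event_id) seen from it."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if not isinstance(ev, dict):
            continue  # valid JSON but not an event record
        if normalize(str(ev.get("account", ""))) not in HONEYTOKEN_ACCOUNTS:
            continue  # legitimate entry, nothing to report
        # Failed attempts count too: any use of the fake account is the signal.
        host = ev.get("source_host") or "unknown"
        hits.setdefault(host, []).append((ev.get("ts"), ev.get("event_id")))
    return hits


if __name__ == "__main__":
    for host, uses in find_compromised_hosts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host} assumed compromised: {uses}")
```

Matching on the normalized name catches the same fake account whether it is presented as DOMAIN\user, user@domain or a bare name, and whether the attempt succeeded or failed.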