About a week ago Mark Baggett described a way to detect stolen passwords being used in your Windows environment on the SANS ISC diary, something he called "honey hashes." The idea is to inject fake users/passwords into memory and then create alerts that trigger on login attempts using those accounts.
One way to do this would be to set group policy to push login script like this (password.txt contains the password to inject):
runas /user:hq\ScriptAdmin /netonly gpresult < password.txt
I've found this works with actual domains and passwords in my environment, and if you try this I would recommend actually creating a real account with domain admin permissions (that said, if you do this, create a very long, complex password, and then throw it away--never use this account). Even then, this is easy enough to detect--let me tell you how.
When I have access to a machine on a Domain, one the first things I like to do is query active directory and see what I can learn. For example, I'll pull down all domain attributes for all users:
Dsquery * -limit 0 -filter "&(objectClass=User)(objectCategory=Person)" -attr * >> output.txt
This will pretty much get you everything you could want, except for passwords, like group memberships, permissions, usernames, full names, last password change, email/contact info, job titles, direct reports, boss, departments, and much more.
Once I have the full list of attributes, I like to identify target accounts--typically accounts for users that are either likely to have access to sensitive information (e.g. President, CFO, accounting dept), or administrative rights (e.g. Domain Admin, database admin, IT users, information security dept). If fake accounts are used for these "honey hashes," this is the first way weed them out.
After I've identified these target accounts, I query the Security event log for logon/logoff events that match to those accounts. This is easily doable using find in Eventvwr, or you can parse the log with Powershell, using Get-WinEvent. If you can't find an logon or logoff for that account since the machine was last powered on, you're almost certainly dealing with a "honey hash."
This will also help you recognize recurring logons. If I can find an administrative account that logs in regularly, for example a service account that pushes out updates, I can create a scheduled task to perform a minidump of lsass.exe when the relative service starts.
TLDR; Query active directory and Windows event logs validate credentials recovered via memory dumps with Mimikatz.
