Techniques related to detecting compromised unmanaged client end stations using synchronized tokens placed on enterprise-managed client end stations are described. A token distribution module causes token(s) to be placed with user data of a managed client end station in specific locations. The placement locations are selected due to the token(s) likely being synchronized, the token(s) being unlikely to be discovered or used by an authorized user, but likely discovered by an attacker. During a synchronization process, the token(s) are sent to an unmanaged client end station. The token(s) can be detected and/or acquired from the unmanaged client end station by an attacker, and thereafter used in an attempt to access an apparent enterprise resource. A token detection module can detect this use of the token(s) to thereby detect the compromise of the unmanaged client end station, without needing direct access to the unmanaged client end station.
展开▼