Detect Honeypots and Lures: Empower Red Teams

[email protected] | +1-888-867-5179 | 201 W. 5th Street, Austin, TX
Posted on 09-Jun-2018


Introducing Honeypot Buster—a tool to detect Honeypots, Honey Tokens, and Breadcrumbs.

WHAT IS THE PURPOSE OF HONEYPOTS AND HONEY TOKENS?

The main idea behind Honeypots and Honey Tokens is to lure attackers to use them, letting them think they’re on the right path to achieve privileged credentials or spread through the domain environment. Attackers can study these Honey Tokens/lures and easily avoid them.

Using simple validations that take only a few minutes, an attacker can identify which objects are fake and avoid the trap. These validations, and the resulting avoidance of Honey Tokens, can be done without triggering any alarm and without authentication or lateral movement.

DETECTS:

1. Kerberoasting Service Accounts Honey Tokens
2. Fake Computer Accounts Honey Pots
3. Fake Domain Admins Accounts Honey Tokens
4. Fake Memory Credentials Honey Tokens
5. Fake Credentials Manager Credentials Breadcrumbs
6. Fake Mapped Drives Breadcrumbs
7. DNS Records Manipulation Honey Pots

TECHNICAL FEATURES:

PowerShell only, supports version 2+
Windows 7 and above
Active Directory environment
Remote capabilities using WinRM

Distributed Deception—marketing buzzword or legitimate technique?

THE TRUTH BEHIND “DISTRIBUTED DECEPTION”

One of the rising trends in Red Team vs. Blue Team is the use of the marketing term “Distributed Deception”—offerings which are actually Honey Tokens, Honey Bread Crumbs, and Honey Pots used to detect attackers who have already breached the network and are developing a plan to compromise it or achieve their objective.

However, after reviewing some of the solutions offered by the cybersecurity community, we came to the conclusion that attackers with minimal knowledge can detect some of them or at least try to avoid “Honey-*” that might seem suspicious and/or fake.

HOW DO ATTACKERS AVOID DECEPTIONS?

We will briefly highlight two methods used today:

1. Fake Sessions and Injected Memory Credentials Tokens

Creating a fake logon session with LOGON_NETCREDENTIALS_ONLY is a method many solutions use to spread their fake tokens. Attackers can easily detect it by reviewing these two flags:

2. Mapped Drives and Credentials Manager Breadcrumbs

Another method, used by other deception solutions, is to spread their tokens via the Credentials Manager. Detection here may be trickier, but it is still possible: by correlating additional data collected from Active Directory about the fake user token and the target server, attackers can conclude that the credentials are probably fake.


During the research, we found that there are six common types of Active Directory related Honey Tokens a Red Teamer might encounter:

Kerberoasting Service Accounts Honey Tokens

This lures attackers who scan for domain users with an assigned SPN (Service Principal Name) and the {adminCount = 1} LDAP attribute flag. When an attacker requests a TGS for that user, the request is exposed as a Kerberoasting attempt. TGS definition: a ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

Fake Computer Accounts Honey Pots

Creating many domain computer objects with no actual devices associated with them confuses any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects exposes the attacker.

Fake Credentials Manager Credentials Breadcrumbs

Many deception vendors inject fake credentials into the “Credentials Manager”. These credentials are also revealed by tools such as Mimikatz. Although they aren’t real, attackers might mistake them for authentic credentials and use them.

Fake Domain Admins Accounts Honey Tokens

Creating several domain admin accounts, with credentials, that have never been active is bad policy. As Honey Tokens, they lure attackers into brute-forcing domain admin credentials. Once someone tries to authenticate as this user, an alarm is triggered and the attacker is revealed. Microsoft ATA uses this method.
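The two Honey Tokens above (the Kerberoasting service account and the never-used Domain Admin) expose an attacker through the domain controller's own security events. The tripwire below is an added example, not part of this paper or of Honeypot Buster: it runs over constructed Windows Security event records (4769 service-ticket requests, 4768/4771/4625 authentication attempts) and raises an alert whenever one touches a decoy account. The decoy account names and the event samples are assumptions for illustration.

```python
"""Honey-token tripwire over Windows Security events (constructed sample data)."""
from dataclasses import dataclass
from typing import Optional, List

# Constructed decoy inventory: a defender keeps a list of the accounts that
# exist only as lures. Matching is case-insensitive (Windows logs vary in case).
HONEY_SPN_ACCOUNTS = {"svc-backup-sql"}   # Kerberoasting decoy: SPN set, adminCount=1
HONEY_ADMIN_ACCOUNTS = {"da-legacy"}      # never-used "Domain Admin" decoy

@dataclass
class Alert:
    event_id: int
    decoy: str
    source_ip: str
    reason: str

def inspect_event(event: dict) -> Optional[Alert]:
    """Return an Alert when a security event touches a decoy account.

    4769 = Kerberos service ticket (TGS) requested. A TGS for a decoy SPN
    account is a hit on its own; RC4 (TicketEncryptionType 0x17) is the
    classic Kerberoasting signature and is called out in the reason.
    4768 / 4771 / 4625 = TGT request, Kerberos pre-auth failure, logon failure:
    any of these against a decoy Domain Admin is a hit, success or failure.
    """
    eid = event["EventID"]
    if eid == 4769:
        svc = event["ServiceName"].lower()
        if svc in HONEY_SPN_ACCOUNTS:
            reason = "TGS request for decoy SPN account"
            if event.get("TicketEncryptionType") == "0x17":
                reason += " with RC4 etype (Kerberoasting)"
            return Alert(eid, svc, event["IpAddress"], reason)
    elif eid in (4768, 4771, 4625):
        target = event["TargetUserName"].lower()
        if target in HONEY_ADMIN_ACCOUNTS:
            return Alert(eid, target, event["IpAddress"],
                         "authentication attempt against decoy Domain Admin")
    return None  # normal event, or a decoy the inventory does not list

def scan(events: List[dict]) -> List[Alert]:
    """Run inspect_event over a batch and keep only the hits."""
    return [a for a in map(inspect_event, events) if a is not None]

# Constructed sample events: one Kerberoast of the decoy SPN, one benign TGS,
# one pre-auth failure against the decoy DA, one ordinary successful logon.
SAMPLE_EVENTS = [
    {"EventID": 4769, "ServiceName": "SVC-BACKUP-SQL", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.25", "TargetUserName": "jdoe"},
    {"EventID": 4769, "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.25", "TargetUserName": "jdoe"},
    {"EventID": 4771, "TargetUserName": "da-legacy", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.31"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the sample batch the scan returns two alerts, both from 10.0.0.25, which is the correlation a responder wants: the same host roasted the decoy SPN and then knocked on the decoy Domain Admin.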

Fake Mapped Drives Breadcrumbs

Many malicious automated scripts and worms spread via SMB shares, especially when these are mapped as network drives. The tool correlates data collected earlier to identify any mapped drive that points to a specific Honey Pot server.

DNS Records Manipulation HoneyPots

One of the methods deception vendors use to deploy fake endpoints is registering DNS records for them that point to the Honey Pot server. An attacker who resolves those names is then directed to the honey pot instead of to actual endpoints.

Honeypot Buster detects all six common types of Active Directory related Honey Tokens that a Red Teamer might encounter.

Written in PowerShell, it supports version 2.0 and above and has remote WinRM capabilities for gathering the 2nd and 4th token types. It leverages LDAP queries to find domain objects and loads a DLL to access the LSASS process for local token gathering. Honeypot Buster supports all Windows OSs; however, some of the features will not work with Windows Credential Guard or the Windows 10 Creators Update.

Invoke-HoneypotBuster

-CsvOutput "export folder path"
Export the results to CSV files.

-ComputerName "hostname"
Remote endpoint to run the FakeCredMan and FakeSession gathering on; accesses LSASS using WinRM.

Import the module and execute the function:

Import-Module .\Invoke-HoneypotBuster.ps1
Invoke-HoneypotBuster

[email protected] | www.javelin-networks.com | 201 W. 5th Street, Austin, TX 78701

Download on Github:

https://github.com/JavelinNetworks/HoneypotBuster