Creating and configuring a Honeypot account in Active Directory

n00🔑
5 min read · Sep 10, 2022

Hi readers, here we will be looking at how to detect password spraying attempts by adversaries. Specifically, we will create an account on a domain that nobody uses (a honeypot account). For attackers, however, any account that exists on the domain is useful. So let's jump in…

Prerequisites:

  1. Vagrant box for Windows Server (I am using this box for this example: https://app.vagrantup.com/StefanScherer/boxes/windows_2022). If you want to create your own Vagrant box, please refer to this blog (https://medium.com/@pswalia2u/automate-active-directory-installation-packer-provisioning-vagrant-e5b059d8fda), where I discuss creating a Vagrant box using HashiCorp's Packer.
  2. Finding the Event IDs we need to monitor: Our goal here is to detect password spraying attempts, so we need to look for failed login attempts for our honey user (Adam). Any one of the following commands attempts a logon as Adam:

Start-Process -FilePath C:\Windows\System32\cmd.exe -Credential (Get-Credential)

OR

Start-Process -FilePath C:\Windows\System32\cmd.exe -Credential ($cred=New-Object System.Management.Automation.PSCredential ("auror.local\Adam", ($pass=ConvertTo-SecureString 'Random_junk' -AsPlainText -Force)))

OR

runas /user:Adam@auror.local C:\Windows\System32\cmd.exe

Checking Local Event Viewer:
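
The same check can be scripted instead of clicking through Event Viewer. This is an added example, not code from the original post: it uses the standard Windows failed-authentication event IDs 4625, 4771 and 4776, and assumes an elevated PowerShell session on the domain controller, logon-failure auditing enabled, and a 24-hour look-back window.

```powershell
# Added example: failed authentication events for the honeypot account.
# Assumptions: elevated session on the domain controller, failure auditing enabled.
$HoneyUser = 'Adam'                      # honeypot account used in this post
$Since     = (Get-Date).AddHours(-24)    # look-back window (assumed value)

# 4625 = failed logon, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation (logged for successes too)
$filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Since }

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten the <EventData> name/value pairs into a hashtable
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Keep only events for the honeypot account (sAMAccountName or UPN form)
        $user = $data['TargetUserName']
        if ($user -ne $HoneyUser -and $user -notlike "${HoneyUser}@*") { return }

        # 4776 with Status 0x0 is a successful validation, not a failure
        if ($evt.Id -eq 4776 -and $data['Status'] -eq '0x0') { return }

        # The source field name differs per event ID; take the first one populated
        $source = $data['IpAddress'], $data['WorkstationName'], $data['Workstation'] |
            Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            EventId     = $evt.Id
            Account     = $user
            Source      = $source
            Status      = $data['Status']
        }
    }

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
    Write-Warning "$(@($hits).Count) failed authentication event(s) for honeypot account '$HoneyUser'"
} else {
    Write-Output "No failed authentication events for '$HoneyUser' since $Since"
}
```

Because nobody legitimately uses the honeypot account, every row returned is worth investigating, and the Source column shows where the attempt came from.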
