Creating and configuring a Honeypot account in Active Directory

Prerequisites:

  1. Vagrant box for Windows Server (I am using this box for this example: https://app.vagrantup.com/StefanScherer/boxes/windows_2022). If you want to create your own Vagrant box, please refer to this blog: https://medium.com/@pswalia2u/automate-active-directory-installation-packer-provisioning-vagrant-e5b059d8fda. I have discussed creating a Vagrant box using HashiCorp's Packer there.
  2. Finding the Event IDs we need to monitor: our goal here is to detect password spraying attempts, so we need to look for failed logon attempts against our honey user (Adam): Kerberos pre-authentication failures (Event ID 4771) and failed logons (Event ID 4625).
Any of the following generates a failed logon for Adam (supply a wrong password when prompted; 'Random_junk' is deliberately not the real one):

Start-Process -FilePath C:\Windows\System32\cmd.exe -Credential (Get-Credential)

OR

Start-Process -FilePath C:\Windows\System32\cmd.exe -Credential ($cred=New-Object System.Management.Automation.PSCredential ("auror.local\Adam", ($pass=ConvertTo-SecureString 'Random_junk' -AsPlainText -Force)))

OR

runas /user:Adam@auror.local C:\Windows\System32\cmd.exe

Push the updated policy to the domain controller:
Invoke-Command -Computer Machine-A-Dc -ScriptBlock {gpupdate /force}

Configuration

  1. Scheduling a task in Task Scheduler. Trigger: on an event, with this custom XML filter (4771 or 4625 where TargetUserName is Adam):
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
(*[System[EventID='4771']] or *[System[EventID='4625']]) and
*[EventData[Data [@Name='TargetUserName']='Adam']]
</Select>
</Query>
</QueryList>
Action (start a program):
Program: C:\Windows\System32\curl.exe
Arguments: http://canarytokens.com/terms/c3ysvo9uz3arju4c5kkw3h55z/post.jsp

Testing:

runas /user:Adam@auror.local C:\Windows\System32\cmd.exe

Slack Integration:

a) Create a private channel.

b) Add an Incoming Webhook for the channel and post the alert to it with curl (this is the second action of the scheduled task):

curl -X POST --data-urlencode "payload={\"channel\": \"#monitoring\", \"username\": \"Honeypot\", \"text\": \"Someone tried logging in to Adam user account!!.\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/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
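The curl action above posts a fixed message. As an added example (not from the original post or the Honey_User repo), the following PowerShell script runs the same XPath filter against the Security log with Get-WinEvent and posts one enriched alert per hit, including the event ID, time and source address that 4771/4625 carry in EventData. It assumes the honey account is Adam and that the placeholder webhook URL is replaced with your own.

```powershell
# Added example: enriched honeypot alert. Assumes honey user 'Adam' and a
# placeholder Slack webhook URL that must be replaced with your own.
param(
    [string]$HoneyUser       = 'Adam',
    [string]$WebhookUrl      = 'https://hooks.slack.com/services/REPLACE/WITH/YOURS',  # placeholder
    [int]   $LookbackMinutes = 5
)

# Same filter the scheduled task uses as its trigger:
# Kerberos pre-auth failure (4771) or failed logon (4625) for the honey account.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      (*[System[EventID='4771']] or *[System[EventID='4625']]) and
      *[EventData[Data[@Name='TargetUserName']='$HoneyUser']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent throws when nothing matches, so suppress that and treat it as "no hits".
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue |
          Where-Object { $_.TimeCreated -ge $since }

foreach ($evt in $events) {
    # Pull the named EventData fields out of the event's XML rendering.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4771 reports the client address in IpAddress; 4625 adds WorkstationName.
    $source = if ($data['IpAddress']) { $data['IpAddress'] } else { 'unknown' }
    $text   = "Honeypot hit: Event $($evt.Id) for $HoneyUser at " +
              "$($evt.TimeCreated.ToString('u')) from $source"
    if ($data['WorkstationName']) { $text += " (workstation $($data['WorkstationName']))" }

    # Same channel/username/icon as the curl command above, but with the event details.
    $payload = @{ channel = '#monitoring'; username = 'Honeypot'; text = $text; icon_emoji = ':ghost:' }
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' `
                      -Body ($payload | ConvertTo-Json)
}
```

Running it as the scheduled task's action instead of curl.exe gives the on-call channel the source address to pivot on, not just the fact that the honey account was touched.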

Automation:

Prerequisites:

Export the task created above to XML (saved as task.xml for the Vagrant provisioner below):

Export-ScheduledTask -TaskName "Monitor_Honey_User" -TaskPath "\"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2022-09-10T15:11:30.7921099</Date>
<Author>auror\Administrator</Author>
<Description>Honey Account(Adam) Monitoring. Sending emails on failed logon events.</Description>
<URI>\Monitor_Honey_User</URI>
</RegistrationInfo>
<Principals>
<Principal id="Author">
<UserId>S-1-5-21-2928777613-1704353729-2693998158-500</UserId>
<LogonType>Password</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
</Settings>
<Triggers>
<EventTrigger>
<Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;
(*[System[EventID='4771']] or *[System[EventID='4625']]) and
*[EventData[Data [@Name='TargetUserName']='Adam']]
&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
</EventTrigger>
</Triggers>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\System32\curl.exe</Command>
<Arguments>-X POST --data-urlencode "payload={\"channel\": \"#monitoring\", \"username\": \"Honeypot\", \"text\": \"Someone tried logging in to Adam user account!!.\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/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</Arguments>
</Exec>
<Exec>
<Command>C:\Windows\System32\curl.exe</Command>
<Arguments>http://canarytokens.com/terms/c3ysvo9uz3arju4c5kkw3h55z/post.jsp</Arguments>
</Exec>
</Actions>
</Task>
Vagrantfile provisioner that registers the task on the DC:

# Creating a scheduled task
dc.vm.provision "shell", inline: "Write-Host -ForegroundColor Green Creating scheduled task. ; Register-ScheduledTask -TaskName Monitor_Honey_User -Xml (Get-Content 'C:\\vagrant\\provisioning_scripts\\task.xml' | Out-String) -Force -User \"Administrator\" -Password \"Testertest@123\""

OR

dc.vm.provision "shell", inline: "Register-ScheduledTask -TaskName Monitor_Honey_User -Xml (curl.exe <XML_File_url> --silent | Out-String) -Force -User \"Administrator\" -Password \"Testertest@123\""

  1. Clone the repo and bring the environment up:
git clone https://github.com/pswalia2u/Honey_User.git
cd vagrant_project
vagrant up --provider virtualbox

n00🔑
Tries to understand computers. I know little bit of most things. Definitely not an expert. Usually plays HTB (ID-23862). https://www.linkedin.com/in/pswalia2u/