Creating and configuring a Honeypot account in Active Directory

n00🔑
5 min read · Sep 10, 2022

Hi readers, here we will be looking into the detection of password spraying attempts by adversaries. Specifically, we will be creating an account on the domain that nobody uses (a honeypot account). No legitimate user has a reason to authenticate as it, but to an attacker any account that exists on the domain is useful, so every authentication attempt against it is a signal worth alerting on. So let's jump in…

Prerequisites:

  1. Vagrant box for Windows Server (I am using this box for this example: https://app.vagrantup.com/StefanScherer/boxes/windows_2022). If you want to create your own Vagrant box, please refer to this blog (https://medium.com/@pswalia2u/automate-active-directory-installation-packer-provisioning-vagrant-e5b059d8fda), where I have discussed creating a Vagrant box using HashiCorp's Packer.
  2. Finding the Event IDs we need to monitor: our goal is to detect password spraying attempts, so we need to look for failed login attempts against our honey user (Adam). Any of the following commands, run with a wrong password for Adam, produces the failed logon we want to see:
Start-Process -FilePath C:\Windows\System32\cmd.exe -Credential (Get-Credential)

OR

Start-Process -FilePath C:\Windows\System32\cmd.exe -Credential ($cred=New-Object System.Management.Automation.PSCredential ("auror.local\Adam", ($pass=ConvertTo-SecureString 'Random_junk' -AsPlainText -Force)))

OR

runas /user:Adam@auror.local C:\Windows\System32\cmd.exe

Checking Local Event Viewer:

4625 is the Event ID we need to monitor.

Checking Domain Event Viewer:

a) Before this, we need to enable auditing for the domain: open Group Policy Management -> right-click and edit the Default Domain Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy, and enable Success and Failure.

To open the domain Event Viewer, right-click on Event Viewer, choose Connect to another computer, type the Domain Controller's hostname and click OK. Note: this is only required if you are connecting from another domain-joined machine. Then push the updated policy to the DC:

Invoke-Command -ComputerName Machine-A-Dc -ScriptBlock {gpupdate /force}

b) Now we are good to go.

4771 is the Event ID we need to monitor.

Now we have the Event IDs (4625 and 4771) that we need to monitor.

3. Canary token:

a) Go to http://canarytokens.org/generate# and choose Web bug / URL token.

c) Enter the email address at which you want to receive alerts and type any reminder note (or add an empty space). Click Create my token. A unique URL will be generated.

http://canarytokens.com/terms/c3ysvo9uz3arju4c5kkw3h55z/post.jsp

Configuration

  1. Scheduling task in Task Scheduler:

a) Open Task scheduler -> Create Task

b) Next click on Triggers and select On an event for when to begin the task.

c) Then we need to choose custom -> New Event Filter

Paste this XML and click OK.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      (*[System[EventID='4771']] or *[System[EventID='4625']]) and
      *[EventData[Data [@Name='TargetUserName']='Adam']]
    </Select>
  </Query>
</QueryList>
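The same filter can be run from PowerShell with Get-WinEvent as a check that the events actually reach the DC's Security log before the task is wired up, and to see where the attempts come from. This is an added example, not code from the original post; it assumes the honey account is named Adam and that it runs on the DC (otherwise add -ComputerName).

```powershell
# Added example (not from the post): pull 4771/4625 events for the honey user
# with the same XPath filter the scheduled task uses, and show the source of
# each attempt. Assumption: the honey account is 'Adam'.
$HoneyUser = 'Adam'
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      (*[System[EventID='4771']] or *[System[EventID='4625']]) and
      *[EventData[Data[@Name='TargetUserName']='$HoneyUser']]
    </Select>
  </Query>
</QueryList>
"@

function Get-HoneyUserFailures {
    param([int]$MaxEvents = 50)
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterXml $FilterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <Data Name="..."> elements of EventData into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id            # 4771 = Kerberos pre-auth failed, 4625 = logon failed
                User    = $data['TargetUserName']
                Source  = $data['IpAddress'] -replace '^::ffff:', ''   # 4771 logs IPv4-mapped form
                # 0x18 (4771) and 0xC000006A (4625) both mean "wrong password"
                Status  = if ($_.Id -eq 4771) { $data['Status'] } else { $data['SubStatus'] }
            }
        }
}

# Group by source address so a spray coming from one host stands out.
Get-HoneyUserFailures -MaxEvents 200 | Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```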

d) The next step is to configure the action. Choose New -> Start a program and give the path of the program you want to execute:

C:\Windows\System32\curl.exe

Add the token URL in the Arguments field. Click OK to save. You will be prompted for the Administrator password to save the task.

http://canarytokens.com/terms/c3ysvo9uz3arju4c5kkw3h55z/post.jsp

Testing:

runas /user:Adam@auror.local C:\Windows\System32\cmd.exe

Now if any attacker tries to log in to Adam's account, we will get a mail alert!!

Slack Integration:

a) Create a private channel.

b) Click on Integrations and install Incoming Webhooks.

c) Copy the below trigger action (make sure you modify the hook URL accordingly; the webhook URL is a secret, so treat it like a credential):

curl -X POST --data-urlencode "payload={\"channel\": \"#monitoring\", \"username\": \"Honeypot\", \"text\": \"Someone tried logging in to Adam user account!!.\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/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

Automation:

Prerequisites:

a. Export the task XML.

Export-ScheduledTask -TaskName "Monitor_Honey_User" -TaskPath "\"

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2022-09-10T15:11:30.7921099</Date>
    <Author>auror\Administrator</Author>
    <Description>Honey Account(Adam) Monitoring. Sending emails on failed logon events.</Description>
    <URI>\Monitor_Honey_User</URI>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-2928777613-1704353729-2693998158-500</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
  </Settings>
  <Triggers>
    <EventTrigger>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;
(*[System[EventID='4771']] or *[System[EventID='4625']]) and
*[EventData[Data [@Name='TargetUserName']='Adam']]
&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\curl.exe</Command>
      <Arguments>-X POST --data-urlencode "payload={\"channel\": \"#monitoring\", \"username\": \"Honeypot\", \"text\": \"Someone tried logging in to Adam user account!!.\", \"icon_emoji\": \":ghost:\"}" https://hooks.slack.com/services/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</Arguments>
    </Exec>
    <Exec>
      <Command>C:\Windows\System32\curl.exe</Command>
      <Arguments>http://canarytokens.com/terms/c3ysvo9uz3arju4c5kkw3h55z/post.jsp</Arguments>
    </Exec>
  </Actions>
</Task>

b. Save this XML in a file or host it. Then we just need to add the below line to our Vagrantfile. The task will automatically be scheduled while provisioning.

#Creating a scheduled task
dc.vm.provision "shell", inline: "Write-Host -ForegroundColor Green Creating scheduled task. ; Register-ScheduledTask -TaskName Monitor_Honey_User -Xml (Get-Content 'C:\\vagrant\\provisioning_scripts\\task.xml' | Out-String) -Force -User \"Administrator\" -Password \"Testertest@123\""

OR

dc.vm.provision "shell", inline: "Register-ScheduledTask -TaskName Monitor_Honey_User -Xml (curl.exe <XML_File_url> --silent | Out-String) -Force -User \"Administrator\" -Password \"Testertest@123\""
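The exported XML runs the task as the Administrator account with a password stored in the task and, above, in plain text in the Vagrantfile. The following added example (not the project's own code) registers the same task from PowerShell without an XML file and runs it as SYSTEM, so no password is stored anywhere. It assumes the honey account is Adam; the Slack hook URL is a placeholder to replace with your own.

```powershell
# Added example (not from the post): register the Monitor_Honey_User task
# from PowerShell without an exported XML file, running as SYSTEM so no
# administrator password has to be stored in the Vagrantfile.
# Assumptions: honey account 'Adam'; the Slack hook URL is a placeholder.
$HoneyUser = 'Adam'
$HookUrl   = 'https://hooks.slack.com/services/<YOUR_WEBHOOK_PATH>'   # placeholder

# Same event filter as the Task Scheduler XML in this post.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      (*[System[EventID='4771']] or *[System[EventID='4625']]) and
      *[EventData[Data[@Name='TargetUserName']='$HoneyUser']]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no "on an event" option, so build the
# MSFT_TaskEventTrigger CIM instance directly.
$TriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$Trigger = New-CimInstance -CimClass $TriggerClass -ClientOnly
$Trigger.Enabled      = $true
$Trigger.Subscription = $Subscription

# Build the Slack payload with ConvertTo-Json, then escape the quotes the way
# curl.exe expects them inside a double-quoted argument (\" as in the post).
$Payload = @{ channel = '#monitoring'; username = 'Honeypot'; icon_emoji = ':ghost:'
              text = "Failed logon attempt against honey user $HoneyUser" } |
           ConvertTo-Json -Compress
$Arguments = '-s -X POST --data-urlencode "payload={0}" {1}' -f $Payload.Replace('"', '\"'), $HookUrl
$Action = New-ScheduledTaskAction -Execute 'C:\Windows\System32\curl.exe' -Argument $Arguments

# SYSTEM principal: no stored credentials, and the task survives password rotation.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances Parallel -AllowStartIfOnBatteries

Register-ScheduledTask -TaskName 'Monitor_Honey_User' -Description "Honey account ($HoneyUser) monitoring" `
    -Trigger $Trigger -Action $Action -Principal $Principal -Settings $Settings -Force
```

The canary-token curl action from the post can be added as a second New-ScheduledTaskAction and passed to -Action as an array.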

We can now proceed with automation:

  1. Clone the repo

git clone https://github.com/pswalia2u/Honey_User.git

2. Copy the Vagrant box file to the Honey_User folder. You can create your own box or download it from here (https://app.vagrantup.com/StefanScherer/boxes/windows_2022).

Note: make sure you rename the downloaded file to "windows_2022_virtualbox.box".

3. Spinning up and provisioning box

cd vagrant_project
vagrant up --provider virtualbox
