Today I wanted to talk about using the deception tool New-HoneyHash.ps1. It was inspired by Mark Baggett and authored by Matt Graeber, and it injects fake credentials into the lsass.exe process. This can be effective at finding attackers who dump the lsass process in your environment to extract credentials and hashes for lateral movement and domain dominance.
We will first create an admin account with an absurdly long password that will never be used except by shady individuals in our domain. We will add this account to the Domain Admins group to entice would-be attackers to use it if they discover its existence, whether through BloodHound or Mimikatz. We will then create an alert inside our Elastic Stack that fires whenever there is an unsuccessful logon with that account. Sounds simple enough; let’s get to it.
How it all works: first things first, we need to create a fake admin account and then add it to the Domain Admins group. We will do this on our Domain Controller from Server Manager, under Active Directory Users and Computers.
After that we will log in to our Elastic Stack and configure our alert. Inside the Security area of Elastic, under Rules, click “Create new rule”. Our next step is to define the custom query that will fire our alert. In the screenshot below I am creating a query that alerts only when there is a failed logon event (event ID 4625) whose TargetUserName is our honey account, da_admin.
From there we give it the name Honey Hash and a brief description, and set the severity to high or critical, since this should never fire in our environment.
From there you schedule it; I just used the default of every five minutes, and we will not use any rule actions. If you wanted, you could also schedule an email or some other action to fire when the alert triggers. For our purposes we are done, so we can just create the rule and activate it.
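To make the rule logic concrete, here is an added Python example (not part of the original post, and not code from New-HoneyHash.ps1 or Elastic) that applies the same condition the rule above expresses, event code 4625 plus the honey account as TargetUserName, to a few constructed Winlogbeat-style events. The field names (event.code, host.name, winlog.event_data.TargetUserName, IpAddress, WorkstationName, LogonType) are assumed to follow Winlogbeat's ECS mapping, and the sample events are constructed, not captured. It goes slightly beyond the page's rule in one respect: the match is case-insensitive and tolerates DOMAIN\user and user@domain forms, so a failed logon reported as CORP\DA_ADMIN is still caught.

```python
"""Honey-account failed-logon detector (added example, not the post's own code).

Mirrors the Elastic rule described in the post: event.code 4625 (failed logon)
AND TargetUserName equal to the honey account. Field names are assumed to follow
Winlogbeat's ECS mapping; the sample events below are constructed for the demo.
"""
import json

HONEY_ACCOUNT = "da_admin"  # the decoy Domain Admins account from the post

# Constructed sample events, one JSON document per line, as Winlogbeat would ship them.
# Line 1: failed logon with the honey account (should alert).
# Line 2: failed logon by a normal user who mistyped a password (should not alert).
# Line 3: successful logon (4624) by a normal user (should not alert).
# Line 4: failed logon with the honey account in DOMAIN\USER form (should alert).
SAMPLE_LOG = r'''
{"event": {"code": "4625"}, "host": {"name": "ws01.corp.local"}, "winlog": {"event_data": {"TargetUserName": "da_admin", "IpAddress": "10.0.0.15", "WorkstationName": "WS01", "LogonType": "3"}}}
{"event": {"code": "4625"}, "host": {"name": "ws07.corp.local"}, "winlog": {"event_data": {"TargetUserName": "jdoe", "IpAddress": "10.0.0.22", "WorkstationName": "WS07", "LogonType": "2"}}}
{"event": {"code": "4624"}, "host": {"name": "dc01.corp.local"}, "winlog": {"event_data": {"TargetUserName": "jdoe", "IpAddress": "10.0.0.22", "WorkstationName": "WS07", "LogonType": "3"}}}
{"event": {"code": "4625"}, "host": {"name": "dc01.corp.local"}, "winlog": {"event_data": {"TargetUserName": "CORP\\DA_ADMIN", "IpAddress": "10.0.0.15", "WorkstationName": "WS01", "LogonType": "3"}}}
'''


def kql_query(honey_account=HONEY_ACCOUNT):
    """The KQL custom query equivalent to the rule built in the post."""
    return f"event.code:4625 and winlog.event_data.TargetUserName:{honey_account}"


def normalize_user(name):
    """Windows account names are case-insensitive; also accept DOMAIN\\user and user@domain."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def is_honey_logon_failure(event, honey_account=HONEY_ACCOUNT):
    """True when the event is a 4625 whose target user is the honey account."""
    if str(event.get("event", {}).get("code")) != "4625":
        return False
    data = event.get("winlog", {}).get("event_data", {})
    return normalize_user(data.get("TargetUserName", "")) == honey_account.lower()


def detect(events, honey_account=HONEY_ACCOUNT):
    """Return one alert per matching event, carrying the fields a responder needs first:
    where the attempt came from (IP / workstation), how (logon type) and which host logged it."""
    alerts = []
    for ev in events:
        if not is_honey_logon_failure(ev, honey_account):
            continue
        data = ev["winlog"]["event_data"]
        alerts.append({
            "rule": "Honey Hash",
            "severity": "critical",
            "target_user": data.get("TargetUserName"),
            "source_ip": data.get("IpAddress"),
            "source_workstation": data.get("WorkstationName"),
            "logon_type": data.get("LogonType"),
            "reporting_host": ev.get("host", {}).get("name"),
        })
    return alerts


def load_sample_events():
    """Parse the constructed JSON-lines sample above into event dicts."""
    return [json.loads(line) for line in SAMPLE_LOG.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    print("Rule query:", kql_query())
    for alert in detect(load_sample_events()):
        print(alert)
```

One caveat worth knowing when you move from this script to the real rule: winlog.event_data.TargetUserName is a keyword field in Winlogbeat, so the KQL term match is exact and case-sensitive, unlike the normalized comparison above. If you want the rule to tolerate different spellings of the account name, cover them explicitly in the query rather than assuming they will match.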
Then we need to inject our fake credentials on one of our workstations with the PowerShell script New-HoneyHash.ps1. After you import the PowerShell module, just run the function as shown in the screenshot below.
Now, finally, we will trigger our alert by generating a failed logon with our honey account, which an attacker could have found by dumping lsass on our workstation. The logon will of course fail, because the credentials we injected into the lsass process on the workstation are not the ones we used to create the account.
And now here is our alert that got triggered by the rule we created.
So I hope this was a quick, informative post on how easy it can be to weave deception into your environment. This took me all of fifteen minutes to set up completely in my home lab. If you can spread deception and disinformation throughout your environment and make the attacker question everything they do, you give your team the space and time to respond to the filth and take out the trash in your environment.
So until next time…