Honey Users

I am going to separate honey users from honey credentials: honey users are fake accounts placed in domain groups, whereas honey credentials are left in memory to be picked up by memory dumps.

What are honey users?

Honey users are fake accounts that you place in enticing groups such as "Domain Admins" or other important AD groups in your organization. They are meant to detect threat actors who enumerate the domain looking for accounts to log in with.

How do we use them?

  1. Create a fake account

    1. Give the account an enticing name such as "helpdesk account" or "troubleshooting"

    2. You can put the password in the description of the account, or an easy-to-guess hint for it, to make the account more appealing to attackers

  2. Add the fake account to some AD groups

    1. At least one of them should be an important AD group such as Domain Admins

  3. Give the account some activity

    1. Most competent threat actors will not log in to an account that says "helpdesk" but has no last logon time

    2. If possible, create a script that continually adds "activity" to the account on a regular schedule, and make sure you whitelist that activity in your detection tooling

  4. Make it impossible to login and start detecting

    1. There are several ways to make a login attempt detectable while it still fails to gain access, such as restricting logon hours

      1. logon hours = 0

    2. Set up your tools to detect any login attempt on this account and alert immediately; if any scripts run against the account, make sure that activity is whitelisted
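The four steps above, worked through as an added PowerShell example (this is not code from the original page). It assumes the ActiveDirectory module is available on the host you run it from, and the account name, OU, password and activity host are placeholders to replace. The page does not say how "activity" should be generated; this example assumes a scheduled admin password reset, which updates pwdLastSet and whenChanged so the account does not look abandoned. Detection reads the domain controller's Security log directly; in practice the same filter would live in your SIEM.

```powershell
# Added example, not from the original page. Assumptions: ActiveDirectory module present,
# placeholder names below replaced, "activity" = scheduled admin password reset.
Import-Module ActiveDirectory

$HoneyUser     = 'svc-helpdesk'                          # enticing name (placeholder)
$HoneyOU       = 'OU=Service Accounts,DC=example,DC=com' # placeholder OU
$HoneyPassword = 'Helpdesk2024!'                         # deliberately weak (placeholder)
$ActivityHost  = '10.0.0.5'                              # host running the activity script (placeholder)

# Step 1: create the account with the password hinted in the description.
function New-HoneyUser {
    New-ADUser -Name $HoneyUser -SamAccountName $HoneyUser -Path $HoneyOU `
        -Description "Helpdesk troubleshooting account - pw: $HoneyPassword" `
        -AccountPassword (ConvertTo-SecureString $HoneyPassword -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true
}

# Step 2: put it in an important group so domain enumeration finds it.
function Add-HoneyUserToGroups {
    Add-ADGroupMember -Identity 'Domain Admins' -Members $HoneyUser
}

# Step 3: "activity". Schedule this on $ActivityHost. An admin reset to the same
# password bumps pwdLastSet/whenChanged. (Assumption: one way to fake activity.)
function Update-HoneyUserActivity {
    Set-ADAccountPassword -Identity $HoneyUser -Reset `
        -NewPassword (ConvertTo-SecureString $HoneyPassword -AsPlainText -Force)
}

# Step 4a: logon hours = 0. logonHours is a 21-byte (168-bit) bitmap, one bit per
# hour of the week. All zeros means the account can never log on: the DC still
# processes (and logs) the authentication attempt, but refuses it.
function Disable-HoneyUserLogonHours {
    $noHours = New-Object byte[] 21
    Set-ADUser -Identity $HoneyUser -Replace @{ logonHours = $noHours }
}

# Step 4b: detection. Pull authentication events naming the honey user from the
# Security log and drop only what comes from the whitelisted activity host.
# 4768/4771 = Kerberos TGT request / pre-auth failure, 4776 = NTLM validation,
# 4624/4625 = logon success/failure.
function Get-HoneyUserAlerts {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4771, 4776, 4624, 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['TargetUserName'] -ne $HoneyUser) { continue }
        # Source host: Kerberos/logon events carry IpAddress (often ::ffff:-prefixed),
        # NTLM 4776 carries Workstation. Whitelist only the activity host.
        $source = if ($field['IpAddress']) { $field['IpAddress'] } else { $field['Workstation'] }
        $source = $source -replace '^::ffff:', ''
        if ($source -eq $ActivityHost) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Source  = $source
            Status  = if ($field['Status']) { $field['Status'] } else { $field['FailureCode'] }
        }
    }
}

# One-time setup, run as a domain admin, in the order the page gives:
# New-HoneyUser; Add-HoneyUserToGroups; Update-HoneyUserActivity; Disable-HoneyUserLogonHours
# Then schedule Update-HoneyUserActivity, and run Get-HoneyUserAlerts on a short interval
# with its output wired to your alerting.
```

Because the password is printed in the description, an attacker who reads it will send a correct password; with logon hours zeroed that attempt still fails, but it fails after the DC has logged the Kerberos or NTLM request with the attacker's source address, which is exactly the event you want to alert on. Anything that touches this account and does not come from the activity host should page someone, regardless of whether the attempt succeeded.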

Why do we need honey users?

Once an attacker has access to a domain, they will most likely start enumerating it, looking for accounts with more privileged access than the one they are using. Enumerating the users in a domain or in a specific group is very easy, so you know an attacker will see the account if it is in a group such as Domain Admins, and by making the password easy to guess or brute-force you make it a likely target. At the end of the day this is all about finding an attacker who is already in your network and whom your other controls have failed to detect, before they get further into the environment.
