Honey credentials/hashes

Honey credentials and hashes are closely related to honey users: both are fake accounts created to lure attackers into using them.

What are honey credentials or hashes?

As on the honey users page, honey credentials are fake accounts created to lure in attackers; the difference is where they are stored. While honey users are simply placed in AD groups and wait for someone to enumerate the domain, honey credentials/hashes are placed in the running memory of a computer in order to detect someone using tools like mimikatz to dump the passwords and hashes held in that computer's memory.

How do we use them?

There are several ways to create honey credentials on computers. To start, create a fake user as shown on the "honey users" page. You can then manually add that user's credentials to the running memory of a Windows computer using the "runas" command, or you can use a commercial tool such as Rapid7's IDR tool to create them for you automatically. For a more detailed breakdown of how to create them manually, see this guide: https://logrhythm.com/blog/using-honeywords-to-make-password-cracking-detectable/. After taking the above steps, configure your monitoring tools to alert any time there is a login attempt with that account.
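The alerting step above, as an added example that is not part of the original page or of any vendor's tooling: a small detector that scans Windows Security event records (constructed JSON-lines samples) for any authentication event naming the honey account. The account name "svc_backup_adm", the hosts and all event records are hypothetical; the one caveat it handles is that seeding with runas /netonly itself logs a 4624 with logon type 9 on the seeding host, which must not trigger the alert.

```python
import json

# Hypothetical honey account and the host where it was seeded with runas /netonly.
HONEY_ACCOUNTS = {"svc_backup_adm"}
SEED_HOST = "WS-FINANCE07"
# Security event IDs that carry the authenticating account in TargetUserName.
AUTH_EVENTS = {4624: "successful logon", 4625: "failed logon",
               4768: "Kerberos TGT request", 4771: "Kerberos pre-auth failure",
               4776: "NTLM credential validation"}

def normalize_account(name):
    """Reduce DOMAIN\\user, user@domain or bare user to a lowercase user name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name.split("@", 1)[0]

def is_seeding_event(ev):
    """runas /netonly logs a 4624 with LogonType 9 (NewCredentials) on the seeding
    host without validating the password, so that one event is expected noise."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
            and str(ev.get("Computer", "")).upper() == SEED_HOST)

def find_honey_hits(events):
    """Return one alert dict per authentication event that names a honey account."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in AUTH_EVENTS or is_seeding_event(ev):
            continue
        if normalize_account(ev.get("TargetUserName", "")) not in HONEY_ACCOUNTS:
            continue
        hits.append({"event_id": eid, "what": AUTH_EVENTS[eid], "computer": ev.get("Computer"),
                     "source": ev.get("IpAddress") or ev.get("WorkstationName") or "unknown"})
    return hits

def scan_log(text):
    """Parse JSON-lines event records (as a log forwarder might emit) and scan them."""
    return find_honey_hits(json.loads(line) for line in text.splitlines() if line.strip())

# Constructed sample records: the seeding logon, an unrelated user, then real misuse.
SAMPLE_LOG = r"""
{"EventID": 4624, "LogonType": 9, "Computer": "WS-FINANCE07", "TargetUserName": "svc_backup_adm"}
{"EventID": 4624, "LogonType": 2, "Computer": "WS-FINANCE07", "TargetUserName": "jsmith"}
{"EventID": 4776, "Computer": "DC01", "TargetUserName": "SVC_BACKUP_ADM", "WorkstationName": "WS-FINANCE07"}
{"EventID": 4625, "LogonType": 3, "Computer": "FS02", "TargetUserName": "CORP\\svc_backup_adm", "IpAddress": "10.20.30.40"}
{"EventID": 4768, "Computer": "DC01", "TargetUserName": "svc_backup_adm@corp.local", "IpAddress": "10.20.30.40"}
"""
```

Running scan_log(SAMPLE_LOG) on the sample yields three alerts (the NTLM validation, the failed network logon and the TGT request) and ignores the seeding logon; a logon type 9 for the honey account on any other host still alerts, since that means the credential has been reused elsewhere.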

Why do we need honey credentials?

While you should be able to detect someone running a tool such as mimikatz to grab passwords, there is always a chance that an attacker does so without your knowledge. Other attacks such as pass-the-hash can be harder to detect, so by giving attackers a fake account to log in with, you should be alerted as soon as they try to authenticate with it, regardless of the tools they use or where they log in.
