Honeypots Too Easy for Hackers? Javelin Networks Reveals the Distributed Deception Market's Detectable Breadcrumbs That Hackers Find and Avoid

BLACKHAT CONFERENCE–LAS VEGAS–July 2017— Javelin Networks today revealed research showing that today's "Distributed Deception" defenses are too easily discovered and defeated by attackers. These platforms, built from Honey Tokens, Honey Breadcrumbs and Honey Pots, are meant to detect attackers who have already breached the network and are moving toward their objectives.

The main idea behind defensive Honey Tokens is to lure attackers into believing they are on the right path to privileged credentials or to spreading through the domain. But Honey Tokens and lures can be studied, and most can be avoided by an average attacker. With simple validations taking only minutes, attackers can identify the planted objects and steer around the traps. Because the validation reads directory and host data rather than authenticating to the bait or moving laterally, it triggers no alarm. The same checks can be integrated with Red Team tools such as Empire or BloodHound to further automate the Red Team process.
</gre_replace>
<gr_replace lines="9" cat="clarify" orig="With its latest research">
With its latest research, presented at the BlackHat conference, Javelin Networks (Exhibition Booth 573) has documented seven common Active Directory honey token objects that Red Teamers encounter.

“The truth is that cyber attackers, even with minimal knowledge, will too easily detect distributed deception schemes, and shape their attacks to avoid the honey with even the slightest evidence that the deception is fake,” said Greg Fitzgerald, COO for Javelin Networks. “The evidence is just too easy to find and this presents an opportunity to improve defenses, and Javelin is here to help.”

With its latest research unveiled at the BlackHat conference, Javelin Networks (Exhibition Booth 573) has unveiled 7 Common Active Directory related Honey Tokens objects that Red Teamers encounter.

1. Kerberoasting service account Honey Tokens, like the one described by Sean Metcalf on ADSecurity (https://adsecurity.org/?p=3458): a domain user with an assigned SPN (Service Principal Name) and the adminCount=1 LDAP attribute set, planted to tempt attackers scanning for privileged service accounts. Request a TGS for that account and the request is logged as a Kerberoasting attempt.

2. Fake in-memory credential Honey Tokens: starting a process with the 'NetOnly' logon flag leaves a cached logon session holding fake credentials. Once the attacker dumps and tries to use them, he is exposed.

3. Fake computer account Honey Pots: creating many domain computer objects with no real device behind them confuses an attacker studying the network, and any lateral-movement attempt against one of these objects exposes the attacker.

4. Fake Credential Manager breadcrumbs: many deception techniques inject fake credentials into the Windows Credential Manager, where tools such as Mimikatz will recover them. Attackers may mistake them for authentic credentials and use them, even though they are not real.

5. Fake Domain Admin account Honey Tokens: several domain admin accounts that have never been active and whose credentials should never be used, luring attackers into brute-forcing them. Any authentication attempt against such an account triggers an alarm and reveals the attacker. Microsoft ATA uses this method.

6. Fake mapped drive breadcrumbs: many automated malicious scripts and worms spread via SMB shares, especially ones mapped as network drives, so deception products plant mapped drives that lead to a Honey Pot server. Javelin's tool correlates the data it collects to identify any mapped drive that points at such a server.

7. DNS record manipulation Honey Pots: one method deception vendors use to detect use of their fake endpoints is to register DNS records for those endpoints that resolve to the Honey Pot server, so an attacker who resolves the name is pointed at the honey pot instead of a real endpoint.
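The signals behind token types 1, 3, 5 and 7 are all readable from the directory or DNS without ever authenticating to the bait. The PowerShell below is an added example written for this article; it is not Javelin's Honeypot Buster and not code from the original page. The heuristic functions run offline on constructed sample objects (not real directory data), and the two live helpers assume a domain-joined Windows host with default read access. The 90-day staleness threshold, the DNS fan-in threshold and the sample names are my own assumptions.

```powershell
# Added example (not Javelin's Honeypot Buster): read-only checks for honey token
# types 1, 3, 5 and 7. Thresholds and sample data below are assumptions.

function ConvertFrom-AdFileTime {
    # lastLogonTimestamp / pwdLastSet are 64-bit FILETIME values; 0 or absent = never.
    param($Value)
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Test-HoneyCandidate {
    # $Obj: hashtable keyed by lower-case LDAP attribute name, as [adsisearcher] returns them.
    param([hashtable]$Obj, [datetime]$Now = (Get-Date).ToUniversalTime())
    $reasons    = @()
    $lastLogon  = ConvertFrom-AdFileTime $Obj['lastlogontimestamp']
    $isComputer = @($Obj['objectclass']) -contains 'computer'
    $isDA       = [bool](@($Obj['memberof']) -like 'CN=Domain Admins,*')   # direct membership only
    $stale      = (-not $lastLogon) -or (($Now - $lastLogon).TotalDays -gt 90)   # 90 days is an assumption

    # Type 1: SPN plus adminCount=1 on an "admin" service account that has never logged on.
    if (-not $isComputer -and $Obj['serviceprincipalname'] -and $Obj['admincount'] -eq 1 -and -not $lastLogon) {
        $reasons += 'type 1: SPN + adminCount=1, never logged on'
    }
    # Type 3: computer object with no operatingSystem attribute and no recent logon.
    if ($isComputer -and -not $Obj['operatingsystem'] -and $stale) {
        $reasons += 'type 3: computer object with no OS and no recent logon'
    }
    # Type 5: Domain Admin that has never logged on.
    if (-not $isComputer -and $isDA -and -not $lastLogon) {
        $reasons += 'type 5: Domain Admin, never logged on'
    }
    return $reasons
}

function Find-DnsFanIn {
    # Type 7: several host names resolving to one address suggests records pointed at a
    # honey pot server. $NameToIp maps host name -> IPv4 string.
    param([hashtable]$NameToIp, [int]$Threshold = 3)   # threshold is an assumption
    $NameToIp.GetEnumerator() | Group-Object -Property Value |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{ Address = $_.Name; Hosts = (($_.Group | ForEach-Object { $_.Key }) -join ', ') }
        }
}

function Get-HoneyCheckObjects {
    # Live helper (domain-joined host): one read-only LDAP query, no authentication to any bait.
    $filter = '(|(&(objectCategory=person)(|(servicePrincipalName=*)(adminCount=1)))(objectCategory=computer))'
    $s = [adsisearcher]$filter
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) {
        $h = @{}
        foreach ($k in $r.Properties.PropertyNames) {
            $v = @($r.Properties[$k])
            $h[$k] = if ($v.Count -eq 1) { $v[0] } else { $v }
        }
        $h
    }
}

function Resolve-ComputerNames {
    # Live helper (domain-joined host): resolve the dNSHostName of every computer object.
    $map = @{}
    $s = [adsisearcher]'(objectCategory=computer)'
    $null = $s.PropertiesToLoad.Add('dnshostname')
    foreach ($r in $s.FindAll()) {
        $vals = @($r.Properties['dnshostname'])
        if ($vals.Count -eq 0) { continue }
        $a = @(Resolve-DnsName -Name ([string]$vals[0]) -Type A -ErrorAction SilentlyContinue | Where-Object { $_.IPAddress })
        if ($a.Count -gt 0) { $map[[string]$vals[0]] = $a[0].IPAddress }
    }
    $map
}

# Constructed sample directory objects (not real data) so the checks run offline.
$now  = (Get-Date).ToUniversalTime()
$user = @('top', 'person', 'organizationalPerson', 'user')
$samples = @(
    @{ samaccountname = 'svc-sql-backup'; objectclass = $user; serviceprincipalname = 'MSSQLSvc/sql01.corp.example:1433'; admincount = 1 }
    @{ samaccountname = 'svc-web'; objectclass = $user; serviceprincipalname = 'HTTP/web01.corp.example'; lastlogontimestamp = $now.AddDays(-3).ToFileTimeUtc() }
    @{ samaccountname = 'DESKTOP-X7Q2$'; objectclass = ($user + 'computer') }
    @{ samaccountname = 'WS042$'; objectclass = ($user + 'computer'); operatingsystem = 'Windows 10 Enterprise'; lastlogontimestamp = $now.AddDays(-1).ToFileTimeUtc() }
    @{ samaccountname = 'da-backup'; objectclass = $user; admincount = 1; memberof = 'CN=Domain Admins,CN=Users,DC=corp,DC=example' }
)
foreach ($o in $samples) {
    $r = Test-HoneyCandidate -Obj $o -Now $now
    if ($r) { [pscustomobject]@{ Account = $o['samaccountname']; Reasons = ($r -join '; ') } }
}

# Constructed DNS map: three names sharing one address versus one ordinary workstation.
Find-DnsFanIn -NameToIp @{
    'fs-old01.corp.example' = '10.0.9.250'; 'sql-dr.corp.example' = '10.0.9.250'
    'hr-share.corp.example' = '10.0.9.250'; 'ws042.corp.example'  = '10.0.3.17'
}
```

Against a real domain, feed `Get-HoneyCheckObjects` into `Test-HoneyCandidate` and `Resolve-ComputerNames` into `Find-DnsFanIn`. Treat the output as signals, not proof: lastLogonTimestamp replicates with a lag of up to two weeks, memberOf only shows direct group membership, a genuinely stale service account or decommissioned workstation looks exactly like a planted one, and a deception product that seeds realistic logon and OS attributes will not be flagged by these checks.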

In response to the challenge, Javelin has introduced Honeypot Buster, a tool that lets any Red Teamer spot and avoid these traps. It detects all seven types of common Active Directory honey token objects a Red Teamer or adversary might encounter. Written in PowerShell, the tool supports version 2.0 and above and can gather the 2nd and 4th token types remotely over WinRM.

It uses LDAP queries to find domain objects and loads a DLL to read the LSASS process for local token gathering (which may soon trigger antivirus products). It supports all Windows versions, but some features do not work with Windows Credential Guard or the Windows 10 Creators Update. For details, visit: http://jblog.javelin-networks.com/blog/the-honeypot-buster/


About Javelin Networks:
More defenders are recognizing how easily attackers steal credentials and move laterally. The main culprit is Active Directory, the heart of 90% of the world's networks. Active Directory is the key to the network kingdom, giving an attacker access to everything domain-connected. Attackers understand that Active Directory exposes the target environment, a consequence of Microsoft's design for an easier-to-manage IT architecture. Javelin Networks can show you a better way. Contact us: hello@javelin-networks.com

