Using Honey Credentials to Make Pivoting Detectable

A pattern of high-profile network breaches happens repeatedly: An attacker gains a foothold on a single computer in the network—usually through use of a phishing scam or other well-known initial compromise method.

Next, the attacker uses domain administrator credentials—stolen from the system’s memory cache—to compromise the rest of the computers in the domain. By default, Windows caches or saves login credentials to its memory, allowing privileged local users to extract them.

Once an attacker accesses your network’s memory and accompanying user credentials, they can then infiltrate the system belonging to the intended target of their attack. So, how do you stop this attack from happening?

Deceiving Attackers with Honey Credentials and Password Hashes

The answer is: You don’t. Instead, you can use honey credentials and hashed passwords to trick an attacker into attempting to infiltrate your network with phony passwords. Honey credentials are a string of fake passwords used as bait.

Password hashing involves a one-way transformation on a password, in which your password turns into a specific, encrypted string of variables once it is stored to memory. Hashing passwords is widely used as a means to create network protection.

Should an attacker come across a hashed password, they would have no reason to think this additional layer of security is fabricated. You can hash and store honey credentials to make these fake passwords look real, giving attackers false confidence in their legitimacy.

Honey Credentials in Action

Honey credentials help catch malicious actors by injecting fake credentials into Windows memory. An attacker gains access to your network, obtains fake or honey credentials, and attempts to use them to further compromise your network. Because these credentials don’t actually exist, any attempt to use them will trigger a flooding of alarms in your SIEM dashboard. In the case of a targeted attack, the attacker will be able to dump recovered honey credentials from the system’s memory through privilege escalation or a system flaw. The attacker will then attempt to perform lateral movement into the fake objects, resulting in their exposure.

A resourceful attacker could check if their stolen user credentials are legitimate by asking the active directory for user account attributes. However, you can further deceive the attacker by creating real accounts filled with honey credentials and disable all network access.

If these fake credentials are associated with real accounts, it would be much harder to spot your trap. You could even give the staged account realistic active directory attributes to effectively make an entire fake employee.

Injecting Honey Credentials into Your Computer’s Memory

To inject hashed honey credentials into your network memory, you have an option to run a Runas command. Runas is a command in Microsoft Windows that allows users to run specific tools and programs under a different username. See the following Runas command: runas /user:logger\helpdeskadmin /netonly cmd.exe

The /netonly option for the Runas command is used to launch a program, as a user, that exists on a remote machine. The system will accept the username and password for that remote user. It then creates an authentication token in the memory of your LSASS process without any interaction through the remote host.

Using the /netonly option, you can run commands on your host as the administrator of the microsoft.com domain, despite not knowing the administrator account password.

This command doesn’t really give you any elevated access on your machine, and with an invalid password, it is not a threat to Microsoft. Windows doesn’t try to authenticate to the Microsoft.com domain to launch the process. It assumes that the credentials are correct, calculates the hashes, and stores them in memory for future use. You can use the Runas command to begin storing your fake passwords or honey credentials in the memory.

Figure 1: Storing Fake Credentials to the Memory Using Runas

An Attacker Obtains Your Honey Credentials

An attacker can obtain clear text credentials from your memory through wdigest. This can be done in any Windows system prior to Windows 8, as these systems will show the user credentials in clear text. The following example uses Windows 7.

After accessing your network honey credentials, an attacker uses Mimikatz or Windows Credential Editor to dump the stolen credentials.

Figure 2: Attacker Uses Mimikatz to Dump Honey Credentials

The attacker makes off with the passwords by passing the dumped honey credentials, or using a remote desktop to access the enumerated remote machine containing the dumped login information.

Stopping and Exposing the Attacker

You can configure LogRhythm AI Engine to look for authentication failures coming from the staged accounts you set up in the helpdeskadmin. When an attacker tries to log on to your network using the honey credentials, AI Engine sends an influx of alarms to your TLM Dashboard, all with a high-risk score of 100 percent. LogRhythm’s TLM platform works to avoid alarm fatigue and you won’t miss this alarm insurgence.

Figure 3: AI Engine Triggers Honey Hashes Authentication Failure Alarm

LogRhythm’s Machine Data Intelligence (MDI) Fabric provides meaningful information regarding the triggered alarm and the attacker. You will then be able to determine the username involved in the alarm, the process name used (NTLM in this case), the hacker’s hostname or IP address, and the MPE rule name used in the attack.

Figure 4: LogRhythm’s Machine Data Intelligence (MDI) Fabric Reveals Meaningful Information About the Attacker

Implementing Honey Credentials Across a Large Number of Endpoints

In order to implement this trap throughout your entire enterprise, you will need distribute honey credentials to all of your endpoints. It’s not feasible to log in to all target hosts and run the Runas command, as this could expose your own credentials to attack. Instead, you will need to set up a group policy to push a login script using the below password.txt, containing the password to inject:

@Echo Off

Echo Password1 > password.txt

Echo >> password.txt

runas /user:logger\helpdeskadmin /netonly cmd.exe < password.txt

Del password.txt

By implementing honey credentials, you can effectively trick attackers into stealing fake passwords. When they attempt to use their stolen passwords, AI Engine jumps into action and alerts your security team to the attempted cyberattack on your network.

LogRhythm’s MDI Fabric takes your response capabilities one step further by providing you with the information you need to expose and apprehend the attacker. This method is used to thwart a targeted attack, so with your attacker off the streets, you can ensure there are not multiple attempts to infiltrate your network from the same source. Today, it is generally accepted that your network will at some point be breached, but you can stop attackers in their tracks by baiting them with honey credentials and hashed passwords.

Detecting Lateral Movement From Pass the Hash Attacks

A Technical Analysis of WannaCry Ransomware

Eight Password Hygiene Tips