Honey Credentials

Honey credentials exist on an asset and not on the Active Directory. Passwords live locally on your assets.There are tools that attackers can use to harvest these password from an asset and then use them elsewhere to try and access other resources. Honey credentials are fake credentials that will set off alarms if they are used.

For more information about the nuances of honey credentials, check out our blog.

Before You Begin

In order to use the honey credential deception trap, you must have the Rapid7 Insight Agent for Windows installed on your assets.

Enable Honey Credentials

With honey credentials enabled, the Rapid7 Insight Agent injects a set of fake credentials into an asset's memory that an attacker would find appealing. An intruder using a memory dump tool, such as MimiKatz, who is attempting to use a pass-the-hash attack will likely find these fake credentials.

To enable honey credentials

  1. From the InsightIDR left menu, click Deception Technology.
  2. Click the Honey Credentials tab.
  3. Switch the toggle to ON.

If these credentials are seen in use anywhere on the network that is monitored with InsightIDR, it will trigger an alert.

Some malware detection software may alert upon finding the honey credentials running in memory.

How to Test Honey Credentials

To test the honey credential feature after it is enabled, you should perform a pass-the-hash attack.

  1. Download a memory dump or scraping tool, such as MimiKatz.
  2. Use the tool to extract the users and passwords from memory on a system running the Insight Agent.
  3. Log in to something that InsightIDR is monitoring, such as a domain account and its credentials.

Black Hills Information Security has more information on how to perform a pass-the-hash attack: https://www.blackhillsinfosec.com/your-password-is-wait-for-it-not-always-encrypted/

Once you use these credentials, InsightIDR will alert and open an Investigation.