Honey Credentials

Honey credentials are fake credentials that will set off alarms if they are used. This deception technology acts as a trap for attackers who attempt to access an asset on your network using the fake credentials. Because passwords live locally on assets, attackers try to harvest them and use the passwords elsewhere to gain access to other resources.

For more information about the nuances of honey credentials, check out our blog.

Before You Begin

In order to use the honey credential deception trap, you must have the Rapid7 Insight Agent for Windows installed on your assets.

Enable Honey Credentials

With honey credentials enabled, the Rapid7 Insight Agent injects into an asset's memory a set of fake credentials that an attacker would find appealing. An intruder who runs a memory dump tool, such as Mimikatz, while attempting a pass-the-hash attack will likely find these fake credentials.

To enable honey credentials:

  1. From the InsightIDR left menu, click Deception Technology.
  2. Click the Honey Credentials tab.
  3. Switch the toggle to ON.

If these credentials are used anywhere on the network that InsightIDR monitors, InsightIDR triggers a detection.
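
The following added example is not Rapid7's detection logic or code from this page. It shows the general idea of flagging any authentication event that names a honey account, including failed attempts and names written in different forms. The account names, the simplified JSON record shape and the sample events are constructed assumptions; the event IDs are standard Windows Security log IDs.

```python
import json

# Hypothetical honey account names (assumption; the page lists none).
HONEY_ACCOUNTS = {"svc-backup-adm", "hc-sqladmin"}

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENTS = {
    4624: "logon success",
    4625: "logon failure",
    4768: "Kerberos TGT request",
    4771: "Kerberos pre-authentication failure",
    4776: "NTLM credential validation",
}

def normalize(account):
    """Reduce DOMAIN\\user and user@domain forms to a bare lowercase name."""
    name = account.strip().lower()
    name = name.rsplit("\\", 1)[-1]   # drop a DOMAIN\ prefix
    return name.split("@", 1)[0]      # drop an @domain suffix

def detect_honey_use(lines):
    """Return one alert per authentication event naming a honey account."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(event, dict):
            continue
        kind = AUTH_EVENTS.get(event.get("event_id"))
        user = normalize(str(event.get("user", "")))
        # Failed attempts count too: nobody legitimate uses these names.
        if kind and user in HONEY_ACCOUNTS:
            alerts.append({"time": event.get("time"), "account": user,
                           "event": kind, "source": event.get("source")})
    return alerts

# Constructed sample records in a simplified JSON-lines shape.
SAMPLE = [
    r'{"time":"2024-01-10T09:00:01Z","event_id":4624,"user":"CORP\\alice","source":"10.0.0.5"}',
    r'{"time":"2024-01-10T09:02:17Z","event_id":4625,"user":"CORP\\SVC-Backup-Adm","source":"10.0.0.23"}',
    r'{"time":"2024-01-10T09:02:40Z","event_id":4776,"user":"HC-SqlAdmin@corp.example","source":"WKSTN-14"}',
    r'{"time":"2024-01-10T09:03:02Z","event_id":4688,"user":"hc-sqladmin","source":"WKSTN-14"}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in detect_honey_use(SAMPLE):
        print(alert)
```

The 4688 record and the malformed line produce no alert: only authentication events are matched, and unparseable input is skipped.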

Some malware detection software may trigger when it finds the honey credentials in memory.

How to Test Honey Credentials

To test the honey credential feature after it is enabled, you should perform a pass-the-hash attack.

  1. Download a memory dump or scraping tool, such as Mimikatz.
  2. Use the tool to extract the users and passwords from memory on a system running the Insight Agent.
  3. Log in to something that InsightIDR is monitoring, such as a domain account and its credentials.

Black Hills Information Security has more information on how to perform a pass-the-hash attack: https://www.blackhillsinfosec.com/your-password-is-wait-for-it-not-always-encrypted/

Once you use these credentials, InsightIDR will trigger a detection and create an investigation.