Honey credentials exist on an asset, not in Active Directory. Passwords live locally on your assets, and there are tools attackers can use to harvest these passwords from an asset and then use them elsewhere to try to access other resources. Honey credentials are fake credentials that set off alarms if they are used.
This helpful Rapid7 blog post explains many of the nuances of honey credentials.
Before You Begin
In order to use the honey credential deception trap, you must have the Rapid7 Insight Agent for Windows installed on your assets.
You must opt in to have honey credentials
The honey credential feature is not enabled by default. It is an "opt-in" feature that you must specifically request to be enabled through a Support ticket.
Configuring Honey Credentials
With honey credentials enabled, the Rapid7 Insight Agent injects a set of fake credentials into an asset's memory. The credentials should be given a name that an attacker would find appealing. An intruder who dumps memory with a tool such as Mimikatz in preparation for a pass-the-hash attack will likely find these fake credentials.
If these credentials are seen in use anywhere on the network that InsightIDR monitors, InsightIDR triggers an alert.
Some malware detection software may alert upon finding the honey credentials running in memory.
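To make the "alert when the honey account is used anywhere" behaviour concrete, here is an added example (not Rapid7 or InsightIDR code) of a minimal detector run over constructed logon events. The event format, field names and honey account names are assumptions for the example, and it treats both failed and successful logons for a honey account as alertable, since such an account is never legitimately used.

```python
# Added example, not InsightIDR's implementation: raise an alert whenever a
# honey-credential account name appears in an authentication event.
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical honey accounts injected into asset memory (placeholder names).
HONEY_ACCOUNTS = {"svc_backup_admin", "sql_sa_legacy"}

@dataclass(frozen=True)
class Alert:
    account: str
    source_host: str
    target_host: str
    event_id: int
    outcome: str

def parse_event(line: str) -> dict[str, str]:
    """Parse a constructed 'key=value key=value ...' logon event line."""
    return dict(tok.split("=", 1) for tok in line.split())

def detect_honey_use(events: list[str]) -> list[Alert]:
    """Alert on any logon event, successful (4624) or failed (4625), for a
    honey account. Assumption: a honey account is never used legitimately,
    so even a failed logon with its name indicates harvested credentials."""
    alerts: list[Alert] = []
    for line in events:
        ev = parse_event(line)
        user = ev.get("user", "").lower()
        if user in HONEY_ACCOUNTS and ev.get("event_id") in {"4624", "4625"}:
            alerts.append(Alert(
                account=user,
                source_host=ev.get("src", "?"),
                target_host=ev.get("host", "?"),
                event_id=int(ev["event_id"]),
                outcome="success" if ev["event_id"] == "4624" else "failure",
            ))
    return alerts

# Constructed sample events: a normal user logon, then a failed and a
# successful logon using honey accounts from the same workstation.
SAMPLE_EVENTS = [
    "time=2024-01-01T10:00:00Z event_id=4624 host=FS01 src=WS10 user=alice",
    "time=2024-01-01T10:05:12Z event_id=4625 host=FS01 src=WS23 user=SVC_BACKUP_ADMIN",
    "time=2024-01-01T10:05:40Z event_id=4624 host=DC01 src=WS23 user=sql_sa_legacy",
]
```

Calling `detect_honey_use(SAMPLE_EVENTS)` returns two alerts, both pointing at source host WS23, which is the asset an investigation would start from.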
How to Test Honey Credentials
To test the honey credential feature after it is enabled, you should perform a pass-the-hash attack.
- Download a memory dump or scraping tool, such as Mimikatz.
- Use the tool to extract the users and passwords from memory on a system running the Insight Agent.
- Use the extracted credentials to log in to something that InsightIDR is monitoring, such as a domain account.
Black Hills Information Security has more information on how to perform a pass-the-hash attack: https://www.blackhillsinfosec.com/your-password-is-wait-for-it-not-always-encrypted/
Once you use these credentials, InsightIDR alerts and opens an Investigation.