Honey Files

A honey file is a fake file located on a network file share. Honey files are designed to detect attackers who are accessing and potentially removing data from your network. Attackers will often find a file share on a network, zip the contents of the share into a folder, and dump the data for offline analysis. Because a honey file serves no true purpose, you should never access, modify, or move a honey file. Any such attempts will result in a honey file alert.

Avoid unnecessary noise and false positive alerts

Windows Explorer views that display a preview of the files' contents can generate false positive honey file alerts when users browse directories that contain honey files. Previews of files are indistinguishable from intentional file openings. You may want to consider placing your honey files in alternate directories that users would not be expected to browse in Windows Explorer. You could also use a file extension that does not produce a file preview in Windows Explorer to avoid these false positive alerts.

Before You Begin

Before you configure a honey file, complete the following procedure:

  1. Install the Insight Agent on the Windows server hosting a network file share.
  2. Enable the "Audit Detailed File Share" logging, if it is not already enabled. This can be configured in Group Policy or in the system's Local Security Policy.
  3. Create a new file in the desired location on the network file share. The file can be of any type, name, or content.
  4. Make note of the full path to the file.

Configure Honey Files on your System

To configure a honey file on your system:

  1. The files that will be configured as honey files must be located on a system running a Rapid7 Insight Agent. In this example, there are two files that will be used as "honey files."
  2. The alert for Honey File Access is only generated when these files are accessed from a network share. In this example, the HR folder has also been shared.
  1. You must now enable auditing on your Local Security policy.
  1. In either group policy or the Local Security Policy tool, enable auditing.
    • Select Advanced Audit Policy Configuration.
    • Select Object Access.
    • Open the properties for "Audit Detailed File Share."
    • Enable auditing for "Success and Failure."
    • Save this change.
  1. When you are done with the changes, "Audit Detailed File Share" should have both "Success" and "Failure" auditing enabled.

Configure a Honey File in InsightIDR

To configure a honey file in InsightIDR:

  1. From your InsightIDR homepage, select Settings on the left menu.
  2. Find and select Deception Technology in the list and click the Honey Files tab. Click the Add a new honey file button in the top right corner.
  3. A panel will appear. Enter the full local path to the file, as the Insight Agent would see it. For example, enter: C:\path\to\directory\filename.eg rather than \\hostname\path\to\directory\filename.eg.
  4. Select the asset that you previously configured.
  5. Click Add.
  6. You can add more than one honey file.

Test Your Honey Files

Access the Honey File from across the network

Local access will not cause the Honey File Access alert to generate.

Additionally, accessing the file by using a hidden share will not generate a Honey File Access alert.

Any type of access to the honey files from the non-local network will generate an alert.

  1. Navigate to the system that contains the honey file from across the network.
  2. Browse to the location of the honey file, and zip up the folder, which will trigger an alert.

The example below shows an intruder zipping a file from an HR folder.

  1. The honey file access will trigger an event in your Security Log where the honey file(s) reside(s) as 5145 EVID.
  1. You should get a Honey File Access alert after a few minutes in the InsightIDR Investigations timeline. The evidence for this alert includes the source user and asset.
  1. Open the investigation for the alert to view the alert evidence.