When an attacker gets into a network, they may try to to break into user accounts, especially those who have an important description, such as patchadmin. Attackers frequently attempt to authenticate to as many user accounts as possible during an attack. This helps them expand their footprint and gain access to more assets and privileges without tripping any traditional alarms.
With InsightIDR, you can create user accounts within Active Directory that look exciting to an attacker. If any attempt is made to log in using this account, InsightIDR will fire an alert.
Rapid7 Honey Users
A honey user is a fake user that is not associated with a real person within the organization, and therefore should never be accessed.
Honey users are a unique way to detect attacker activity. If someone attempts to log in to a honey user account, InsightIDR generates a Honey User Authentication incident, which displays the time at which the attempt was made and the asset that was targeted.
Before You Begin
Before creating a honey user, please note the following:
- Once you create a honey user, the Collector must make an LDAP pull in order for the honey user to appear. This may take a day or more.
- In order to see honey user attempts or honey user evidence in the domain controller security logs, you must be collecting the audit trail from the honeypot machine first.
Create a Honey User
To create a honey user:
- Create a new user in Active Directory with a believable name, but do not allow anyone access to the account. This will be your new honey user.
- Give the honey user every appearance of a normal employee of the company. This includes things like a complex passphrase, organizational mappings, permissions, or whatever else may trick an attacker into believing the user is an actual employee.
Remember that honey users may have multiple accounts. In fact, multiple accounts can increase the likelihood that an attacker will target the user, as it seems more authentic and provides additional chances for reaching an administrative role.
- Log in to your account in InsightIDR. Go to Settings > Honey Users and enter the newly created honey user’s name in the search bar on the page (not the global search bar). Select the name to mark the user as a honey user.
LDAP makes honey users available in InsightIDR
In order for the honey users to appear when you search for them, the Collector needs to make an LDAP pull after you create the honey user(s).
Therefore, you may need to wait a day or so after creating the honey users in Active Directory before you can configure them in InsightIDR.
Test a Honey User
Any attempt to authenticate with a honey user will generate an alert. The easiest way to test the honey user is to use a tool like Microsoft Remote Desktop.
First, attempt to log into the Windows domain with the honey user account.
After attempting to authenticate with the honey user, wait a few minutes and then navigate to the "Investigations" page in InsightIDR to verify that you received a Honey User Authentication alert.