• QOMPLX Knowledge
  • Jul 6, 2021

QOMPLX Knowledge: Honey Account Logins and Ticket Requests

QOMPLX Knowledge: Honey Account Logins and Ticket Requests

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

QOMPLX’s cloud-based Identity Assurance cybersecurity software helps CISOs automatically spot and stop attacks in real-time. Want to see how? Visit qomplx.com/cyber/identity

Much like Honeypots, Honey accounts are used to lure attackers into what may appear to be a legitimate account but is in fact a trap that was set up to look like a legitimate account. When hackers attack, they tend to look for accounts that appear to be important while attempting to gain control over as many accounts as possible. By doing so, they are able to gain access to as many assets and privileges without setting off alarms.

Typically, a virtual environment is used for the purpose of hosting honey pots in order to keep the adversary as isolated and far away from the real network as possible. This security mechanism is used to monitor, detect and deflect an attacker and to identify the techniques that are used.  When it comes to Honey Accounts, these are hosted in the real environment in order to trick attackers into believing that they popped a legitimate account in the production environment.

Key Points:

  • Real data is collected from actual attacks, in return providing valuable resources and insight
  • Honey accounts are able to capture lateral movements used by attackers which identifies potential gaps and vulnerabilities
  • False positives should be non-existent due to the fact that a honey account is fake, not associated with a real user within the organization. If it is triggered, this indicates an attacker is actively on your network, and therefore should be addressed with urgency.

How Honey Accounts are used

A honey account is a user account specifically created to mimic an account that would be attractive to an attacker for compromise, for example an account with elevated admin privileges. This detection is triggered when an attacker successfully logs into a honey account, and therefore typically configured with a higher severity than just a request for a honey account ticket.

How Honey Accounts Ticket Requests are used

Rather than requesting multiple service principal names (SPN - a unique identifier of a service instance), at the same time, an attacker may instead execute a more advanced Kerberoasting attack in which they request a copy of the service ticket for a particular user to better avoid detection. An effective way to detect this activity is to create a honey account. When there's an attempt at kerberoasting on a honey account, it is an indication that an attacker is actively on your network and therefore a red flag which should be addressed with urgency. Read more about Kerberoasting here: https://qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/

QOMPLX Detection

The Honey account ticket request detection monitors Windows Event ID 4729 (indicating that a Kerberos service ticket was requested) for a honey account (which is a specified ServiceName defined in the detection rule). The Honey Account Login detection monitors Windows Event 4624 (logs every successful attempt to logon regardless of the logon type)

Additional Reading

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.