This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
QOMPLX’s cloud-based Identity Assurance cybersecurity software helps CISOs automatically spot and stop attacks in real-time. Want to see how? Visit qomplx.com/cyber/identity
Much like honeypots, honey accounts are used to lure attackers: they appear to be legitimate accounts but are in fact traps set up to look like legitimate accounts. When hackers attack, they tend to look for accounts that appear to be important while attempting to gain control over as many accounts as possible. By doing so, they are able to gain access to as many assets and privileges as possible without setting off alarms.
Typically, honeypots are hosted in a virtual environment in order to keep the adversary as isolated and as far away from the real network as possible. This security mechanism is used to monitor, detect and deflect an attacker and to identify the techniques that are used. Honey accounts, by contrast, are hosted in the real environment in order to trick attackers into believing that they popped a legitimate account in the production environment.
- Real data is collected from actual attacks, in return providing valuable resources and insight
- Honey accounts are able to capture the lateral movements used by attackers, which identifies potential gaps and vulnerabilities
- False positives should be non-existent, because a honey account is fake and not associated with a real user within the organization. If it is triggered, this indicates that an attacker is actively on your network, and it should therefore be addressed with urgency.
How Honey Accounts are used
A honey account is a user account specifically created to mimic an account that would be attractive to an attacker to compromise, for example an account with elevated admin privileges. This detection is triggered when an attacker successfully logs into a honey account, and it is therefore typically configured with a higher severity than a mere ticket request for a honey account.
How Honey Accounts Ticket Requests are used
Rather than requesting multiple service principal names (SPNs; an SPN is a unique identifier of a service instance) at the same time, an attacker may instead execute a more advanced Kerberoasting attack in which they request a copy of the service ticket for one particular user in order to better avoid detection. An effective way to detect this activity is to create a honey account. When there is an attempt at Kerberoasting against a honey account, it is an indication that an attacker is actively on your network and therefore a red flag which should be addressed with urgency. Read more about Kerberoasting here: https://qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/
The Honey Account Ticket Request detection monitors Windows Event ID 4769 (indicating that a Kerberos service ticket was requested) for a honey account (which is a specified ServiceName defined in the detection rule). The Honey Account Login detection monitors Windows Event ID 4624 (logged for every successful logon attempt, regardless of the logon type).
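The two detections described above, as an added example that is not QOMPLX's own code or detection rule. It evaluates a handful of constructed Windows Security event records (field names mirror the event XML: ServiceName and IpAddress for the Kerberos service ticket request event 4769, TargetUserName for the logon event 4624) against a list of honey account names, and assigns the login detection a higher severity than the ticket request detection. The honey account names, the sample events and the severity labels are assumptions made for this example.

```python
"""Honey-account detections over constructed Windows Security events.

Added example (not QOMPLX's code). Event ID 4769 is "A Kerberos service
ticket was requested" and 4624 is "An account was successfully logged on".
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Honey account names: assumed for this example, not real accounts.
HONEY_ACCOUNTS = {"svc_backup_admin", "sqladmin_legacy"}

HONEY_TICKET_REQUEST = "honey_account_ticket_request"
HONEY_LOGIN = "honey_account_login"

# A successful logon as the honey account outranks a mere TGS request for it.
SEVERITY = {
    HONEY_TICKET_REQUEST: "high",
    HONEY_LOGIN: "critical",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    account: str
    source_ip: str
    event_record_id: int


def _norm(name: str) -> str:
    # 4769 can carry "name@REALM"; compare on the bare, lower-cased account name.
    return name.split("@", 1)[0].strip().lower()


def evaluate_event(event: dict, honey_accounts: Iterable[str] = HONEY_ACCOUNTS) -> Optional[Alert]:
    """Return an Alert if this event touches a honey account, else None."""
    honey = {_norm(h) for h in honey_accounts}
    eid = event.get("EventID")
    if eid == 4769:
        # Ticket request detection: ServiceName is the account owning the SPN.
        svc = _norm(event.get("ServiceName", ""))
        if svc in honey:
            return Alert(HONEY_TICKET_REQUEST, SEVERITY[HONEY_TICKET_REQUEST], svc,
                         event.get("IpAddress", "?"), event["EventRecordID"])
    elif eid == 4624:
        # Login detection: any logon type counts, as the page states.
        user = _norm(event.get("TargetUserName", ""))
        if user in honey:
            return Alert(HONEY_LOGIN, SEVERITY[HONEY_LOGIN], user,
                         event.get("IpAddress", "?"), event["EventRecordID"])
    return None


def evaluate_events(events: Iterable[dict], honey_accounts: Iterable[str] = HONEY_ACCOUNTS) -> list:
    return [a for a in (evaluate_event(e, honey_accounts) for e in events) if a is not None]


# Constructed sample events (not real log data); two should alert, three should not.
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "fs01$", "IpAddress": "10.0.5.21"},                     # normal file-server ticket
    {"EventRecordID": 1002, "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_backup_admin", "IpAddress": "10.0.5.21"},          # TGS for the honey SPN
    {"EventRecordID": 1003, "EventID": 4624, "TargetUserName": "jsmith",
     "LogonType": 3, "IpAddress": "10.0.5.21"},                             # normal logon
    {"EventRecordID": 1004, "EventID": 4624, "TargetUserName": "SQLADMIN_LEGACY",
     "LogonType": 3, "IpAddress": "10.0.5.21"},                             # logon as honey account
    {"EventRecordID": 1005, "EventID": 4729, "TargetUserName": "svc_backup_admin"},  # unrelated group-change event
]


def main() -> None:
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.rule}: account={alert.account} "
              f"src={alert.source_ip} record={alert.event_record_id}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the two alerts; in practice the event dicts would come from a SIEM export or the Security log itself, and the honey account set from the detection rule's configuration. The unrelated 4729 record in the sample shows that only the two event IDs the page names are considered.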