• Back

Blog

Major amounts of data live within insurance carriers but the challenge lies in getting it out in useful form. Learn how to extract the value from data without the need to replace your existing systems, spend thousands of hours coding or rekeying data, or commit millions to a new data architecture.

QOMPLX Knowledge: Honey Account Logins and Ticket Requests

Table of Contents

QOMPLX Knowledge: Honey Account Logins and Ticket Requests

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

QOMPLX’s cloud-based Identity Assurance cybersecurity software helps CISOs automatically spot and stop attacks in real-time. Want to see how? Visit qomplx.com/cyber/identity


Much like Honeypots, Honey accounts are used to lure attackers into what may appear to be a legitimate account but is in fact a trap that was set up to look like a legitimate account. When hackers attack, they tend to look for accounts that appear to be important while attempting to gain control over as many accounts as possible. By doing so, they are able to gain access to as many assets and privileges without setting off alarms.

Typically, a virtual environment is used for the purpose of hosting honey pots in order to keep the adversary as isolated and far away from the real network as possible. This security mechanism is used to monitor, detect and deflect an attacker and to identify the techniques that are used.  When it comes to Honey Accounts, these are hosted in the real environment in order to trick attackers into believing that they popped a legitimate account in the production environment.

Key Points:

  • Real data is collected from actual attacks, in return providing valuable resources and insight
  • Honey accounts are able to capture lateral movements used by attackers which identifies potential gaps and vulnerabilities
  • False positives should be non-existent due to the fact that a honey account is fake, not associated with a real user within the organization. If it is triggered, this indicates an attacker is actively on your network, and therefore should be addressed with urgency.

How Honey Accounts are used

A honey account is a user account specifically created to mimic an account that would be attractive to an attacker for compromise, for example an account with elevated admin privileges. This detection is triggered when an attacker successfully logs into a honey account, and therefore typically configured with a higher severity than just a request for a honey account ticket.

How Honey Accounts Ticket Requests are used

Rather than requesting multiple service principal names (SPN - a unique identifier of a service instance), at the same time, an attacker may instead execute a more advanced Kerberoasting attack in which they request a copy of the service ticket for a particular user to better avoid detection. An effective way to detect this activity is to create a honey account. When there's an attempt at kerberoasting on a honey account, it is an indication that an attacker is actively on your network and therefore a red flag which should be addressed with urgency. Read more about Kerberoasting here: https://qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/

QOMPLX Detection

The Honey account ticket request detection monitors Windows Event ID 4729 (indicating that a Kerberos service ticket was requested) for a honey account (which is a specified ServiceName defined in the detection rule). The Honey Account Login detection monitors Windows Event 4624 (logs every successful attempt to logon regardless of the logon type)

Additional Reading

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs


Related Posts in Series

Card image cap
Attack surface risk signals: DNS records

Published Oct 14, 2021

Card image cap
Identify and Fight the Phish #CyberMonth

Published Oct 12, 2021

Card image cap
Offensive Security Service Data Sheet

Published Sep 28, 2021

Card image cap
Offensive Security Service Tech Spec

Published Sep 28, 2021