Using Honeypot Accounts and Hashes in Active Directory to Detect Pass-the-Hash & Credential Theft

Webinar Registration

Bad guys usually start out on an endpoint relatively far from their ultimate goal. To move laterally through the network to reach that goal they need to steal credentials and they use a variety of methods, including pass-the-hash and other credential artifact harvesting techniques.

There are many ways to steal credentials and some of them are just not directly observable.

What if you could lay traps throughout your network to be alerted when bad guys use credentials they shouldn't be – regardless of how they obtained them? That’s exactly what Jeff Warren, my respected colleague and AD security expert, is back to demonstrate with me in this real training for free event.

By implanting fake credentials into memory of computers on the network, you can create honeypots through the use of “honey tokens” and then monitor for the usage of those honey token accounts. If you see either authentication events or LDAP reconnaissance events performed against those accounts, you know you have caught a bad guy scraping credentials from memory and can respond quickly.

Here's an outline of all the technical goodness Jeff is going to show us:

  • How Pass-the-Hash and Overpass-the-Hash Work - We’ll dive into these common lateral movement techniques used by attackers so you understand the behavior to look for before planting your honeypots.
  • The “Honeyhash” – Using PowerShell scripts we will implant fake credentials in memory and demonstrate how they appear as genuine accounts to attackers when using tools such as Mimikatz.
  • Setting Up Detections – Once your honeypots are set, we will explore how to use Windows event logs and Sysmon to monitor for attackers who attempt to compromise these honeypot accounts and use them on your network.
  • Deploying the Honeypots – Using PowerShell and Group Policy, it is simple to deploy these honeypots at scale and automate the entire process.

STEALTHbits is making this awesome event possible and Jeff will briefly show you how their technology provides a much more streamlined and efficient honey token experience and automates all this powerful but complex defense strategy.

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Job Title:  

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources