One of the cool things developing a product is designing defensive software that detects what you do as an attacker. Growing up through the offensive mindset gave me a unique perspective on what I need to do to gain access to systems. The concept of honeypots is nothing new and has been around for ages. One of the tools I designed initially was Artillery which has had wide-scale deployment success in networks for early indicators of compromise. BDS Vision is a distributed endpoint and server software agent that has been designed from the ground up on the attacker mindset and looking at all of the patterns that we would commonly use for exploitation.
A good example of this is the recent DNC hack analyzed by CrowdStrike (which is still under debate on attribution :P). The attackers used PowerShell injection techniques, PE droppers, and WMI as methods for persistence and initial compromises. Interesting enough, all of these techniques would have been covered by Vision out of the box without any need for additional detection capabilities. But what if the attackers were absolutely using methods or techniques that haven’t been previously used before and compromised a system using an unknown technique?
In this scenario, the attacker must first compromise the victim machine through spear phishing or direct exploitation of a vulnerability. The machine itself becomes compromised using this unknown technique for an established command and control (C2). The attacker is not usually content with staying on one system and will start to emulate an insider with obtained credentials and attempt to elevate and move laterally to other systems. In this specific example, there are ways to entice an attacker to slip up and give up that a breach has actually occurred. There was a recent Twitter debate between two great folks in the industry, Jeremiah Grossman and egyp7 from the Metasploit team.
Both are exactly right. An attacker only needs to attack a system that the organization didn’t know they owned and lacks all of the controls hopefully built within the organization. Egyp7 on the other hand nailed it; the blue team only needs to catch the attacker once to know that they are there.
By creating an entirely simulated environment where attackers would go after and leaving these artifacts on a compromise environment drastically increases the probability of an attacker being detected.
With BDS Vision 2.2 we’ve implemented several new key features specifically around creating a HoneyNet:
HoneyLLMNR/NBNS – This method sprays enticing accounts through the network for tools such as Responder and Inveigh. In the event these credentials are used, Vision will trigger an alarm that the credentials were used.
HoneyTokens – This sprays randomized usernames and passwords on the endpoints and servers (commonly used by tools such as Mimikatz/Kiwi). In the event these credentials are used through the network, Vision alarms giving a high probability and low false positive rate that an attacker is there.
HoneyFiles – Enticing files and monitoring actual access. If the file is accessed/modified it will trigger an alarm that should never be triggered.
HoneyPorts – Randomized low, mid, and high ports that are not consumed by the operating system. Each endpoint turns into a network honeypot with randomized ports (detect basic port scans, etc).
In addition, there are other honey methods used to simulate an environment that would be enticing to an attacker that would give them up in the early stages. With the release of BDS Vision 2.2, we continue to strengthen the detection capabilities on top of what’s already there. If you aren’t a BDS Vision customer, there are definitely tools and techniques you can use to leverage the same types of concepts.
For HoneyTokens, @Ben0xA and @FuzzySec created some tools which you can leverage to do similar HoneyTokens or LLMNR tokens in your environment in PowerShell with some modifications:
Using CreateProcessWithLogonW you have more granular flexibility on being able to create processes in suspended states, specify arguments for command lines, etc.
For techniques such as honeyports, you can use BDS’s free tool Artillery located at:
Regardless of what you use, the ability to detect attackers in every state of an attack greatly increases the likelihood and probability that an attacker will be detected through the attack phases. These features in Vision are just a small subset of a number of methods used for detection within the product.
This blog was written by Dave Kennedy (@HackingDave) – Founder and Chief Hacking Officer – Binary Defense Systems and TrustedSec.