Using Honeypot Accounts and Hashes in Active Directory to Detect Pass-the-Hash & Credential Theft

Webinar Registration

Bad guys usually start out on an endpoint relatively far from their ultimate goal. To move laterally through the network to reach that goal they need to steal credentials and they use a variety of methods, including pass-the-hash and other credential artifact harvesting techniques.

There are many ways to steal credentials and some of them are just not directly observable.

What if you could lay traps throughout your network to be alerted when bad guys use credentials they shouldn't be – regardless of how they obtained them? That’s exactly what Jeff Warren, my respected colleague and AD security expert, is back to demonstrate with me in this real training for free event.

By implanting fake credentials into memory of computers on the network, you can create honeypots through the use of “honey tokens” and then monitor for the usage of those honey token accounts. If you see either authentication events or LDAP reconnaissance events performed against those accounts, you know you have caught a bad guy scraping credentials from memory and can respond quickly.

Here's an outline of all the technical goodness Jeff is going to show us:

How Pass-the-Hash and Overpass-the-Hash Work - We’ll dive into these common lateral movement techniques used by attackers so you understand the behavior to look for before planting your honeypots.
The “Honeyhash” – Using PowerShell scripts we will implant fake credentials in memory and demonstrate how they appear as genuine accounts to attackers when using tools such as Mimikatz.
Setting Up Detections – Once your honeypots are set, we will explore how to use Windows event logs and Sysmon to monitor for attackers who attempt to compromise these honeypot accounts and use them on your network.
Deploying the Honeypots – Using PowerShell and Group Policy, it is simple to deploy these honeypots at scale and automate the entire process.

STEALTHbits is making this awesome event possible and Jeff will briefly show you how their technology provides a much more streamlined and efficient honey token experience and automates all this powerful but complex defense strategy.

Please join us for this real training for free session.

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Job Title:	Required
Organization:	Required
Country:	Required
City:	Required
State:	Required
Employees:	Required
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.