
Example of Kerberoasting Honeypot


SPN-Honeypot

Detect Kerberoasting.

An effective way to detect Kerberoasting is to create an account with an SPN that will never be used (the SPN is not associated with any real service).

Legitimate Kerberos clients never request a TGS ticket for a fake SPN, so if a corresponding event 4769 appears in the DC security log, a Kerberoasting attempt can be detected.
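
The check described above, as an added example that is not part of the SPN-Honeypot scripts: filter event 4769 records on the honeypot account in the ServiceName field. The account name `svc-honey`, the function name `Get-HoneypotTicketRequest` and the sample events are hypothetical and constructed for illustration.

```powershell
# Added example; not part of SPN-Honeypot. 'svc-honey' is a hypothetical honeypot account name.
function Get-HoneypotTicketRequest {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    process {
        $doc = [xml]$EventXml
        # Only Kerberos service ticket requests (event 4769) are of interest.
        if ($doc.GetElementsByTagName('EventID')[0].InnerText -ne '4769') { return }
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $doc.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # In 4769, ServiceName holds the account that owns the requested SPN.
        if ($data['ServiceName'] -ne $ServiceAccount) { return }
        [pscustomobject]@{
            TimeUtc        = $doc.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
            Requester      = $data['TargetUserName']
            ClientAddress  = $data['IpAddress']
            EncryptionType = $data['TicketEncryptionType']
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = @'
<Event xmlns="{0}"><System><EventID>4769</EventID><TimeCreated SystemTime="{1}"/></System>
<EventData><Data Name="TargetUserName">{2}</Data><Data Name="ServiceName">{3}</Data>
<Data Name="TicketEncryptionType">{4}</Data><Data Name="IpAddress">{5}</Data></EventData></Event>
'@
$samples = @(
    ($template -f $ns, '2024-01-01T10:00:00Z', 'alice@CORP.EXAMPLE', 'FILESRV01$', '0x12', '::ffff:10.0.0.15'),
    ($template -f $ns, '2024-01-01T10:02:31Z', 'bob@CORP.EXAMPLE', 'svc-honey', '0x17', '::ffff:10.0.0.23')
)
# Only the second sample names the honeypot account, so only it is reported.
$samples | Get-HoneypotTicketRequest -ServiceAccount 'svc-honey'

# On a domain controller, feed real events instead of the samples:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } |
#     ForEach-Object { $_.ToXml() } | Get-HoneypotTicketRequest -ServiceAccount 'svc-honey'
```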

Installation

Step 1

Download the archive with the scripts and extract it to a folder of your choice.

Step 2

Run the script.ps1 script. It will create a fake account and SPN.

PS > ./script.ps1

If you can't start the script because the execution policy is Restricted, run this command and then try script.ps1 again:

PS > powershell -ep bypass

Step 3

After installation, delete the plain-text password from the script, because it is no longer needed.

For example, set the value to 1.


How it will notify me?

If the honeypot has been triggered, you will see a Windows 10 notification in the bottom-right corner (the default Windows 10 notification).


Change the script start time

If you want to run the script every 2 minutes, for instance, change this on the third line of sheduler.ps1 and on the second line of script.ps1.

Attention: in script.ps1 the time must be given in seconds (300 = 5 min, 120 = 2 min).

TODO

  1. GUI with alert history
  2. Connection with some SIEM systems
  3. Update guide
  4. More secure password storage...
  5. Add the ability to choose service exe file
  6. Check results code - info