January 5, 2021

Rapid7 Honey Creds tool – is this a potential breach?

Hi all,

We recently implemented Rapid7's honey creds tool to identify any use of fake credentials on our network using the IDR agent – [https://docs.rapid7.com/insightidr/honey-credentials/](https://docs.rapid7.com/insightidr/honey-credentials/)

I’ve had an alert come through today on one of our admins' machines trying to reach SMB (445) on the file server using the fake credentials.

On the file server itself an audit failure log (4625) has been generated, ‘unknown username or bad password’, with the fake credential name used. This event is also present in the security log on the workstation (4648): ‘A logon was attempted using explicit credentials.’

I’ve checked Process Monitor to see if there's anything that doesn’t look right, but there's nothing that stands out. AV scans etc. all ran.

Does anyone have any further ideas I could explore to find the source process of the authentication attempt?

Any help would be extremely appreciated!
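Added example, not part of the original post: the 4648 event on the workstation carries a Process Information section (Process ID and Process Name of the process that supplied the explicit credentials), plus the target server and account, so the source process can usually be read straight out of the Security log rather than inferred from Process Monitor. The script below pulls those fields, then correlates the PID with process-creation events (4688) and, if the process is still alive, with Win32_Process. The honey account name (`honey.svc`) and the one-day window are assumptions for illustration; 4688 correlation only works if "Audit Process Creation" is enabled, and the CommandLine field is empty unless command-line auditing is also turned on.

```powershell
# Added example (not from the original post): recover the source process of an
# explicit-credential logon attempt from the workstation's own Security log.
# Event 4648 records ProcessId/ProcessName of the process that used the
# credentials; 4688 (if process-creation auditing is on) gives parent and
# command line even after the process has exited.
$HoneyAccount = 'honey.svc'            # assumed honey credential user name
$Since        = (Get-Date).AddDays(-1) # assumed search window

function Get-EventFields {
    # Flatten the EventData <Data Name="...">value</Data> nodes into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Explicit-credential logons (4648) that name the honey account.
$hits = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4648; StartTime=$Since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -ieq $HoneyAccount) {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                SubjectUser  = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                TargetUser   = "$($f.TargetDomainName)\$($f.TargetUserName)"
                TargetServer = $f.TargetServerName
                ProcessId    = [int]$f.ProcessId   # logged as a hex string, e.g. 0x1a2c
                ProcessName  = $f.ProcessName
                ClientIp     = $f.IpAddress
            }
        }
    }

$hits | Sort-Object Time | Format-Table -AutoSize

# 2. Process-creation events (4688) fetched once, then matched by PID. The newest
#    4688 for that PID that precedes the 4648 is the process instance in question.
$procs = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Created     = $_.TimeCreated
            Pid         = [int]$f.NewProcessId
            Process     = $f.NewProcessName
            Parent      = $f.ParentProcessName
            CommandLine = $f.CommandLine   # empty unless command-line auditing is enabled
        }
    }

foreach ($h in $hits) {
    $procs | Where-Object { $_.Pid -eq $h.ProcessId -and $_.Created -le $h.Time } |
        Sort-Object Created | Select-Object -Last 1 | Format-List
}

# 3. If the process is still running, read parent PID and command line live.
foreach ($h in $hits) {
    Get-CimInstance Win32_Process -Filter "ProcessId = $($h.ProcessId)" -ErrorAction SilentlyContinue |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
}
```

Run it elevated on the admin's workstation. If ProcessName in the 4648 turns out to be a generic host such as svchost.exe or lsass.exe, the credential was handed over through a service or SSPI path and step 2 is what identifies the caller; if it points at explorer.exe or a script host, a mapped drive, stored credential (cmdkey) or scheduled task that was configured with the honey account is the usual explanation, and PIDs are reused, so trust the 4688 match only when its creation time is close to the 4648.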
