We recently implemented Rapid7's honey creds tool to identify any use of fake credentials on our network using the IDR agent – [https://docs.rapid7.com/insightidr/honey-credentials/](https://docs.rapid7.com/insightidr/honey-credentials/)
I've had an alert come through today on one of our admin's machines trying to reach SMB (445) on the file server using the fake credentials.
On the file server itself an audit failure log (4625) has been generated, 'unknown username or bad password', with the fake credential name used. This event is also present in the security log on the workstation (4648): 'A logon was attempted using explicit credentials.'
I've checked Process Monitor to see if there's anything that doesn't look right, but there's nothing that stands out. AV scans etc. all ran.
Does anyone have any further ideas I could explore to find the source process of the authentication attempt?
Any help would be extremely appreciated!
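The 4648 event on the workstation records the process that supplied the explicit credentials, so one place to start is pulling that field for every 4648 that targets the decoy account. The following is an added example, not code from the original post or from Rapid7; it assumes `HONEY_ACCOUNT` is a placeholder for the honey credential's username and is run in an elevated PowerShell session on the admin's machine.

```powershell
# Added example (not from the original post): list every 4648 event on this
# workstation whose target user is the honey account, with the process that
# presented the credentials. 'HONEY_ACCOUNT' is a placeholder for the decoy name.
$honeyUser = 'HONEY_ACCOUNT'

# 4648 = "A logon was attempted using explicit credentials"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } -ErrorAction Stop

$hits = foreach ($e in $events) {
    # Read the EventData fields by name rather than by positional index
    [xml]$x = $e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TargetUserName'] -ieq $honeyUser) {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            SubjectUser  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            TargetServer = $d['TargetServerName']
            # ProcessId is stored as a hex string (e.g. 0x1a4) in the event
            ProcessId    = [Convert]::ToInt32($d['ProcessId'], 16)
            ProcessName  = $d['ProcessName']
            IpAddress    = $d['IpAddress']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

The PID only identifies a live process if it is still running; if process creation auditing (event 4688) is enabled on the workstation, the same PID can be matched against 4688 to recover the image path and parent of a process that has since exited.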