MITRE ATT&CK technique T1003
Tactic: Credential Access
Platform: Windows
- Inject fake credentials into LSASS (i.e. honey hashes)
- Create Kerberoast Service Account honeytoken
- Create files containing fake credentials (i.e. honey accounts)
- Configuration, backup and connection files such as RDP, VPN, and AWS credentials files
- Fake credentials in browser password manager
- New-HoneyHash.ps1 - Inject artificial credentials into LSASS. New-HoneyHash is a simple wrapper for advapi32!CreateProcessWithLogonW that specifies the LOGON_NETCREDENTIALS_ONLY flag.
- DCEPT (Domain Controller Enticing Password Tripwire) - A tool for deploying and detecting use of Active Directory honeytokens
- MimikatzHoneyToken - A logon script used to detect the theft of credentials by tools such as Mimikatz. This script is an AutoIT logon script that launches cmd.exe as a fake user account. It is intended to be run as a logon script on Windows systems.
- honeybits-win - The Windows version of honeybits that supports creating fake credentials in Windows Credential Manager.