To catch an attack and an attacker, both the administrator and the organization need to be prepared. This can come in a few different forms. One option is a honeypot: a portion of the network that is set up to lure an attacker into thinking there is value within it. In many cases, such as those included here, the honeypot is monitored, and alerts will be sent out when an attacker tries to leverage it.
For our first honeypot, we are going to manipulate the most sought-after account in Active Directory. Of course, we are talking about the built-in Administrator user account. This account cannot be deleted, so it is often the target of attackers. The key to this honeypot is to ensure the attacker thinks the account is legitimate and active.
Note: No honeypot is foolproof! No matter what you might set up, a highly sophisticated attacker will be able to determine if the source of your honeypot is legitimate or not. So, we set up numerous honeypots to catch attackers who are highly sophisticated at most security-related configurations, but not all.
In this instance, we are going to keep the Administrator account enabled, but try to hide it the best we can. Here’s what you need to do to the Administrator account:
Rename the account: It’s a good idea to name the account like any other user account. That means giving it a real name, like Tom Adams, with a username that matches your naming convention, say “tadams.”
Remove its description: Next, you want to remove the default description for the built-in Administrator, which says, “Built-in account for administering the computer/domain.”
Create a user account named “Administrator”: Now that the built-in Administrator account is renamed, you can create a user account named “Administrator.”
Give the fake Administrator a description: Give the fake Administrator the description of the built-in Administrator: “Built-in account for administering the computer/domain.”
Next, make sure to configure the monitoring of failed and successful logons for the fake Administrator account. You will need to configure the built-in Audit Policy or Advanced Audit Policy, which you can accomplish as laid out in this blog. You will also need a tool that will help you search and alert you when this account is touched, which is not possible with any of Microsoft’s built-in tools. If you download and use ManageEngine ADAudit Plus, you can monitor, search, analyze, and get alerts when this honeypot is triggered. Here is a blog on how to use ADAudit Plus to trigger alerts.
Now that you’ve created a honeypot for your fake Administrator account, we also suggest you set up an alert for the real Administrator account (i.e., tadams). This account should not be used unless there is an emergency. So, if anyone does use this account, their actions should be tracked and should trigger alerts. While the account usage may be legitimate, it’s still important to be aware of when someone logs on or tries to log on to this account.
With these two honeypots, you will now get immediate email alerts when anyone tries to log on to either of these user accounts, and your network will be prepared and secure.