Honey credentials unique or static?

KasperD · April 11, 2022, 11:38am

Currently we have honey credentials deployed with a customer which is under attack. Over the weekend we got multiple attempts to access servers with the honey account which really helps us understanding which workstations are involved. The only thing that I was wondering about is, are the credentials unique for every insight agent (asset) or are they the same on each asset?

The reason that I ask is because if they are compromised on workstation A then the attacker could be trying them from workstation B to avoid being detected on patient zero.

Does any one known this?

jtippen · April 12, 2022, 1:01am

It’s the same

joe_delavalle · April 19, 2022, 1:16am

Honey credentials are fake and cannot be used to authenticate. They are simply there in memory as a trap. When used they alert.

If you’re referring to honey users, those id’s live in your AD and would have whichever password you set.