Honey Credentials

Has anyone enabled the Honey Credentials feature in their environment? I’m wondering how concerned I should be before enabling it on our production servers (skipping test). Any false positives by your EDR?

With honeycreds enabled, honeyhashx86.exe process runs on all systems. I have had Crowdstrike balk at it running in the past. Was able to put an exception in place and haven’t seen an issue since.

We have Honey Credentials enabled on all systems without any impact by either our old Sophos InterceptX nor our new Palo Alto Cortex XDR so that should not cause any issues I would say.

Will see honeyhashx86.exe running in process but has never been brought up or alarmed anybody in our Org., and they normally get upset about anything they can.

We run Carbon Black EDR, no exceptions were needed. We only had 1 person notice the running process out of 1000 users.

I enabled Honey Credentials about two weeks ago with no reports of issues. They really should have a way to test this on a group of assets vs all or nothing.
I did have one issue with testing the alerts involving the honey credentials. I was not able to get IDR to alert during a pass-the-hash attack test. I ended up creating a custom alert that will trigger with any activity around the account which seems to solved the problem.