I have just implemented a Honeypot asset in our network a few weeks ago.
Since implementation we are getting discovery responses from only 1 workstation every few days /weeks.
The alert looks something like this:
This content was sent to the honeypot from over UDP port 45769.
A few notable things about these alerts:
- It is always trying connection on UDP port 45769
- The DeviceID is always the same (my thought is that this is a unique ID for this workstation)
- The detection is always during the morning (probably at the startup of the workstation)
Because of the fact that the alert is not on a daily base, I am looking for tips on how to troubleshoot what could be the source on the workstation creating these alerts.
So here is what I found useful when investigating HP alerts:
- Identify the asset(s) causing the alert
- Identify the port(s) that the asset is tickling the HP on
- Look at the asset’s info page in InsightIDR (hopefully there is an agent installed) and review the processes found running on the asset
- Identify any processes that belong to programs on that asset that might run forms of network scans or network marking, etc.
- After I’ve identified any of the programs, do some quick OSINT and see if any of them utilize the port used that was in the HP alert
We’ve had vulnerability scans and certificate scans trigger the honeypot in the past. We have an “Alert modification” rule to exclude the vuln scanner server for honeypot activity.
Hello @SDavis ,
Thank you for your clear answer.
I have found the cause of this behavior by further investigating the troubling asset.
After removing Daemon Tools from the asset, the connections to the Honeypot stopped when rebooting the asset.
It seems as if Daemon Tools was doing a sort of network discovery at the startup of the software. No idea why a mounting tool like Daemon Tools would show this behavior, but I am glad I have found the culprit.
I seem to recall Daemon Tools doing this for another individual I’ve talked with before…not sure why it does this either, but looks like I’m going to be digging into some documentation to find out!! Regardless, I’m glad you were able to get this identified and addressed!