This is a logon script used to detect the theft of credentials by tools such as Mimikatz
Latest commit 7af9008 (May 7, 2015) by SMAPPER: "Includes EventID 4624" - Updated to include EventID 4624 in case a real domain user account is used.
Type Name Latest commit message Commit time
.gitattributes 🎊 Added .gitattributes & .gitignore files May 5, 2015
.gitignore 🎊 Added .gitattributes & .gitignore files May 5, 2015
README.md Update README.md May 7, 2015
logon_script.au3 Updated May 7, 2015
logon_script.exe Updated May 7, 2015
powershell_alert.ps1 Includes EventID 4624 May 7, 2015
runme.au3 No window May 6, 2015
runme.exe No window May 6, 2015

README.md

MimikatzHoneyToken

This is a logon script used to detect the theft of credentials by tools such as Mimikatz. It is an AutoIt logon script that launches cmd.exe as a fake user account (via runas /netonly, so the fake credentials are cached in memory on the host). It is intended to be run as a logon script on Windows systems.

Concept for using runas with /netonly came from Mark Baggett's blog on "Detecting Mimikatz Use On Your Network" found at https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311.

When an attacker runs a tool such as Mimikatz against a system running this script, they will see the fake account and hopefully attempt to use it to gain access to other machines on the network. This lets defenders catch the attempt by looking for the fake account with an IDS or by looking for failed logon attempts in the Windows event logs.

Recommendations:

  • Create IDS rules looking for traffic using the fake user and password. Also, consider creating IDS rules looking for the NTLM hash of the fake user.
  • Create log alarms looking for failed logon attempts from this user account.
  • Use something similar to the PowerShell script (found in the repository) to send email alerts.

Check out the wiki for more information on how to use: https://github.com/SMAPPER/MimikatzHoneyToken/wiki

This solution works best if you set up alerts on Event ID 4625 (an account failed to log on).

For example, forward Event ID 4625 to a Windows server and use PowerShell to look for the "fake" account. If found, send an email or kick off some other action.
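A collector-side alert in the spirit of the recommendations above, as an added example (not the repository's own powershell_alert.ps1); it assumes the forwarded events land in the Security log of the host it runs on, and the honey account name, SMTP server and mail addresses are hypothetical placeholders:

```powershell
# Added example, not the repository's script. Poll the Security log for 4625 (failed
# logon) and 4624 (successful logon, in case the fake account is a real domain account)
# events whose TargetUserName is the honey account, then e-mail an alert for each.
$HoneyUser  = 'svc_backup_honey'        # hypothetical: the fake account the logon script uses
$SmtpServer = 'smtp.example.internal'   # hypothetical mail relay
$From       = 'honeytoken@example.internal'
$To         = 'soc@example.internal'
$LookBack   = (Get-Date).AddMinutes(-5)  # run from a 5-minute scheduled task

# Filter on the event log side so we never enumerate every logon event on the collector.
$xpath = @"
*[System[(EventID=4624 or EventID=4625)]]
 and
*[EventData[Data[@Name='TargetUserName']='$HoneyUser']]
"@

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
          Where-Object { $_.TimeCreated -ge $LookBack }

foreach ($e in $events) {
    # Pull the named EventData fields (IpAddress, WorkstationName, LogonType ...) from the XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $kind = if ($e.Id -eq 4625) { 'FAILED logon' } else { 'SUCCESSFUL logon' }
    $body = @"
Honey token account '$HoneyUser' was used - nobody should ever log on with it.
Result      : $kind (EventID $($e.Id))
Time        : $($e.TimeCreated)
Source host : $($data['WorkstationName'])
Source IP   : $($data['IpAddress'])
Logon type  : $($data['LogonType'])
Target host : $($e.MachineName)
"@

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[HONEYTOKEN] $kind for $HoneyUser from $($data['IpAddress'])" -Body $body
}
```

Any hit is worth triaging: the honey account has no legitimate use, so a single 4625 or 4624 for it means someone harvested the credentials from a host running the logon script and tried them against the target host.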