BlueHive is HoneyPot User management tool built with the free open source community edition of Universal Dashboard by Ironman Software. This utility can be used to create and manage Honeypot user and service accounts via an interactive web dashboard.
WARNING: This project is intended to be used as a teaching tool for learning Universal Dashboard and the basic concepts of Active Directory Honey Pot Users - don't use this in your production :)
NOTE : Uses Names files from Seclists as data for the random user / account creation process.
- Create "Honey Pot" Users with randomized names / properties
- Service Accounts (with SPN)
- Target creation of an account on a specific domain / controller
- Dashboards showing status of deployed HoneyPot users
- Management of Honey Pot User (Add/Remove/Modify)
- Track History of Honey User Deployments
- One Click to Remove Honey Users from Active Directory
- Scheduling of Automatic Login for Accounts so they have AD login properties update to avoid obvious honeypot busting
Drawbacks / Issues
- Service Accounts will be BUSTED by HoneyPot Buster - I have not yet implemented a good way to update values like "lastlogontimestamp" to reduce the Fank Rank. NOTE - Currently working on implementing a Scheduled Endpoint, that will "Login" with specified accounts on a schedule.
- Data storage via json files on disk 🤷
- Only "half-way" supports multiple domains, needs some data management work needs to be completed
- "OtherName" of created token objects have value of 1337 - this is the identifier for a honey object used by this. Ideally accounts would be independently tracked outside of such a value.
- Many more values in the Ad Objects COULD be populated but are not.
- Some... LESS THAN efficient powershell scripting ;)
- SETUP - Populate your own environmental variables in the "start.ps1" script. Specifically the folowing variables:
$DomainControllerFQDN- FQDN of the domain controller bluehive will interact with.
$BlueHiveFolderEX: 'C:\Users\lee\git\BlueHive' - Data Storage for Bluehive
$AutoLoginServerFQDN of servce where new powershell sessions will login with honey accounts (Honey accoutns must have login rights).
- Use the start script to connect to active directory and startup the dashboard.
- Open the "Domain Connection" page and initiate a new domain sync by specifying your domain name and clicking the "Sync" button.
- Verify Domain Information in the "Existing Domain Connection" Pane. **Note - at this point you should have domain data populated in your
- Use Deployment Page to deploy new Honey Account
- Use the Management Page to delete / edit Honey Accounts that have been deployed.
- Use the dashboard pages to management honey accounts and don't forget to check out the Logs folder for a good old fashion log file.