Setting up Windows Honey Pot Shares

Posted on 12-Sep-2009 by .

I recently setup a honeypot share on a Windows server.  I put some very “interesting” files and directories in there (financial information, PII etc) and then enabled audit logging in Windows.  There’s a very powerful but mostly unknown Windows tool called LogParser which can be used to query your System/Security event logs.  It’s possible to write a script that will query your system security log every so often and look for requests to the honey pot.  You can get very sophisticated using LogParser, a few hand written scripts, and the Windows Task Scheduler.

  1. Create the honeypot file share.
  2. Create sexy files in the share: bank_statement.pdf, password_list.txt, 08taxes.pst, gmail.doc, megan13.jpg, etc….
  3. Enable audit logging on shared folder.
  4. Install LogParser.
  5. Learn to use LogParser here: http://128.175.24.251/forensics/logparser.htm
This entry was posted in microsoft, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>