Setting up Windows Honey Pot Shares

I recently set up a honeypot share on a Windows server. I put some very “interesting” files and directories in there (financial information, PII, etc.) and then enabled audit logging in Windows. There’s a very powerful but mostly unknown Windows tool called LogParser which can be used to query your System/Security event logs. It’s possible to write a script that will query your system security log every so often and look for requests to the honeypot. You can get very sophisticated using LogParser, a few hand-written scripts, and the Windows Task Scheduler.

  1. Create the honeypot file share.
  2. Create sexy files in the share: bank_statement.pdf, password_list.txt, 08taxes.pst, gmail.doc, megan13.jpg, etc.
  3. Enable audit logging on the shared folder.
  4. Install LogParser.
  5. Learn to use LogParser here: http://128.175.24.251/forensics/logparser.htm
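
A sketch of the periodic check described above, written as a PowerShell script that Task Scheduler can run every 15 minutes. This is an added example, not the author's script. It assumes the default LogParser 2.2 install path, a hypothetical honeypot folder name and alert file, and that file-access audit events are logged as event ID 4663 (Windows Vista / Server 2008 and later).

```powershell
# Added example: poll the Security log for honeypot access using LogParser.
# Assumed values (not from the original post): install path, folder marker, alert file.
# Run elevated; reading the Security log requires administrative rights.
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'
$Marker    = 'HoneyShare'                     # hypothetical folder name of the honeypot
$AlertLog  = 'C:\HoneypotAlerts\hits.csv'     # hypothetical alert file

# Event 4663 insertion strings (pipe-separated in the Strings field):
#   1 = user name, 2 = domain, 6 = object name, 8 = access list, 11 = process name
# TimeGenerated is local time, so the current time is converted before subtracting
# the 15-minute window (timestamps count from 0000-01-01 00:00).
$query = @"
SELECT TimeGenerated,
       EXTRACT_TOKEN(Strings, 2, '|')  AS Domain,
       EXTRACT_TOKEN(Strings, 1, '|')  AS UserName,
       EXTRACT_TOKEN(Strings, 6, '|')  AS ObjectName,
       EXTRACT_TOKEN(Strings, 8, '|')  AS AccessList,
       EXTRACT_TOKEN(Strings, 11, '|') AS ProcessName
FROM Security
WHERE EventID = 4663
  AND TimeGenerated >= SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()),
                           TIMESTAMP('0000-01-01 00:15', 'yyyy-MM-dd HH:mm'))
  AND EXTRACT_TOKEN(Strings, 6, '|') LIKE '%$Marker%'
"@
# Pass the query as a single-line argument.
$query = ($query -replace '\s+', ' ').Trim()

# CSV to stdout, no header row, no statistics: every non-empty line is one hit.
$lpArgs = @('-i:EVT', '-o:CSV', '-headers:OFF', '-q:ON', '-stats:OFF', $query)
$hits   = @(& $LogParser @lpArgs | Where-Object { $_ })
if ($LASTEXITCODE -ne 0) {
    throw "LogParser failed with exit code $LASTEXITCODE"
}

if ($hits.Count -gt 0) {
    # Make sure the alert folder exists, then append the new hits.
    $dir = Split-Path -Parent $AlertLog
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $hits | Add-Content -Path $AlertLog
    Write-Warning "$($hits.Count) honeypot access event(s) in the last 15 minutes"
}
```

Keep the scheduled interval equal to the query window so events are neither missed nor reported twice. Legitimate processes that touch the folder, such as backup or antivirus scans, will also appear in the results and can be excluded by ProcessName or UserName.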
