Lessons Learned

Lesson 3 - Detection Reality

People and honeytokens are THE BEST detective tools you have.

Go buy a Thinkst Canary; they detect me more often than any multi-million-dollar EDR. Period.

Let me clarify something quickly before I get roasted. I am not saying that EDR (Endpoint Detection and Response) agents don't have a place; it's just that they have taken over from anti-virus as the tool that is mostly preventative and response-oriented. Do EDRs detect things? Sure, but in my pentesting and red teaming experience they rarely catch any of the actions I take outside of touching LSASS. Which, to be fair, is what a lot of malware and APT actors do. But it won't stay that way, and Sysmon is free :P

One more clarifying statement. I have no affiliation with Thinkst other than knowing Haroon Meer through Twitter and having met him once or twice in person; super amazing dude, I think the world of him. I truly think the Canary as a concept is one of the best detective tools we have. If you don't have fake accounts, computers, and configurations that look vulnerable mixed in with your population of systems, you are missing out.

Finally, let's get to the meat of this lesson. Back in 2018 I made this statement:

System administrators usually know their systems very well. With the move to DevOps, I’m not sure if that is decreasing because systems are more transitory or the monitoring systems have kept pace or improved because of it. But, as a pentester / red teamer I have been caught more times by system administrators than any tool security operations has put in place. I did a talk back in 2014 called “Attacker Ghost Stories” [slides] about exactly this and all of the ways system administrators put tricks and traps in place to catch attackers like me.

What are these tricks? Just to name a few:

  • Trap: Create a domain administrator account with logon hours all denied, and alert on any attempt to log on with that user, not just to a log server but straight to PagerDuty. Put the account's current, real password in its description field. No one should EVER use this account.
    • Benefit: It's too hard to pass up, and logon hours aren't something attackers commonly check in a user's attributes, so the logon will fail (and it fails as a logon-hours restriction rather than a bad password, so the credential still looks real to the attacker) while you get a near-instant, high-fidelity alert of malicious activity on your network.
    • Alternative: Have an account that is Kerberoastable (give it an SPN) with a very weak password but no permission to log on anywhere (restrict its "Log On To" workstation list, the userWorkstations attribute, to a computer that no longer exists). Less risk that an attacker will find a way to use the account, and still a high-fidelity alert (just not as juicy a bait).
  • Trap: A fake login portal that looks like a corporate VPN or OWA server. This is a very easy way to identify credentials that were already stolen from your organization some other way.
    • Benefit: An attacker will try to validate credentials they have stolen elsewhere, and every submission to the fake portal is both an alert and a list of credentials to reset.
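The two Active Directory traps above (the never-allowed Domain Admin decoy and the Kerberoastable alternative), as an added example that is not code from the original post. It assumes RSAT/the ActiveDirectory module on a domain controller; the account names, OU, SPN, passwords and the decommissioned workstation name are all made up. The detection function at the end has to run on each DC (4768/4769/4771 only exist there) or against forwarded logs.

```powershell
# Added example, not from the original post. Names, OU, SPN, passwords and the
# "decommissioned" workstation are assumptions; run in a lab first.
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot
$DecoyOU = "OU=Service Accounts,$((Get-ADDomain).DistinguishedName)"   # assumed OU

# --- Trap 1: Domain Admin decoy that can never log on -------------------------
$DaDecoy = 'svc-backupadm'                                  # assumed name
$DaPass  = 'Backups2019!'                                   # the real password, deliberately plausible
New-ADUser -Name $DaDecoy -SamAccountName $DaDecoy `
    -UserPrincipalName "$DaDecoy@$Domain" -Path $DecoyOU `
    -AccountPassword (ConvertTo-SecureString $DaPass -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true `
    -Description "Veeam backup admin - pw: $DaPass"         # the bait: password in the description
# logonHours is 21 bytes = 168 hour bits; all zero means "never permitted".
# The password still validates, so the attacker sees 4625 with SubStatus
# 0xC000006F (STATUS_INVALID_LOGON_HOURS) or a 4768 with result 0x12,
# not "wrong password", and the credential keeps looking real.
Set-ADUser -Identity $DaDecoy -Replace @{ logonHours = (New-Object byte[] 21) }
# Only now make it a DA: the hours restriction must be in place first.
Add-ADGroupMember -Identity 'Domain Admins' -Members $DaDecoy

# --- Trap 2 (alternative): Kerberoastable account with nowhere to log on ------
$RoastDecoy = 'svc-sqlrpt'                                  # assumed name
New-ADUser -Name $RoastDecoy -SamAccountName $RoastDecoy `
    -UserPrincipalName "$RoastDecoy@$Domain" -Path $DecoyOU `
    -AccountPassword (ConvertTo-SecureString 'Summer2018' -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true `
    -Description 'SQL reporting service (legacy)'
# An SPN makes the account roastable. The KDC issues a service ticket for it
# regardless of where the account itself may log on, so the offline crack
# succeeds but the recovered password is useless for an actual logon.
Set-ADUser -Identity $RoastDecoy -ServicePrincipalNames @{ Add = "MSSQLSvc/sqlrpt01.$Domain:1433" }
# userWorkstations ("Log On To") restricted to a machine that no longer exists.
Set-ADUser -Identity $RoastDecoy -LogonWorkstations 'DECOM-SQLRPT01'     # assumed name

# --- Detection: any event that names a decoy is an alert ----------------------
function Find-DecoyTouch {
    param([string[]]$Decoys = @($DaDecoy, $RoastDecoy), [int]$Minutes = 5)
    $filter = @{
        LogName   = 'Security'
        Id        = 4625, 4768, 4769, 4771, 4776
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4625/4768/4771/4776 name the account in TargetUserName; a 4769
        # produced by a Kerberoast names the *service* account in ServiceName.
        $touched = $Decoys | Where-Object {
            $d['TargetUserName'] -eq $_ -or $d['ServiceName'] -eq $_
        }
        if ($touched) {
            $src = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
            $status = if ($d['SubStatus']) { $d['SubStatus'] } else { $d['Status'] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Decoy   = ($touched -join ',')
                Source  = $src
                Status  = $status                       # 0xC000006F / 0x12 = the hours trap fired
                EncType = $d['TicketEncryptionType']    # 0x17 (RC4) on a 4769 = classic Kerberoast
            }
        }
    }
}

Find-DecoyTouch | Format-Table -AutoSize
```

Schedule `Find-DecoyTouch` every few minutes and pipe anything it returns to whatever actually pages someone; the whole point of the original trap is that the alert goes to PagerDuty, not to a log server nobody reads. Before adding the decoy to Domain Admins, confirm in a lab that a logon with the description password really fails with the logon-hours status and not with success.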

These are just two ideas. Go look at the slides for more, or check out OpenCanary - https://github.com/thinkst/opencanary - an open-source version you can start to play with, along with Canarytokens if you want even less setup - https://canarytokens.org/generate
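The fake login portal from the second trap, as an added example that is not code from the original post or from OpenCanary. It is a throwaway HTTP listener that serves a VPN-looking form, rejects every credential, and writes one log line per submission; the port, hostname and log path are assumptions, and TLS and a believable DNS name are left to you.

```powershell
# Added example, not from the original post. A decoy "VPN portal": accepts any
# username/password, always answers "invalid", logs every submission.
# Prefix, log path and page text are assumptions. HttpListener needs admin
# (or a URL ACL) for the prefix below.
Add-Type -AssemblyName System.Web           # for HttpUtility::ParseQueryString / HtmlEncode

$Prefix  = 'http://+:8080/'                 # assumed; front it with a name like vpn.corp.example
$LogPath = 'C:\ProgramData\decoy-portal.log' # assumed
$Page = @'
<html><head><title>Corporate VPN Portal</title></head><body>
<h2>Corporate SSL VPN</h2><p>{0}</p>
<form method="POST" action="/">
<input name="username" placeholder="Username"><br>
<input name="password" type="password" placeholder="Password"><br>
<input type="submit" value="Sign In"></form></body></html>
'@

function Write-DecoyHit {
    param([string]$User, [string]$Pass, [string]$Source, [string]$Agent)
    # Newlines stripped so an attacker cannot forge extra log lines.
    $clean = { param($s) ($s -replace '[\r\n]', ' ') }
    # One line per submission: this is what goes to the SIEM / pager. The
    # submitted password is kept so the real owner's credential can be reset.
    $line = '{0:o} decoy-portal source={1} user="{2}" pass="{3}" ua="{4}"' -f `
        (Get-Date), $Source, (& $clean $User), (& $clean $Pass), (& $clean $Agent)
    Add-Content -Path $LogPath -Value $line
    Write-Warning $line
}

$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($Prefix)
$listener.Start()
try {
    while ($listener.IsListening) {
        $ctx = $listener.GetContext()
        $req = $ctx.Request
        $msg = 'Please sign in with your domain credentials.'
        if ($req.HttpMethod -eq 'POST') {
            $body = [System.IO.StreamReader]::new($req.InputStream, $req.ContentEncoding).ReadToEnd()
            $form = [System.Web.HttpUtility]::ParseQueryString($body)
            Write-DecoyHit -User $form['username'] -Pass $form['password'] `
                -Source $req.RemoteEndPoint.Address.ToString() -Agent $req.UserAgent
            # Always fail: nothing here tells the attacker which credentials are valid.
            $msg = 'Invalid username or password.'
        }
        $html  = $Page -f [System.Web.HttpUtility]::HtmlEncode($msg)
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($html)
        $ctx.Response.ContentType     = 'text/html'
        $ctx.Response.ContentLength64 = $bytes.Length
        $ctx.Response.OutputStream.Write($bytes, 0, $bytes.Length)
        $ctx.Response.Close()
    }
} finally {
    $listener.Stop()
}
```

Because no legitimate user is ever told about this host, a single POST is a high-fidelity alert, and the logged username tells you whose real credential to reset. Keep the log file's permissions tight: it holds plaintext passwords that, by construction, are probably valid somewhere else in your organization.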

You don't have to use any of the Thinkst tools; for that matter, you don't need any of the new "Deception" vendors (barf) out there. Just sprinkle your network with bait of all kinds (ask your pentester, or look at which steps your last pentest report "found") and make fake things. It's set-it-and-forget-it, and way easier than implementing 500 security vendors to catch bad in every way possible.