A honey file is a fake file placed on a network file share. Honey files are designed to detect attackers accessing, and potentially exfiltrating, data on your network. Attackers will often find a file share on a network, compress the contents of the share into an archive, and take the data away for offline analysis.
Because a honey file serves no legitimate purpose, nobody should ever access, modify, or move it. Any such attempt results in an alert.
Before you configure a honey file, complete the following procedure:
- Install the Insight Agent on the Windows server hosting a network file share.
- Enable the Audit Detailed File Share logging (if it is not already enabled). This can be configured in group policy or in the system's Local Security Policy.
- Create a new file in the desired location on the network file share. The file can be of any type, name, or content.
- Make note of the full path to the file.
- The files that will be configured as honey files must be located on a system running a Rapid7 Insight Agent. In this example, there are two files that will be used as "honey files."
- The alert for Honey File Access is only generated when these files are accessed from a network share. In this example, the HR folder has also been shared.
- You must now enable auditing, in either group policy or the Local Security Policy tool:
  - a. Select Advanced Audit Policy Configuration.
  - b. Select Object Access.
  - c. Open the properties for "Audit Detailed File Share."
  - d. Enable auditing for "Success and Failure."
  - e. Save this change.
- When you are done, Audit Detailed File Share should have both Success and Failure auditing enabled.
- From your InsightIDR homepage, select Settings on the left menu.
- Find and select Honey Files in the list. Click the Add a New Honey File button in the top right corner.
- A panel will appear. Enter the full local path to the file, as the Insight Agent would see it. Select the asset that you previously configured.
- Click Add.
Access the Honey File from across the network
Local access does not generate the Honey File Access alert.
Accessing the file through a hidden share also does not generate a Honey File Accessed alert.
Any other type of access to the honey files from the non-local network generates an alert.
- Navigate to the system that contains the honey file from across the network.
- Browse to the location of the honey file, and zip up the folder, which will trigger an alert.
The example below shows an intruder zipping a file from an HR folder.
- Access to the honey file generates Event ID 5145 in the Windows Security log of the system where the honey file(s) reside.
- You should get a Honey File Accessed alert after a few minutes in the InsightIDR Investigations timeline. The evidence for this alert includes the source user and asset.
- Open the investigation for the alert to view the alert Evidence.
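To confirm locally that the audit trail the alert depends on is being written, here is an added PowerShell example (not Rapid7's or InsightIDR's code) that enables the Audit Detailed File Share subcategory and then lists 5145 events that touched a honey file from a remote client. The honey file names and the share layout are assumed placeholders; adjust them to your own paths.

```powershell
# Added example, not Rapid7 code. Run from an elevated prompt on the file server
# that hosts the share and the Insight Agent.

# 1. Enable "Audit Detailed File Share" for Success and Failure. This is the same
#    setting as the Local Security Policy step above, applied with auditpol.
auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# 2. Honey file names as they appear in the 5145 RelativeTargetName field, i.e.
#    relative to the share root. Assumed placeholder values.
$HoneyFiles = @('salaries_2024.xlsx', 'Passwords.docx')

function Get-HoneyFileAccess {
    param(
        [string[]]$Names,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    # Event 5145: "A network share object was checked to see whether client can
    # be granted desired access." It carries the client IP, user, share and the
    # path relative to the share root.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5145; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $records = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SourceIp   = $d.IpAddress
            Share      = $d.ShareName
            Target     = $d.RelativeTargetName
            AccessMask = $d.AccessMask
        }
    }

    # Keep only honey files and only remote clients: as the steps above note,
    # local access to the file does not raise the InsightIDR alert.
    $records | Where-Object {
        ($Names -contains $_.Target) -and ($_.SourceIp -notin @('127.0.0.1', '::1'))
    }
}

Get-HoneyFileAccess -Names $HoneyFiles | Format-Table -AutoSize
```

If the function returns nothing after you zip the folder over the network, the audit subcategory or the file path in InsightIDR is the first thing to check.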