InsightIDR

Honey Files

A honey file is a decoy file placed on a network file share. Honey files are designed to detect attackers accessing, and potentially exfiltrating, data on your network. Attackers who find a file share will often compress its entire contents into an archive and take that archive away for offline analysis, touching every file in the share, including the decoy, in the process.

Because a honey file serves no legitimate purpose, no one should ever access, modify, or move it. Any such access over the network share results in an alert.

Before You Begin

Before you configure a honey file, complete the following procedure:

  1. Install the Insight Agent on the Windows server hosting a network file share.
  2. Enable Audit Detailed File Share auditing (if it is not already enabled). This can be configured in Group Policy or in the system's Local Security Policy.
  3. Create a new file in the desired location on the network file share. The file can be of any type, name, or content.
  4. Make note of the full path to the file.

Configure Honey Files on your System

  1. The files that will be configured as honey files must be located on a system running a Rapid7 Insight Agent. In this example, two files in an HR folder are used as honey files.
  2. The Honey File Access alert is only generated when these files are accessed through a network share. In this example, the HR folder has also been shared.
  3. Enable auditing in either Group Policy or the Local Security Policy tool:
    • a. Select Advanced Audit Policy Configuration.
    • b. Select Object Access.
    • c. Open the properties for "Audit Detailed File Share."
    • d. Enable auditing for "Success and Failure."
    • e. Save this change.
  4. When you are done with the changes, Audit Detailed File Share should have both Success and Failure auditing enabled.
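The following PowerShell, run from an elevated prompt on the file server, performs steps 2 to 4 of Before You Begin together with the sharing and auditing described above. It is an added example, not a script from the Rapid7 documentation. The folder D:\Shares\HR, the share name HR, the file name Salary_Review_2024.xlsx and the group Domain Users are placeholders chosen for the example.

```powershell
# Added example, not part of the Rapid7 documentation: prepare a honey file and
# the auditing it depends on, from an elevated PowerShell prompt on the file server.
# Assumptions (placeholders, change to suit): the folder D:\Shares\HR, the share
# name HR, the decoy file name Salary_Review_2024.xlsx and the group Domain Users.

$ShareRoot = 'D:\Shares\HR'
$ShareName = 'HR'
$HoneyFile = Join-Path $ShareRoot 'Salary_Review_2024.xlsx'

# 1. Create the folder and the decoy. InsightIDR places no restriction on type,
#    name or content; a name that fits the share is what draws attention to it.
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
Set-Content -Path $HoneyFile -Value 'CONFIDENTIAL - HR use only' -Encoding ASCII

# 2. Share the folder. The alert only fires for access through a share, so an
#    unshared honey file will never produce one.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot -ReadAccess 'Domain Users' | Out-Null
}

# 3. Turn on Audit Detailed File Share for Success and Failure. This subcategory
#    writes Security event 5145 for each network share object access, which is
#    the event the Insight Agent needs to see.
auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null

# 4. Confirm the effective setting. Expect "Success and Failure" in the output.
auditpol.exe /get /subcategory:"Detailed File Share"

# 5. Record the full local path exactly as the Insight Agent sees it; this is the
#    value entered under Settings > Honey Files in InsightIDR.
(Get-Item -Path $HoneyFile).FullName
```

Two caveats a practitioner should keep in mind: if audit policy on the server is managed by Group Policy, make the change there rather than with auditpol, because the local setting is overwritten at the next policy refresh; and Audit Detailed File Share logs one 5145 event per share object access, which on a busy file server is a large volume, so size the Security log and your log forwarding accordingly.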

Configure a Honey File in InsightIDR

  1. From your InsightIDR homepage, select Settings on the left menu.
  2. Find and select Honey Files in the list. Click the Add a New Honey File button in the top right corner.
  3. A panel will appear. Enter the full local path to the file, as the Insight Agent would see it. Select the asset that you previously configured.
  4. Click Add.
  You can add more than one honey file; repeat these steps for each additional file.

Test Your Honey Files

Access the Honey File from across the network

Only access that arrives over the network generates the alert. Opening the file through a local path on the server itself will not cause the Honey File Accessed alert to generate, because Windows only writes the share access audit event for network share access.

Additionally, accessing the file through a hidden share will not generate a Honey File Accessed alert.

Any other type of access to the honey file from a remote host through the share (opening, reading, copying, or compressing it) will generate an alert.

  1. Navigate to the system that contains the honey file from across the network.
  2. Browse to the location of the honey file, and zip up the folder, which will trigger an alert.

In this example, an intruder zips a file from the HR folder.

  1. The honey file access triggers an event in the Security log of the server where the honey file(s) reside, recorded as Event ID 5145 (A network share object was checked to see whether client can be granted desired access).
  2. After a few minutes, a Honey File Accessed alert appears in the InsightIDR Investigations timeline. The evidence for this alert includes the source user and asset.
  3. Open the investigation for the alert to view the alert Evidence.
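Before waiting for the InsightIDR alert, you can confirm on the file server that the test access actually produced the 5145 event, and see the same user and source details the alert evidence will carry. The script below is an added example, not part of the Rapid7 documentation. The share name HR, the file name Salary_Review_2024.xlsx and the server name FILESRV are placeholders; the event field names (ShareName, RelativeTargetName, SubjectUserName, IpAddress, AccessList) are the standard EventData fields of Windows Security event 5145.

```powershell
# Added example, not part of the Rapid7 documentation: confirm on the file server
# that the network access produced Security event 5145 for the honey file, and
# show who touched it from where. Assumptions (placeholders): share name HR and
# decoy file name Salary_Review_2024.xlsx. Run as an administrator, after
# triggering the access from another host, for example:
#   Compress-Archive -Path '\\FILESRV\HR\*' -DestinationPath "$env:TEMP\hr.zip"
# (FILESRV is a placeholder for the file server's name).

$ShareName = 'HR'
$HoneyName = 'Salary_Review_2024.xlsx'
# RelativeTargetName is the path inside the share; match the file name at the end
# of it so a honey file in a subfolder is also found.
$TargetPattern = '(^|\\)' + [regex]::Escape($HoneyName) + '$'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5145
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read EventData as XML; parsing the rendered Message text is locale-dependent.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = [string]$node.'#text' }

    # ShareName is recorded as \\*\HR; RelativeTargetName is relative to the share root.
    if ($d['ShareName'] -like "*\$ShareName" -and $d['RelativeTargetName'] -match $TargetPattern) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            SourceIP = $d['IpAddress']
            Share    = $d['ShareName']
            Target   = $d['RelativeTargetName']
            Access   = ($d['AccessList'] -replace '\s+', ' ').Trim()
            Outcome  = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Warning "No 5145 events for $HoneyName in the last hour. Check that Audit Detailed File Share is enabled and that the access came over the share, not through a local path."
}
```

If the script lists the access but no alert arrives, the gap is between the server and InsightIDR (agent not installed or not forwarding, or the honey file path entered in Settings does not match the local path on the server). If the script lists nothing, the event was never written: either auditing is not in effect or the access was local, which by design does not produce a 5145 event.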
