RSA 2016 Dell SecureWorks duo Joe Stewart and James Bettke have created a free honeypot loaded with fake domain credentials in a bid to help admins trap and block attackers.
The researchers built the Domain Controller Enticing Password Tripwire (DCEPT) tool designed to help organisations unmask hackers and shore up defences ahead of attacks.
Windows Active Directory credentials are among the most common and handy tools in an attacker's arsenal and the pair hope to foil those who access them with the tool.
Network administrators often use domain administrator accounts to access network computers. If any of those machines are compromised, attackers can swipe the credentials stored in cache using tools like Mimikatz.
"With this information, the attacker gains total control of the network," the pair say.
"These types of attacks can potentially terminate a company’s ability to do business.
"Espionage or advanced-persistent-threat-style attacks have used this technique for years to compromise networks and steal protected data."
The pair say the method is as common as it is effective, and has led to fleets of computers being permanently destroyed.
"Even with reliable and recent data backups, the manpower it would take to restore an entire enterprise network is daunting."
Stewart and Bettke, both seasoned forensic investigators, say solutions that identify anomalies are expensive and must be trained to capture normal behaviour.
The DCEPT tool launched at the RSA San Francisco conference last week will identify what credential or honeytoken was stolen and from which machine.
It sports an agent that drops honeytoken passwords into memory on endpoints, a network service that generates unique honeytokens at the request of an agent, and a sniffer service that looks at network traffic for signs that credentials are being stolen.
The tool can be downloaded from GitHub and is available as a Docker container. ®