Windows Shared Folder honeypot configuration
Share folders can be created on any Windows computer and provide a simple and effective means for colleagues to collaborate and share files. Often valuable and sensitive information is contained in files that are placed on insecure file shares. It is for this reason that makes them a tempting target for attacks from inside the organization.
The honeypot principal of putting up a redundant resource on the network with no legitimate use, works especially well to detect this threat. By creating a shared folder on the honeypot machine and then monitoring connections to it KFSensor can detect these attacks with the following advantages:
- By using actual shared folders to monitor, these are indistinguishable from other legitimate shares to those browsing the Windows network.
- KFSensor makes use of Windows auditing to detect access to shared folders and files in real time and enabled information on the remote attacker's domain account and machine to be recorded.
- Access of shared folders results in numerous duplicate records in the event log as the same folder's contents are often repeatable checked. KFSensor de-duplicates these events automatically
- DOS limits can be adjusted for Windows share access to ensure the number of events can be limited. Worms can often repeatedly target the same shared folder generating a large number of events otherwise.
- KFSensor Visitor Rules and Signatures can be applied to shared folder access to enable custom processing. For example a signature can be defined to set the event priority to high if a remote user accesses the file called passwords.txt
Windows Shared Folder configuration steps
There are three parts to configuring KFSensor to monitor shared folders.
- By default KFSensor is configured to monitor file share access, unless this is disabled in the Windows Auditing settings dialog box.
- Windows auditing needs to be enabled in the local security policy. Configuring this is described in the section 'Windows Audit configuration'.
- At least one folder needs to be shared and made available to everyone on the network.
- Each shared folder needs to have auditing enabled. This is in addition to the general Windows auditing requirement mentioned in 2. Both have to be configured for this to work.
Setting up the standard KFSensor shared folder
In order to make setting up a shared folder and enabling its auditing as easy as possible, KFSensor contains a standard folder to share and a PowerShell script that will do the configuration automatically.
The KFSensor setup creates the directory 'C:\kfsensor\public_share', which contains one sample file called passwords.txt
- Ensure you are logged on with administrator access rights and start a command prompt. If running on Vista or later ensure you 'Run As administrator' to give the command prompt elevated rights.
- Enter the following command to run the script:
powershell.exe -ExecutionPolicy Unrestricted -File "C:\Program Files (x86)\KeyFocus\KFSensor\files\utils\configureshares.ps1"
After this script is run then the machine will have a new shared folder called public_share, with auditing enabled. The script will also attempt to enable auditing to any other shared folders on the system.
Configuring shares manually
The PowerShell script does not do anything that cannot be done manually. The following instructions are for Windows 7 and 8, but are similar to all versions of Windows.
- Create one or more folders that you wish to monitor and place in it suitable files that might appeal to an attacker.
- In File Explorer, right click on the folder and select Properties from the popup menu.
- From the Sharing tab, in the Properties dialog box, click on the Advanced Sharing button.
- In the Advanced Sharing dialog box, select the Share this folder checkbox and enter a suitable share name and description.
- Press the Permissions button and check that Everyone have been Allowed Read access. Press OK twice.
- From the Security tab, in the Properties dialog box, click on the Advanced Sharing button.
- From the Auditing tab, in the Advanced Security Settings dialog box, press Continue with admin privileges.
- Press the Add button and then enter 'Everyone' when asked to select a User (Windows 7), or a Principal (Windows 8)
- Select the 'Full Control' checkbox. Both Successful and Failed (Windows 7).
- Press OK three times and then Close.
Testing share configuration
- From another machine browse to the KFSensor computer in File Explorer and access the new file share and open one of the documents.
KFSensor should have detected this and generated a number on events with the WIN protocol and the name Detailed File Share.
- If no events have been recorded first check if events are appearing in the event viewer. Go to
Control Panel\System and Security\Administrative Tools\Event Viewer
Then go to the Windows Logs > Security section. There should be events with File System Task Category.
- If no events are being recorded then first check that auditing has been turned on for the shared folder by following the steps in the previous section.
After that check that Windows Audit configuration has been properly enabled and has not been overwritten by another Active Directory GPO.
KFSensor On-Line Manual Contents