For birds that are up to date, we've introduced the ability to create fake user-sessions on Canaries to help lure potential attackers. Some attack tools look for hosts with active sessions as a way to escalate privileges. These fake sessions will indicate which users are logged in, and by using important accounts—such as admins—we make the Canary appear even more valuable, increasing the likelihood of an attacker engaging with it.
What does this look like to a potential attacker?
The fake user-sessions are stored as registry keys on the bird, and tools such as SharpHound can be used to read the remote/network registry of devices. Attackers can then import the dump into a tool such as BloodHound to view any "fake" user-sessions that the bird has. For example, with a Canary called "OFFICESHARE" and multiple user-sessions installed, they'll see:
Here BloodHound shows that the Canary has multiple sessions with High Value Target users (indicated by the diamond icon), so it looks like a more valuable target to the attacker.
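As an added example (not part of this documentation or the Canary product), the check below reads a SharpHound-style export and lists which high-value users each host advertises sessions for, so you can confirm that the decoy sessions on OFFICESHARE surface the way an attacker's BloodHound view would. The JSON field names assume the BloodHound v4 export layout (`users.json` / `computers.json`), and all SIDs, names and sessions are constructed sample data.

```python
import json

# Constructed sample data in the shape of SharpHound's users.json and
# computers.json exports (field names assumed; every value is invented).
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-2-3-500",
     "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL", "highvalue": True}},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
     "Properties": {"name": "BACKUPADMIN@CORP.LOCAL", "highvalue": True}},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-1200",
     "Properties": {"name": "JSMITH@CORP.LOCAL", "highvalue": False}},
]})
COMPUTERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-2-3-2001",
     "Properties": {"name": "OFFICESHARE.CORP.LOCAL"},   # the Canary
     "Sessions": {"Collected": True, "Results": [
         {"UserSID": "S-1-5-21-1-2-3-500", "ComputerSID": "S-1-5-21-1-2-3-2001"},
         {"UserSID": "S-1-5-21-1-2-3-1105", "ComputerSID": "S-1-5-21-1-2-3-2001"},
     ]}},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-2002",
     "Properties": {"name": "WS01.CORP.LOCAL"},          # an ordinary workstation
     "Sessions": {"Collected": True, "Results": [
         {"UserSID": "S-1-5-21-1-2-3-1200", "ComputerSID": "S-1-5-21-1-2-3-2002"},
     ]}},
]})


def high_value_sessions(users_json, computers_json):
    """Map each computer name to the sorted names of high-value users it
    advertises a session for, i.e. what BloodHound would draw as HasSession
    edges to diamond-marked users."""
    users = {u["ObjectIdentifier"]: u["Properties"]
             for u in json.loads(users_json)["data"]}
    result = {}
    for comp in json.loads(computers_json)["data"]:
        sessions = comp.get("Sessions", {}).get("Results", [])
        result[comp["Properties"]["name"]] = sorted(
            users[s["UserSID"]]["name"] for s in sessions
            if s["UserSID"] in users and users[s["UserSID"]].get("highvalue"))
    return result


def decoy_visible(canary_name, expected_users, users_json, computers_json):
    """True if every spoofed user you configured shows up as a high-value
    session on the Canary; False means the decoy is not being surfaced."""
    seen = high_value_sessions(users_json, computers_json).get(canary_name.upper(), [])
    return {u.upper() for u in expected_users} <= set(seen)
```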
Adding Fake User-Sessions
For Canaries joined to Active Directory, you can easily enable these fake sessions through the Windows File Share configuration by following these steps:
- Toggle "Simulate User-Sessions on Host" on and click "Create Fake User-Sessions" to begin the add workflow:
- Next, enter your AD domain credentials in order to fetch a list of potential users to spoof. (Domain Admin rights are not strictly required; a regular AD user account is sufficient here.)
- The Canary will now fetch a list of Domain users to select from, favouring accounts that are considered more desirable targets (or "High Value Targets"; more info here). This may take up to 30 seconds.
- Next, select a list of desired users to spoof/simulate from the dropdown box and click "Confirm Users":
- The add process will now be kicked off and may take up to 30 seconds to complete:
- Once added, the device will reboot to apply the config changes and you can simply click "Done" to close the workflow:
Removing Fake User-Sessions
For Canaries joined to Active Directory that already have fake sessions, you can remove all sessions from the bird through the Windows File Share configuration by following these steps:
- Click "Remove Fake User-Sessions", next to the list of current "Active Sessions" to enable the removal flow:
- Click "Yes, Start Remove Process" to confirm and remove all Spoofed AD User-Sessions from the target device:
- The removal process will now be kicked off and may take up to 30 seconds to complete:
- Once removed, the device will reboot to apply the config changes and you can simply click "Done" to close the workflow: