New-HoneyHash - Empire Module

This page contains detailed information about how to use the powershell/management/honeyhash Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: New-HoneyHash
Module: powershell/management/honeyhash
Source code [1]: empire/server/modules/powershell/management/honeyhash.yaml
Source code [2]: empire/server/data/module_source/management/New-HoneyHash.ps1
MITRE ATT&CK: T1177
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: No

The honeyhash module injects artificial credentials into LSASS.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the honeyhash module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the honeyhash module:

Agent
Agent to run module on.

Domain
Specifies the fake domain.

Password
Specifies the fake password.

UserName
Specifies the fake user name.

Honeyhash Example Usage

---

Here's an example of how to use the honeyhash module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/management/honeyhash

 Author       @mattifestation                                                        
 Background   False                                                                  
 Comments     https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/1931 
              1/                                                                     
 Description  Inject artificial credentials into LSASS.                              
 Language     powershell                                                             
 Name         powershell/management/honeyhash                                        
 NeedsAdmin   True                                                                   
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1177                               


,Record Options----,----------,-------------------------------,
| Name     | Value | Required | Description                   |
|----------|-------|----------|-------------------------------|
| Agent    |       | True     | Agent to run module on.       |
|----------|-------|----------|-------------------------------|
| Domain   |       | True     | Specifies the fake domain.    |
|----------|-------|----------|-------------------------------|
| Password |       | True     | Specifies the fake password.  |
|----------|-------|----------|-------------------------------|
| UserName |       | True     | Specifies the fake user name. |
'----------'-------'----------'-------------------------------'

(Empire: usemodule/powershell/management/honeyhash) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/management/honeyhash) > set Domain local.corp
[*] Set Domain to local.corp
(Empire: usemodule/powershell/management/honeyhash) > set Password Password123
[*] Set Password to Password123
(Empire: usemodule/powershell/management/honeyhash) > set UserName user
[*] Set UserName to user
(Empire: usemodule/powershell/management/honeyhash) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @mattifestation

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/management/honeyhash.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/management/New-HoneyHash.ps1
• https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/
• http://attack.mitre.org/techniques/T1177

See Also

---

Check also the following modules related to this module:

• powershell/management/timestomp
• powershell/management/spawnas
• powershell/management/zipfolder
• powershell/management/switch_listener
• powershell/management/start-processasuser
• powershell/management/invoke_script
• powershell/management/invoke_sharpchisel
• powershell/management/get_domain_sid
• powershell/management/enable_multi_rdp
• powershell/management/enable_rdp
• powershell/management/reflective_inject
• powershell/management/shinject
• powershell/management/lock
• powershell/management/sid_to_user
• powershell/management/psinject
• powershell/management/spawn
• powershell/management/phant0m
• powershell/management/disable_rdp
• powershell/management/user_to_sid
• powershell/management/wdigest_downgrade
• powershell/management/runas
• powershell/management/downgrade_account
• powershell/management/vnc
• powershell/management/powercat
• powershell/management/logoff
• powershell/management/invoke_socksproxy
• powershell/management/restart
• powershell/management/mailraider/get_subfolders
• powershell/management/mailraider/mail_search
• powershell/management/mailraider/send_mail
• powershell/management/mailraider/view_email
• powershell/management/mailraider/search_gal
• powershell/management/mailraider/get_emailitems
• powershell/management/mailraider/disable_security

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.