ioc[.]one - OSINT Cyber Threat Intelligence Database

Using Windows File Auditing to Detect Honeyfile Access

Tags

attack-pattern:

Data Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Server - T1583.004 Server - T1584.004 Powershell - T1086

Show in Graph

Common Information

Type	Value
UUID	fa845a40-d698-4186-b22b-ad6556b3a3a7
Fingerprint	3c184b7fada5de05
Analysis status	DONE
Considered CTI value	0
Text language
Published	July 7, 2017, midnight
Added to db	Jan. 18, 2023, 9:56 p.m.
Last updated	Nov. 18, 2024, 1:38 a.m.
Headline	Using Windows File Auditing to Detect Honeyfile Access
Title	Using Windows File Auditing to Detect Honeyfile Access
Detected Hints/Tags/Attributes	42/1/11

Source URLs

	Redirection	Url
Details	Source	https://labs.mwrinfosecurity.com/blog/using-windows-file-auditing-to-detect-honeyfile-access/

URL Provider

Details	Provider	Source level domain
Details	mwrinfosecurity.com	labs.mwrinfosecurity.com

Attributes

Details	Type	#Events	CTI	Value
Details	Domain	18		www.rt.com
Details	Domain	212		technet.microsoft.com
Details	Domain	281		docs.microsoft.com
Details	Domain	201		msdn.microsoft.com
Details	File	1		honeyfile.txt
Details	File	23		searchprotocolhost.exe
Details	File	1209		powershell.exe
Details	Url	1		https://www.rt.com/news/386433-wikileaks-cia-scribbles-microsoft-office
Details	Url	1		https://technet.microsoft.com/en-us/library/dn319078(v=ws.11).aspx
Details	Url	1		https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor.
Details	Url	1		https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx