HoneyWin: High-Interaction Windows Honeypot in Enterprise Environment
Yan Lin Aung, Yee Loon Khoo, Davis Yang Zheng, Bryan Swee Duo, Sudipta Chattopadhyay, Jianying Zhou, Liming Lu, Weihan Goh

TL;DR
HoneyWin is a high-interaction Windows honeypot that mimics an enterprise IT environment; during a 34-day live deployment it captured and logged millions of unsolicited connections and login attempts against Windows 11 endpoints, along with harvested credentials.
Contribution
The paper introduces HoneyWin, a high-interaction Windows honeypot built from three Windows 11 endpoints behind an enterprise-grade gateway, equipped with network traffic capture, host-based logging, deceptive tokens, endpoint security and real-time alerting, and deploys it in the wild to study attacker behaviour.
Findings
Captured over 5.79 million unsolicited connections
Detected 1.24 million login attempts
Harvested 1,250 SMTP credentials
Abstract
Windows operating systems (OS) are ubiquitous in enterprise Information Technology (IT) and operational technology (OT) environments. Due to their widespread adoption and known vulnerabilities, they are often the primary targets of malware and ransomware attacks. With 93% of ransomware targeting Windows-based systems, there is an urgent need for advanced defensive mechanisms to detect, analyze, and mitigate threats effectively. In this paper, we propose HoneyWin, a high-interaction Windows honeypot that mimics an enterprise IT environment. HoneyWin consists of three Windows 11 endpoints and an enterprise-grade gateway provisioned with comprehensive network traffic capture, host-based logging, deceptive tokens, endpoint security and real-time alerting capabilities. HoneyWin has been deployed live in the wild for 34 days and received more than 5.79 million unsolicited…
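The abstract names host-based logging, deceptive tokens and real-time alerts as components of the honeypot but, in the text available here, does not show how those pieces combine. The following is an added example, not HoneyWin's own code or the paper's method, of the kind of alerting logic such a honeypot would run over its Windows Security log: it parses constructed records in the shape of Event ID 4625 (failed logon) and 4624 (successful logon), flags sources that exceed a failed-logon threshold, and flags any use of a planted honeytoken account. The honeytoken account names, threshold, IP addresses, the `key=value` record layout and the sample log lines are all assumptions constructed for this example.

```python
"""Added example (not HoneyWin's code): honeypot logon-log alerting.

Ingests constructed Windows Security records shaped like Event ID 4625
(failed logon) / 4624 (successful logon) and raises alerts for
brute-force or password-spray sources and for any use of a planted
honeytoken credential. Record format, account names, IPs and threshold
are assumptions made for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: the honeypot's "deceptive tokens" include planted credentials
# for accounts like these. Nothing legitimate should ever touch them, so any
# use, successful or not, is a high-signal indicator.
HONEYTOKEN_USERS = {"svc_backup_legacy", "sqladmin_ro"}
FAILED_LOGON_THRESHOLD = 5   # assumed tuning value
SPRAY_DISTINCT_USERS = 3     # failures across >= this many users = spraying


@dataclass(frozen=True)
class LogonEvent:
    event_id: int      # 4624 = success, 4625 = failure
    user: str          # TargetUserName
    src_ip: str        # IpAddress
    logon_type: int    # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' record, e.g.
    'EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=3'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(int(fields["EventID"]), fields["TargetUserName"],
                      fields["IpAddress"], int(fields["LogonType"]))


def analyse(lines):
    """Return (alerts, stats).

    alerts: list of (kind, detail) tuples in detection order.
    stats:  counts a honeypot operator would report.
    """
    events = [parse_event(l) for l in lines if l.strip()]

    failed_by_src = Counter(e.src_ip for e in events if e.event_id == 4625)
    users_by_src = defaultdict(set)
    for e in events:
        if e.event_id == 4625:
            users_by_src[e.src_ip].add(e.user)

    alerts = []
    # Volume-based: one source hammering one account vs. many accounts.
    for ip, n in failed_by_src.items():
        if n >= FAILED_LOGON_THRESHOLD:
            distinct = len(users_by_src[ip])
            kind = "password_spray" if distinct >= SPRAY_DISTINCT_USERS else "brute_force"
            alerts.append((kind, f"{ip} failed {n} logons across {distinct} users"))

    # Token-based: a planted credential was used at all (4624 or 4625).
    for e in events:
        if e.user in HONEYTOKEN_USERS:
            alerts.append(("honeytoken_use",
                           f"{e.user} from {e.src_ip} (event {e.event_id}, "
                           f"logon type {e.logon_type})"))

    stats = {"total_logon_attempts": len(events),
             "failed": sum(failed_by_src.values())}
    return alerts, stats


# Constructed sample log (not real HoneyWin data); documentation IP ranges.
SAMPLE_LOG = """
EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=3
EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=3
EventID=4625 TargetUserName=user IpAddress=203.0.113.7 LogonType=3
EventID=4625 TargetUserName=test IpAddress=203.0.113.7 LogonType=3
EventID=4625 TargetUserName=guest IpAddress=203.0.113.7 LogonType=3
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9 LogonType=10
EventID=4625 TargetUserName=administrator IpAddress=198.51.100.9 LogonType=10
EventID=4624 TargetUserName=svc_backup_legacy IpAddress=198.51.100.9 LogonType=3
EventID=4625 TargetUserName=jdoe IpAddress=192.0.2.44 LogonType=3
"""

if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG.splitlines())
    print(counts)
    for kind, detail in found:
        print(f"ALERT {kind}: {detail}")
```

Two design points carry over to a real deployment. The honeytoken check deliberately fires on a failed logon as well as a successful one: an attacker who has exfiltrated the planted credential may mistype or replay it against the wrong host, and the leak is the finding. The spray/brute-force split keys on distinct target accounts per source because a spray that stays under a per-account lockout threshold still produces an obvious per-source signal in the honeypot's own log.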
