Honeypots
Kippo, Cowrie, Dockpot, HonSSH
Honeypot Detection
User/service accounts
A user that has a lastLogon date of 0 is most likely a honeypot.
```powershell
Get-ADUser <username> -Properties lastLogon | fl Name,lastLogon
```
Other properties that are suspicious when 0: logonCount, pwdLastSet, badPwdCount. When the account is also in the "Domain Admins" group, it is a honeypot for sure.
Very recently created accounts also look suspicious.
Computers
A computer that has a lastLogon date of 0 is most likely a honeypot.
A real domain-joined machine cannot have a lastLogon of 0: a computer account with lastLogon 0 never opened a secure channel to a domain controller, so it never actually joined the domain.
```powershell
Get-ADComputer -Filter * -Properties lastLogon | ft Name,lastLogon
```
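The two checks above, turned around into a defender's audit: the following is an added example (not from the original notes, and not from the referenced talk) that a team running decoy users or computers can use to see which of its decoys fail exactly these tests, so they can be made plausible before an intruder spots them. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to user and computer attributes; the function name `Get-DecoyIndicators`, its parameters and the `RecentDays` threshold are this example's own choices, and "Domain Admins" is the default built-in group name. One caveat the one-liners hide: lastLogon is a non-replicated attribute, so a single DC can report 0 for an account that has only ever authenticated against another DC. The example therefore asks every DC and keeps the largest value, and only reports an object when the lastLogon it saw everywhere is 0 or the object is very recently created, listing the corroborating attributes alongside.

```powershell
# Added example; not the original page's code. Requires the RSAT ActiveDirectory
# module and an account that can read user/computer attributes on every DC.
Import-Module ActiveDirectory

function Get-DecoyIndicators {
    [CmdletBinding()]
    param(
        # Objects created within this many days are flagged as "very recent" (assumed threshold).
        [int]$RecentDays = 30,
        # lastLogon is NOT replicated: each DC stores its own copy, so query all of them
        # and keep the largest value; a single DC would yield false positives.
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName)
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $daDN   = (Get-ADGroup 'Domain Admins').DistinguishedName   # built-in group
    $props  = 'lastLogon','logonCount','pwdLastSet','badPwdCount','whenCreated','memberOf'

    foreach ($type in 'User','Computer') {
        $maxLogon = @{}   # SamAccountName -> largest lastLogon seen on any DC
        $objects  = @{}   # SamAccountName -> object (the other attributes replicate)

        foreach ($dc in $DomainControllers) {
            $found = if ($type -eq 'User') { Get-ADUser     -Server $dc -Filter * -Properties $props }
                     else                  { Get-ADComputer -Server $dc -Filter * -Properties $props }
            foreach ($o in $found) {
                $v = [int64]$o.lastLogon   # an unset attribute ($null) casts to 0
                if (-not $objects.ContainsKey($o.SamAccountName)) { $objects[$o.SamAccountName] = $o }
                if (-not $maxLogon.ContainsKey($o.SamAccountName) -or $v -gt $maxLogon[$o.SamAccountName]) {
                    $maxLogon[$o.SamAccountName] = $v
                }
            }
        }

        foreach ($name in $objects.Keys) {
            $o       = $objects[$name]
            $never   = ($maxLogon[$name] -eq 0)
            $recent  = ($o.whenCreated -gt $cutoff)
            if (-not ($never -or $recent)) { continue }   # primary indicators only

            # Corroborating attributes from the notes above; on their own these are noisy.
            $reasons = @()
            if ($never)                       { $reasons += 'lastLogon=0 on every DC' }
            if ($recent)                      { $reasons += "created $($o.whenCreated.ToString('yyyy-MM-dd'))" }
            if ([int64]$o.logonCount  -eq 0)  { $reasons += 'logonCount=0' }
            if ([int64]$o.pwdLastSet  -eq 0)  { $reasons += 'pwdLastSet=0' }
            if ([int64]$o.badPwdCount -eq 0)  { $reasons += 'badPwdCount=0' }

            [pscustomobject]@{
                Type        = $type
                Name        = $name
                DomainAdmin = [bool]($o.memberOf -contains $daDN)   # direct membership only; nesting not resolved
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Usage: highest-value decoys (the ones in Domain Admins) first.
Get-DecoyIndicators -RecentDays 30 | Sort-Object DomainAdmin -Descending | Format-Table -AutoSize
```

Every object the function returns is one that would pass the page's honeypot test from an attacker's chair. For a decoy that is meant to stay believable, the fix is to make the attributes look lived-in: authenticate with it at least once against a DC so lastLogon and logonCount move off 0, set a real password so pwdLastSet is populated, and keep it out of "Domain Admins" unless the decoy is deliberately meant to be found quickly. For computer decoys, actually joining a (throwaway) host to the domain is the only thing that produces a genuine secure-channel lastLogon.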
Reference
- Hunting Honey Pots: When Never Logged In Means Everything (Charles Hamilton)