Table of Contents
Fetching ...

HoneyWin: High-Interaction Windows Honeypot in Enterprise Environment

Yan Lin Aung, Yee Loon Khoo, Davis Yang Zheng, Bryan Swee Duo, Sudipta Chattopadhyay, Jianying Zhou, Liming Lu, Weihan Goh

TL;DR

This work addresses the prevalence and risk of Windows-targeted threats in enterprise IT/OT environments by introducing HoneyWin, a scalable high-interaction Windows honeypot that mimics a real enterprise network. The system combines three Windows 11 endpoints with an enterprise gateway, extensive network capture, host logging, deceptive tokens, EDR, and real-time alerts, designed for rapid restoration and potential OT deployment. Validation includes targeted penetration testing and C2-like malware testing, demonstrating effective logging, detection, and alerting, while live 34-day deployment yields millions of interactions (e.g., $5.79\times10^{6}$ unsolicited connections) and concrete evidence of attacker engagement with decoys, including an SMTP brute-force operation via SSH. Collectively, HoneyWin provides actionable threat intelligence, enables end-to-end attack attribution, and offers a practical defense decoy that can be scaled and extended to critical OT networks in the future.

Abstract

Windows operating systems (OS) are ubiquitous in enterprise Information Technology (IT) and operational technology (OT) environments. Due to their widespread adoption and known vulnerabilities, they are often the primary targets of malware and ransomware attacks. With 93% of the ransomware targeting Windows-based systems, there is an urgent need for advanced defensive mechanisms to detect, analyze, and mitigate threats effectively. In this paper, we propose HoneyWin a high-interaction Windows honeypot that mimics an enterprise IT environment. The HoneyWin consists of three Windows 11 endpoints and an enterprise-grade gateway provisioned with comprehensive network traffic capturing, host-based logging, deceptive tokens, endpoint security and real-time alerts capabilities. The HoneyWin has been deployed live in the wild for 34 days and receives more than 5.79 million unsolicited connections, 1.24 million login attempts, 5 and 354 successful logins via remote desktop protocol (RDP) and secure shell (SSH) respectively. The adversary interacted with the deceptive token in one of the RDP sessions and exploited the public-facing endpoint to initiate the Simple Mail Transfer Protocol (SMTP) brute-force bot attack via SSH sessions. The adversary successfully harvested 1,250 SMTP credentials after attempting 151,179 credentials during the attack.

HoneyWin: High-Interaction Windows Honeypot in Enterprise Environment

TL;DR

This work addresses the prevalence and risk of Windows-targeted threats in enterprise IT/OT environments by introducing HoneyWin, a scalable high-interaction Windows honeypot that mimics a real enterprise network. The system combines three Windows 11 endpoints with an enterprise gateway, extensive network capture, host logging, deceptive tokens, EDR, and real-time alerts, designed for rapid restoration and potential OT deployment. Validation includes targeted penetration testing and C2-like malware testing, demonstrating effective logging, detection, and alerting, while live 34-day deployment yields millions of interactions (e.g., unsolicited connections) and concrete evidence of attacker engagement with decoys, including an SMTP brute-force operation via SSH. Collectively, HoneyWin provides actionable threat intelligence, enables end-to-end attack attribution, and offers a practical defense decoy that can be scaled and extended to critical OT networks in the future.

Abstract

Windows operating systems (OS) are ubiquitous in enterprise Information Technology (IT) and operational technology (OT) environments. Due to their widespread adoption and known vulnerabilities, they are often the primary targets of malware and ransomware attacks. With 93% of the ransomware targeting Windows-based systems, there is an urgent need for advanced defensive mechanisms to detect, analyze, and mitigate threats effectively. In this paper, we propose HoneyWin a high-interaction Windows honeypot that mimics an enterprise IT environment. The HoneyWin consists of three Windows 11 endpoints and an enterprise-grade gateway provisioned with comprehensive network traffic capturing, host-based logging, deceptive tokens, endpoint security and real-time alerts capabilities. The HoneyWin has been deployed live in the wild for 34 days and receives more than 5.79 million unsolicited connections, 1.24 million login attempts, 5 and 354 successful logins via remote desktop protocol (RDP) and secure shell (SSH) respectively. The adversary interacted with the deceptive token in one of the RDP sessions and exploited the public-facing endpoint to initiate the Simple Mail Transfer Protocol (SMTP) brute-force bot attack via SSH sessions. The adversary successfully harvested 1,250 SMTP credentials after attempting 151,179 credentials during the attack.
Paper Structure (17 sections, 7 figures, 5 tables, 1 algorithm)

This paper contains 17 sections, 7 figures, 5 tables, 1 algorithm.

Figures (7)

  • Figure 1: Windows-based Honeypots in Enterprise Environment
  • Figure 2: Analysis of Incoming Connections Received by G1 and E3
  • Figure 3: Connections to Open Ports of G1 and E3
  • Figure 4: Boxplot of Failed Login Attempts
  • Figure 5: Analysis of a Successful RDP Login & Deceptive Token Interaction by the Adversary
  • ...and 2 more figures