HoneyWin: High-Interaction Windows Honeypot in Enterprise Environment
Yan Lin Aung, Yee Loon Khoo, Davis Yang Zheng, Bryan Swee Duo, Sudipta Chattopadhyay, Jianying Zhou, Liming Lu, Weihan Goh
TL;DR
This work addresses the prevalence and risk of Windows-targeted threats in enterprise IT/OT environments by introducing HoneyWin, a scalable high-interaction Windows honeypot that mimics a real enterprise network. The system combines three Windows 11 endpoints with an enterprise gateway, extensive network capture, host logging, deceptive tokens, EDR, and real-time alerts, designed for rapid restoration and potential OT deployment. Validation includes targeted penetration testing and C2-like malware testing, demonstrating effective logging, detection, and alerting, while live 34-day deployment yields millions of interactions (e.g., $5.79\times10^{6}$ unsolicited connections) and concrete evidence of attacker engagement with decoys, including an SMTP brute-force operation via SSH. Collectively, HoneyWin provides actionable threat intelligence, enables end-to-end attack attribution, and offers a practical defense decoy that can be scaled and extended to critical OT networks in the future.
Abstract
Windows operating systems (OS) are ubiquitous in enterprise Information Technology (IT) and operational technology (OT) environments. Due to their widespread adoption and known vulnerabilities, they are often the primary targets of malware and ransomware attacks. With 93% of the ransomware targeting Windows-based systems, there is an urgent need for advanced defensive mechanisms to detect, analyze, and mitigate threats effectively. In this paper, we propose HoneyWin a high-interaction Windows honeypot that mimics an enterprise IT environment. The HoneyWin consists of three Windows 11 endpoints and an enterprise-grade gateway provisioned with comprehensive network traffic capturing, host-based logging, deceptive tokens, endpoint security and real-time alerts capabilities. The HoneyWin has been deployed live in the wild for 34 days and receives more than 5.79 million unsolicited connections, 1.24 million login attempts, 5 and 354 successful logins via remote desktop protocol (RDP) and secure shell (SSH) respectively. The adversary interacted with the deceptive token in one of the RDP sessions and exploited the public-facing endpoint to initiate the Simple Mail Transfer Protocol (SMTP) brute-force bot attack via SSH sessions. The adversary successfully harvested 1,250 SMTP credentials after attempting 151,179 credentials during the attack.
