
Ransomware operators hunt for leftover credentials (local administrator, auto-logon and sometimes domain accounts) to escalate privileges and maximize damage, and the `unattend.xml` answer files that imaging leaves behind are a standard stop on that tour. A simple deception technique turns the habit into a tripwire: plant a decoy `unattend.xml` holding fake credentials and alert the moment anything reads it.
How to Set Up a Canary File with Fake Credentials
Step 1: Create a Fake `unattend.xml` File
Place a decoy `unattend.xml` where credential-hunting tools and scripts look: C:\Windows\Panther\, C:\Windows\Panther\Unattend\, C:\Windows\System32\sysprep\, and deployment or imaging shares. Real files store the AutoLogon password either in clear text (`<PlainText>true</PlainText>`) or base64-encoded; both forms are plausible bait, and the clear-text form below is the simplest.

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Password>
          <Value>FAKE_PASSWORD_123!</Value>
          <PlainText>true</PlainText>
        </Password>
        <Username>fake_admin</Username>
        <Enabled>true</Enabled>
        <LogonCount>999</LogonCount>
      </AutoLogon>
    </component>
  </settings>
</unattend>
```
Step 2: Monitor Access Attempts
Reads of the decoy only reach the Security log as event 4663 if object-access auditing is on (auditpol subcategory "File System") and the file itself carries a SACL; neither is set by default. With that in place, query for the decoy's path (the XPath compares the logged path literally, so match its casing) and forward the hits to your SIEM (Splunk, ELK):

```powershell
# Check the Security log for 4663 (object accessed) events on the decoy file
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4663] and EventData[Data[@Name='ObjectName']='C:\Windows\Panther\unattend.xml']]"
```
Step 3: Deploy Honeytokens
Tools like Canary Tokens (https://canarytokens.org/) issue credentials that alert you the moment they are used. Pick the AWS-keys token, give it an alert e-mail and a memo recording where you planted it. The service issues the key pair itself; only a key that AWS actually recognises produces the API activity that triggers the alert, so do not substitute a made-up value such as FAKE_ACCESS_KEY. Drop the pair into a decoy `~/.aws/credentials` or a `config` file next to the other bait.
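Steps 1 and 2 as one script, added here as a worked example (this is not code from the original post): it writes the decoy, turns on the auditing that Step 2 silently depends on, and reads back the 4663 events with who and which process touched the file. The path, the decoy contents, the 24-hour window and the use of `Everyone` in the audit rule are assumptions; run it in an elevated session.

```powershell
# Added example, not from the original post. Path and decoy values are
# assumptions for illustration. Run in an elevated PowerShell session.
$DecoyPath = 'C:\Windows\Panther\unattend.xml'

# --- Step 1: write the decoy -------------------------------------------------
# The credentials are fake; the file only has to look like leftover imaging
# output. Keep the casing of $DecoyPath: the audit event records it as typed.
$Decoy = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Password>
          <Value>FAKE_PASSWORD_123!</Value>
          <PlainText>true</PlainText>
        </Password>
        <Username>fake_admin</Username>
        <Enabled>true</Enabled>
        <LogonCount>999</LogonCount>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@
New-Item -ItemType Directory -Path (Split-Path $DecoyPath) -Force | Out-Null
Set-Content -Path $DecoyPath -Value $Decoy -Encoding UTF8

# --- Step 2a: make reads of the file auditable -------------------------------
# Event 4663 is only written when BOTH the "File System" audit subcategory is
# enabled AND the file carries a SACL. Neither is on by default.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$Acl  = Get-Acl -Path $DecoyPath -Audit
$Rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',      # any principal
    'ReadData',      # a read is the signal; writes are just noise
    'None', 'None',  # no inheritance flags (it is a file, not a directory)
    'Success')       # a successful read means the content was obtained
$Acl.AddAuditRule($Rule)
Set-Acl -Path $DecoyPath -AclObject $Acl

# --- Step 2b: read back who touched it ----------------------------------------
# 4663 = "an attempt was made to access an object". Window: last 24 h.
$XPath = "*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='ObjectName']='$DecoyPath']]"

Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName     # credential-hunting tools show up here
            Access  = $d.AccessMask
        }
    }
```

Expect some noise from antivirus scans, backup agents and indexing: baseline the `Process` column for a day before wiring the query to an alert, and treat anything else (a PowerShell host, an unknown binary, an interactive user) as the real signal.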
You Should Know: Advanced Deception Tactics
1. Fake Domain Admin Accounts
Create decoy accounts whose names follow your privileged naming conventions (svc_backup, adm.john) but that belong to no groups and hold no rights. The bait is the name and description, not the access; because nothing legitimate ever authenticates as the decoy, any 4768, 4771 or 4776 event naming it is an alert.

```powershell
# Create a decoy admin account; use a realistic name, not one that says "fake"
New-ADUser -Name "adm.john" -SamAccountName "adm.john" -AccountPassword (ConvertTo-SecureString "FakePass123!" -AsPlainText -Force) -Enabled $true
```
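The decoy account end to end, added as an example (not code from the original post): creation with a random password nobody records, a privileged-looking description, and a query that surfaces any authentication activity for it. The account name, OU, description and SPN are illustrative assumptions. It goes one step beyond the post by giving the decoy an SPN, which makes it appear in Kerberoast sweeps as well.

```powershell
# Added example, not from the original post. Account name, description, OU and
# SPN are illustrative assumptions. Needs the ActiveDirectory module, rights
# to create users, and (for the query) Security log access on a DC.
Import-Module ActiveDirectory

$DecoyName = 'svc_backup'                               # plausible, privileged-looking
$DecoyOU   = 'OU=Service Accounts,DC=corp,DC=example'   # assumption

# Password is 32 random bytes that nobody records: the account exists to be
# attacked, never used. It stays enabled so that bad-password attempts are
# processed by the DC and produce 4771/4776 instead of nothing at all.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$Pw = ConvertTo-SecureString ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force

New-ADUser -Name $DecoyName -SamAccountName $DecoyName -Path $DecoyOU `
    -Description 'Backup service account (Domain Admin) - do not disable' `
    -AccountPassword $Pw -Enabled $true -PasswordNeverExpires $true
# No group membership, no ACEs, no logon rights: the description is the bait.

# Beyond the post: an SPN puts the decoy in every Kerberoast sweep, and a 4769
# naming it as ServiceName is then a high-confidence alert.
Set-ADUser -Identity $DecoyName -ServicePrincipalNames @{Add = 'MSSQLSvc/backup01.corp.example:1433'}

# Detection. Any authentication traffic for the decoy is an alert:
#   4768 TGT requested    4771 Kerberos pre-auth failed (wrong password, spray)
#   4769 service ticket   4776 NTLM credential validation
# The DC must audit "Kerberos Authentication Service", "Kerberos Service
# Ticket Operations" and "Credential Validation". The name match is done in
# PowerShell (case-insensitive) because clients send the name as typed.
$XPath = '*[System[(EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776)' +
         ' and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # 4768/4771/4776 carry the account in TargetUserName; 4769 carries the
        # requester there and the SPN's owner in ServiceName.
        $acct = if ($_.Id -eq 4769) { $d.ServiceName } else { $d.TargetUserName }
        if ($acct -ieq $DecoyName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Event  = $_.Id
                Source = if ($d.IpAddress) { $d.IpAddress } else { $d.Workstation }
                Caller = if ($_.Id -eq 4769) { $d.TargetUserName } else { $null }
            }
        }
    }
```

Run the query on each domain controller (or centralize the Security log first), since Kerberos and NTLM events land on whichever DC served the request. A decoy that never logs on will have an empty lastLogon, which careful attackers notice; that is a trade-off, not a reason to skip the technique.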
2. Honey Files with Triggers
Place files named like credential stores (`passwords.txt`, `backup_creds.db`, a stray private key) where an intruder enumerates, and watch for reads. On Linux the quickest watch is inotify, which is one-off and lost on reboot; an auditd file watch is the persistent equivalent and lands in the audit log your SIEM already collects.

```shell
# Linux: plant a fake private key and log every read of it
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'FAKE-RSA-KEY' '-----END OPENSSH PRIVATE KEY-----' > /var/www/html/secret_key.txt
inotifywait -m -e access,open /var/www/html/secret_key.txt
```
3. RDP Honeypots
Expose a decoy RDP listener that serves no real sessions and feed its logs to CrowdSec (https://crowdsec.net/), which parses them, detects brute-force patterns and can ban the source. CrowdSec itself is a log-based IPS rather than an RDP emulator, so it needs something answering on 3389 to watch:

```shell
# Deploy a decoy RDP server
docker run -d -p 3389:3389 cmikkelsen/rdp-honeypot
```
What Undercode Say
Deception techniques are a powerful way to detect early-stage attacks. By exploiting threat actors’ greed for credentials, defenders gain critical time to respond.
Expected Output:
- Alerts when attackers access unattend.xml.
- Logs of fake account login attempts.
- Notifications from honeytoken triggers.
Prediction:
As ransomware groups automate credential hunting, deceptive files will become a standard detection method—forcing attackers to waste time on fake leads.
Reported By: Spenceralessi Ransomware – Hackers Feeds


