HoneyWin: High-Interaction Windows Honeypot in Enterprise Environment

📅 2025-05-01
📈 Citations: 0
Influential: 0
📄 PDF

career value

217K/year
🤖 AI Summary
Windows systems—targeted in 93% of ransomware attacks—pose critical security risks in IT/OT environments. Method: This paper designs and implements a high-interaction Windows 11 honeypot system tailored to real-world enterprise settings, featuring novel multi-protocol deception (RDP/SSH), dynamic SMTP credential harvesting with attribution, and integrated capabilities including NetFlow/sFlow traffic collection, Sysmon-based host logging, deceptive token injection, ELK-based log analytics, and SIEM-driven real-time alerting. Contribution/Results: Deployed in production for 34 days, the system captured 5.79 million unauthorized connections, 1.24 million login attempts, and 359 verified attack sessions—enabling full attack-chain reconstruction. It harvested 1,250 valid SMTP credentials. Empirical results demonstrate the system’s effectiveness and innovation in advanced threat detection, behavioral attribution, and defensive coordination.

Technology Category

Application Category

📝 Abstract
Windows operating systems (OS) are ubiquitous in enterprise Information Technology (IT) and operational technology (OT) environments. Due to their widespread adoption and known vulnerabilities, they are often the primary targets of malware and ransomware attacks. With 93% of the ransomware targeting Windows-based systems, there is an urgent need for advanced defensive mechanisms to detect, analyze, and mitigate threats effectively. In this paper, we propose HoneyWin a high-interaction Windows honeypot that mimics an enterprise IT environment. The HoneyWin consists of three Windows 11 endpoints and an enterprise-grade gateway provisioned with comprehensive network traffic capturing, host-based logging, deceptive tokens, endpoint security and real-time alerts capabilities. The HoneyWin has been deployed live in the wild for 34 days and receives more than 5.79 million unsolicited connections, 1.24 million login attempts, 5 and 354 successful logins via remote desktop protocol (RDP) and secure shell (SSH) respectively. The adversary interacted with the deceptive token in one of the RDP sessions and exploited the public-facing endpoint to initiate the Simple Mail Transfer Protocol (SMTP) brute-force bot attack via SSH sessions. The adversary successfully harvested 1,250 SMTP credentials after attempting 151,179 credentials during the attack.
Problem

Research questions and friction points this paper is trying to address.

Detect malware targeting Windows in enterprise environments
Analyze ransomware attacks on Windows-based systems
Mitigate threats via high-interaction honeypot deception
Innovation

Methods, ideas, or system contributions that make the work stand out.

High-interaction Windows honeypot mimics enterprise IT
Comprehensive network traffic and host logging
Deceptive tokens and real-time alert capabilities
Y
Y. Aung
University of Derby
Y
Yee Loon Khoo
Singapore Institute of Technology
D
Davis Yang Zheng
Singapore Institute of Technology
B
Bryan Swee Duo
Singapore Institute of Technology
S
Sudipta Chattopadhyay
Singapore University of Technology and Design
Jianying Zhou
Jianying Zhou
Professor, Singapore University of Technology and Design (SUTD)
Applied CryptographyNetwork SecurityCyber-Physical SecurityMobile SecurityCloud Security
L
Liming Lu
Singapore Institute of Technology
W
Weihan Goh
Singapore Institute of Technology