🤖 AI Summary
Windows systems—targeted in 93% of ransomware attacks—pose critical security risks in IT/OT environments. Method: This paper designs and implements a high-interaction Windows 11 honeypot system tailored to real-world enterprise settings, featuring novel multi-protocol deception (RDP/SSH), dynamic SMTP credential harvesting with attribution, and integrated capabilities including NetFlow/sFlow traffic collection, Sysmon-based host logging, deceptive token injection, ELK-based log analytics, and SIEM-driven real-time alerting. Contribution/Results: Deployed in production for 34 days, the system captured 5.79 million unauthorized connections, 1.24 million login attempts, and 359 verified attack sessions—enabling full attack-chain reconstruction. It harvested 1,250 valid SMTP credentials. Empirical results demonstrate the system’s effectiveness and innovation in advanced threat detection, behavioral attribution, and defensive coordination.
📝 Abstract
Windows operating systems (OS) are ubiquitous in enterprise Information Technology (IT) and operational technology (OT) environments. Due to their widespread adoption and known vulnerabilities, they are often the primary targets of malware and ransomware attacks. With 93% of the ransomware targeting Windows-based systems, there is an urgent need for advanced defensive mechanisms to detect, analyze, and mitigate threats effectively. In this paper, we propose HoneyWin a high-interaction Windows honeypot that mimics an enterprise IT environment. The HoneyWin consists of three Windows 11 endpoints and an enterprise-grade gateway provisioned with comprehensive network traffic capturing, host-based logging, deceptive tokens, endpoint security and real-time alerts capabilities. The HoneyWin has been deployed live in the wild for 34 days and receives more than 5.79 million unsolicited connections, 1.24 million login attempts, 5 and 354 successful logins via remote desktop protocol (RDP) and secure shell (SSH) respectively. The adversary interacted with the deceptive token in one of the RDP sessions and exploited the public-facing endpoint to initiate the Simple Mail Transfer Protocol (SMTP) brute-force bot attack via SSH sessions. The adversary successfully harvested 1,250 SMTP credentials after attempting 151,179 credentials during the attack.