Overview
Recently one of our Engineers ran into a problem while setting up a honeypot in Threat Manager. The deployment wouldn’t complete, and there was no logging to help figure out what was wrong.
Something was being executed from Threat Manager to the distant server, but it didn’t seem to complete correctly.
I was asked to come onto this problem and help the Engineer get things set up.
Description
To help out I suggested a different approach.
Threat Manager provides two methods of setting up honeypots:
- One-click setup with a button
- Downloading the PowerShell file directly
The one-click setup is great, but there may be barriers along the way, such as permission issues or firewalls blocking remote script execution.
For example, your server may be set up with one of these:
- PowerShell remoting disabled: Disable-PSRemoting (Microsoft.PowerShell.Core) - PowerShell | Microsoft Learn
- WinRM not set up properly: Installation and configuration for Windows Remote Management - Win32 apps | Microsoft Learn
- Remote PowerShell execution policies: Set-ExecutionPolicy (Microsoft.PowerShell.Security) - PowerShell | Microsoft Learn
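A read-only pre-flight check for the three barriers listed above, meant to be run locally on the target server in an elevated PowerShell session. This is an added example, not part of Threat Manager or of the original article; the function names are hypothetical, and matching on the endpoint Permission text is a heuristic.

```powershell
# Added example: read-only checks, nothing here changes the server's configuration.
# Test-RemoteDeploymentReadiness and New-CheckResult are hypothetical helper names.
function Test-RemoteDeploymentReadiness {
    # Every check emits the same shape so the output can be filtered or tabulated.
    function New-CheckResult($Check, $Passed, $Detail) {
        [pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = "$Detail" }
    }

    # 1. The WinRM service must be running for any remote PowerShell call to land.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($svc) {
        New-CheckResult 'WinRM service running' ($svc.Status -eq 'Running') "Status=$($svc.Status), StartType=$($svc.StartType)"
    } else {
        New-CheckResult 'WinRM service running' $false 'WinRM service not found'
    }

    # 2. WS-Management answers locally; this fails when WinRM was never configured.
    try   { $id = Test-WSMan -ErrorAction Stop; New-CheckResult 'WS-Man responds' $true $id.ProductVersion }
    catch { New-CheckResult 'WS-Man responds' $false $_.Exception.Message }

    # 3. At least one listener is defined (reading this drive needs WinRM running).
    try {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction Stop)
        New-CheckResult 'WinRM listener present' ($listeners.Count -gt 0) ($listeners.Name -join ', ')
    } catch { New-CheckResult 'WinRM listener present' $false $_.Exception.Message }

    # 4. Disable-PSRemoting shows up as a NETWORK deny entry on the session endpoints.
    try {
        foreach ($cfg in Get-PSSessionConfiguration -ErrorAction Stop) {
            $open = $cfg.Permission -notmatch 'NETWORK AccessDenied'
            New-CheckResult "Remote access to endpoint '$($cfg.Name)'" $open $cfg.Permission
        }
    } catch { New-CheckResult 'Session configurations readable' $false $_.Exception.Message }

    # 5. Effective execution policy: Restricted blocks scripts, AllSigned blocks unsigned ones.
    $effective = "$(Get-ExecutionPolicy)"
    $scopes = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
    New-CheckResult 'Execution policy allows scripts' ($effective -notin 'Restricted', 'AllSigned') $scopes
}

Test-RemoteDeploymentReadiness | Format-Table -AutoSize -Wrap
```

Any row with Passed = False points at the setting to review before retrying the one-click deployment.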
Downloading the PowerShell script and executing it directly on the server is quite useful: not only does it bypass potential remote execution barriers, it also provides a clearer view of any errors occurring during execution.
Once the script had been downloaded, it was copied and pasted onto the remote server and executed within PowerShell ISE:
^ Example of the script failing with an explicit error.
Running the script locally worked like a charm, and the honeypot setup was successfully completed. This experience solved the problem in the Engineer’s lab and prepared them to assist the client with their deployment.