honeycred
honeycred copied to clipboard
Responder bait
PowerShellDefense has a feature in Invoke-Honeycreds.ps1 that attempts to mount a share/access a resource with HTTP basic to bait responder into stealing credentials.
It would be great if agent did this--since a process has to keep running in order to keep creds in lsass anyway.