ad-honeypot-autodeploy: RDP Honeypot fully automatically


Deploy a small, intentionally insecure, vulnerable Windows Domain for RDP Honeypot fully automatically.

Runs on self-hosted virtualization using libvirt with QEMU/KVM (but it can be customized easily for cloud-based solutions).

Used for painlessly set up a small Windows Domain from scratch automatically (without user interaction) for the purpose of RDP Honeypot testing.

Features a Domain Controller, a Desktop Computer and a configured Graylog server for logging the actions of the bad guys.

RDP Honeypot

Automatic deployment phases

  1. Packer: download the necessary install media and setup the automated base virtual machine images unattended.

  2. Terraform: provision the libvirt virtualization infrastructure (network + virtual machines) using the packer-prepared virtual machine images.

  3. Ansible: Configure the infrastructure (DC, Desktop, Graylog) automatically, without user interaction.

After going through the Packer+Terraform+Ansible pipeline, the configured Windows Domain should be up and running, you could attach the RDP service of the Desktop to the public internet, and let’s monitor the events through the Graylog.


Features of the running system are:

  • a Windows Server 2016 as a Domain Controller
  • a Windows 10 Desktop (version 2004) as a Domain Computer
  • Graylog 3.3 (Open Source edition) running as a Log Collector on Ubuntu 18.04 LTS
  • Using VirtIO drivers for best performance
  • Enabled RDP and WinRM Services
  • Populated Windows Active Directory with random users
  • Sysmon (from Windows Sysinternals) installed and running on Domain Computers
  • NXLog Collector running a Domain Computers and forwarding logs to Graylog
  • Configured Graylog GeoIP lookup table and pipeline for IP addresses (useful for showing a map of invalid RDP login attempts)
  • Graylog World Map of RDP attacks

Install & Use