Aiden's honeypot!
First, one has to replace the Winlogon Shell registry value, which normally launches Explorer.exe (the basic Windows desktop GUI), with the honeypot script.
This means that when an adversary signs in or RDPs into the machine, they are met with our honeypot and not the usual Windows UI.
To administer (or attack) the machine after doing this, open Task Manager via Ctrl+Alt+Delete and, under File, run a new task.
# confirm you're in the right spot: on an untouched machine the Shell value reads explorer.exe
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Shell
# replace the value so Winlogon starts the honeypot script instead of Explorer (run elevated)
Set-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'Shell' -Value 'powershell.exe -WindowStyle Hidden C:\ahp.ps1'
# confirm the replacement took effect
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Shell
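The three steps above, wrapped as an added example (this is not the honeypot project's own code): it backs up the original Shell value before swapping it, verifies the change, and offers a roll-back so Explorer can be restored from the hidden Task Manager later. It assumes the honeypot script lives at C:\ahp.ps1 as on this page; the backup file path C:\winlogon-shell.bak and the function names are our own choices.

```powershell
# Added example, not the project's script. Run from an elevated PowerShell session.
$WinlogonKey   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$BackupFile    = 'C:\winlogon-shell.bak'                       # assumed path for the backup
$HoneypotShell = 'powershell.exe -WindowStyle Hidden C:\ahp.ps1' # value from the page

function Get-WinlogonShell {
    # Current Shell value (explorer.exe on an untouched machine).
    (Get-ItemProperty -Path $WinlogonKey -Name 'Shell').Shell
}

function Set-HoneypotShell {
    $current = Get-WinlogonShell
    if ($current -eq $HoneypotShell) {
        Write-Host 'Honeypot shell is already installed.'
        return
    }
    # Keep the original so it can be restored even if nobody remembers what it was.
    Set-Content -Path $BackupFile -Value $current
    Set-ItemProperty -Path $WinlogonKey -Name 'Shell' -Value $HoneypotShell
    $after = Get-WinlogonShell
    if ($after -ne $HoneypotShell) {
        throw "Shell value did not change (still '$after')"
    }
    Write-Host "Shell replaced. Previous value '$current' saved to $BackupFile."
}

function Restore-DefaultShell {
    # Prefer the backed-up value; fall back to the Windows default if no backup exists.
    $original = if (Test-Path $BackupFile) {
        (Get-Content -Path $BackupFile -Raw).Trim()
    } else {
        'explorer.exe'
    }
    Set-ItemProperty -Path $WinlogonKey -Name 'Shell' -Value $original
    Write-Host "Shell restored to '$(Get-WinlogonShell)'."
}

# Usage:
#   Set-HoneypotShell      # before handing the machine over as a honeypot
#   Restore-DefaultShell   # from Task Manager > File > Run new task, to get Explorer back
```

The next sign-in (or RDP session) after Set-HoneypotShell starts the honeypot instead of Explorer; Restore-DefaultShell only writes the registry, so the change shows on the following logon.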
Your honeypot machine won't load a normal GUI, but a fake login UI that wastes an adversary's time and potentially forces them to burn a few passwords they may have collected.
A Google Chat webhook can be given in the script to alert when the honeypot is used and which credentials were attempted. It is currently commented out.
You can change all of the text, including the username, here.
Pick up the script here.
You could use this maliciously. You could run this script if you have a shell on a target's machine, have the GUI pop up, and have the user input their creds, only for them to be sent to a Google webhook that you control.
Dropping this on disk AND having it exfiltrate to an external location (Google Chat) is noisy, though.
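Because the swap is noisy, it is also easy to look for. The following added audit (our code, not part of the honeypot page) reads the Shell value this technique changes and flags anything that is not the stock explorer.exe. It goes one step beyond the page by checking the per-user HKCU Winlogon key as well as the machine-wide HKLM key, since Windows honours a Shell override in either; the function name and output fields are our own.

```powershell
# Added example, not the project's script. Read-only; safe to run as a normal user
# (HKLM is readable without elevation).
$WinlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',  # machine-wide value the page edits
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, normally absent
)

function Test-WinlogonShell {
    param([string[]]$Keys = $WinlogonKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # No Shell value under HKCU is the normal state, so only report keys that set one.
        if ($null -eq $props.Shell) { continue }
        $shell  = ([string]$props.Shell).Trim()
        $status = if ($shell -ieq 'explorer.exe') { 'OK' } else { 'SUSPICIOUS' }
        $note   = if ($status -eq 'OK') {
            ''
        } elseif ($shell -match 'powershell|\.ps1') {
            'Shell launches a script instead of Explorer; inspect the script and any outbound webhook it calls'
        } else {
            'Non-default shell'
        }
        [pscustomobject]@{
            Key    = $key
            Shell  = $shell
            Status = $status
            Note   = $note
        }
    }
}

Test-WinlogonShell | Format-Table -AutoSize
```

On a machine prepared with the commands from this page the HKLM row reads SUSPICIOUS with the powershell.exe ... C:\ahp.ps1 value; pairing that finding with the outbound Google Chat traffic the script generates gives a defender both the on-disk and the network side of the same event.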