function New-HoneyHash {
<#
.SYNOPSIS

Inject artificial credentials into LSASS. Inspired by Mark Baggett's article:
https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

New-HoneyHash is a simple wrapper for advapi32!CreateProcessWithLogonW
that specifies the LOGON_NETCREDENTIALS_ONLY flag. New-HoneyHash will
prompt you for a password. Enter a fake password at the password prompt.

.PARAMETER Domain

Specifies the fake domain.

.PARAMETER Username

Specifies the fake user name.

.EXAMPLE

New-HoneyHash -Domain linux.org -Username root
#>
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True, Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Domain,

        [Parameter(Mandatory = $True, Position = 1)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Username
    )

    $SystemModule = [Microsoft.Win32.IntranetZoneCredentialPolicy].Module
    $NativeMethods = $SystemModule.GetType('Microsoft.Win32.NativeMethods')
    $SafeNativeMethods = $SystemModule.GetType('Microsoft.Win32.SafeNativeMethods')
    $CreateProcessWithLogonW = $NativeMethods.GetMethod('CreateProcessWithLogonW', [Reflection.BindingFlags] 'NonPublic, Static')
    $LogonFlags = $NativeMethods.GetNestedType('LogonFlags', [Reflection.BindingFlags] 'NonPublic')
    $StartupInfo = $NativeMethods.GetNestedType('STARTUPINFO', [Reflection.BindingFlags] 'NonPublic')
    $ProcessInformation = $SafeNativeMethods.GetNestedType('PROCESS_INFORMATION', [Reflection.BindingFlags] 'NonPublic')

    $Flags = [Activator]::CreateInstance($LogonFlags)
    $Flags.value__ = 2 # LOGON_NETCREDENTIALS_ONLY 
    $StartInfo = [Activator]::CreateInstance($StartupInfo)
    $ProcInfo = [Activator]::CreateInstance($ProcessInformation)

    $Password = Get-Credential "$($Domain)\$($UserName)"
    $PasswordPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($Password.Password)
    $StrBuilder = New-Object System.Text.StringBuilder
    $null = $StrBuilder.Append('cmd.exe')

    $Result = $CreateProcessWithLogonW.Invoke($null, @([String] $UserName,
                                             [String] $Domain,
                                             [IntPtr] $PasswordPtr,
                                             ($Flags -as $LogonFlags),     # LOGON_NETCREDENTIALS_ONLY 
                                             $null,
                                             [Text.StringBuilder] $StrBuilder,
                                             0x08000000, # Don't display a window
                                             $null,
                                             $null,
                                             $StartInfo,
                                             $ProcInfo))

    if (-not $Result) {
        throw 'Unable to create process as user.'
    }

    if ($ProcInfo.dwProcessId) {
        # Kill the cmd.exe process
        Stop-Process -Id $ProcInfo.dwProcessId
    }

    Write-Verbose '"Honey hash" injected into LSASS successfully! Use Mimikatz to confirm.'
}