In this lab, I will set up Azure Sentinel (SIEM) and connect it to a live virtual machine acting as a honeypot. We will observe live attacks (RDP brute force) from all around the world. We will use a custom PowerShell script to look up the attackers' geolocation information and plot it on the Azure Sentinel map!
- Setting up Azure Sentinel
- Creating a Honeypot Server
- Importing and using Powershell scripts
- Azure Sentinel
Logging in at https://portal.azure.com/#home, I need to create a Virtual Machine.
I'm setting up a basic virtual machine with everything left as standard. The only parts I'm changing are the 'Security type' (set to Standard) and the network security group (NSG) inbound rule within the setup, which I set to allow all ports. This will allow all traffic from the internet to reach our virtual machine. We want this machine open to everything (RDP, SMB, pings) to attract as many attacks as possible. Because it is deliberately exposed, nothing on this VM should be trusted or reused; it exists only to be attacked.
The Log Analytics Workspace needs to be set up to ingest logs from the virtual machine's Windows Event Viewer. I will also set up my own custom log that contains geographic data, so we can plot on a map where the attacks come from.
I want to enable Defender for Cloud for this virtual machine; I'm doing this so the logs from the virtual machine can be collected into the Log Analytics Workspace.
In this step we're going back to the Log Analytics Workspace and connecting it to the virtual machine.
After clicking Create we can see the workspace we created earlier, so we will add Sentinel to that workspace.
In this step we will connect to our WIN10 server using RDP from my personal PC with the admin credentials we created earlier. I failed one login on purpose by using the wrong password, so that we have a failed login event to look at.
Once logged on, I'm going to open Windows Event Viewer under Windows Logs > Security to look for the failed login. More specifically, I'm looking for Event ID 4625 ('An account failed to log on').
If I open up the event you can see the reason for the failure, and we can also see the source IP address, which we are going to use later. What we will do with the IP address is extract it with PowerShell and then pass it to an IP geolocation API to give us the longitude, latitude, city, etc.
We will use: https://ipgeolocation.io/ to get the information we need.
Next, on the WIN10 machine I need to turn off the Windows Firewall, as right now I can't even ping the machine from my local PC and we want people to find it.
I have disabled the firewall on the 'Domain Profile', 'Private Profile' and 'Public Profile' tabs.
I'm going to copy the attached 'Custom_Security_Log_Exporter.ps1' script into PowerShell ISE on the virtual WIN10 machine, add the API key I created at 'https://ipgeolocation.io/', and save it to the desktop as 'Log_Exporter.ps1'.
What this script does is continuously scan the Security event log, grab the details of each failed login (such as the source IP address), run the address through the geolocation API, and append the result to a new log file located at 'C:\ProgramData\$($LOGFILE_NAME)'. The script needs to be running constantly for this to happen. The script also writes sample data to the log, which will allow me to train the Log Analytics Workspace to accept and parse out the fields we want from our log.
Let's run the script.
We can see, in purple, the Event ID 4625 failed login events.
Opening up the log file we can see the sample data plus the failed logins from myself, with all the extra data I mentioned earlier, such as longitude, latitude and city.
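As an added example (not the lab's attached Custom_Security_Log_Exporter.ps1), the following PowerShell sketches the same pipeline end to end: poll the Security log for Event ID 4625, pull the source IP out of the event XML, geolocate it and append a line in the exact ',field:' layout that the KQL parse later expects. The ipgeolocation.io endpoint and its JSON field names (latitude, longitude, state_prov, country_name), the placeholder API key, the 'Country - IP' label format and the sample record are assumptions. Run it from an elevated PowerShell, since reading the Security log requires administrator rights.

```powershell
# Added example, not the lab's attached script. Assumes the ipgeolocation.io
# "ipgeo" endpoint and its JSON field names; replace the placeholder key.
$API_KEY      = "<your ipgeolocation.io API key>"        # assumption: placeholder
$LOGFILE_NAME = "failed_rdp.log"
$LOGFILE_PATH = Join-Path $env:ProgramData $LOGFILE_NAME  # C:\ProgramData\failed_rdp.log

# One constructed sample record so Log Analytics can learn the field layout before
# any real attacker shows up. Every delimiter is exactly ",name:" with no spaces,
# because the KQL parse template matches those delimiters literally.
$SAMPLE_LINE = "latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:24.16.97.222,state:Washington,country:United States,label:United States - 24.16.97.222,timestamp:2021-10-26 03:28:29"

if (-not (Test-Path $LOGFILE_PATH)) {
    New-Item -Path $LOGFILE_PATH -ItemType File | Out-Null
    Add-Content -Path $LOGFILE_PATH -Value $SAMPLE_LINE
}

function Get-EventField {
    # Read a named <Data Name="..."> value from a 4625 event's XML payload.
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    return [string]$node.'#text'
}

function Get-GeoInfo {
    # Assumption: query string and response fields of api.ipgeolocation.io.
    param([string]$Ip)
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$API_KEY&ip=$Ip"
    try   { return Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10 }
    catch { Write-Warning "Geolocation lookup failed for ${Ip}: $($_.Exception.Message)"; return $null }
}

function Remove-Commas {
    # Free-text values (country, state, username) must not contain the "," that
    # separates fields, or the parse boundaries in KQL shift.
    param([string]$Value)
    return ($Value -replace ',', '')
}

function Format-LogLine {
    # Label format "Country - IP" is an assumption about the lab's script.
    param($Lat, $Lon, $Dest, $User, $Src, $State, $Country, $Time)
    $country = Remove-Commas $Country
    return "latitude:$Lat,longitude:$Lon,destinationhost:$(Remove-Commas $Dest),username:$(Remove-Commas $User),sourcehost:$Src,state:$(Remove-Commas $State),country:$country,label:$country - $Src,timestamp:$Time"
}

# Addresses that cannot be geolocated: local console failures log "-", and RFC 1918,
# loopback and link-local sources come from inside the network, not the internet.
$LOCAL_IP = '^(-|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'

$seen  = @{}                       # RecordId -> $true, so nothing is exported twice
$since = (Get-Date).AddMinutes(-5) # start a little in the past to catch recent events
while ($true) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        if ($seen.ContainsKey($ev.RecordId)) { continue }
        $seen[$ev.RecordId] = $true
        if ($ev.TimeCreated -gt $since) { $since = $ev.TimeCreated }

        $xml  = [xml]$ev.ToXml()
        $ip   = Get-EventField $xml 'IpAddress'
        $user = Get-EventField $xml 'TargetUserName'
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -match $LOCAL_IP) { continue }

        $geo = Get-GeoInfo $ip
        if ($null -eq $geo) { continue }

        $line = Format-LogLine -Lat $geo.latitude -Lon $geo.longitude -Dest $env:COMPUTERNAME `
                               -User $user -Src $ip -State $geo.state_prov -Country $geo.country_name `
                               -Time $ev.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Add-Content -Path $LOGFILE_PATH -Value $line
        Write-Host $line -ForegroundColor Magenta   # the "purple" lines seen in the lab
    }
    Start-Sleep -Seconds 1
}
```

The RecordId set and the moving StartTime stop the same failed logon being exported twice when the loop re-reads the log, and the private-address filter keeps local failures (which the API cannot place on a map) out of the custom table.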
In this step I will bring this custom log into the Log Analytics Workspace. We need to go to our workspaces, select the workspace we created ('LAW_Honeypot1') and then, under Settings, select
The first thing it will ask for is a sample log. Here we add a copy of the contents of the new log file we created; we copy the log's contents because the file is on our virtual machine, not on our host computer. This sample is used to train Log Analytics to pick out the correct fields from the logs.
After importing the sample we need to tell it where the log lives on our virtual machine, then give the custom log a name. I'm naming mine 'Failed_RDP_GEO'; Log Analytics appends '_CL' to custom log names, so the table we query later is 'Failed_RDP_GEO_CL'.
Within Logs we need to wait for the custom table to show up. I'm going to make a coffee and then check back in :)
We're back and we have logs.
In this step I need to extract the data from the above log's 'RawData' field into my own fields, with the data separated out. To do this I need to write a custom KQL query.
Failed_RDP_GEO_CL
| parse RawData with * "latitude:" Latitude ",longitude:" Longitude ",destinationhost:" Destinationhost ",username:" Username ",sourcehost:" Sourcehost ",state:" State ",country:" Country ",label:" Label ",timestamp:" Timestamp
| project
Latitude,Longitude,Destinationhost,Username,Sourcehost,State,Country,Label,Timestamp
This custom query parses out the fields I want to see, and we can save the query.
In this step I need to open Sentinel, select 'Workbooks' from the menu and then 'Add Workbook'.
Now we click 'Add' and then 'Add Query'. Here again we use a custom KQL query to give us the data we need, adding 'summarize event_count=count() by' so we can use the event count to change the size of the dots on the map to show how many attempts came from each source. I also want to remove the sample data that the script added and drop any empty entries from the log.
Failed_RDP_GEO_CL
| parse RawData with * "latitude:" Latitude ",longitude:" Longitude ",destinationhost:" Destinationhost ",username:" Username ",sourcehost:" Sourcehost ",state:" State ",country:" Country ",label:" Label ",timestamp:" Timestamp
// drop the script's sample records and any rows the parse left empty before aggregating
| where Destinationhost != "samplehost"
| where Sourcehost != ""
| project Sourcehost,Latitude,Longitude,Country,Label,Destinationhost
| summarize event_count=count() by Sourcehost,Latitude,Longitude,Country,Label,Destinationhost
For some reason the custom KQL query was only showing the sample data and did not include any of my failed login attempts. The issue was that the attached .ps1 script had a space after the country selector. So what does that even mean? Well, the sample data records were recorded in the custom log as:
",country:"
The new log records, because of this space, were not found by the above KQL query, as they were logged as:
", country:"
Notice the space! The KQL 'parse' operator matches the delimiter text literally, so ',country:' and ', country:' are different strings and the parse fails on every real event. I have now edited the script and removed the space from the lines it writes to 'C:\ProgramData\failed_rdp.log'. Now we have what we need; we wait.
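As an added check (not part of the lab), this PowerShell runs the exported log through the same delimiter sequence the workbook's KQL parse uses, so a stray space such as ', country:' is caught on the honeypot itself instead of surfacing as missing rows in Sentinel. The log path and the two constructed sample lines (one correct, one with the space) are assumptions.

```powershell
# Added example, not from the lab's script: validate log lines against the exact
# ",field:" delimiter sequence the KQL parse template expects, and show the repair.
$LOGFILE_PATH = 'C:\ProgramData\failed_rdp.log'   # assumption: same path as the lab

# Same field order as the KQL:
# parse RawData with * "latitude:" Latitude ",longitude:" Longitude ... ",timestamp:" Timestamp
$FIELDS = 'latitude','longitude','destinationhost','username','sourcehost','state','country','label','timestamp'

# Build one anchored regex from the template: ^latitude:(.*?),longitude:(.*?),...,timestamp:(.*?)$
# Like KQL parse, it requires the literal ",name:" between values, so ", country:" will not match.
$groups  = $FIELDS | ForEach-Object { "${_}:(.*?)" }
$pattern = '^' + ($groups -join ',') + '$'

function Test-LogLine {
    # Returns the parsed fields as an object, or $null if the line would fail the KQL parse.
    param([string]$Line)
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }
    $result = [ordered]@{}
    for ($i = 0; $i -lt $FIELDS.Count; $i++) { $result[$FIELDS[$i]] = $m.Groups[$i + 1].Value }
    return [pscustomobject]$result
}

function Repair-LogLine {
    # Normalise ", name:" to ",name:" for the known field names only; values are left untouched.
    param([string]$Line)
    foreach ($f in $FIELDS) { $Line = $Line -replace ",\s+${f}:", ",${f}:" }
    return $Line
}

# Constructed samples: the first follows the template, the second carries the stray space
# that made the workbook query drop every real event in the lab.
$sample = @(
    'latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser,sourcehost:24.16.97.222,state:Washington,country:United States,label:United States - 24.16.97.222,timestamp:2021-10-26 03:28:29',
    'latitude:51.50853,longitude:-0.12574,destinationhost:HONEYPOT-VM,username:administrator,sourcehost:203.0.113.10,state:England, country:United Kingdom,label:United Kingdom - 203.0.113.10,timestamp:2024-07-08 10:15:02'
)
$lines = if (Test-Path $LOGFILE_PATH) { Get-Content $LOGFILE_PATH } else { $sample }

$bad = 0
foreach ($l in $lines) {
    if ([string]::IsNullOrWhiteSpace($l)) { continue }
    if (Test-LogLine $l) { continue }
    $bad++
    Write-Warning "Line will not parse in KQL: $l"
    $fixed = Repair-LogLine $l
    if (Test-LogLine $fixed) { Write-Host "  repaired -> $fixed" }
}
Write-Host "$bad line(s) would be dropped by the workbook query"
```

Run it on the honeypot after changing the exporter script; if it reports zero bad lines, the custom table in Log Analytics will parse every record, and if it reports some, the repaired output shows exactly which delimiter the script is getting wrong.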
Date: 08/07/24 - I will leave all this set up for a day or two, then come back with an updated screenshot of anyone attempting to log into our honeypot server.
Date: 09/07/24 - It's now been about 24 hours since I last looked at the map, and if I'm honest I'm shocked at how quickly this was discovered and how actively people went after it.
Below is the latest screenshot:
There is more to do on this lab, like securing everything and adding additional reporting features, but for now this has been great fun to set up. Some parts have been easy; some have taken time to configure, like getting the exact KQL query to set up this map. This has given me great exposure to Microsoft Azure: setting up servers, workspaces, Sentinel and workbooks.