Azure-Sentinel-SIEM-

In this lab, I set up Azure Sentinel and connected it to a live virtual machine acting as a honeypot. This allowed me to observe live attacks, specifically RDP brute force attacks, from all around the world. I then used a PowerShell script (from Josh Madakor) to look up the attackers' geolocation information and plotted it on the Azure Sentinel map.

Step 1 - Set Up an Azure Sentinel Account (Free)

I had already created an account for a previous lab, so I do not have screenshots of this particular step. If you visit https://azure.microsoft.com/en-us/free/ you can sign up for a free account that grants you $200 of credit. Once that is done, click on the Virtual Machines icon.

image

Step 2 - Setting up the Virtual Machine

After you click on the VM icon, we will need to create our virtual machine. Next to Resource group click Create new and name the resource group whatever you'd like. I followed Josh Madakor's video initially, so I went with what we originally did, "Honeypot_lab". Next, name your virtual machine under Instance details. For Region, I just kept mine '(US) East US 2'. I kept Availability Zone on the default selection. Next, choose the OS the VM will run; I chose Windows 10 Pro for the image (VM OS). Lastly, create the admin sign-in account with the details of your choosing. This is the account the whole internet will be brute-forcing, so use a long, unique password that you do not use anywhere else. Leave the Public inbound ports and Select inbound ports on their default selections.

image

image

Click Next at the bottom of the screen, NOT Review + create. Once you get to the Networking tab, select Advanced under NIC network security group. Think of the network security group (NSG) as the network-level firewall in front of the VM, separate from the Windows firewall running inside it. Once you click Advanced, a drop-down menu will appear; click Create to make a new one.

image

On the Create network security group page, we are going to get rid of the default rules for the NIC. Click the trashcan icon on the right.

image

Next, we will create our own inbound rule. On the Add inbound security rule page, make the selections shown in the screenshot. This rule is what opens the VM up to inbound traffic from the whole internet, which is the point of a honeypot; do not reuse this network security group for any other machine.

image

After you've completed this, go ahead and click Review + create button down at the bottom. Your VM should begin deploying.

image

Step 3 - Create Log Analytics Workspace

As your VM is deploying, go to the search bar and search for Log Analytics Workspaces. Creating a workspace gives us somewhere to ingest the logs from the VM. Click the blue Create log analytics workspace button.

image

When you get to the Basics tab of creating the workspace, the drop-down next to Resource Group should show the same resource group you created earlier when configuring the VM. For Instance details you can use whatever name you like. I named mine "LAW-Honeypot" (for Log Analytics Workspace) for simplicity. Then click the blue Create button at the bottom.

image

Step 4 - Enabling Log Gathering in Microsoft Defender for Cloud

The next step is to enable log collection. In the search bar, search for Microsoft Defender for Cloud. In the navigation pane, find Management and select Environment Settings. You should see the workspace you just created, labeled with your honeypot workspace name.

image

On the Settings page, turn OFF the SQL servers on machines plan and turn ON the Servers plan.

image

In the navigation pane, click Data collection and select All Events.

image

Step 5 - Connect Log Analytics to VM

Back in the search bar, go to Log Analytics Workspaces again and select the workspace you named.

image

On the navigation pane to the left, scroll until you see Virtual Machines (deprecated) and select it. You should see the VM we created. Click the VM name and on the next window click Connect. The "(deprecated)" label refers to the legacy Log Analytics agent (MMA) that this method installs on the VM; Microsoft has retired that agent in favor of the Azure Monitor Agent, so on a newer portal this option, and the MMA-based custom log used later in Step 12, may no longer be offered.

image

Step 6 - Set Up Sentinel

As the Log Analytics connection is being set up, open a new tab to portal.azure.com and search for Sentinel. On the Microsoft Sentinel page, click the blue Create Microsoft Sentinel button.

image

You should then see the honeypot workspace appear. Select it and click Add at the bottom of the screen.

image

Step 7 - Log in to VM

In the search bar, search Virtual Machines. By this time everything should be connected and ready to go, and you will see your VM. Select the honeypot VM and copy its Public IP address.

Side note and troubleshooting - If your VM doesn't have an IP address (mine didn't initially), check to see if you have other VMs on your account (if this isn't your first time creating one). I ran into an issue because I had done a previous lab with two other VMs in Azure and the free trial doesn't allow you to have that many public IP addresses. Anyway, click on the VM and in the navigation pane select Network settings. In the new window pane, next to Public IP you should see a (configure) hyperlink; click it. Now select ipconfig1 at the bottom and check the box next to Associate public IP address. In the drop-down menu, select your VM and click Create a public IP address. You should be able to just click OK, then Save, then Create. Azure should begin deploying the IPv4 configuration to the VM.

image

image

BACK TO STEP 7 - In Windows (on your PC), search for Remote Desktop Connection. Enter your VM's Public IP address, and then at the bottom of the authentication prompt select More choices and Use a different account.

image

Accept the certificate warning (the VM presents a self-signed certificate, which is expected here).

image

As the VM loads, the privacy settings page pops up. Select No for all the options, then confirm.

image

Go ahead and set up Microsoft Edge; you will need it in Step 10.

Step 8 - Observe Event Viewer Logs in VM

In the VM, search for Event Viewer from the start menu. Then in the left navigation pane, expand the Windows Logs and then select Security. What you see are all the security events that have transpired so far.

image

Now, in Josh's example of this lab, he mistakenly failed a login attempt and had a log entry for event ID 4625. I did not fail a login attempt, therefore I did not have this event in my logs. For the sake of explanation, I used my successful login attempt instead.

image

If you also did not fail to log in to the VM initially, go to YOUR computer, go back to Remote Desktop, and attempt to log in to the VM again with the wrong credentials. Go back to the VM and refresh the log. You should now see an Audit Failure with event ID 4625.

image

Scroll down in the event details and you should see Source Network Address; copy it. That field is the IP address the failed attempt came from, and it is the value the script in Step 10 looks up to geolocate each attacker.

Step 9 - Disable the VM Firewall

We are going to disable the firewall on our VM so that attackers scanning the internet can discover the machine. Go back to your computer and open a command line. Use the ping command to ping your VM. The request should time out, because Windows Firewall drops inbound ICMP echo requests by default.

image

image

So, go back to the VM, go to Start and search for wf.msc. This opens the Windows Defender Firewall with Advanced Security console. In the main pane, click Windows Defender Firewall Properties and, on each of the Domain, Private and Public profile tabs, set Firewall state to Off. Together with the open NSG rule from Step 2, this leaves the machine fully exposed, which is intended for a honeypot; treat the VM as disposable and delete the resource group when you are done with the lab.

image

Back on your PC's command line, you should start seeing ping replies.

image

Step 10 - Download PowerShell Script

On the VM, open Microsoft Edge and follow the link below to download the PowerShell script from GitHub.

https://github.com/joshmadakor1/Sentinel-Lab/blob/main/Custom_Security_Log_Exporter.ps1

Click on the Custom_Security_Log_Exporter.ps1 file. Josh explained in his video you can either download the script or just copy it. I went ahead and just copied it. Next, open PowerShell ISE on the VM. Once it opens, click New and paste the script into PowerShell ISE.

image

Save the PowerShell script to the Desktop on the VM. Now we will need our own API key. Open Microsoft Edge on the VM, go to ipgeolocation.io and sign up.

image

After you sign up and sign back in, you'll see your API key. Paste it into the script where the key is expected at the top. Treat the key like a password: if you later publish your copy of the script, remove the key first.

image

After you've completed that step, you can run the script. It reads the Security event log we opened earlier, looks up the geolocation of each failed logon's source address, and writes the results to a log file.

image

Step 11 - Access Log Data from Script

The script writes its log data to C:\ProgramData, which is a hidden folder, so we have to browse to it directly. Go to Start, search for Run, and open the folder by typing C:\ProgramData

image

The folder will open and at the bottom you'll see the newly created log files. Open the failed_rdp file. It contains all the failed login attempts, i.e. the event ID 4625 entries we looked at earlier, with the geolocation fields added.

image

Step 12 - Create Custom Log in Log Analytics Workspace

Minimize your VM and go back to Azure. There have been updates to Azure since Josh originally completed this lab, so here are the steps I found to get the rest of this to work. First, search Log Analytics workspaces in Azure and select your honeypot workspace. In the left navigation pane, click Tables, then in the main window click Create.

image

We will need a copy of the failed_rdp log file from the VM on our actual PC. Go to your VM and, if you still have File Explorer open, open the failed_rdp file, select all of it and copy it. Open Notepad on your PC, paste the contents, and save the file somewhere easy to find (the desktop). Azure uses this copy only as a sample to learn the record format; the live data is still collected from the file on the VM.

Now, back in Azure on your PC, after clicking Create, select New custom log (MMA-based). Upload your saved failed_rdp file as the sample in the next window, then click Next at the bottom. On the Collection paths tab, under Type select Windows and for the path enter C:\ProgramData\failed_rdp.log, as that is the path to the file on our VM. Click Next, and on the Details tab name your log. I chose what Josh did, "Failed_RDP_With_Geo". Click Next and then Create on the next page.

Back in the left navigation pane, select Logs. In New Query 1, type SecurityEvent and run it; you will see the Windows security events from the VM.

image

Back in Logs, run SecurityEvent | where EventID == 4625 to see all the failed login attempts on our VM.

image

Our custom log will take some time to populate. Take a break and check back periodically by querying the table. Note that Azure appends _CL to custom log names, so the table is Failed_RDP_With_Geo_CL (or whatever you named your log, plus _CL).
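As an added example (not part of the original lab), here is a fuller version of the failed-logon query above that groups the 4625 events by source address, so you can see which hosts are brute-forcing the VM and which account names they are guessing. It uses only standard SecurityEvent columns; the 24-hour window and the threshold of 5 attempts are assumed values, so adjust them to taste.

```kql
// Added example, not the lab's own query: summarize RDP brute force activity
// from the SecurityEvent table that the VM's agent populates.
SecurityEvent
| where TimeGenerated > ago(24h)            // assumed window
| where EventID == 4625                     // "An account failed to log on"
| where IpAddress != "-"                    // keep only failures that carry a source address
| summarize
    Attempts      = count(),
    DistinctUsers = dcount(TargetUserName),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated),
    SampleUsers   = make_set(TargetUserName, 5)   // a few of the names being guessed
  by IpAddress, Computer, LogonType
| where Attempts >= 5                       // assumed threshold: below this it may just be a typo
| order by Attempts desc
```

With Network Level Authentication enabled (typically the case on the Windows 10 image), failed RDP logons are recorded with LogonType 3 (network) rather than 10 (RemoteInteractive), so do not filter on 10 alone; the LogonType column is kept in the grouping so you can see which one your honeypot is producing.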

Step 13 - Extract Raw Data from Logs

We are going to parse the raw lines into columns so the data can be used in a map. To do this, copy the query shown in the screenshot below into the Logs window and run it.

image

You should now see that the raw data has been parsed and organized into country, state, sourcehost, username, destination, longitude and latitude columns.
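The parsing query itself only survives as a screenshot above, so here is an added query of my own (not the lab's query) that does the same job and is already shaped for the map in the next step. It assumes the custom log was named Failed_RDP_With_Geo (Azure appends _CL to the table name) and that each line written to failed_rdp.log is a comma-separated list of key:value pairs with the keys latitude, longitude, destinationhost, username, sourcehost, state, country, label and timestamp; if your copy of the script writes a different layout, adjust the extract() patterns.

```kql
// Added example, not the lab's own query: split each raw line of the custom log
// into columns and aggregate per attacking host for a Map visualization.
// Assumed line layout: latitude:..,longitude:..,destinationhost:..,username:..,
//                      sourcehost:..,state:..,country:..,label:..,timestamp:..
Failed_RDP_With_Geo_CL
| extend
    latitude        = toreal(extract("latitude:([^,]+)", 1, RawData)),
    longitude       = toreal(extract("longitude:([^,]+)", 1, RawData)),
    destinationhost = extract("destinationhost:([^,]+)", 1, RawData),
    username        = extract("username:([^,]+)", 1, RawData),
    sourcehost      = extract("sourcehost:([^,]+)", 1, RawData),
    state           = extract("state:([^,]+)", 1, RawData),
    country         = extract("country:([^,]+)", 1, RawData),
    // the timestamp contains colons and a space, so match through to end of line
    timestamp       = todatetime(extract("timestamp:(.+)$", 1, RawData))
// drop anything that did not parse (blank lines, a sample line, malformed output)
| where isnotempty(sourcehost) and isnotnull(latitude) and isnotnull(longitude)
| summarize
    event_count = count(),
    usernames   = dcount(username),
    first_seen  = min(timestamp),
    last_seen   = max(timestamp)
  by sourcehost, country, state, latitude, longitude,
     label = strcat(country, " - ", sourcehost)
| order by event_count desc
```

When you paste this into the workbook in the next step and set Visualization to Map, choose Latitude/Longitude as the location info with the latitude and longitude columns, use event_count for the size and label for the label, so the largest bubbles are the noisiest sources.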

Step 14 - Set Up the Map in Sentinel with Latitude and Longitude

Leave your parsed log data open, open a new tab, go to portal.azure.com and search for Sentinel. In Sentinel, select your honeypot workspace.

image

Now, I had to take care of my daughter when I originally started this lab, so this information from Sentinel is over the course of a couple of days, but you can see the specific Failed_RDP_Honeypot instances highlighted by Sentinel.

image

Step 15 - Setting Up Our Map

In Sentinel, in the left navigation pane, select Workbooks.

image

At the top of the Workbooks page, select Add workbook.

image

Then click Edit.

image

At the far right of the workbook you should see Edit with three dots next to it. Click the dots and select Remove to delete the two default widgets.

image

Then, when the owl graphic and the message "This Azure Sentinel report has no content" appear, click Add below the owl.

image

Now we will run our query with our parsed columns. In the query box of the workbook, paste the same query we used to parse the raw data in Step 13. Then, in the Visualization drop-down at the top of the query panel, select Map.

image

Make sure to save your map! If you want to keep going, you can pay for an ipgeolocation.io plan and let the attacks continue, watching your map grow as more attacks happen. I chose to stay with the free tier and therefore only had 1,000 attacks logged.

I hope you enjoyed the lab! It was very interesting to see all of this happen in real time, and it gave me valuable experience with Azure.
