Credit goes to Josh Madakor for this lab! You can find his video here.
- Configuration & Deployment of Microsoft Azure virtual machines, Log Analytics Workspaces, and Microsoft Sentinel
- Hands-on experience with a SIEM (Security Information and Event Management)
- Understanding Windows Security Event logs
- Using KQL to query logs
- Display attack data on a dashboard with Workbooks (Failed RDP World Map)
- Microsoft Azure
- Remote Desktop Protocol (RDP)
- 3rd Party API: ipgeolocation.io
- Custom Powershell Script by Josh Madakor
- Navigate to Microsoft Azure and create a free account
- Your free account will give you $200 credit for the lab!
- Create a Virtual Machine (VM)
- Set a user name and password. Remember these, as you will need them to log into the Virtual Machine
- Leave Disk as all defaults
- In the networking section, create a new inbound security rule to allow all inbound traffic
- Create your VM
- Search for "Microsoft Defender for Cloud"
- Select "Environment Settings" and under Name select the Log Analytics Workspace that you named
- Set both Cloud Security Posture Management and Servers to ON. Leave SQL servers on machines OFF
- Don't forget to click "Save"
WARNING: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate to the new Azure Monitor agent prior to that date.
- Navigate to Microsoft Sentinel
- Create Microsoft Sentinel
- Select your Log Analytics Workspace name
- Click add!
- Log into your Windows VM via RDP
- Once logged in, type `wf.msc` in Start. Click on Windows Defender Firewall Properties and turn the firewall off for the Domain, Private and Public Profiles
- Try pinging your Virtual Machine from your host. This should work
- In the Windows VM, download the PowerShell script
- Open the script in PowerShell ISE
- Save the script. I saved it as "log-exporter"
- Navigate to https://ipgeolocation.io/ and sign up. You need to get the provided API key and paste it into the script
- Run the script and navigate to `C:\ProgramData\failed_rdp`
- Copy the contents of `failed_rdp`
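The steps above rely on Josh Madakor's script, which is not reproduced here. The following is an added example, not his script and not part of the original lab, showing the same idea end to end: read failed logon events (Event ID 4625) from the Security log, geolocate the source IP, and append one `key:value,` line per event to `C:\ProgramData\failed_rdp.log` in the layout that the workbook's KQL later extracts. The ipgeolocation.io `ipgeo` endpoint and its response field names (`latitude`, `longitude`, `country_name`, `state_prov`) are assumptions to check against the provider's documentation, and the API key is a placeholder.

```powershell
# Added example (not Josh Madakor's script): turn failed RDP logons into geolocated log lines.
# Assumptions: ipgeolocation.io "ipgeo" endpoint and the field names used below; placeholder key.
$ApiKey  = "<YOUR_IPGEOLOCATION_API_KEY>"   # placeholder: paste the key from ipgeolocation.io
$LogFile = "C:\ProgramData\failed_rdp.log"

# Write one sample record the first time so the Log Analytics custom-log wizard has a
# record to learn the layout from; the KQL query drops it with `destination != "samplehost"`.
if (-not (Test-Path $LogFile)) {
    "latitude:0,longitude:0,destinationhost:samplehost,username:sampleuser,sourcehost:0.0.0.0,state:Sample,country:Sample,label:Sample - 0.0.0.0,timestamp:2000-01-01 00:00:00" |
        Out-File -FilePath $LogFile -Encoding utf8
}

# Event RecordIds already written, so repeated passes do not duplicate lines.
$seen = @{}

while ($true) {
    # 4625 = "An account failed to log on". Only the last few minutes are queried each pass.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = (Get-Date).AddMinutes(-5) } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($seen.ContainsKey($e.RecordId)) { continue }
        $seen[$e.RecordId] = $true

        # Read EventData fields by name from the event XML instead of by positional index.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $sourceIp = $data['IpAddress']
        $user     = $data['TargetUserName']
        # Skip events with no usable remote address (local logon attempts, loopback).
        if ([string]::IsNullOrEmpty($sourceIp) -or $sourceIp -in @('-', '127.0.0.1', '::1')) { continue }

        # Assumed endpoint and field names for ipgeolocation.io (see lead-in).
        $geo = Invoke-RestMethod -Method Get -Uri "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$sourceIp"

        # The KQL regexes stop at the first comma, so commas are stripped from free-text fields.
        $country = "$($geo.country_name)" -replace ','
        $state   = "$($geo.state_prov)"   -replace ','
        $user    = "$user"                -replace ','
        $stamp   = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')

        $line = "latitude:$($geo.latitude),longitude:$($geo.longitude),destinationhost:$env:COMPUTERNAME," +
                "username:$user,sourcehost:$sourceIp,state:$state,country:$country," +
                "label:$country - $sourceIp,timestamp:$stamp"
        Add-Content -Path $LogFile -Value $line -Encoding utf8
    }
    Start-Sleep -Seconds 30
}
```

Run it from an elevated PowerShell session on the VM (reading the Security log requires administrator rights) and leave it running while the honeypot collects attempts. The comma stripping matters: every field is later pulled out with `([^,]+)`, so a country or user name containing a comma would otherwise truncate the value and shift the map's coordinates.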
- This will allow us to ingest the data that we are getting from the previous script
- Navigate to the Log Analytics Workspace
- Create a custom log by clicking on Tables and New custom log (MMA-based)
- Give a name to your custom log
- Click "Next" for Record delimiter
- Choose Windows for Collection paths and give it the path to the `failed_rdp.log` in the Windows VM, which would be `C:\ProgramData\failed_rdp.log`
- Name your custom log, for example `FAILED_RDP_WITH_GEO`
- Click Create
It may take some time for Azure to sync the VM and Log Analytics so be patient if you don't get results immediately.
- Navigate to Microsoft Sentinel > Workbooks > Add workbook
- Edit the workbook and remove the default widgets
- Add a new query and paste the KQL query below:
```kql
FAILED_RDP_WITH_GEO_CL
| extend username = extract(@"username:([^,]+)", 1, RawData),
         timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
         latitude = extract(@"latitude:([^,]+)", 1, RawData),
         longitude = extract(@"longitude:([^,]+)", 1, RawData),
         sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
         state = extract(@"state:([^,]+)", 1, RawData),
         label = extract(@"label:([^,]+)", 1, RawData),
         destination = extract(@"destinationhost:([^,]+)", 1, RawData),
         country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country
```
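Because the Log Analytics sync can lag, it helps to confirm the log layout on the VM before the workbook has any data. The following is an added example, not part of the original lab, that parses `failed_rdp.log` locally with the same regular expressions the KQL `extract` calls use, applies the same `samplehost` and empty-`sourcehost` filters, and groups the rows the way the `summarize` line does. The log path and field list match the lab; the function name `ConvertFrom-FailedRdpLine` is this example's own.

```powershell
# Added example (not from the lab): local check of the failed_rdp.log layout using the
# same patterns as the workbook KQL, so format problems surface before Azure ingests the file.
$LogFile = "C:\ProgramData\failed_rdp.log"
$Fields  = 'username', 'timestamp', 'latitude', 'longitude', 'sourcehost', 'state', 'label', 'destinationhost', 'country'

function ConvertFrom-FailedRdpLine {
    param([string]$Line)
    $obj = [ordered]@{}
    foreach ($f in $Fields) {
        # Same pattern as the KQL: extract(@"<field>:([^,]+)", 1, RawData)
        $m = [regex]::Match($Line, "$($f):([^,]+)")
        $obj[$f] = if ($m.Success) { $m.Groups[1].Value } else { '' }
    }
    [pscustomobject]$obj
}

# Mirrors: | where destination != "samplehost" | where sourcehost != ""
$records = Get-Content -Path $LogFile |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { ConvertFrom-FailedRdpLine -Line $_ } |
    Where-Object { $_.destinationhost -ne 'samplehost' -and $_.sourcehost -ne '' }

# Rows without coordinates would never appear on the map; report them so the script can be fixed.
$records | Where-Object { $_.latitude -eq '' -or $_.longitude -eq '' } |
    ForEach-Object { Write-Warning "Record from $($_.sourcehost) has no latitude/longitude" }

# Mirrors: | summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country
$records |
    Group-Object -Property latitude, longitude, sourcehost, label, destinationhost, country |
    Select-Object @{ n = 'event_count'; e = { $_.Count } }, @{ n = 'group'; e = { $_.Name } } |
    Sort-Object -Property event_count -Descending |
    Format-Table -AutoSize
```

If a field shows up empty here, it will be empty in Sentinel too, since the workbook query uses exactly the same patterns; the usual cause is a value that contains a comma, which the `[^,]+` group stops at.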
- Run the Query!
- You can continue refreshing the map to display more failed RDP attacks. Here the honeypot was left running overnight.
I hope you have enjoyed going through the lab, as much as I did! Don't forget to deprovision your Azure services when you have decided to stop gathering failed RDP attacks so you don't get charged!