- Setting up and rolling out various Azure components including Virtual Machines (VMs), Log Analytics Workspaces, and Azure Sentinel
- Competence and experience with Microsoft Azure Sentinel, a SIEM (Security Information and Event Management) Log Management Tool
- Third-party API Calls
- Using KQL to query logs
- Reading the Windows Security Event Log (failed logons, Event ID 4625)
- Utilize Workbooks (World Map) to make an interactive map showing attack statistics
- Microsoft Azure account
- Azure Services: Sentinel, Log Analytics Workspace, Workbooks, Network Security Groups
- PowerShell
- Remote Desktop Protocol (RDP)
- Third-party API: ipgeolocation.io
- Customized PowerShell script authored by Josh Madakor
Step 1: Create a Microsoft Azure Account
Microsoft offers $200 in Azure credit for 30 days when you initially sign up
Vulnerable Windows VM
- After signing up, click "Go to the Azure Portal", or visit portal.azure.com
- In the search bar type "virtual machines"
- Under the Create tab click on "Azure virtual machine"
- Create a new resource group and give it a name (honeypot-lab)
A resource group is a container that helps organize and manage related cloud resources.
- Give your virtual machine a name (honeypot-vm)
- Choose a recommended region: (US) West 3
- Availability options: No infrastructure redundancy required
- Security type: Standard
- Image: Windows 10 Pro, version 22H2 - x64 Gen2
- VM Architecture: x64
- Size: Default is fine (Standard_D2s_v3 – 2vcpus, 8 GiB memory)
- Set up a username and password for the virtual machine.
IMPORTANT: these credentials are what you will use to log into the virtual machine over RDP later, so keep them in mind.
- Public inbound ports -> Allow selected ports: RDP (3389)
- Confirm Licensing
- Select Next : Disks >
- Leave everything as is
- Select Next : Networking >
Network interface
- NIC network security group: Advanced -> Create new
A Network Security Group (NSG) in Azure is a virtual firewall that filters and controls network traffic to protect Azure resources.
- Click the three dots next to the default inbound rule (1000: default-allow-rdp) and delete it
- Add an inbound rule
- Destination port ranges: * (wildcard for anything)
- Protocol: Any
- Action: Allow
- Priority: 100 (low)
- Name: Anything (allow-any-inbound)
- Select Review + Create
With an NSG rule that allows traffic from any source on any port, the VM will be easy for internet scanners to discover, which is the point of a honeypot.
- Search for "Log analytics workspaces"
- Select Create Log Analytics workspace
- Place it in the identical resource group as the VM (honeypot-lab)
- Give it the name you choose (honeypot-law)
- Add to the same region (West US 3)
- Select Review + Create
The Log Analytics workspace will ingest the Windows Event Viewer logs together with a custom log carrying the geographic information used to map attacker locations.
- Search for "Microsoft Defender for Cloud"
- Under Management click on "Environment settings" -> Subscription Name -> Log Analytics Workspace Name (honeypot-law)
Settings | Defender plans
- Foundational CSPM (Cloud Security Posture Management): ON
- Servers: ON
- SQL servers on machines: OFF
- Click Save
Settings | Data collection
- Select "All Events"
- Click Save
- Look for "Log Analytics workspaces"
- Select workspace name (honeypot-law) -> "Virtual machines" -> virtual machine name (honeypot-vm)
- Hit Connect
- Look for "Microsoft Sentinel"
- Hit Create Microsoft Sentinel
- Choose Log Analytics Workspace name (honeypot-law)
- Hit Add
Testing Firewall - first we can test the firewall by pinging the VM's IP address. Ping checks whether the device at that IP address is reachable and responding on the network; it is a basic network troubleshooting tool for testing connectivity between your device and the target.
- Open the Command Prompt: Press the Windows key, type "cmd," and press Enter to open the Command Prompt
- Type the Ping Command: In the Command Prompt window, type the following command and press Enter:
ping (ip-address)
- Replace with the actual IP address you want to ping. For example:
ping 20.163.108.170
- Open the Terminal: On macOS, you can find the Terminal in Applications > Utilities. On Linux, press Ctrl + Alt + T to open the Terminal.
- Type the Ping Command: In the Terminal window, type the following command and press Enter:
ping (ip-address)
- Replace with the actual IP address you want to ping. For example:
ping 20.163.108.170
- Observe the Results: the ping command will start sending packets to the specified IP address, and you'll see the results with round-trip times and other statistics. To stop the ping process on Windows and macOS/Linux, press Ctrl + C (on Linux, Ctrl + Z only suspends the process instead of stopping it)
At this point the ping requests time out: the VM's Windows firewall blocks incoming ping requests. Next we will disable that firewall...
- Locate the honeypot VM (honeypot-vm) under Virtual Machines.
- Copy the IP address from the VM
- Using the credentials from step 2, access the virtual machine through Remote Desktop Protocol (RDP). Note: if you're on a Mac you can download the "Microsoft Remote Desktop" application or use another RDP client that supports the protocol.
- Accept Certificate warning
- Select "No" for every option under "Choose privacy settings for your device"
- Hit Start and search for "wf.msc" (Windows Defender Firewall)
- Click "Windows Defender Firewall Properties"
- Turn Firewall State OFF for Domain Profile | Private Profile | and Public Profile
- Click Apply and Ok
- To check if VM is reachable, ping it using the command line of the host
ping -t (ip-address)
Ping successful :)
- In your VM launch PowerShell ISE
- Configure Edge browser without logging in
- Copy the PowerShell script (authored by Josh Madakor) and insert it into the virtual machine's PowerShell
- Choose New Script in PowerShell ISE and paste the script
- Give it a name and save it to the desktop (log_exporter)
- Create a profile with ipgeolocation.io
1000 API calls per day are free with this account. A monthly cap of 150,000 API calls is available for 15 dollars.
- Once logged in, copy the API key and paste it into line 2 of the script.
$API_KEY = "<API key>"
- Click Save
- To generate log data continually, run the PowerShell ISE script (green play button) in the virtual machine
The script exports failed logon events from Windows Event Viewer, sends each source IP to the IP Geolocation service, extracts the returned latitude and longitude, and writes the result to a new log file called failed_rdp.log at the location specified below: C:\ProgramData\failed_rdp.log
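As an added illustration of what the paragraph describes (this is not Josh Madakor's log_exporter script, which you paste in above), the following PowerShell collection loop reads Event ID 4625 from the Security log, geolocates the source IP and appends one line per event. It assumes the comma-separated key:value line layout that the KQL queries later on this page parse, and the ipgeolocation.io ipgeo response field names (latitude, longitude, state_prov, country_name) as that service documents them.

```powershell
# Added illustration (not the original log_exporter script). Reads failed logons
# (Event ID 4625) from the Security log, geolocates the source IP with
# ipgeolocation.io and appends one comma-separated key:value line per event.
$API_KEY = "<API key>"                      # placeholder: paste your ipgeolocation.io key here
$LOGFILE = "C:\ProgramData\failed_rdp.log"
$seen    = @{}                              # record ids already written, to avoid duplicates

# Assumed sample line: the queries on this page filter out destinationhost "samplehost",
# and the custom-log wizard needs at least one line to learn the layout.
if (-not (Test-Path $LOGFILE)) {
    "latitude:0,longitude:0,destinationhost:samplehost,username:fakeuser,sourcehost:0.0.0.0,state:Sample,country:Sample,label:Sample,timestamp:2000-01-01 00:00:00" |
        Out-File -FilePath $LOGFILE -Encoding utf8
}

while ($true) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        if ($seen.ContainsKey($ev.RecordId)) { continue }
        $seen[$ev.RecordId] = $true

        # 4625 carries the caller's values in the event XML; pull the fields the map needs.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $sourceIp = $data['IpAddress']
        # Local or non-network failures have no usable address; skip them.
        if ([string]::IsNullOrEmpty($sourceIp) -or $sourceIp -eq '-') { continue }

        # Geolocate the source address (the free plan allows 1,000 calls per day).
        $geo  = Invoke-RestMethod -Uri "https://api.ipgeolocation.io/ipgeo?apiKey=$API_KEY&ip=$sourceIp" -Method Get
        $line = "latitude:$($geo.latitude),longitude:$($geo.longitude)," +
                "destinationhost:$env:COMPUTERNAME,username:$($data['TargetUserName'])," +
                "sourcehost:$sourceIp,state:$($geo.state_prov),country:$($geo.country_name)," +
                "label:$($geo.country_name) - $sourceIp,timestamp:$($ev.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))"
        Add-Content -Path $LOGFILE -Value $line
        Write-Host $line
    }
    Start-Sleep -Seconds 10
}
```

The loop keeps a running set of record ids, so re-reading the last 200 events every ten seconds does not write the same failed logon twice.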
- To add the extra information from the IP Geolocation service to Azure Sentinel, create a custom log
- Search "Run" in VM and type "C:\ProgramData"
- Open file named "failed_rdp" hit CTRL + A to select all and CTRL + C to copy selection
- On the host PC, open notepad and paste the information
- Save it to the desktop as "failed_rdp.log". Note: make sure it is saved as a plain (.txt) text file; I had formatting issues when saving in (.rtf) rich text format.
- In Azure go to Log Analytics Workspaces -> Log Analytics workspace name (honeypot-law) -> Custom logs -> Add custom log
- Select Sample log saved to Desktop (failed_rdp.log) and click Next
- Look over sample logs -> Click Next
- Type: Windows
- Path: "C:\ProgramData\failed_rdp.log"
- Name and describe the custom log (FAILED_RDP_WITH_GEO) before pressing the Next button
- Click Create
- Navigate to the newly established workspace (honeypot-law) in Log Analytics Workspaces -> Logs
- We can then run a query that extracts the individual fields (latitude, longitude, destinationhost, etc.) and filters on them.
As of March 31st, 2023, Microsoft has disabled the creation of new custom fields and has migrated to KQL, which is why the fields are extracted in the query itself rather than defined on the custom log.
- Copy/Paste the following query into the query window and Run Query
FAILED_RDP_WITH_GEO_CL
| extend username = extract(@"username:([^,]+)", 1, RawData),
timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
latitude = extract(@"latitude:([^,]+)", 1, RawData),
longitude = extract(@"longitude:([^,]+)", 1, RawData),
sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
state = extract(@"state:([^,]+)", 1, RawData),
label = extract(@"label:([^,]+)", 1, RawData),
destination = extract(@"destinationhost:([^,]+)", 1, RawData),
country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by timestamp, label, country, state, sourcehost, username, destination, longitude, latitude
Kusto Query Language (KQL) is used to query and extract logs from data stored in Azure Log Analytics or Azure Data Explorer. KQL is a powerful and expressive query language that supports advanced data analysis, filtering, aggregation, and visualization. The language is designed to be easy to read and use, and with some practice composing queries, simple instructions come naturally.
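A host-side sanity check, added here as example code rather than part of the original project: it applies the same field regexes as the extract() calls in the query above to a local copy of failed_rdp.log, drops the samplehost line, and counts events per country, so a malformed line is caught before the file is uploaded as the custom-log sample. The file path is the one the page uses; the function name is my own.

```powershell
# Added check (not part of the original project): parse failed_rdp.log on the host
# with the same field regexes the KQL query uses, so a malformed line is caught
# before the file is uploaded as the custom-log sample.
function ConvertFrom-FailedRdpLine {
    param([string]$RawData)
    $fields = 'username','timestamp','latitude','longitude','sourcehost','state','label','destinationhost','country'
    $row = [ordered]@{}
    foreach ($f in $fields) {
        # Mirrors extract(@"<field>:([^,]+)", 1, RawData) in KQL: empty string when absent
        $row[$f] = if ($RawData -match "${f}:([^,]+)") { $Matches[1] } else { '' }
    }
    [pscustomobject]$row
}

$rows = Get-Content "C:\ProgramData\failed_rdp.log" |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { ConvertFrom-FailedRdpLine $_ } |
    # Same filters as the query: drop the sample line and lines without a source host
    Where-Object { $_.destinationhost -ne 'samplehost' -and $_.sourcehost -ne '' }

# Lines without coordinates cannot be placed on the workbook map; flag them early.
$rows | Where-Object { $_.latitude -eq '' -or $_.longitude -eq '' } |
    ForEach-Object { Write-Warning "no coordinates for $($_.sourcehost)" }

# Same idea as "summarize event_count=count() by ...", reduced to a per-country count
$rows | Group-Object country | Sort-Object Count -Descending |
    Select-Object @{n='country'; e={$_.Name}}, @{n='event_count'; e={$_.Count}} |
    Format-Table -AutoSize
```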
- Access Microsoft Sentinel to view the Overview page and available events
- Click on Workbooks and Add workbook then click Edit
- Delete default widgets (three dots -> remove)
- Click Add->Add query
- You can Copy/Paste the previous query or this one into the query window and Run Query
FAILED_RDP_WITH_GEO_CL
| parse RawData with * "latitude:" Latitude ",longitude:" Longitude ",destinationhost:" DestinationHost ",username:" Username ",sourcehost:" Sourcehost ",state:" State ", country:" Country ",label:" Label ",timestamp:" Timestamp
| where DestinationHost != "samplehost"
| where Sourcehost != ""
| summarize event_count=count() by Sourcehost, Latitude, Longitude, Country, Label, DestinationHost
- When results appear, select Map from the Visualization drop-down box.
- Choose Map Settings to make additional adjustments
- Location info using: Latitude/Longitude
- Latitude: latitude
- Longitude: longitude
- Size by: event_count
- Coloring Type: Heatmap
- Color by: event_count
- Aggregation for color: Sum of Values
- Color palette: Green to Red
- Metric Label: label
- Metric Value: event_count
- Click Apply button and Save and Close
- Save as "Failed RDP International Map" in the same region and under the resource group (honeypot-lab)
- Keep refreshing the map to show more inbound failed RDP attacks
Note: the map shows only failed RDP logon attempts, not any other attacks the VM might be facing.
Event Viewer showcasing failed RDP logon efforts. Event ID: 4625
Data processing by the custom PowerShell script using a third-party API
CRUCIAL: DON'T SKIP!
- Look for "Resource groups" -> name of resource group
- Type the name of the resource group (honeypot-lab) to confirm deletion of its resources
- Select the Apply force delete for selected Virtual machines and Virtual machine scale sets box
- Click Delete
Resources that are not deleted keep consuming the free credits, and once those run out, charges will start to accrue.