Skip to content

Latest commit

 

History

History
353 lines (235 loc) · 15.8 KB

README.md

File metadata and controls

353 lines (235 loc) · 15.8 KB

Azure Sentinel (SIEM) Honeypot Home Lab

Azure Homelab Cover

Description

Welcome to the Azure Sentinel Honeypot Homelab walkthrough! In this guide, we will explore how to set up and utilize a powerful and educational Homelab using Microsoft Azure Sentinel. Honeypots are decoy systems designed to attract and monitor malicious activity, providing valuable insights into potential threats and attackers' tactics. A SIEM (Security Information and Event Management) is a comprehensive security solution that helps organizations collect, analyze, and respond to security events in real-time. With Azure Sentinel, Microsoft's cloud-native SIEM (Security Information and Event Management) solution, we can gain a comprehensive view of security events and automate threat detection and response. Unleash the power of our homelab where cybersecurity meets innovation! Track and log attacks from around the globe and witness our mesmerizing attack map take shape. Discover the thrilling world of cyber warfare with us!

Learning Objectives

  • Setting up and rolling out various Azure components including Virtual Machines (VMs), Log Analytics Workspaces, and Azure Sentinel
  • Competence and experience with Microsoft Azure Sentinel, a SIEM (Security Information and Event Management) Log Management Tool
  • Third-party API Calls
  • Using KQL to query logs
  • Learn how to read the Security Event Logs in Windows
  • Utilize Workbooks (World Map) to make an interactive map showing attack statistics

Technologies + Requirements

  • Microsoft Azure + Account
  • Azure Services: Sentinel, Log Analytics Workspace, Workbooks, Network Security Groups
  • Powershell
  • Remote Desktop Protocol (RDP)
  • Third-party API: ipgeolocation.io
  • Customized Powershell Script authored by Josh Madakor

Overview:

Azure Homelab Schematic

Step 1: Create a Microsoft Azure Account: Azure

Microsoft offers $200 in Azure credit for 30 days when you initially sign up

Azure Sign Up

Step 2: Setup our honey pot virtual machine

Vulnerable Windows VM

Honeypot VM

Basics

  • After signing up, click "Go to the Azure Portal" , or visit portal.azure.com
  • In the search bar type "virtual machines"
  • Under Create tab click on Azure virtual machine

Project Details

  • Create a new resource group and give it a name (honeypot-lab)

A resource group is a container that helps organize and manage related cloud resources.

Instance Details

  • Give your virtual machine a name (honeypot-vm)
  • Choose a recommended region: ((US) West 3)
  • Availability options: No infrastructure redundancy required
  • Security type: Standard
  • Image: Windows 10 Pro, version 22H2 - x64 Gen2
  • VM Architecture: x64
  • Size: Default is fine (Standard_D2s_v3 – 2vcpus, 8 GiB memory)

Administrator account

  • Set up a username and password for the virtual machine.

IMPORTANT: these identification details will be used to log into the virtual machine. (Make sure to keep them in mind)

Inbount port rules

  • Public inbound ports -> Allow selected ports: RDP (3389)

Licensing

  • Confirm Licensing
  • Select Next : Disks >

Honeypot VM Config

Disks

  • Leave everything as is
  • Select Next : Networking >

Networking

Network interface

  • NIC network security group: Advanced -> Create new

A Network Security Group (NSG) in Azure is a virtual firewall that filters and controls network traffic to protect Azure resources.

  • By clicking the three dots, delete Inbound rules (1000: default-allow-rdp)
  • Add an inbound rule
  • Destination port ranges: * (wildcard for anything)
  • Protocol: Any
  • Action: Allow
  • Priority: 100 (low)
  • Name: Anything (allow-any-inbound)
  • Select Review + Create

Network Security Group

The VM will be simple to detect if the firewall is set up to accept traffic from anywhere.

Step 3 : Provisioning a Log Analytics Workspace

  • Search for "Log analytics workspaces"
  • Select Create Log Analytics workspace
  • Place it in the identical resource group as the VM (honeypot-lab)
  • Give it the name you choose (honeypot-law)
  • Add to the same region (West US 3)
  • Select Review + Create

Log Analytics workspace

Custom logs with geographic information to map the locations of attackers will be absorbed into Log Analytics workspaces together with the Windows Event Viewer logs.

Step 4 : Setup Microsoft Defender for Cloud

  • Search for "Microsoft Defender for Cloud"
  • Under Management click on "Environment settings" -> Subscription Name -> Log Analytics Workspace Name (honeypot-law)

Microsoft Defender

Settings | Defender plans

  • Foundational CSPM (Cloud Security Posture Management): ON
  • Servers: ON
  • SQL servers on machines: OFF
  • Click Save

Microsoft Defender 2

Settings | Data collection

  • Select "All Events"
  • Click Save

Step 5 : Link Virtual Machine to the Log Analytics Workspace

  • Look for "Log Analytics workspaces"
  • Select workspace name (honeypot-law) -> "Virtual machines" -> virtual machine name (honeypot-vm)
  • Hit Connect

Link LAW to VM

Step 6 : Setup Microsoft Sentinel

  • Look for "Microsoft Sentinel"
  • Hit Create Microsoft Sentinel
  • Choose Log Analytics Workspace name (honeypot-law)
  • Hit Add

Microsoft Sentinel

Step 7 : Turn OFF the Virtual Machine's firewall

Testing Firewall - first we can test the firewall by pinging the VM's IP address. The purpose of this is to check if the target device with that specific IP address is reachable and responsive on the network. "PING" is a basic network troubleshooting tool used to test connectivity between your device and the target device.

For Windows:

  1. Open the Command Prompt: Press the Windows key, type "cmd," and press Enter to open the Command Prompt
  2. Type the Ping Command: In the Command Prompt window, type the following command and press Enter:

ping (ip-adress)

  1. Replace with the actual IP address you want to ping. For example:

ping 20.163.108.170

For macOS and Linux

  1. Open the Terminal: On macOS, you can find the Terminal in Applications > Utilities. On Linux, press Ctrl + Alt + T to open the Terminal.
  2. Type the Ping Command: In the Terminal window, type the following command and press Enter:

ping (ip-adress)

  1. Replace with the actual IP address you want to ping. For example:

ping 20.163.108.170

Both :

  • Observe the Results: the ping command will start sending packets to the specified IP address, and you'll see the results with round-trip times and other statistics. To stop the ping process on both Windows and macOS/Linux, you can press Ctrl + C or Ctrl + Z

Microsoft Sentinel

As you can see above our firewall is set up to block out incoming ping requests. Next we will continue to disable the firewall...

  • Locate the honeypot VM (honeypot-vm) under Virtual Machines.
  • Copy the IP address from the VM
  • Using the credentials from step 2, access the virtual machine through Remote Desktop Protocol (RDP). Note: if your on a Mac you can download the "Microsoft Remote Desktop" application or use another VM host for Microsoft that supports the protocol.
  • Accept Certificate warning
  • Select NO for all Choose privacy settings for your device
  • Hit Start and search for "wf.msc" (Windows Defender Firewall)
  • Click "Windows Defender Firewall Properties"
  • Turn Firewall State OFF for Domain Profile | Private Profile | and Public Profile
  • Click Apply and Ok
  • To check if VM is reachable, ping it using the command line of the host ping -t (ip-adress)

FIREWALL-OFF

pingsuccessful

Ping successful :)

Step 8 : Automating the Security Log Exporter

  • In your VM launch Powershell ISE
  • Configure Edge browser without logging in
  • Copy Powershell Script and insert into Virtual Machine's Powershell (authored by Josh Madakor)
  • Choose New Script in Powershell ISE and paste script
  • Give it a name and save it to the desktop (log_exporter)

psscript

1000 API calls per day are free with this account. A monthly cap of 150,000 API calls is available for 15 dollars.

  • Once logged in, copy the API key and paste it into line 2 of the script. $API_KEY = "<API key>"
  • Click Save
  • To generate log data continually, run the PowerShell ISE script (green play button) in the virtual machine

ip-geo

Data will be exported from Windows Event Viewer and imported into the IP Geolocation service by the script. The latitude and longitude will then be extracted, and a new log file called failed_rdp.log will be created in the location specified below: C:\ProgramData\failed_rdp.log

Step 9 : Log Analytics Workspace: Make a Custom Log

  • To add the extra information from the IP Geolocation service to Azure Sentinel, create a custom log
  • Search "Run" in VM and type "C:\ProgramData"
  • Open file named "failed_rdp" hit CTRL + A to select all and CTRL + C to copy selection
  • On the host PC, open notepad and paste the information
  • Save to desktop as "failed_rdp.log" Note: make sure it's saved as a (.txt) text file. I had issues with formatting when saving in (.rtf) rich text format.
  • In Azure go to Log Analytics Workspaces -> Log Analytics workspace name (honeypot-law) -> Custom logs -> Add custom log

Sample

  • Select Sample log saved to Desktop (failed_rdp.log) and click Next

Record delimiter

  • Look over sample logs -> Click Next

Collection paths

  • Type: Windows
  • Path: "C:\ProgramData\failed_rdp.log

Details

  • Name and describe the custom log (FAILED_RDP_WITH_GEO) before pressing the Next button
  • Click Create

customlog

Step 10 : Query + Extract Fields from Custom Log

  • Navigate to the newly established workspace (honeypot-law) in Log Analytics Workspaces -> Logs
  • We then can run a query and extract the different data filtering by different fields such as latitude, longitude, destinationhost, etc.

As of March 31st, 2023, Microsoft has disabled the creation of new custom fields and has migrated to KQL. You can learn more about it here

  • Copy/Paste the following query into the query window and Run Query
FAILED_RDP_WITH_GEO_CL 
| extend username = extract(@"username:([^,]+)", 1, RawData),
         timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
         latitude = extract(@"latitude:([^,]+)", 1, RawData),
         longitude = extract(@"longitude:([^,]+)", 1, RawData),
         sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
         state = extract(@"state:([^,]+)", 1, RawData),
         label = extract(@"label:([^,]+)", 1, RawData),
         destination = extract(@"destinationhost:([^,]+)", 1, RawData),
         country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by timestamp, label, country, state, sourcehost, username, destination, longitude, latitude

Kusto Query Language (KQL) is used to query and extract logs from data stored in Azure Log Analytics or Azure Data Explorer. KQL is a powerful and expressive query language that allows you to perform advanced data analysis, filtering, aggregation, and visualization. With some practice composing questions and simple instructions, the language is meant to be simple to read and use.

querynextract

Step 11 : Create World Attack Map in Microsoft Sentinel

  • Access Microsoft Sentinel to view the Overview page and available events
  • Click on Workbooks and Add workbook then click Edit
  • Delete default widgets (three dots -> remove)
  • Click Add->Add query
  • You can Copy/Paste the previous query or this one into the query window and Run Query
Failed_RDP_Geolocation_CL
| parse RawData with * "latitude:" Latitude ",longitude:" Longitude ",destinationhost:" DestinationHost ",username:" Username ",sourcehost:" Sourcehost ",state:" State ", country:" Country ",label:" Label ",timestamp:" Timestamp
| where DestinationHost != "samplehost"
| where Sourcehost != ""
| summarize event_count=count() by Sourcehost, Latitude, Longitude, Country, Label, DestinationHost
  • When results appear, select Map from the Visualization drop-down box.
  • Choose Map Settings to make additional adjustments

Layout Settings

  • Location info using: Latitude/Longitude
  • Latitude: latitude
  • Longitude: longitude
  • Size by: event_count

Color Settings

  • Coloring Type: Heatmap
  • Color by: event_count
  • Aggregation for color: Sum of Values
  • Color palette: Green to Red

Metric Settings

  • Metric Label: label
  • Metric Value: event_count
  • Click Apply button and Save and Close
  • Save as "Failed RDP International Map" in the same region and under the resource group (honeypot-lab)
  • Keep refreshing the map to show more inbound failed RDP attacks

Note: Only unsuccessful RDP attempts will be shown on the map, not any additional attacks the VM might be facing.

fail_rdpmap

Event Viewer showcasing failed RDP logon efforts. Event ID: 4625

event-viewer

Data processing from a custom Powershell script using a third party API

ps-logs

Step 12 : Shut Down Resources

CRUCIAL: DON'T SKIP !

  • Look for "Resource groups" -> name of resource group
  • Key in the name of the resource group (honeypot-lab) to verify removal of resources
  • Select the Apply force delete for selected Virtual machines and Virtual machine scale sets box
  • Click Delete

dpvs-resources

Resources will use free credits if they are not eliminated, and costs may start to accrue.