Introduction
Honeypots, in the context of cybersecurity, are decoys or sacrificial computers intended to lure in attackers. It mimics a potential target system and in doing so gains useful insights from the intrusion attempts of the hackers. It may also be used to gain information about the mode of operation of the hackers or to distract them from real systems and make them focus their efforts on the decoy.
In this guide, we'll walk through the process of creating a honeypot using Microsoft Azure. This involves setting up a virtual machine, configuring security measures, and leveraging Azure Sentinel for visualizing geodata related to potential attacks. We'll also be exposed to the Log Analytics Workspace in Azure and Kusto Query Language (KQL) which will be used to query logs in the project.
Azure Account Setup
To begin, create an Azure account using your college email (one ending in .edu), which provides $100 in free credits valid for a year.
Creating an Azure Virtual Machine
Create an Azure Virtual Machine. For this project I used the Windows 10 x64 Pro image, equipped with 2 vCPUs, 8 GB memory. I also created an admin account. (Be sure to remember the password as it will be used later to log in to the VM remotely.)
Resource Group and Network Security Group
In Azure, resources such as VMs and Log Analytics Workspaces can be group into a logical group which usually shares the same lifespan. This grouping of resources is called a Resource Group. Azure also allows us to establish and configure a Network Security Group (NSG), which serves as a virtual firewall. We will be allowing all traffic to the VM by setting source and destination as *.
Caution: Setting NSG configuration to allow all traffic is typically avoided for any resource you have on the cloud that is to be protected, but for the intent of our Honey Pot, this is ideal.
Log Analytics Workspace (LAW) and Microsoft Sentinel
Log Analytics Workspace (LAW) provides a centralized for collecting and analyzing data in Azure. We will set it up to ingest logs, including Windows event logs and custom logs for geographic location. Microsoft Sentinel will then connect to LAW to display geodata on a map. Set the Microsoft Defender for Cloud to collect all events and connect LAW to the VM for data collection.
Visualizing Geodata with Microsoft Sentinel
Remote Desktop Connection
Obtain the public IP address of the VM and connect via Remote Desktop Connection app in your system using the admin account credentials you created while setting up the VM. Inside the VM, turn off the firewall and verify by pinging its public IP from your machine.
Analyzing Event Logs
You can then explore the Event Viewer to identify failed login attempts (Event ID: 4625). This event id will be helpful when filtering records using KQL later.
Geolocating IP Addresses
If you look closer at the event log, you'll see that it only contains the source IP address for the failed login attempt. Since we eventaully need to plot the IP address, we'll need some way to convert this IP address into geological data. For this we'll use ipgeolocation.io's API to obtain geographical information for the IP addresses. This API is useful as it gives us Lattitude, Longitude, Country and similar information.
We'll use a powershell script for extracting the data from the Windows Event Logs and using the API key we'll convert the IP address to geological data.
Creating Custom Log in LAW
Fortunately for us, we can simply copy the custom log powershell script from https://github.com/joshmadakor1/Sentinel-Lab/blob/main/Custom_Security_Log_Exporter.ps1. This script basically continuously monitors and export failed login attempts to failed_rdp.log. Take care to replace the API key with a new key from ipgeolocation.io.
In Azure, create a custom log in LAW by uploading the failed_rdp.log file. This will take some time to fully upload however it will train the LAW to parse our custom log.
Extracting Fields using KQL
To visualize the data collected in LAW, we'll use a new workbook in Microsoft Sentinel. Further, we'll employ Kusto Query Language (KQL) to extract relevant fields from the raw custom log data which will be used by Azure Sentinel to plot the intrusion attempts. For this use the query below:
FAILED_RDP_WITH_GEO_CL
|extend username = extract(@"username:([^,]+)", 1, RawData),
timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
latitude = extract(@"latitude:([^,]+)", 1, RawData),
longitude = extract(@"longitude:([^,]+)", 1, RawData),
sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
state = extract(@"state:([^,]+)", 1, RawData),
label = extract(@"label:([^,]+)", 1, RawData),
destination = extract(@"destinationhost:([^,]+)", 1, RawData),
country = extract(@"country:([^,]+)", 1, RawData)
|where destination != "samplehost"
|where sourcehost != ""
|summarize event_count=count() by timestamp, label, country, state, sourcehost, username, destination, longitude, latitude
This query basically extracts username, timestamp, latitude, longitude, sourcehost, state, label, destination and country from the raw log data and filters it to exclude the initial training data. It also summarizes event count by the extracted fields.
Conclusion
By following these steps, we've successfully set up a honeypot in Microsoft Azure, configured logging, and visualized geodata using Azure Sentinel. This comprehensive approach allows you to monitor and analyze potential security threats effectively. The intrusion map I obtained after letting the VM run for a couple of days is shown below:
Top comments (0)