Creating a VM Honeypot
Using Microsoft Azure, I created a box that logged and displayed incoming attacks from across the globe.
Creating a VM on Azure
Press enter or click to view image in full size
First of all I needed to create a VM using Azure. I have the $200 free money to play around with, with my new account which will be more than enough for this lab. There are a few resources out there to help set up this lab, Josh Madakor has a great video on this exact process.
I used Windows 10, with a standard security type, named it honeypot-lab and set the region to US West 2.
Running through the set up I made sure to create a new firewall to allow anything to scan it. Selecting all port ranges and any protocols to allow any type of scan to interact with it.
Press enter or click to view image in full size
After I created the firewall and set up the VM, I hit the create to deploy it. Next on the list is to extract logs from the VM to see what kind of traffic and scans are hitting the machine, and make sure we capture some geographic data to get an idea of where the attacks/scans are coming from.
Press enter or click to view image in full size
Press enter or click to view image in full size
Press enter or click to view image in full size
Now to set up the SIEM to visualize all the data that our virtual machine is spitting out. I navigated to Microsoft Sentinel and created one for the new VM that I spun up.
Press enter or click to view image in full size
Now I can log into the VM and set it up as a honeypot. I want to grab the event viewer security logs and map them out using the IP address as a geo locator. So we can see what countries are trying to log in with RDP.
Press enter or click to view image in full size
I need to make sure the firewall is off on the VM.
Press enter or click to view image in full size
Next I used the powershell script created by Josh Madakor that is able to export the log files. I needed to edit the powershell script to include an API key from ipgeoloction.io.
The script grabs the logs, the IP address, the location of the IP address thanks to the API key and creates a new log for me to export and review on Azure.
After running the script, I then needed to create the custom log with the data I am pulling from the VM. Tables -> Create -> New Custom Log (MMA). It wants a sample log first, to make sure it knows what to look for, so I used the sample data from the above mentioned script.
Press enter or click to view image in full size
Now I had to wait a bit before the sample logs would show up in a query.
Press enter or click to view image in full size
The next step is to use the raw data output and make it a little more readable. This step proved quite difficult, with some research and a look over the comments on Josh’s YouTube video, I found a KQL query that parses all the data and returns them into proper fields.
FAILED_WITH_GEO_CL
| parse RawData with * "latitude:" Latitude ",longitude:" Longitude ",destinationhost:" DestinationHost ",username:" Username ",sourcehost:" Sourcehost ",state:" State ", country:" Country ",label:" Label ",timestamp:" Timestamp
| project Latitude, Longitude, DestinationHost, Username, Sourcehost, State, Country, Label, TimestampI then created a new workbook in order to visualize it on a world map.
Press enter or click to view image in full size
After saving I just now had to wait for people to try and login to the machine. It didn’t take to long for someone from Hong Kong to try and access the RDP!
Press enter or click to view image in full size
I set the refresh time to 5 mins. I will update this over the next hour to see what else tries to connect.
Press enter or click to view image in full size
Morocco has joined the chat.
Press enter or click to view image in full size
4 hours later, Saudi Arabia have joined in.
That is going to conclude my adventure into Azure. It was a lot of fun seeing the results, although I was a little disappointed there weren’t more countries that hopped in!
Last updated