Made a honeypot on Azure running a Windows 10 virtual machine with all ports open to attract brute-force attacks, and parsed the resulting logs in the SIEM.
The PowerShell script in this repository is responsible for parsing Windows Event Log entries for failed RDP logon attempts and using a third-party API to collect geographic information about the attackers' location.
The script is used in this demo, where I set up Azure Sentinel (SIEM) and connect it to a live virtual machine acting as a honeypot. We will observe live attacks (RDP brute force) from all around the world. I will use a custom PowerShell script to look up the attackers' geolocation information and plot it on an Azure Sentinel map!
This is the query used to parse the log data and extract the location, usernames, passwords, and other fields from the log:
PowerShell: Extract RDP failed logon logs from Windows Event Viewer Utilities
ipgeolocation.io: IP Address to Geolocation API
Some steps are simple, like creating a virtual machine, so I have skipped them on the assumption that anyone can log into Azure and click "Create virtual machine".
After creating the virtual machine, it is time to open it to the world. For this, I created a new network security group with inbound rules allowing all traffic.
I then turned off the firewall inside the machine so it would be easily discoverable via ping.
Soon after that, I started getting failed authentication logs in Event Viewer:
I wanted to know where the attacks were coming from, so I created a custom log in the Log Analytics workspace for this (this is now under the "Tables" section):
Log Analytics workspace created and connected to the virtual machine
Creating a "Table", which is the new way to create "custom logs" in Azure.
To create this custom log, I had to let Azure know what the logs would look like, so I copied the logs from the virtual machine and uploaded the sample to Azure to teach it what a failed authentication event looks like:
Azure is now logging failed authentication and providing me with the logs necessary for further investigation:
honeypot log analytics without parsing
Now, I want to programmatically get the IP addresses from the logs and use the geolocation capabilities of "ipgeolocation.io" to get the latitude and longitude of the attackers:
audit failure with the geolocation
using PowerShell to programmatically get geolocations of attackers
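The loop described above, written here as an added example and not the repository's own script: it reads failed-logon events (Event ID 4625) from the Security log, extracts the source IP and attempted username, looks each new IP up with the ipgeolocation.io ipgeo endpoint, and appends one line per event to a custom log file. The API key, the output path, and the output field layout are assumptions chosen for this example.

```powershell
# Added example (not the repository's script). Reads failed-logon events (ID 4625)
# from the Security log, extracts the source IP and attempted username, looks the
# IP up with ipgeolocation.io and appends one line per event to a custom log file.
# Assumptions: API key, output path and output field layout are placeholders.
$ApiKey  = 'YOUR_IPGEOLOCATION_API_KEY'     # placeholder, not a real key
$LogFile = 'C:\ProgramData\failed_rdp.log'  # assumed path of the custom log
$Seen    = @{}                               # IP -> geolocation result cache

function Get-GeoInfo {
    param([string]$Ip)
    if ($Seen.ContainsKey($Ip)) { return $Seen[$Ip] }
    # The ipgeo endpoint returns JSON with latitude, longitude, state_prov, country_name
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
    try   { $geo = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10 }
    catch { Write-Warning "Geolocation lookup failed for $Ip : $_"; return $null }
    $Seen[$Ip] = $geo
    return $geo
}

# Poll the Security log; remember the last record id written so no event is logged twice.
$LastRecordId = 0
while ($true) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                  -MaxEvents 500 -ErrorAction SilentlyContinue |
              Where-Object { $_.RecordId -gt $LastRecordId } | Sort-Object RecordId
    foreach ($ev in $events) {
        # Read named fields from the event XML rather than relying on property indexes
        $data = ([xml]$ev.ToXml()).Event.EventData.Data
        $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
        $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        $LastRecordId = $ev.RecordId
        # Skip local/console failures that carry no usable remote address
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -eq '::1' -or $ip -like '127.*') { continue }
        $geo = Get-GeoInfo -Ip $ip
        if ($null -eq $geo) { continue }
        $ts   = $ev.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        $line = "latitude:$($geo.latitude),longitude:$($geo.longitude),destinationhost:$env:COMPUTERNAME," +
                "username:$user,sourcehost:$ip,state:$($geo.state_prov),country:$($geo.country_name)," +
                "label:$($geo.country_name) - $ip,timestamp:$ts"
        Add-Content -Path $LogFile -Value $line
    }
    Start-Sleep -Seconds 60
}
```

Run it in an elevated PowerShell session on the honeypot (reading the Security log requires administrator rights); the key:value layout of each line is what the custom table's parsing query then splits into fields.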
Here we can see visually where the attackers are coming from: