In this project, a mini honeynet was constructed in Microsoft Azure and log sources were integrated into a Log Analytics workspace. Microsoft Sentinel was employed to trigger alerts and create incidents based on the ingested logs. Additionally, metrics were measured in the insecure environment before security controls were applied, and then again after implementing security measures. It is noteworthy that the number of security events and incidents was drastically reduced after the security controls were applied, demonstrating their effectiveness.
- Azure Virtual Network (VNET)
- Network Security Group (NSG)
- Virtual Machines (1x Windows 10 Pro, 1x Linux Server)
- Log Analytics Workspace (with Kusto Query Language (KQL) queries)
- Azure Private Link (Protects Azure Services)
- Azure Storage Account (For Data Storage)
- Microsoft Sentinel (for Security Information and Event Management (SIEM))
- Microsoft Defender for Cloud (protects cloud resources)
- NIST SP 800-53 (Security Controls)
- NIST SP 800-61 (Incident Handling)
- Go to portal.azure.com
- Search for "virtual machines"
- Create > Azure virtual machine
- Create new resource group and give it a unique name
A resource group is a collection of resources that share the same lifecycle, permissions, and policies.
- Name your VM
- Select a recommended region ((US) East US 2)
- Availability options: No infrastructure redundancy required
- Security type: Standard
- Image: Windows 10 Pro, version 21H2 - x64 Gen2
- VM Architecture: x64
- Size: Default is okay (Standard_D2s_v3 – 2vcpus, 8 GiB memory)
- Create a username and password for virtual machine
IMPORTANT NOTE: These credentials will be used to log into the virtual machine (Keep them handy)
- Leave all defaults
- Select Next : Networking >
- NIC network security group: Advanced > Create new
A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, the virtual machine. In other words, security rules management.
- Remove Inbound rules (1000: default-allow-rdp) by clicking three dots
- Add an inbound rule
- Destination port ranges: * (wildcard for anything)
- Protocol: Any
- Action: Allow
- Priority: 100 (a low number, so this rule is evaluated before the default rules)
- Name: Anything (ALLOW_ALL_INBOUND)
- Select Review + create
Normally you would never allow all inbound traffic, but for the purpose of this honeypot we want our machine to be easily discoverable by bad actors.
We will create the Linux VM the same way as the Windows VM except for a few minor changes
- Make sure you choose the same resource group as the Windows VM
- Set to the same region as the Windows VM
- Image: Ubuntu Server 20.04
- Set the admin account to the same username and password as the Windows VM so it's easy to remember
- Confirm Licensing
- Select Next : Disks >
- Leave all Disks to Defaults
- Select Next : Networking >
- Copy same steps as you did for the Windows VM and allow all inbound traffic
Log Analytics Workspace is a repository for storing logs in JSON format. It's a versatile tool that helps manage and analyze large volumes of data.
- Search for "Log analytics workspaces"
- Select Create Log Analytics workspace
- Put it in the same resource group as VM
- Give it a desired name
- Add to same Region as VM
- Select Review + create
Microsoft Sentinel is a cloud security information and event management (SIEM) service. It is designed to provide security analytics and threat intelligence. We will forward the logs from the Log Analytics Workspace to Sentinel.
- Search for "Microsoft Sentinel"
- Click Create Microsoft Sentinel
- Select Log Analytics workspace name (honeypot-log)
- Click Add
In this instance the watchlist is a list of network blocks with corresponding latitude and longitude points. We are going to use it to derive the geolocation of attackers so we can plot them on a map and see where the attacks are coming from.
- First download Geo Data file Here
- Then in Azure search for "Microsoft Sentinel"
- Select the instance you've created
- Configurations > Watchlist
- Create New
- Name/Alias : geoip
- Source type: local file
- File Type : CSV
- Number of lines before row: 0
- Upload the Geo data file you've downloaded
- Search Key: Network
- Review and Create > Create
This could take a while; there are around 27,000 rows.
Microsoft Defender is a comprehensive cloud security solution. It offers tools and services designed to protect cloud-based resources, including virtual machines, databases, and containers.
- Search for "Microsoft Defender for Cloud"
- Scroll down to "Environment settings" > subscription name >
- Where you see your Log Analytics Workspace name , click the 3 dots to the right to edit settings
- Servers > Turn on > Save
- Settings > Data collection
- Select "All Events"
- Save
This will allow us to collect all security events from the logs.
You can think of a storage account as a place to store files. It holds the logs from the Network Security Groups momentarily before they are passed on to the Log Analytics Workspace.
- Search "Storage Account"
- Create New
- Select your resource group
- Give storage Account unique name
- Choose same region as your VM's
- Review and Create
- Search "Network Security Group"
- Select your Windows VM
- Monitoring > NSG flow logs
- Create Flow logs
- Select resource and select both Windows and Linux VM then confirm selection
- Now choose the storage account that you've created
- Retention Days: 0
- Go to Analytics
- Make sure you are on Version 2
- Select Enable traffic analytics
- Traffic Analytics Processing Interval: 10 min
- Log Analytic Workspace : Choose your instance
- Review and Create
This is where Defender will determine whether traffic is malicious or benign. We use this later to map the attacks.
The data collection rule works in conjunction with Microsoft Defender to choose which logs are forwarded to the Log Analytics Workspace. You don't want to forward all logs, because that can become expensive.
- Search "Log Analytics Workspace"
- Settings > Agents
- Select Data Collection Rules
- Create
- Choose rule name
- Choose the same region as your virtual machines
- Platform type : All
- Next > Resources
- Add Resources
- Choose the Resource group you've created , click the arrow to expand and select both your VM's
- Next > Collect and Deliver
- Add Data Source
- Select Linux Syslog
- The only facility we want is LOG_AUTH, which holds the authentication logs. Leave its minimum log level set to LOG_DEBUG and set all the other facilities to None
- Next > Destination
- Add Data Source
- Windows Event Log
- For Application select Information
- For Security select Audit success and Audit failure
- Next > Destination
- Create the Data collection rule
We are creating a Data source that will log anytime our firewall is modified or if the system detects malware on the machine
- Search "Log Analytics Workspace"
- Settings > Agents
- Select Data Collection Rule
- Choose the collection rule that you have created
- Data Sources > Windows Event Log
- Change from Basic to Custom
- Download Xpath queries Here
- Copy both queries and add them to the filter list
- Save
We need to add XPath queries to filter the event logs. These queries are what trigger alerts when the firewall has been modified or when malware is detected on the system.
- Search Log Analytics Workspace
- Select your instance
- Agents >
- Expand Log Analytics Agent Instruction
- Copy the workspace ID and Primary Key into a notepad , you will need it later
- For Download Windows Agent (64) > right click > Copy link
- Open your windows virtual machine
- Paste the link from Download Windows Agent into Microsoft Edge
- Download the file
- Select connect agent to log analytics
- Paste the Workspace ID and Primary Key
- Azure cloud : Azure commercial
- Next > Finish
We are building an attack map for three sources:
- Windows VM: RDP authentication failures
- Linux VM: SSH authentication failures
- Network Security Groups: malicious inbound network flows
- Go to JSON files Here - We are only going to be dealing with , nsg-malicious-allowed-in.json , linux-ssh-auth-fail.json , windows-rdp-auth-fail.json
- Go back to Azure portal , Search Sentinel
- Workbooks > Add Workbooks > Edit
- Remove the existing workbook
- Add > Add Query > Advanced Editor
- Copy the linux-ssh-auth-fail.json files from the link and paste them into the editor
- Done editing > Save > Name your map " linux-ssh-auth-fail.json"
- Repeat steps to create maps for the windows-rdp-auth-fail.json and nsg-malicious-allowed-in.json
- Your map should look like this:
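As an added example (not one of the downloaded workbook JSON files and not the project's own code), this KQL query performs the join the attack maps rely on: it counts Windows RDP failures per attacker IP and looks each IP up in the geoip watchlist by network block. The watchlist column names network, cityname, countryname, latitude and longitude are assumed from the CSV; adjust them if your file uses different headers.

```kusto
// Added example: geolocate RDP brute-force sources with the "geoip" watchlist.
// Assumption: the watchlist CSV has columns network, cityname, countryname, latitude, longitude.
let GeoIPDB_FULL = _GetWatchlist("geoip");
let WindowsFailures = SecurityEvent
    | where EventID == 4625                      // failed logon
    | where TimeGenerated > ago(24h)
    | summarize FailureCount = count() by AttackerIP = IpAddress, DestinationHostName = Computer;
WindowsFailures
// ipv4_lookup matches each AttackerIP against the CIDR blocks in the "network" column;
// IPs that fall in no block (for example "-" or loopback) are dropped
| evaluate ipv4_lookup(GeoIPDB_FULL, AttackerIP, network)
| project AttackerIP, DestinationHostName, FailureCount, countryname, cityname, latitude, longitude
| order by FailureCount desc
```

The latitude and longitude columns are what the workbook map visualization plots; FailureCount can be used as the bubble size.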
- Go to Microsoft Sentinel > Analytics > Active Rules
- Create Schedule Query Rule
- NAME : TEST: Brute Force ATTEMPT - Windows
- Description: When the same source fails to log in to the same VM more than 10 times
- Next > Rule Logic
- Paste in the KQL query:

```kusto
SecurityEvent
| where EventID == 4625                      // failed logon
| where TimeGenerated > ago(60m)
| summarize FailureCount = count() by AttackerIP = IpAddress, EventID, Activity, DestinationHostName = Computer
| where FailureCount >= 10
```
- Add new entity
- IP > Address > AttackerIP
- Host > Hostname > DestinationHostName
- Run Query: every 5 minutes
- Look up Data from the past 5 hours
- Next > Incident Settings > Next > Save
- Click Here to download JSON files
- Go back Azure portal , Search Sentinel
- Analytics > Import
- Import in the JSON file you downloaded
Now that I've left the VMs up for 24 hours with our firewall rules disabled, I've given bad actors plenty of time to attack the environment and generate incidents.
As you can see, once you click on the IP address it gives you the geolocation of the attacker. This IP address is located in China. This could be a red flag.
The activity log section is where we observe the history of the alerts triggered for this incident. As you can see from the screenshot, the attacker has been triggering alerts over a span of hours. Let's investigate further.
This gives us a visualization of the connections between the entities; you can also hover over an entity and see the related events connected with the IP address. Here we can see the IP address is associated with a lot of alerts on our system.
After seeing the visuals of all the alerts triggered by this IP address, I wanted to check the logs in Sentinel to see if this IP address had triggered any successful logon attempts. I did so by writing this KQL script:
This attacker was not able to brute force into the system: this IP address did not generate any successful login attempts. I will close this incident out as a false positive, but before I do I'll make sure to note everything I discovered in my investigation.
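The author's own script is not reproduced above, so as an added example (not the author's query) this is one way to run the same check: take every source IP that tripped the brute-force threshold and look for any successful logon (EventID 4624) from it on the Windows VM. The 24h window and the threshold of 10 mirror the analytics rule above; the table and column names are the standard SecurityEvent ones.

```kusto
// Added example: did any brute-forcing IP also produce a successful logon?
let LookBack = 24h;
let BruteForceIPs = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4625                      // failed logon
    | summarize FailureCount = count() by IpAddress
    | where FailureCount >= 10                   // same threshold as the analytics rule
    | project IpAddress;
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4624                          // successful logon
| where IpAddress in (BruteForceIPs)
| project TimeGenerated, Computer, Account, LogonType, IpAddress
| order by TimeGenerated asc
// An empty result means the failures never led to a successful logon, which is the
// outcome described above; any row here is an account to contain and reset before closing.
```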
Each organization will have policies related to an incident response that should be followed. This event is just a walkthrough for possible actions to take in the detection of malware on a workstation.
The Azure lab was set up to ingest all of the logs into Log Analytics Workspace, Sentinel and Defender were configured, and alert rules were put in place.
I am going to lock down the Network Security Group assigned to that VM/subnet and allow only necessary traffic. Even though the would-be attacker did not infiltrate our resources, the attacker should not have the opportunity to even brute force our system.
- Go to virtual machines > Linux-VM > Networking > Click on the first rule > Change source to My IP address > Save
Azure Private Link is a service provided by Microsoft Azure that allows you to access Azure services and resources over a private connection. This means you can securely connect to these resources through a private IP address in your own virtual network (VNet), rather than over the public internet.
- Go to Key Vault
- Select your instance
- Go to Networking
- Firewalls and Virtual Networks > Disable Public Access
- Go to Private endpoint connections
- Create >
- Next > Resources
- Resource type : Key Vault
- Resource : Choose your instance
- Next > Create
- Go to Defender for Cloud >
- Regulatory Compliance >
- Manage Compliance Standards >
- Select your instance >
- Security Policy >
- Select NIST 800-53 Rev 5
The following table shows the metrics we measured in our insecure environment for 24 hours (start time 2024-07-15 17:04:29, stop time 2024-07-16 17:04:29):

| Metric | Count |
|---|---|
| SecurityEvent | 19470 |
| Syslog | 3028 |
| SecurityAlert | 10 |
| SecurityIncident | 348 |
| AzureNetworkAnalytics_CL | 843 |
The following table shows the metrics we measured in our environment for another 24 hours, after we applied the security controls (start time 2024-07-18 15:37, stop time 2024-07-19 15:37):

| Metric | Count |
|---|---|
| SecurityEvent | 8778 |
| Syslog | 25 |
| SecurityAlert | 0 |
| SecurityIncident | 0 |
| AzureNetworkAnalytics_CL | 0 |
Thank you