Azure Honeypot - Failed RDP

HOME LAB

Brandon Nerios

5 min read

For this lab I decided to recreate Josh Madakor's (https://www.youtube.com/@JoshMadakor) cybersecurity lab in the cloud. In this lab we will set up Azure Sentinel as well as a honeypot virtual machine, which we will monitor and collect logs from in order to display a dashboard of failed RDP attempts on a world map.

The first thing we will need to do is set up the honeypot virtual machine in Azure, since this typically takes a while to create. Go to portal.azure.com; once logged in, go to the Virtual machines section and click on the + icon to add a machine.

When creating the machine, you will need to remove all the default networking rules and set up a custom rule that allows any traffic in or out. This will get the machine discovered quickly, and attempts to attack it will begin to flow in.

Once you have added the custom network security rule, click on Review and create. Now we will move on to setting up the Log Analytics Workspace, which will ingest the logs from the honeypot.

At the top of your screen, search for "Log" and Log Analytics Workspace should pop up. We will again click on the + icon to create an instance.

Once you have filled out the information above for the Log Analytics Workspace, click Review and create. Next, we will go to the Security Center to enable the ability to collect logs from the virtual machine. We will want to turn Defender on and enable it for servers only.

Next, we will set up Azure Sentinel. Again, click on the create button and select our honeypot workspace to initiate the creation. This will take some time; you can just let it run in the background.

Now we should be able to log in to the virtual machine via RDP. We will want to do that now so that we can turn off the Windows Defender Firewall. Log in with the admin credentials created during setup. I also purposely mistyped my password so we could check Event Viewer for that failed-logon event and make sure everything was working correctly.

Logging in via RDP

Checking event viewer for failed login attempt

Turning off Windows Defender Firewall

Now that we have turned off the firewall, we will want to download the custom script from GitHub that takes the IP address from each failed-logon event and turns it into geolocation information such as country, state, city, etc. The script saves the information it gathers to C:\ProgramData\failed_RDP.log.

https://github.com/joshmadakor1/Sentinel-Lab/blob/main/Custom_Security_Log_Exporter.ps1

https://ipgeolocation.io/

Once we have downloaded the script, we will want to run it and leave it running to capture the information. Each pink line in the PowerShell window is an attempt that the script has captured.

Here I went to C:\ProgramData\failed_RDP.log to verify the script was capturing data.

Next, we will go into the Log Analytics Workspace to create a custom log that points back to the honeypot. When setting up the log, you will just want to verify that the information is being sorted properly and that it is pointing at the right location. As you can see in one of my screenshots, I did not point it at the correct location at first 😊

Now that we have the custom log created, we can run queries on it. In the first screenshot below you can see the query by itself. However, all the information we gathered is bunched together, so we will need to separate the raw data. We do so by right-clicking on the raw data and extracting each field we want to sort on.

Now that we have extracted all the fields we need, we can see the query start to separate the logs into our custom fields.

Once we see the logs ingesting correctly, we can open the Workbooks section in Azure Sentinel to create our dashboard map. On this dashboard we took the logs and plotted them on the map to show the location of each attempted login and how many times they tried. The map bubble grows as the number of failed login attempts from that location increases.
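As an added example (not part of this write-up or of Josh Madakor's exporter script), here is a small Python parser that does offline what the custom-field extraction and the map workbook do in Azure: it splits each failed_RDP.log line into fields and counts failed attempts per location. The line format, the field names and the sample lines are my assumptions and constructed data; check them against what the exporter actually writes.

```python
# Added example: parse the exporter's log lines and count attempts per map bubble.
# ASSUMED line format (not taken from the page): comma-separated key:value pairs.
import re
from datetime import datetime

# Constructed sample lines, not real captured data.
SAMPLE_LOG = """\
latitude:52.3676,longitude:4.9041,destinationhost:honeypot-vm,username:administrator,sourcehost:203.0.113.10,state:North Holland,country:Netherlands,label:Netherlands - Amsterdam,timestamp:2023-03-01 10:15:22
latitude:52.3676,longitude:4.9041,destinationhost:honeypot-vm,username:admin,sourcehost:203.0.113.10,state:North Holland,country:Netherlands,label:Netherlands - Amsterdam,timestamp:2023-03-01 10:15:25
latitude:38.8951,longitude:-77.0364,destinationhost:honeypot-vm,username:test,sourcehost:198.51.100.7,state:District of Columbia,country:United States,label:United States - Washington, D.C.,timestamp:2023-03-01 10:16:01
this line is garbage and must be skipped
"""

# Split only on a comma that is followed by a field name, so a value such as
# "Washington, D.C." does not break the parse.
FIELD_SPLIT = re.compile(r",(?=[a-z]+:)")
REQUIRED = ("latitude", "longitude", "sourcehost", "country", "label", "timestamp")


def parse_line(line):
    """Return one log line as a dict, or None if the line is malformed."""
    fields = {}
    for part in FIELD_SPLIT.split(line.strip()):
        key, sep, value = part.partition(":")   # timestamp keeps its own colons
        if not sep:
            return None
        fields[key] = value
    if any(k not in fields for k in REQUIRED):
        return None
    try:
        fields["latitude"], fields["longitude"] = float(fields["latitude"]), float(fields["longitude"])
        fields["timestamp"] = datetime.strptime(fields["timestamp"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return fields


def aggregate(text):
    """Map each label to [latitude, longitude, failed-attempt count]."""
    bubbles = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # skip half-written or corrupt lines instead of aborting
        entry = bubbles.setdefault(rec["label"], [rec["latitude"], rec["longitude"], 0])
        entry[2] += 1
    return bubbles


if __name__ == "__main__":
    for label, (lat, lon, n) in sorted(aggregate(SAMPLE_LOG).items(), key=lambda kv: -kv[1][2]):
        print(f"{label:35s} {lat:9.4f} {lon:10.4f} attempts={n}")
```

The count per label is what drives the bubble size in the workbook; a line that fails to parse is dropped rather than silently miscounted.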

The next two screenshots show the final product of the map. The first shows a specific bubble selected, and the second shows an overall view of the RDP attempts with nothing selected.