SIEM Azure Sentinel Live Attacks
This project demonstrates logging live attacks against a honeypot VM and mapping them in Azure Sentinel.
Steps
1. Resource group
Create a resource group; it will host all of the resources for this project.
2. Create VM
Next, create a virtual machine and name it honeypot. I used a B1ms Standard size with a Windows 10 Pro 21H2 image. Username: honeypot, password: Winnied@p00h
3. Create a firewall
Go to Advanced and create a firewall that allows all traffic through. I did this to make the VM very discoverable so people would SYN scan and ping it; that way I can collect the traffic.
4. VM is created
Now our VM is created.
5. Log Analytics
Next, create a Log Analytics workspace.
6. Set up gathering VM logs in Security Center
Next, set up the ability to gather VM logs in Security Center: turn on Microsoft Defender and set up the server. https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components#enable-auto-provisioning-of-the-log-analytics-agent-and-extensions-
7. Log Analytics workspace
Set up Azure Sentinel by choosing the Log Analytics workspace.
8. Connect to VM through public IP
Connect to the VM over RDP through its public IP.
9.
In the VM, open Event Viewer and look at the logs. Mimic a bad login and take the source IP from the failed-logon event.
10.
Then use ipgeolocation.io to detect the location of the attacks.
11.
Turn the Windows firewall off so the VM can receive ICMP echo requests.
12.
We then use a PowerShell script that uses an API key from ipgeolocation.io to fetch geo data. It looks through the event log for the IP addresses of failed logins and traces their locations. It also creates sample data if no log is ready yet.
https://github.com/Diealegend/Scripting/blob/main/Cybersecurity/Ipgeolocation.ps1
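The following is an added example of the same pipeline the linked script performs, not the project's own script: read Event ID 4625 (failed logon) from the Security log, look up each source IP with ipgeolocation.io, and append one key:value line per event in the layout the map query later in this page consumes. The log path, the API key placeholder, the field order of the line, and the response field names are assumptions.

```powershell
# Added example, not the project's script. Assumes an ipgeolocation.io API key in $ApiKey
# and write access to $LogFile; both values here are placeholders.
$ApiKey  = "<YOUR_IPGEOLOCATION_API_KEY>"
$LogFile = "C:\ProgramData\failed_rdp.log"
$Seen    = @{}   # RecordIds already written, so each logon failure is logged once

function Get-GeoLabelLine {
    param([string]$SourceIp, [string]$User, [string]$DestHost, [datetime]$When)
    # ipgeolocation.io /ipgeo lookup; assumed response fields: latitude, longitude,
    # country_name, state_prov.
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$SourceIp"
    $geo = Invoke-RestMethod -Uri $uri -Method Get
    $ts  = $When.ToString("yyyy-MM-dd HH:mm:ss")
    # One flat line per event; Log Analytics ingests it as RawData, and a KQL parse
    # (or custom fields) turns the key:value pairs into columns.
    "latitude:$($geo.latitude),longitude:$($geo.longitude),destinationhost:$DestHost," +
    "username:$User,sourcehost:$SourceIp,state:$($geo.state_prov),country:$($geo.country_name)," +
    "label:$($geo.country_name) - $($geo.latitude),$($geo.longitude),timestamp:$ts"
}

# Constructed sample record so the custom-log wizard has a line to work from before any
# real failed logon arrives; the map query filters "samplehost" out.
if (-not (Test-Path $LogFile)) {
    "latitude:47.91542,longitude:-120.60306,destinationhost:samplehost,username:fakeuser," +
    "sourcehost:192.0.2.10,state:Washington,country:United States," +
    "label:United States - 47.91542,-120.60306,timestamp:2024-01-01 00:00:00" |
        Out-File -FilePath $LogFile -Encoding utf8
}

while ($true) {
    # Event ID 4625 = "An account failed to log on"; reading the Security log needs admin rights.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        if ($Seen.ContainsKey($ev.RecordId)) { continue }
        $Seen[$ev.RecordId] = $true
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ip = $data['IpAddress']
        # Skip local or unknown sources; the geo API cannot place "-" or loopback.
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -like '127.*' -or $ip -eq '::1') { continue }
        Get-GeoLabelLine -SourceIp $ip -User $data['TargetUserName'] -DestHost $env:COMPUTERNAME -When $ev.TimeCreated |
            Out-File -FilePath $LogFile -Append -Encoding utf8
    }
    Start-Sleep -Seconds 60
}
```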
13.
In Azure, create a custom log to bring in the data by copying the file contents. In the custom log settings, make sure to set the directory from which it will pull the log data.
14.
In my logs nothing showed up for security events.
15.
Run the table log query for the import; you might have to fake logins multiple times to get items to show: FAILED_RDP_WITH_GEO_CL
16.
Next, set up a map in Sentinel under Workbooks. Use this Sentinel map query:
FAILED_RDP_WITH_GEO_CL
| summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF
| where destinationhost_CF != "samplehost"
| where sourcehost_CF != ""
At the end of this project I realized I was unable to use this query, so I used a KQL query to pull the data.
17.
I wasn't able to run a query and create custom tables to run automatically and parse. I had to manually upload the failed logins and parse with the query above, but I was able to import the data.
https://github.com/Diealegend/Scripting/blob/main/Scripts/Azure_SEIM_QUERY.txt
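One way to turn the raw custom-log line into columns with a KQL parse instead of custom-field (_CF) extraction, run from PowerShell against the workspace. This is an added example, not the project's query file; it assumes the Az.OperationalInsights module with a signed-in session, a placeholder workspace ID, and the key:value line layout (latitude, longitude, destinationhost, username, sourcehost, state, country, label, timestamp) written by the collector script.

```powershell
# Added example, not the project's query. Assumes Az.OperationalInsights is installed,
# Connect-AzAccount has been run, and the workspace ID below is replaced.
$WorkspaceId = "<LOG-ANALYTICS-WORKSPACE-ID>"   # placeholder

# Parse the comma-separated key:value line straight from RawData. Each named column
# captures up to the next literal, so the comma inside "label" (country - lat,lon) is
# kept because parse only stops at ",timestamp:". Typed columns (double) feed the map.
$Query = @'
FAILED_RDP_WITH_GEO_CL
| parse RawData with "latitude:" latitude:double ",longitude:" longitude:double ",destinationhost:" destinationhost ",username:" username ",sourcehost:" sourcehost ",state:" state ",country:" country ",label:" label ",timestamp:" timestamp
| where destinationhost != "samplehost" and isnotempty(sourcehost)
| summarize event_count = count() by sourcehost, latitude, longitude, country, label, destinationhost
| order by event_count desc
'@

# Query the last 7 days of the custom log table and show the aggregated rows.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan (New-TimeSpan -Days 7)
$result.Results | Format-Table sourcehost, country, event_count, latitude, longitude
```

The same query body, without the PowerShell wrapper, can be pasted into the Sentinel workbook map in place of the _CF version.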
18.
From my findings it is mostly South Korea trying to exploit us. I believe they are using a brute force because it is the same names but more failed logins.
19.
I then set up my map from the query.
20.
The map then shows a heat map of all our attacks.
Lessons Learned
This project provided valuable insights that reinforced my understanding of fundamental principles, such as the importance of correctly configuring firewalls. During the project, it became apparent that the virtual machine being targeted by attackers, primarily from South Korea according to the project documentation, commonly employed usernames such as "admin," "administrator," "test," and various service accounts. Another key takeaway from this experience was the recognition that advancements in technology can necessitate a different approach. Previously, I could have easily directed the attack log to my map using a simple custom log. However, due to the evolving technological landscape, I had to devise a query to analyze the data and integrate it into a heat map.
Engaging in a Microsoft Azure lab equipped me with key cybersecurity skills:
- Firewall Management: Configuring and controlling network traffic.
- Azure Sentinel Configuration: Customizing SIEM for event analysis.
- Honeypot Deployment: Setting up and managing deceptive environments.
- Attack Vector Analysis: Identifying potential breach points.
- Log Analysis: Studying logs for patterns and correlations.
- Threat Intelligence Integration: Incorporating threat feeds for awareness.
- Incident Response Planning: Developing effective response strategies.
- Global Threat Monitoring: Tracking attacks worldwide for landscape understanding.
- Heatmap Generation: Visualizing attack origins geographically.
- SIEM Alerts and Automation: Setting up automated responses to predefined rules.
- Documentation and Reporting: Comprehensive reporting and documentation skills.
This experience has honed my ability to handle real-world security challenges in cloud environments.