Microsoft Azure RDP Honeypot Project

John Batshon
13 min read · Aug 22, 2023


The goal of this project is simple: deploy a Microsoft Azure virtual machine, expose its RDP port (3389) to the internet, collect the failed-logon events it attracts, enrich them with geolocation data, and plot the results on a live map. A quick summary of tasks:

  • Create a Free Microsoft Azure Account (Requires a Credit Card)
  • Create a Resource Group
  • Create a Windows 11 Virtual Machine
  • Create a Log Analytics Workspace
  • Activate Microsoft Defender for Cloud
  • Utilize Microsoft Sentinel (SIEM)
  • Remote Desktop into Windows 11 Virtual Machine
  • Review Event Viewer
  • Create an IPGeoLocation Account (Free)
  • Download and Run a PowerShell Script
  • Export a Sample Log File
  • Create a Custom Log
  • Run some Kusto Query Language (KQL) queries
  • Create a Microsoft Sentinel Workbook with a map
  • Enjoy watching your Virtual Machine get Attacked

Part 1: Create a Free Microsoft Azure Account

I had already created this account from a previous lab so I reused my existing account. The free account does require a credit card on file, but Microsoft gives you a free credit ($200.00) to use in your virtual environment within the first 30 days. To create a free account use the following link:

https://azure.microsoft.com/en-us/free

Part 2: Create a Resource Group

Once you have logged into the Microsoft Azure portal, use the search bar to find Resource groups, then select Create.

Follow the on screen prompts and fill in the required information:

  • Subscription: (Since this is a free account there should only be one)
  • Resource Group: Give your Resource Group a name (e.g. rg_honeypot_lab)
  • Region: I just left it default to (US) East US, but you can change this to a location that is more fitting for you. Just keep in mind to keep your future resources in the same location for simplicity’s sake.

Once you have filled in the above information Select “Review + Create” then verify your settings and then select Create (Bottom Left)

Part 3: Create a Windows 11 Virtual Machine

Utilize the Search Menu and search for and select Virtual Machines then select Create (Azure Virtual Machine).

On the Create Virtual Machine screen enter all required information. In my example I entered the following information on the Basics tab:

  • Subscription: Azure Subscription 1
  • Resource Group: rg_honeypot_lab
  • Virtual Machine Name: honeypotvmlab
  • Region: (US) East US
  • Availability Options: Default
  • Availability Zone: Zone 1 (Default)
  • Security Type: Standard
  • Image: Windows 11 Pro, Version 22H2 — x64 Gen2
  • VM Architecture: x64
  • Run with Azure Spot Discount: Unchecked (Default)
  • Size: Standard_D2s_v3 (2 vCPUs, 8 GiB memory) (Default)
  • Administrator Account: Pick your administrator username (please do not use "Administrator" or "Admin", as these are the first usernames attackers try) and a long, unique password. This account is the only thing between the internet and an administrator session on the VM, and the password will be brute-forced from the moment the VM is up.
  • Public Inbound Ports: Allow Selected Ports
  • Select Inbound Ports: RDP (3389)
  • Select the Check Box Under the Licensing Section

At the bottom of the screen select “Next: Disks” to move onto the next section.

In the Disks section no changes will be made. Select “Next: Networking” to move onto the next section.

On the Networking tab the following was done:

  • Virtual Network: Default
  • Subnet: Default
  • Public IP: Default
  • NIC Network Security Group: Advanced
  • Configure Network Security Group: Select "Create New" just under the drop-down.

A default rule "1000: Default-Allow-RDP" will exist; select this rule and then select Remove.

Next select "+ Add an inbound rule" and on the "Add inbound security rule" pane set the following:

  • Source: Any
  • Source Port Ranges: *
  • Destination: Any
  • Service: Custom
  • Destination Port Ranges: *
  • Protocol: Any
  • Action: Allow
  • Priority: 100
  • Name: Danger_Do_Not_Use

Note: The name is a reminder never to use these settings in a production environment. This rule lets any source reach any port on the VM, not just 3389, so every service the VM listens on becomes internet-facing; once the host firewall is turned off in Part 7D the VM is completely exposed, which is the intent of a honeypot. In this lab we will use this inbound security rule.

Select Add to add the newly created Inbound Security Rule.

You will now land back on the "Create Network Security Group" screen with the new rule added; select OK at the bottom of the screen.

Now back on the Network Tab of the Create a Virtual Machine screen select “Review + Create” as no additional changes are required:

On the “Review + Create” screen wait for your settings to pass validation then select Create

Your Virtual Machine is now being generated and it may take a few minutes to complete.

Part 4: Log Analytics Workspace

Use the Search bar to Search for Log Analytics Workspaces and then select Log Analytics Workspaces then select Create.

Fill in the required fields:

Subscription: Azure Subscription 1 (Default)

Resource Group: rg_honeypot_lab

Name: law-honeypot

Region: East US

Then select “Review + Create”

Once your Log Analytics Workspace passes validation select Create.

From the Log Analytics Workspaces screen select "law-honeypot", then select Virtual machines (Deprecated).

Note: This blade installs the legacy Log Analytics (MMA) agent on the VM, which is why it is labelled Deprecated; Microsoft retired that agent at the end of August 2024, so on a current subscription the Azure Monitor Agent with a data collection rule is the replacement path for the same custom-log collection.

Select the Virtual Machine "honeypotvmlab".

Then select Connect.

Note: This process may take a couple of minutes to complete. When it finishes the VM's status on this blade changes to Connected.

Part 5: Microsoft Defender for Cloud (Formerly Security Center)

Navigate to Microsoft Defender for Cloud > Environment Settings > Azure Subscription 1 > law-honeypot

On the Defender Plans section select Enable All Plans and then Turn Off SQL Servers on Machines and then select Save.

Next navigate to the Data Collection section and select “All Events” then select Save.

Part 6: Microsoft Sentinel

Navigate to Microsoft Sentinel and then select Create.

On the “Add Microsoft Sentinel to a workspace” screen select the Log Analytics Workspace “law-honeypot” then select Add at the bottom left.

You have now successfully added Microsoft Sentinel to the Log Analytics Workspace.

Part 7A: Log into the Windows 11 Virtual Machine

Navigate back to the Virtual Machines section and select the virtual machine you created. On the Overview section find the Public IP address of your virtual machine and take note of it. Before opening an RDP client you can confirm the port is reachable from your own machine with Test-NetConnection -ComputerName <public IP> -Port 3389 in PowerShell.

Next use a Remote Desktop Connection client to connect to your virtual machine. There are free Remote Desktop clients for most systems you might be running this lab from, for example:

  • Windows: Has a built in application named “Remote Desktop Connection”
  • macOS: You can download the free Microsoft Remote Desktop Application.
  • Linux: Remmina (You may need to research how to install it on your Linux Device).
  • Apple iOS / Apple iPadOS: Microsoft Remote Desktop can be downloaded from the Apple App Store
  • Android OS: Remote Desktop can be downloaded from the Google Play Store.

Note: Before logging into the virtual machine, deliberately enter a wrong username or password at least once, so that a failed-logon event (Security event ID 4625) is generated. We will use that event in a later step.

At the first prompt after logging in uncheck all privacy settings then select Accept.

Launch Microsoft Edge and run through the prompts as we will need the internet browser in a later step.

Part 7B: Windows Event Viewer (Virtual Machine)

From the Windows Search bar search for & launch Event Viewer.

Within Event Viewer navigate to Event Viewer > Windows Logs > Security

Next select "Filter Current Log…", enter "4625" in the event ID field, then select "OK".

If you open any 4625 event and read through the information provided you will see some key fields:

  • An account failed to log on.
  • Account Name: The username the remote party tried to log in with.
  • Workstation Name: The name the connecting client reported for itself. It is supplied by the client, so an attacker can set it to anything.
  • Logon Type: 3 (network) for RDP attempts that fail at Network Level Authentication, 10 (RemoteInteractive) when the failure happens at the Windows logon screen.
  • Source Network Address: The public IP the attempt came from. If the attacker is behind a VPN or proxy this is the exit node's address rather than the attacker's own, which is exactly why they use one.

Part 7C: IPGeoLocation

Next, create an account with IPGeoLocation: https://ipgeolocation.io/signup.html

There is a free tier of this service that does not require a credit card, but it is limited to 1,000 API calls per day. A busy honeypot can exhaust that quickly, so expect gaps in the geolocation data once the quota is used up. Copy the API key shown on the dashboard; you will need it in a coming step.

Part 7D: Disable Windows Firewall (Virtual Machine)

From the Windows Search bar search for and launch Windows Defender Firewall.

Select "Turn Windows Defender Firewall on or off".

Next select "Turn off Windows Defender Firewall" in both the private and public network sections, then select "OK".

Note: This is deliberate for the honeypot. With the NSG allow-all rule from Part 3 and the host firewall off, every service the VM listens on now answers to the internet. Never do this on a machine that holds anything you care about, and never reuse a password from elsewhere on this VM.

Part 7E: Download PowerShell Script (Virtual Machine)

Via the Microsoft Edge browser on the Virtual Machine navigate to:

In the Code section copy the code.

Launch PowerShell ISE

Select File > New

Paste the code into the “Untitled.ps1” window.

On Line 2 replace the API Key with the API key you had generated from Part 7C

Next Save the PowerShell script as it should now have your API Key Applied. In my example I named mine “Log_Exporter.ps1” and saved it to the Desktop, but it can be named whatever you wish.

Next select the "Run Script" button. For the remainder of this lab keep this script running so that it continuously ingests failed-logon events as they arrive. If your virtual machine is being attacked you will see entries start to appear in the output pane, similar to the entry produced by your own deliberate failed login.

Any failed logins already in the Security log (including the one you created in Part 7A) should start printing in the PowerShell output pane.

Next navigate to C:\ProgramData\ to locate the failed_rdp.txt file generated by the PowerShell script. Copy this file from the virtual machine to your local computer; it is used as the sample for the custom log in Part 8. If copying the file is a problem, open it, copy the contents, and paste them into a text file on your local machine.
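The collector that Parts 7B through 7E describe, written out as an added example. This is not the Log_Exporter.ps1 from the video and not code from this page; it only does what the text says that script does: poll the Security log for event 4625, extract the source address and username, look the address up at ipgeolocation.io, and append one key:value,key:value line per event to C:\ProgramData\failed_rdp.log. Assumptions that are not from the page are marked in the code: the ipgeolocation.io "ipgeo" endpoint and its response field names, the line layout (key names taken from the Part 8 query), the "<country> - <ip>" label text and the 5-second poll interval.

```powershell
# Added example, not the Log_Exporter.ps1 from the video: a minimal collector that
# does what Parts 7B-7E describe. Assumptions that are NOT from the page:
#   - the ipgeolocation.io "ipgeo" endpoint and its latitude/longitude/state_prov/
#     country_name response fields,
#   - the key:value,key:value line layout (key names taken from the Part 8 KQL),
#   - the "<country> - <ip>" label text and the 5-second poll interval.
# Run it from an elevated PowerShell ISE: reading the Security log requires admin.

$ApiKey  = "<paste your ipgeolocation.io key here>"   # from Part 7C
$LogFile = "C:\ProgramData\failed_rdp.log"            # collection path used in Part 8
$Seen    = @{}                                        # RecordId -> $true, so no event is written twice

# The custom-log wizard in Part 8 needs one record to learn the layout. The KQL
# there drops it again with:  | where destination != "samplehost"
if (-not (Test-Path $LogFile)) {
    $sample = "latitude:0,longitude:0,destinationhost:samplehost,username:sample," +
              "sourcehost:0.0.0.0,state:sample,country:sample,label:sample," +
              "timestamp:$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    Set-Content -Path $LogFile -Value $sample
}

function Get-FailedLogon {
    # Returns the fields of the most recent 4625 events that carry a remote source address.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 100 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Console or local failures carry "-" or a loopback address; they are not attackers.
        if ($data.IpAddress -in @($null, '-', '127.0.0.1', '::1')) { continue }
        [pscustomobject]@{
            RecordId    = $e.RecordId
            Time        = $e.TimeCreated
            Username    = $data.TargetUserName   # "Account Name" in Event Viewer
            SourceIp    = $data.IpAddress        # "Source Network Address"
            Workstation = $data.WorkstationName  # client-supplied, attacker-controlled
            LogonType   = $data.LogonType        # 3 = network (NLA), 10 = RemoteInteractive
        }
    }
}

function Get-GeoForIp([string]$Ip) {
    # Assumption: ipgeolocation.io's ipgeo endpoint and these response field names.
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
    try   { $g = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10 }
    catch { return $null }                        # quota exhausted (1,000/day) or network error
    [pscustomobject]@{
        Latitude  = $g.latitude
        Longitude = $g.longitude
        State     = "$($g.state_prov)" -replace ','    # a comma would break the [^,]+ regex in the KQL
        Country   = "$($g.country_name)" -replace ','
    }
}

function Format-LogLine($Ev, $Geo) {
    # Same key:value,key:value shape that the Part 8 KQL pulls apart with extract(@"key:([^,]+)", ...).
    $user = "$($Ev.Username)" -replace ','
    "latitude:$($Geo.Latitude),longitude:$($Geo.Longitude),destinationhost:$env:COMPUTERNAME," +
    "username:$user,sourcehost:$($Ev.SourceIp),state:$($Geo.State),country:$($Geo.Country)," +
    "label:$($Geo.Country) - $($Ev.SourceIp),timestamp:$($Ev.Time.ToString('yyyy-MM-dd HH:mm:ss'))"
}

while ($true) {
    foreach ($ev in Get-FailedLogon) {
        if ($Seen.ContainsKey($ev.RecordId)) { continue }
        $Seen[$ev.RecordId] = $true
        $geo = Get-GeoForIp $ev.SourceIp
        if ($null -eq $geo) { continue }              # skip rather than write a half-empty row
        $line = Format-LogLine $ev $geo
        Add-Content -Path $LogFile -Value $line
        Write-Host $line                              # the stream of entries you watch in Part 9
    }
    Start-Sleep -Seconds 5
}
```

Two design points worth noting. Every value is stripped of commas before it is written, because the query in Part 8 splits fields on commas and a country or state name containing one would silently truncate the row. And the script keys on the event's RecordId rather than on time, so re-polling the same 100 most recent events never writes a duplicate; if more than 100 failures arrive within one 5-second interval the oldest are missed, which is acceptable for a map but not for an audit log.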

Part 8: Log Analytics Workspace (Round 2)

Navigate back to Log Analytics Workspace in the Azure Portal and select the workspace “law-honeypot”. Then select Tables > Create > New custom log (MMA-based).

On the Sample tab for the Sample Log select the “failed_rdp.txt” text file you copied from the Virtual machine in the previous section then select Next.

On the Record Delimiter tab no changes are required. Select Next.

On the Collection Paths tab enter the following information:

Type: Windows

Path: C:\ProgramData\failed_rdp.log

Note: This is the path where the "failed_rdp.log" file resides on the virtual machine. It must match the file the script actually writes, name and extension included; if it does not, the agent collects nothing and the custom table stays empty.

Select Next.

On the Details tab give the custom log a name, then select Next.

Custom Log Name: RDP_Fail_With_Geo_Location

On the Review + Create screen select Create after validating the information.

Next navigate back to Log Analytics Workspace > law-honeypot > Logs to run a Query against the logs.

Note: Usually there are 2 windows you have to close before you can see the Query screen.

In the New Query copy and paste the following command:

RDP_Fail_With_Geo_Location_CL
| extend username = extract(@"username:([^,]+)", 1, RawData),
    timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
    latitude = extract(@"latitude:([^,]+)", 1, RawData),
    longitude = extract(@"longitude:([^,]+)", 1, RawData),
    sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
    state = extract(@"state:([^,]+)", 1, RawData),
    label = extract(@"label:([^,]+)", 1, RawData),
    destination = extract(@"destinationhost:([^,]+)", 1, RawData),
    country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country

Then select Run. The result is one row per source host and location with an event_count column; the samplehost row is filtered out, as is any row whose sourcehost is empty.

Next Select Save > Save As Query

Give the Query a Name and then leave all settings default and select Save.
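To check the log format and the two "where" filters before the custom log exists, here is the same query rehearsed in PowerShell against constructed failed_rdp.log lines. This is an added example, not code from the page; the key names and the key:([^,]+) regexes are the ones the query above uses, while the sample lines, host names and addresses (203.0.113.0/24 is a documentation range) are made up.

```powershell
# Added example, not from the page: rehearse the Part 8 query in PowerShell against
# constructed failed_rdp.log lines, so the line format and both "where" filters can be
# checked before the custom log exists. The key names and the key:([^,]+) regexes are
# the ones the KQL uses; the sample lines, hosts and IPs are made up.

$SampleLines = @(
    # The sample row the wizard needs to learn the layout; the query must throw it away.
    'latitude:0,longitude:0,destinationhost:samplehost,username:sample,sourcehost:0.0.0.0,state:sample,country:sample,label:sample,timestamp:2023-08-22 10:00:00'
    # Two failures from the same source: the summarize step should fold them into one row.
    'latitude:52.37,longitude:4.89,destinationhost:honeypotvmlab,username:administrator,sourcehost:203.0.113.10,state:North Holland,country:Netherlands,label:Netherlands - 203.0.113.10,timestamp:2023-08-22 10:05:12'
    'latitude:52.37,longitude:4.89,destinationhost:honeypotvmlab,username:admin,sourcehost:203.0.113.10,state:North Holland,country:Netherlands,label:Netherlands - 203.0.113.10,timestamp:2023-08-22 10:05:13'
    # A row with no source address (a local failure that slipped through); it must not reach the map.
    'latitude:37.77,longitude:-122.42,destinationhost:honeypotvmlab,username:test,sourcehost:,state:California,country:United States,label:United States - ,timestamp:2023-08-22 10:06:00'
)

function Get-Field([string]$RawData, [string]$Key) {
    # extract(@"key:([^,]+)", 1, RawData): capture group 1, or '' when the key has no value.
    $m = [regex]::Match($RawData, "$($Key):([^,]+)")
    if ($m.Success) { $m.Groups[1].Value } else { '' }
}

function ConvertFrom-RdpLogLine([string]$RawData) {
    # Mirrors the "| extend ..." block; "destination" comes from the destinationhost key.
    [pscustomobject]@{
        username    = Get-Field $RawData 'username'
        timestamp   = Get-Field $RawData 'timestamp'
        latitude    = Get-Field $RawData 'latitude'
        longitude   = Get-Field $RawData 'longitude'
        sourcehost  = Get-Field $RawData 'sourcehost'
        state       = Get-Field $RawData 'state'
        label       = Get-Field $RawData 'label'
        destination = Get-Field $RawData 'destinationhost'
        country     = Get-Field $RawData 'country'
    }
}

function Get-EventCount([string[]]$Lines) {
    # | where destination != "samplehost" | where sourcehost != ""
    # | summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country
    $Lines | ForEach-Object { ConvertFrom-RdpLogLine $_ } |
        Where-Object { $_.destination -ne 'samplehost' -and $_.sourcehost -ne '' } |
        Group-Object latitude, longitude, sourcehost, label, destination, country |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                latitude    = $first.latitude
                longitude   = $first.longitude
                sourcehost  = $first.sourcehost
                label       = $first.label
                destination = $first.destination
                country     = $first.country
                event_count = $_.Count
            }
        }
}

Get-EventCount $SampleLines | Format-Table -AutoSize
```

Run it in any PowerShell window: the sample row and the row without a source address drop out, leaving a single row for 203.0.113.10 with an event_count of 2. Because extract searches the whole RawData string, lines whose keys are written in a different order still parse; a value that itself contains a comma, however, is cut off at the comma, which is why the collector must strip commas before writing.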

Part 9: Microsoft Sentinel (Round 2)

Navigate to Microsoft Sentinel > law-honeypot > Workbooks > Add Workbook.

Edit the new Workbook and remove the default preset settings so you have a blank Workbook.

Then select the Add > Add Query

Similar to before we are going to copy & paste the following Query in and run the Query to verify it is working as expected.

RDP_Fail_With_Geo_Location_CL
| extend username = extract(@"username:([^,]+)", 1, RawData),
    timestamp = extract(@"timestamp:([^,]+)", 1, RawData),
    latitude = extract(@"latitude:([^,]+)", 1, RawData),
    longitude = extract(@"longitude:([^,]+)", 1, RawData),
    sourcehost = extract(@"sourcehost:([^,]+)", 1, RawData),
    state = extract(@"state:([^,]+)", 1, RawData),
    label = extract(@"label:([^,]+)", 1, RawData),
    destination = extract(@"destinationhost:([^,]+)", 1, RawData),
    country = extract(@"country:([^,]+)", 1, RawData)
| where destination != "samplehost"
| where sourcehost != ""
| summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country

Next select Visualization > Map.

In the map settings choose Latitude/Longitude as the location source and point it at the query's latitude and longitude columns, size the markers by event_count, and use label as the metric label. Then select Save and Close.

Next Save the Workbook

Okay, so at this point it's a waiting game. You will likely want to watch two different screens.

Screen 1: Microsoft Sentinel > law-honeypot > Workbooks > View Saved Workbook (bottom right). Initially the map is empty; hit the refresh button after some time has passed and it will populate as events arrive.

Screen 2: Windows 11 Virtual Machine > PowerShell ISE window. As time passes and scanners discover your exposed RDP port, the attempts will start and your PowerShell script will print a new line for each failed logon it geolocates.

Part 10: Clean Up (VERY IMPORTANT)

At the end of this lab your virtual machine must be shut down and deleted, as the $200.00 credit will eventually run out and even a stopped VM keeps billing for its disk storage. The simplest way is to delete the whole resource group (rg_honeypot_lab), which removes the VM, its OS disk, NIC, public IP, network security group and the Log Analytics workspace in one step; if you delete resources individually, make sure the VM's disk is deleted along with the VM. All of this is done in the Azure portal. Hope you enjoyed the ride and thanks for making it to the end!

Special Thanks

Just wanted to give a special thanks to Josh Madakor for making such awesome content on YouTube including this lab. Also a thank you to Josh’s YouTube community for providing workarounds needed. Please make sure to check out his channel and give him some kudos!

Resource:

YouTube Channel:


John Batshon

13+ Year Information Technology Professional on a journey to learn all things Cybersecurity as I find the field to be fascinating.