- I built and deployed a cloud-based virtual machine honeynet, primarily using Microsoft Azure, and set up a SIEM (Security Information and Event Management) system using Microsoft Sentinel connected to the VM to lure and monitor real-time cyber threats.
- To enhance our testing, we intentionally leave RDP (Remote Desktop Protocol) access open on port 3389 to observe real-time malicious attempts to access the machine. When finished, be sure to close the open RDP port and add MFA (Multi-Factor Authentication) to be safe.
https://docs.google.com/document/d/1xWjh1lzxSRHYalbmf3YXON9Lol1dJ2OV78h1DZI3_WY/edit?usp=sharing
- First we need to create a Microsoft Azure account. Once that is done, we can create a VM by clicking Create, naming the resource group "eren999VM_group" and the VM itself "eren999VM". Once the VM is created, deployed, and running, we can create a Log Analytics workspace and enable Microsoft Sentinel on it to monitor traffic.
- Now that the VM is running and the Log Analytics workspace is ready, we need to add a data source (Windows Event Logs) to actually see the events and use the workspace effectively. This can be done by navigating to Sentinel > Data Connectors > Content Hub > Windows Security Events > Install and connecting it to our VM.
- In the VM's Network settings tab, we can see that the RDP connection on port 3389 is open. I then generated an alert for activities containing keywords such as “success,” “fail,” “user,” “admin,” and “program” to see whether any connections were made.
- It looks like there is a significant number of hits on “program” and “user.” Based on suspicious account names correlated with Event ID 4625 (failed logon attempts), we can see that brute-force attempts were made to gain access, but all of them failed.
- I investigated these IP addresses using VirusTotal, revealing that most of the traffic originates from Russia and Ukraine, with several IPs marked as malicious just a few days ago.
- Although there were no successful logins, it’s important to set up alerts for Event ID 4624 (successful logons) and to monitor the malicious IP addresses for potential future access.
- I also checked for more common attack vectors such as Event ID 4104 (PowerShell execution) and 4698 (scheduled tasks), which are often used by malware for persistence, but didn’t get any hits.
- I also blocked all the malicious IPs’ inbound and outbound traffic via the Firewall/Network Settings tab.
- Then we received another alert with Event ID 4798 (local group access) and detected a potentially malicious executable, WmiPrvSE[.]exe. After performing OSINT, I didn’t find any hits on Talos Intelligence or VirusTotal, but HybridAnalysis flagged it as suspicious.
- HybridAnalysis confirms that this executable is malicious and should be further investigated, as it can adjust token privileges and hide processes by launching under different user credentials.
- I checked how many times this executable was associated with the event and whether any child processes were opened.
- There were 44 instances, but no child processes were launched.
- I wanted to see whether this malicious executable correlates with the earlier brute-force attack, so I queried for any associations between the failed logon events, the malicious IPs, and the executable.
- Considering the gap of several hours and the absence of results in the past 24 hours, this may suggest they are 2 different attacks, but we can never really be too sure, so it's best to continue monitoring these threats and set up more alerts. I used a Sentinel playbook to automate a forced stop of the VM if my alert triggers because the executable is seen again.
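The detection logic behind the 4625 brute-force alert, the recommended 4624 follow-up alert, and the time-window correlation between failed logons and the later 4798 event, written here as an added Python stand-in for the Sentinel queries (not code from the original write-up). Event rows are constructed and shaped like Sentinel's SecurityEvent table; the threshold and one-hour bin are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like Sentinel's SecurityEvent table; every value is made up.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T02:00:05", "EventID": 4625, "Account": "ADMINISTRATOR", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T02:00:09", "EventID": 4625, "Account": "ADMIN", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T02:00:14", "EventID": 4625, "Account": "USER", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T02:01:02", "EventID": 4625, "Account": "TEST", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T02:01:30", "EventID": 4625, "Account": "ADMINISTRATOR", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T02:03:45", "EventID": 4625, "Account": "ADMIN", "IpAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-05-01T02:15:00", "EventID": 4624, "Account": "ADMINISTRATOR", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T08:00:00", "EventID": 4624, "Account": "analyst", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2024-05-01T09:30:00", "EventID": 4798, "Account": "HOST$", "IpAddress": "-"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def brute_force_sources(events, threshold=5):
    """IPs with at least `threshold` failed logons (4625) inside one clock hour,
    mirroring a `summarize count() by IpAddress, bin(TimeGenerated, 1h)` rule.
    Returns {ip: sorted list of account names tried}."""
    per_hour = defaultdict(int)
    accounts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4625:
            per_hour[(e["IpAddress"], _ts(e).replace(minute=0, second=0))] += 1
            accounts[e["IpAddress"]].add(e["Account"])
    return {ip: sorted(accounts[ip]) for (ip, _), n in per_hour.items() if n >= threshold}


def successful_logons_from(events, ips):
    """4624 events from IPs already seen brute forcing: the follow-up alert the write-up recommends."""
    return [e for e in events if e["EventID"] == 4624 and e["IpAddress"] in ips]


def events_following_failures(events, ips, event_id, window=timedelta(hours=1)):
    """Events with `event_id` (e.g. 4798) that occur within `window` after any 4625 from `ips`."""
    failures = [_ts(e) for e in events if e["EventID"] == 4625 and e["IpAddress"] in ips]
    return [e for e in events if e["EventID"] == event_id
            and any(timedelta(0) <= _ts(e) - f <= window for f in failures)]


if __name__ == "__main__":
    attackers = brute_force_sources(SAMPLE_EVENTS)
    print("brute-force sources:", attackers)
    print("successful logons from them:", successful_logons_from(SAMPLE_EVENTS, attackers))
    print("4798 within 1h of their failures:", events_following_failures(SAMPLE_EVENTS, attackers, 4798))
```

With the constructed data the 4798 event falls hours after the last failed logon, so the correlation returns nothing, which is the same "several hours gap" outcome the write-up describes.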