The purpose of this lab is to utilize Microsoft Sentinel to keep track of unsuccessful Remote Desktop Protocol (RDP) login attempts made by attackers worldwide on an exposed Windows 10 virtual machine set up in Microsoft Azure. The failed login events and geolocation data are extracted using a PowerShell script on the virtual machine, processed using the Log Analytics Workspace on Microsoft Azure, and visualized in Microsoft Sentinel on Microsoft Azure.
The procedures to build this lab can be found here, and it was adapted from Josh Madakor.
This lab uses Microsoft Azure, which is a cloud computing platform that offers a wide range of services for building, deploying, and managing applications and services through Microsoft's global network of data centres. It provides tools and resources for businesses to scale and grow their operations in a secure and reliable environment.
Here is the information about the virtual machine created on Microsoft Azure. The virtual machine was named honeypot-vm and runs the Windows 10 operating system. Information about the virtual machine can be found on this screen, such as the computer name, operating system, public and private IP addresses, and the hardware used. Furthermore, the virtual machine can be accessed via RDP.
The Windows Defender Firewall of the Windows 10 virtual machine was turned off for the Domain, Private, and Public profiles, allowing connections from outside.
Here are excerpts of the PowerShell script used to retrieve failed login events from the Security log in Event Viewer. The source IP address of each event is then sent to a third-party geolocation API, and the returned geolocation data is combined with the event details to build a custom log file.
This is the XML filter used by the PowerShell script to select failed login events (Event ID 4625) from the Security log in Event Viewer.
This section of the code extracts fields from the events filtered from the Security Log in Event Viewer by the XML filter.
The IP address extracted from the Security Log in Event Viewer was used to make web requests to the geolocation API.
Below is the PowerShell ISE with the script running; it extracts failed login attempts from the Security log in Event Viewer and prints each detected attempt to the terminal. On the right is an example of a failed login event in Event Viewer. The relevant fields are Account Name (the username that was tried), Source Network Address (the attacker's IP address), Event ID, Logged, and Computer.
This text file is the custom log file (failed_rdp.log) generated by the PowerShell script. It has information about the failed RDP login attempt, such as the username attempted, the source IP address and the geolocation data gathered using the IP address. It is the file that is ingested by Log Analytics Workspace on Microsoft Azure.
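The following is an added example of the collection step described above (the XML filter, field extraction, geolocation lookup, and custom log output); it is not the lab's or Josh Madakor's script. The geolocation endpoint ($GeoApiUrl), its JSON field names (country, lat, lon), the log path, and the key:value line format are assumptions made here, not values taken from the lab.

```powershell
# Added example, not the lab's own script. Reading the Security log requires an
# elevated session. $GeoApiUrl and the JSON fields country/lat/lon are placeholders
# for whichever geolocation service is used; the log path and line format are assumed.
$LogPath   = "C:\ProgramData\failed_rdp.log"
$GeoApiUrl = "https://geo.example.invalid/json/"   # hypothetical geolocation API

# XML filter: Security log, Event ID 4625 (an account failed to log on)
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
  </Query>
</QueryList>
"@

# Return the EventData value whose Name attribute matches (e.g. TargetUserName, IpAddress)
function Get-EventField([xml]$EventXml, [string]$Name) {
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Turn one 4625 event into a record with geolocation; returns $null for local/unknown sources
function Get-FailedRdpRecord($Event) {
    $xml = [xml]$Event.ToXml()
    $ip  = Get-EventField $xml 'IpAddress'
    if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-' -or $ip -in @('127.0.0.1', '::1')) { return $null }

    $country = 'unknown'; $lat = ''; $lon = ''
    try {
        $geo = Invoke-RestMethod -Uri "$GeoApiUrl$ip" -TimeoutSec 10
        $country = $geo.country; $lat = $geo.lat; $lon = $geo.lon
    } catch { Write-Warning "Geolocation lookup failed for $ip : $_" }

    [pscustomobject]@{
        Timestamp = $Event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Computer  = $xml.Event.System.Computer
        Username  = Get-EventField $xml 'TargetUserName'
        SourceIp  = $ip
        Country   = $country; Latitude = $lat; Longitude = $lon
    }
}

# Poll the log, skip records already written, and append one key:value line per event
# so a KQL query over RawData can split the fields later
$seen = @{}
while ($true) {
    Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue | ForEach-Object {
        if ($seen.ContainsKey($_.RecordId)) { return }
        $seen[$_.RecordId] = $true
        $r = Get-FailedRdpRecord $_
        if ($r) {
            "timestamp:$($r.Timestamp),computer:$($r.Computer),username:$($r.Username),sourceip:$($r.SourceIp),country:$($r.Country),latitude:$($r.Latitude),longitude:$($r.Longitude)" |
                Add-Content -Path $LogPath
        }
    }
    Start-Sleep -Seconds 60
}
```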
Azure Log Analytics Workspace is a centralized repository for collecting, analysing, and visualizing log data from various sources within the Azure ecosystem. It provides insights into system performance, security threats, and operational efficiency for better decision-making.
The failed_rdp.log was imported in real-time from the virtual machine, and its content was stored in the RawData field of the created FAILED_RDP_WITH_GEO_CL table. A KQL query was used to extract the data from the RawData field and create new fields on the FAILED_RDP_WITH_GEO_CL table, named according to the extracted data.
Microsoft Sentinel is a cloud-native security information and event management (SIEM) service that helps organizations detect, investigate, and respond to threats across their entire environment. It provides intelligent security analytics and threat intelligence to help protect against cyberattacks.
The visualization of failed RDP login attempts on the world map was created on Microsoft Sentinel. The attackers' IP address and geolocation (latitude, longitude, and country) were obtained from the FAILED_RDP_WITH_GEO_CL table using a KQL query.
During the first hour, two failed RDP login attempts were registered from me and three from the United Kingdom.
After 24 hours of exposure, the virtual machine had 844 failed RDP login attempts from India, 447 from Palestine, 338 from Japan, and 533 from other countries.
Over a 48-hour period, there were a significant number of failed RDP login attempts on the virtual machine, originating from various countries. There were 1.75k failed attempts from the Netherlands, 1.05k from Pakistan, 844 from India, and 3.09k from other countries.
This bar plot displays the top 10 usernames most frequently used by attackers, obtained from the FAILED_RDP_WITH_GEO_CL table through a KQL query. The most commonly used username is ADMINISTRATOR, followed by ADMIN, administrator, Administrator, and admin.
