- Microsoft Azure Resources: Network Security Groups, Virtual Machines, Virtual Networks
- Security Monitoring Tools: Microsoft Sentinel SIEM, Log Analytics Workspace
- Log Analysis: KQL (Kusto Query Language), Security Event Log Analysis
- Security Concepts: Honeypot Deployment, Security Baseline Violation (deliberate), Attack Surface Management
Basics Tab:
- Virtual network name: VNET-SOC-Lab
- Resource group: RG-SOC-Lab
- Region: US East 2
Basics Tab:
- Resource group: RG-SOC-Lab
- Virtual machine name: CORP-NET-EAST
Note
Avoid using 'honeypot' in the name, as attackers might identify the VM's purpose and avoid targeting it
- Region: US East 2
- Image: Windows 10 Pro, version 22H2 - x64 Gen2
- Size: Standard_D2s_v3 - 2 vcpus, 8 GiB memory
- Administrator account: enter a long, unique username and password. This VM is about to be exposed to the whole internet on every port, and these are the credentials the brute-force attempts will be guessing, so a weak password turns the honeypot into a real compromise
- Tick ✅ I confirm I have an eligible Windows 10/11 license with multi-tenant hosting rights
Disks Tab:
- OS disk type: Standard HDD (locally-redundant storage)
Networking Tab:
- Virtual network: VNET-SOC-Lab
- Tick ✅ Delete public IP and NIC when VM is deleted
Monitoring Tab:
- Boot diagnostics: Tick ✅ Disable
Review + Create Tab:
- Click the blue Create button
After the RG, VM, and VNET are created, the populated resource group should look like this—
From here, open up CORP-NET-EAST-nsg (the network security group Azure created alongside the VM's NIC)
- Delete the existing RDP inbound security rule
- On the side panel on the left, navigate to Settings > Inbound security rules > + Add and create a rule with the following settings (leave the other fields at their defaults: Source Any, Protocol Any, Action Allow)
Destination port ranges: *
Name: DANGER_AllowAnyCustomAnyInbound
Note
This rule, combined with switching off the Windows firewall in the next step, exposes every port on the VM to the entire internet. That is the point of a honeypot, but it belongs only in an isolated lab subscription with no other resources in it, and the VM should be deleted once the exercise is finished
- Remotely access the CORP-NET-EAST virtual machine using the Remote Desktop Connection Windows application
- Open wf.msc by searching for it in the search bar. When the Windows Defender Firewall with Advanced Security window appears, click Windows Defender Firewall Properties
- On the Domain Profile tab, set Firewall state to Off (with the Firewall state dropdown focused, pressing the 'O' key selects Off). Repeat this for the Private Profile and Public Profile tabs, then click Apply and OK
- Disconnect from the CORP-NET-EAST virtual machine
- Attempt to remotely access the CORP-NET-EAST virtual machine using incorrect credentials 4 times
- Remotely access the CORP-NET-EAST virtual machine with the legitimate credentials, open Event Viewer, and navigate to Windows Logs > Security > Find…
- In the Find pop-up window, search for 4625, which is the event ID for failed log-in attempts ("An account failed to log on"). Because Azure Windows images enable Network Level Authentication, failed RDP attempts are recorded with Logon Type 3 and include the source IP in the Network Information section, which is what the later KQL queries rely on
- Observe the four failed log-in attempts from the earlier step by double-clicking them (below, it shows that DREWS_PC attempted a connection with the IP address of the VPN I'm currently connected to)
- In portal.azure.com, search for Log Analytics workspaces, click the + Create log analytics workspace button, set the Resource group to RG-SOC-Lab, set the Name to LAW-SOC-Lab-000, click Review + Create, and click Create after the validation completes
- In portal.azure.com, search for Microsoft Sentinel, click + Create Microsoft Sentinel, and add Microsoft Sentinel to the LAW-SOC-Lab-000 workspace
- In Microsoft Sentinel, within the LAW-SOC-Lab-000 workspace, navigate to Content management > Content hub, and search for Windows Security Events in the Search… box
- Tick ✅ Windows Security Events and then click the blue Install button in the panel on the right
- When the install completes, click the blue Manage button that appears where the Install button used to be
- Tick ✅ Windows Security Events via AMA and then click the blue Open connector page button in the panel on the right
- Click +Create data collection rule and use the following settings
Basics Tab:
- Rule name: DCR-Windows
- Resource group: RG-SOC-Lab
Resources Tab:
- Expand Azure subscription 1 > RG-SOC-Lab and tick ✅ CORP-NET-EAST
Review + Create Tab:
- Click the blue Create button
- On the CORP-NET-EAST virtual machine page in the portal, navigate to Settings > Extensions + applications to observe that AzureMonitorWindowsAgent is now in the Transitioning phase (eventually it should turn into Provisioning succeeded)
- In portal.azure.com, search for Log Analytics workspaces, select LAW-SOC-Lab-000, click on the Logs tab, type SecurityEvent into the textbox, and click ▶ Run. At first, there shouldn't be many records. However, after I leave the virtual machine on for around 24 hours, I'll come back and analyze that data with KQL and see how many attacks took place.
- After the 24 hour mark, running this query will show how many attacks took place in total:
SecurityEvent
| where EventID == 4625
| count
- Then, these attacks can be queried to display only the relevant information: time generated, account username, the machine that generated the log, event ID, activity (what the event ID means), and IP address:
SecurityEvent
| where EventID == 4625
| project TimeGenerated, Account, Computer, EventID, Activity, IpAddress
- In portal.azure.com, search for Microsoft Sentinel, click LAW-SOC-Lab-000, navigate to Configuration > Watchlist, and click + New
Basics Tab:
- For the Name and Alias fields, enter geoip
Source Tab:
- Under Upload file, upload geoip-summarized.csv and set the SearchKey to network
Review + Create Tab:
- Click the blue Create button
- The file will begin to upload (when Status (Preview) changes from ♻️ Uploading to ✅ Succeeded, it's time to proceed)
- Running the query below in the Log Analytics workspace will verify that the newly created Watchlist works properly (it should return the rows of geoip-summarized.csv, with the CSV columns alongside the SearchKey column):
_GetWatchlist("geoip")
- Use an attacker's IP address (from the logs) to query the GeoIP Watchlist and map the attack location:
let GeoIPDB_FULL = _GetWatchlist("geoip");
let WindowsEvents = SecurityEvent
| where IpAddress == "<insert attacker IP address here>"
| where EventID == 4625
| order by TimeGenerated desc
| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network);
WindowsEvents
| project TimeGenerated, Computer, AttackerIP = IpAddress, cityname, countryname, latitude, longitude
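The single-IP lookup above generalizes to the whole collection window. The query below is an added example and is not part of the original write-up: it ranks every attacking IP seen in the last 24 hours, counts how many distinct accounts each one tried, flags IPs that reached a brute-force threshold inside any 10-minute window, and enriches each row from the same geoip watchlist. The 24h lookback and the threshold of 20 failures per 10 minutes are assumed values chosen for illustration, and the network, cityname and countryname columns are assumed to come from geoip-summarized.csv exactly as in the query above.

```kql
// Added example, not from the original write-up. Assumed tunables:
let lookback = 24h;     // window to analyze
let threshold = 20;     // failures inside one 10-minute bin that count as brute force
let GeoIPDB_FULL = _GetWatchlist("geoip");
// Failed logons (4625) that carry a remote source address. Purely local
// failures log "-" as the IP and cannot be geolocated, so they are dropped.
let Failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where isnotempty(IpAddress) and IpAddress != "-";
// Per-IP totals: how many failures, how many different accounts were tried, and when.
let PerIP = Failures
    | summarize
        FailureCount = count(),
        DistinctAccounts = dcount(Account),
        SampleAccounts = make_set(Account, 5),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by IpAddress;
// IPs whose failure rate inside any single 10-minute window reached the threshold.
let Bursty = Failures
    | summarize Attempts = count() by IpAddress, Window = bin(TimeGenerated, 10m)
    | where Attempts >= threshold
    | summarize PeakAttemptsPer10m = max(Attempts) by IpAddress;
PerIP
| join kind=leftouter Bursty on IpAddress
| extend BruteForce = isnotnull(PeakAttemptsPer10m)
// Longest-prefix match of the attacker IP against the CIDR ranges in the
// watchlist's network column; unmatched IPs are dropped, as in the single-IP query.
| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)
| project AttackerIP = IpAddress, FailureCount, DistinctAccounts, SampleAccounts,
          BruteForce, PeakAttemptsPer10m, FirstSeen, LastSeen, cityname, countryname
| order by FailureCount desc
```

Run it from the Logs blade of LAW-SOC-Lab-000 after the watchlist upload has succeeded. The same shape, minus the geo enrichment and filtered to BruteForce == true, is what a Sentinel scheduled analytics rule for password spraying or brute force would look like; the DistinctAccounts column is what separates a spray (many accounts, few tries each) from a brute force against one account.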
- In portal.azure.com, search for Microsoft Sentinel, click LAW-SOC-Lab-000, navigate to Threat management > Workbooks, click + Add Workbook, and then click Edit
- Remove the default entries that Azure populates the new Workbook with
- Click + Add, click Add query, and then move to the Advanced Editor tab
- Replace the current contents in the Advanced Editor textbox with the following .json snippet
{
  "type": 3,
  "content": {
    "version": "KqlItem/1.0",
    "query": "let GeoIPDB_FULL = _GetWatchlist(\"geoip\");\nlet WindowsEvents = SecurityEvent;\nWindowsEvents | where EventID == 4625\n| order by TimeGenerated desc\n| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)\n| summarize FailureCount = count() by IpAddress, latitude, longitude, cityname, countryname\n| project FailureCount, AttackerIp = IpAddress, latitude, longitude, city = cityname, country = countryname,\nfriendly_location = strcat(cityname, \" (\", countryname, \")\");",
    "size": 3,
    "timeContext": {
      "durationMs": 2592000000
    },
    "queryType": 0,
    "resourceType": "microsoft.operationalinsights/workspaces",
    "visualization": "map",
    "mapSettings": {
      "locInfo": "LatLong",
      "locInfoColumn": "countryname",
      "latitude": "latitude",
      "longitude": "longitude",
      "sizeSettings": "FailureCount",
      "sizeAggregation": "Sum",
      "opacity": 0.8,
      "labelSettings": "friendly_location",
      "legendMetric": "FailureCount",
      "legendAggregation": "Sum",
      "itemColorSettings": {
        "nodeColorField": "FailureCount",
        "colorAggregation": "Sum",
        "type": "heatmap",
        "heatmapPalette": "greenRed"
      }
    }
  },
  "name": "query - 0"
}
- Click Done Editing
- Save the Workbook with the save icon in the toolbar, with the Title being Windows VM Attack Map and the Resource group being RG-SOC-Lab (after clicking the blue Save As button, also re-click the save icon in the toolbar)
Note
The map visualization is highly customizable. For example, the color scheme can be adjusted from Green-Orange-Red to Yellow-Orange-Red