This was one of the first lab projects I completed. The main goal here is to get some exposure to a SIEM, get some experience within the Azure environment setting up a virtual machine, and understand the systems behind the telemetry. As the title says, this project's goal was to create a vulnerable machine and expose it to the internet for attackers to discover and attempt to brute force. Once the machine is discovered (for example by ICMP), an attacker can attempt to remotely access it, most likely through RDP, and try to log in using common or random usernames/passwords. Each of these failed login attempts generates Windows event ID 4625 on our machine. We will set up a PowerShell script to pull the source IP and username from these events and send the IP to a 3rd-party API to get geolocation data such as latitude, longitude, state, country, etc. From this we create the custom log that is ingested into Microsoft Log Analytics and subsequently queried by Microsoft Sentinel and plotted on a map.
- Gain hands-on experience within the Microsoft Azure environment.
- Gain experience with the Microsoft Sentinel SIEM.
- Learn how to use PowerShell to forward log data to a 3rd-party API and generate a custom log.
- Learn how to query a custom log with KQL within Microsoft Sentinel.
- Learn how to extract fields from a custom log and create an attack map.
- Microsoft Azure Sentinel
- Microsoft Log Analytics Workspace
- PowerShell
- Virtual Machines
- KQL
- Create a Windows VM, turn off the firewall and enable ICMP.
- Create and set up a Log Analytics workspace to ingest logs, and connect the VM to it.
- Use a PowerShell script to send each attacker's IP address to a geolocation API and get back the latitude and longitude of that IP address; these values are written into the custom log.
- Ingest the custom log into the Log Analytics workspace and extract fields from RawData (latitude, longitude, username, source host IP, state/province, country, timestamp).
- Query the custom log in Azure Sentinel, including source host and country, and plot the results on a world map.
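As an added illustration of the PowerShell and custom-log steps above (this is example code, not the project's own script from the video): a loop that reads new 4625 events from the Security log, looks up each public source IP once against a geolocation service, and appends one comma-separated line per attempt to the file the Log Analytics custom log connector reads. The service URL, its query format and its JSON field names are placeholders, as is the log path.

```powershell
# Added example, not the project's own script. The geolocation service URL, its
# query format and its JSON field names are placeholders; the log path is
# arbitrary but must match the path the Log Analytics custom log watches.
# Reading the Security log requires an elevated PowerShell session.
$LogFile = 'C:\ProgramData\failed_rdp_geo.log'
$GeoApi  = 'https://geolocation.example/lookup'   # placeholder service
$GeoKey  = '<YOUR_API_KEY>'                        # placeholder key

# One header row so field extraction in Log Analytics sees stable column names.
if (-not (Test-Path $LogFile)) {
    'latitude,longitude,username,sourcehost,state,country,timestamp' |
        Out-File -FilePath $LogFile -Encoding utf8
}

# Private, loopback and link-local addresses carry no useful geolocation;
# 4625 events with no network source report '-' as the address.
function Test-PublicIPv4([string]$ip) {
    return ($ip -match '^\d{1,3}(\.\d{1,3}){3}$') -and
           ($ip -notmatch '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)')
}

$geoCache = @{}                       # one lookup per source IP, not per attempt
$since    = (Get-Date).AddMinutes(-10)

while ($true) {
    $now    = Get-Date
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $since  = $now
    foreach ($e in $events) {
        # EventData carries TargetUserName and IpAddress as named <Data> elements.
        $x    = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ip = $data['IpAddress']
        if (-not (Test-PublicIPv4 $ip)) { continue }

        if (-not $geoCache.ContainsKey($ip)) {
            # Response fields latitude, longitude, region, country are assumed.
            $geoCache[$ip] = Invoke-RestMethod -Uri "${GeoApi}?ip=$ip&key=$GeoKey" -Method Get
        }
        $g = $geoCache[$ip]
        $fields = @($g.latitude, $g.longitude, $data['TargetUserName'], $ip,
                    $g.region, $g.country, $e.TimeCreated.ToString('o'))
        Add-Content -Path $LogFile -Value ($fields -join ',')
    }
    Start-Sleep -Seconds 60
}
```

The header row and the `-join ','` line give the custom log a fixed field order, which is what makes the later field extraction in Log Analytics and the KQL map query in Sentinel reliable.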
Disclaimer: this is not a step-by-step guide for you to follow; please visit the link above to see the source video and follow along with that.