Summary
For a few months I’ve had a basic Azure Linux box with SSH open to the world to collect the usernames brute forced and the IP address of the bot trying.
This worked OK for a while but I was only taking the username and nothing else, plus it was slightly risky if the attacker ever guessed a username or password.
What I really wanted to see was the Username and Password that was being used. From this I could build a list of compromised passwords and build out some Threat Intel of threat actors and the tools they are using. After googling around it became clear I needed some form of Honeypot that would collect the Logons and also let the attacker in. This way I can see what commands are run post breach.
After downloading and playing with a few, I stumbled across Cowrie. This ticked all the boxes needed for a simple SSH sandbox
- Simple and flexible install
- Robust log export
- Low overhead
- Logs Usernames, Passwords and Commands
Setup Cowrie
You can install Cowrie as a standalone service or run it inside a docker.
The below instructions are to install and run Cowrie without Docker. I plan on moving my current setup to Docker soon and will update with the changes needed to run inside docker later.
Install the System Dependency
sudo apt-get install git python-virtualenv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind virtualenvCreate Cowrie User
sudo adduser --disabled-password cowrieClone Repo
git clone https://github.com/cowrie/cowrie cd cowrieSetup Python Virtual Environment
virtualenv --python=python3 cowrie-env source cowrie-env/bin/activateSetup Authbind for port 22
sudo apt-get install authbind sudo touch /etc/authbind/byport/22 sudo chown cowrie:cowrie /etc/authbind/byport/22 sudo chmod 770 /etc/authbind/byport/22Start Cowrie
bin/cowrie start
Sentinel Logs
Now you have Cowrie setup the ingestion of the logs into Sentinel is straightforward. To take the logs from the VM you will need to have the OMS agent setup on your Sentinel Instance.
This can be done direct from the Workspace Sentinel is attached to or by using the following commands
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <YOUR WORKSPACE ID> -s <YOUR WORKSPACE PRIMARY KEY>
Once installed and the VM is sending Heartbeats you need to setup the Custom Log collector.
Open the Log Workspace and navigate to:
Settings > Custom Logs > Add Custom Log
When prompted, upload the cowrie.json file, this can be found in: Cowrie/var/log/cowrie/cowrie.json
It takes about 15min for logs to start showing in sentinel
Now the logs are in they need to be parsed, inside the Cowrie Github you will find a Function Parser that takes the RAW logs and transforms them into something useful
Hunting
Now we have the logs in Sentinel we can start to extract interesting info:
What Usernames are used the most?
What passwords are used?
Where are the Attackers located?
Show Usernames and Password
Take the Cowrie logs and search for Usernames and Passwords
Cowrie
| where EventID contains "success"
| project TimeGenerated, SourceIp, Username, Password
Show Commands
Take the Cowrie logs and search for commands
Cowrie
| where EventID contains "command"
| project TimeGenerated, Input, SourceIp
Geolocate IP
My biggest pet peeve with Sentinel is GeoLocation isn’t possible by default when searching logs!
With a little hack its possible to import a CSV with locations and then transform all the IP addresses in the Cowrie table with the expropriate location
let IP_List = externaldata(network:string, continent_code:string ,continent_name:string, country_iso_code:string, country_name:string)["https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"] with (format="csv",ignoreFirstRecord=true);
Cowrie
| distinct tostring(SourceIp)
| evaluate ipv4_lookup(IP_List, tostring(SourceIp), network)
| summarize count() by country_name