Cowrie honeypot and its Integration with Microsoft Sentinel.
Cowrie is an advanced honeypot designed to emulate SSH (Secure Shell) and Telnet services to attract, detect, and analyse malicious activities. As a type of cybersecurity tool, a honeypot like Cowrie is used to create a controlled environment that mimics real systems to lure attackers. Once attackers interact with Cowrie, their activities are logged(json), providing valuable insights into their methods and motives.
Key Features of Cowrie
SSH and Telnet Emulation: Cowrie simulates SSH and Telnet services, which are commonly targeted by attackers seeking unauthorized access to systems.
Detailed Logging: It captures detailed logs of attempted commands, executed commands, and interaction patterns. This helps in understanding attack methodologies and tools used by attackers.
File and Command Logging: Besides logging commands, Cowrie also logs files uploaded and downloaded by attackers, offering a comprehensive view of their activities.
Support for Interactive Sessions: Cowrie can simulate interactive command-line sessions, allowing it to capture more detailed information about attacker behaviour.
Dynamic Configuration: The configuration of Cowrie can be tailored to mimic various environments and setups, enhancing its effectiveness in different scenarios.
Why Use Cowrie?
Threat Intelligence
Cowrie provides valuable insights into attack trends and techniques. By observing and analysing the interactions of attackers with the honeypot, security professionals can gather information on attack vectors, tools, and methodologies. This intelligence is crucial for improving security measures and defenses.
Detection of Unknown Threats
Honeypots like Cowrie can detect and log unknown or emerging threats that might not be caught by traditional security measures. Since attackers are drawn to the honeypot, it can uncover new vulnerabilities and attack methods before they impact real systems.
Improved Security Posture:
By studying the data collected from Cowrie, organizations can enhance their security posture. This includes refining intrusion detection systems (IDS), updating firewall rules, and improving overall security policies based on real-world data collected from the honeypot.
Low Risk Deployment:
Since Cowrie is designed to simulate services rather than be a real production environment, the risks associated with it are contained. Any malicious activity targeting the honeypot does not affect actual production systems, making it a safe and controlled way to study attacks.
Conclusion
Cowrie is a powerful and versatile tool for cybersecurity professionals looking to understand and combat malicious activities targeting SSH and Telnet services. By deploying Cowrie, organizations can gain crucial insights into attack patterns, detect emerging threats, and improve their overall security posture while maintaining a low-risk environment for research and analysis.
Integrating Cowrie honeypot with Microsoft Sentinel (SIEM & SOAR)
Integrating Cowrie with Microsoft Sentinel brings several benefits for enhancing cybersecurity operations. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) service that provides intelligent security analytics and threat intelligence across the enterprise. By combining Cowrie’s detailed honeypot data with Sentinel’s advanced analytics and automation capabilities, organizations can achieve a more comprehensive and effective security posture.
Analytical Rules, Threat Hunting, Automation, Workbooks, Custom Parsers.
Step-by-Step Guide to Install Cowrie on Linux:
Github: GitHub – cowrie/cowrie: Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
Update Your System
Start by updating your package lists and upgrading existing packages:
sudo apt update && sudo apt upgrade -y
Install Required Dependencies
Install the necessary packages and libraries for Cowrie:
sudo apt install -y python3-pip python3-venv python3-dev libssl-dev libffi-dev build-essential git
Create a Cowrie User
Create a dedicated user to run Cowrie:
sudo adduser –disabled-password –gecos ‘Cowrie’ cowrie
Switch to the Cowrie User
Switch to the Cowrie user account:
sudo -u cowrie -i
Clone the Cowrie Repository
Clone the Cowrie GitHub repository to the Cowrie user’s home directory:
git clone https://github.com/cowrie/cowrie.git
Navigate into the Cowrie directory:
cd cowrie
Set Up the Python Virtual Environment
Create and activate a Python virtual environment within the Cowrie directory:
python3 -m venv cowrie-env
source cowrie-env/bin/activate
Install Cowrie’s Python Dependencies
Install the required Python packages using pip:
pip install -r requirements.txt
Configure Cowrie
Copy the sample configuration files to create your own configuration:
cp cowrie.cfg.sample cowrie.cfg
cp userdb.txt.sample userdb.txt
Edit cowrie.cfg to adjust settings as needed. For basic usage, you might not need to make changes initially. Use a text editor like nano:
nano cowrie.cfg
Start Cowrie
Start Cowrie using the provided startup script:
bin/cowrie start
You can stop Cowrie with:
bin/cowrie stop
And check its status with:
bin/cowrie status
Verify the Installation
To ensure Cowrie is running, you can check the logs located in the cowrie/log directory:
tail -f log/cowrie.log
Accessing the cowrie using windows Command prompt and verifying logs flow.
Full potential and see how it captures and logs attacker activity
Connect to Cowrie
To interact with Cowrie, connect to it using SSH or Telnet. For example, if Cowrie is configured to listen on port 2222 for SSH:
Explore Cowrie’s Features
Test Authentication
Try Different Usernames and Passwords: Cowrie will log any attempted logins, including failed attempts. Use common usernames like root, admin, or user, and various passwords to see how Cowrie records these attempts.
ssh -p 2222 root@ 172.210.56.197
ssh -p 2222 admin@ 172.210.56.197
ssh -p 2222 user@ 172.210.56.197
Check Logs: Cowrie logs authentication attempts in its log files. Monitor var/log/cowrie.log to see how these attempts are recorded.
Execute Commands
Try Common Commands: Once logged in, you can execute common Unix commands to simulate normal or malicious activity. For example: Ls, whoami, uname -a
Upload Files
Use SCP or SFTP (if configured): If Cowrie is set up to handle SCP or SFTP, you can try uploading files:
scp -P 2222 localfile.txt user@172.210.56.197:/tmp
Test Network Interactions
Check for Open Ports: Use tools like nmap to scan Cowrie and verify which ports are open
nmap -p- 172.210.56.197
Leveraging Microsoft Sentinel with Cowrie: Parsers
To parse and normalize Cowrie logs in Microsoft Sentinel using Kusto Query Language (KQL), you can create a query that extracts and organizes the relevant information from the raw log data. Below is an example KQL query that parses the Cowrie logs, assuming the logs are stored in a custom log type (e.g., newCowrie_CL).
KQL Query for Parsing Cowrie Logs
The following KQL query will parse the log entries and present them in a normalized format. Adjust the field names based on your actual log structure and requirements.
// Query to normalize and extract information from Cowrie logs
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
URL = tostring(parse_json(RawData).url),
Outfile = tostring(parse_json(RawData).outfile),
SHA256 = tostring(parse_json(RawData).shasum),
Sensor = tostring(parse_json(RawData).sensor),
Message = tostring(parse_json(RawData).message),
SourceIP = tostring(parse_json(RawData).src_ip),
SessionID = tostring(parse_json(RawData).session)
| project EventID, URL, Outfile, SHA256, Sensor, Message, SourceIP, SessionID
Leveraging Microsoft Sentinel with Cowrie: Analytical Rules
Creating analytical rules in Microsoft Sentinel based on Cowrie logs can provide valuable insights into security threats and activities captured by the honeypot. Below are some prominent use cases and corresponding KQL queries that can be used to create these analytical rules:
Detect Suspicious File Downloads
Use Case: Identify instances where files were downloaded from suspicious or known malicious URLs.
KQL Query:
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
URL = tostring(parse_json(RawData).url),
SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == “cowrie.session.file_download”
| where URL contains “malicious-site.com” or URL contains “suspicious”
| project SourceIP, URL
Alert on High Number of Failed Login Attempts
Use Case: Detect brute-force or password-guessing attacks by monitoring a high volume of failed login attempts.
KQL Query:
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == “cowrie.login.failed”
| summarize FailedAttempts = count() by SourceIP
| where FailedAttempts > 2
| project SourceIP, FailedAttempts
| order by FailedAttempts desc
Monitor Unusual File Execution
Use Case: Detect attempts to execute files or scripts that are unusual or not typical for the environment.
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
Command = tostring(parse_json(RawData).command)
SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == “cowrie.session.command”
| where Command contains “wget” or Command contains “curl” or Command contains “chmod +x”
| project SourceIP, Command
Detect File Uploads and Downloads
Use Case: Monitor file uploads and downloads to detect potential exfiltration or data theft activities.
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
URL = tostring(parse_json(RawData).url),
SourceIP = tostring(parse_json(RawData).src_ip),
Outfile = tostring(parse_json(RawData).outfile)
| where EventID in (“cowrie.session.file_upload”, “cowrie.session.file_download”)
| project EventID, SourceIP, URL, Outfile
Rule Description: This rule monitors file upload and download activities, helping to identify potentially malicious file transfers.
Detect Connection Events
Use Case: Track connection events to detect unusual patterns in access or possible reconnaissance activity.
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == “cowrie.session.closed”
| project SourceIP
Leveraging Microsoft Sentinel with Cowrie: Workbooks
Azure Monitor Workbook for Cowrie logs involve using Kusto Query Language (KQL) to extract and visualize various aspects of the data. Here’s a guide to building a comprehensive and dynamic Workbook that includes various visualizations and insights from your Cowrie logs.
Overview Dashboard
Purpose: Provides a high-level summary of all key metrics.
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid)
| summarize
TotalEvents = count(),
TotalSuccessfulLogins = countif(EventID == “cowrie.login.success”),
TotalFailedLogins = countif(EventID == “cowrie.login.failed”),
TotalFileUploads = countif(EventID == “cowrie.session.file_upload”),
TotalFileDownloads = countif(EventID == “cowrie.session.file_download”),
TotalCommands = countif(EventID == “cowrie.command.input”),
TotalSessionClosed = countif(EventID == “cowrie.session.closed”),
TotalSessionConnect = countif(EventID == ” cowrie.session.connect “)
| project
TotalEvents,
TotalSuccessfulLogins,
TotalFailedLogins,
TotalFileUploads,
TotalFileDownloads,
TotalCommands,
TotalSessionClosed,
TotalSessionConnect
Microsoft Global Hackathon-2024- Cowrie-Sentinel Integration:
Introduction
Technical Deep Dive
Hackathon 2024- Cowrie-Sentinel Integratio (20-09-2024 22-09-17).wmv
Microsoft Tech Community – Latest Blogs –Read More