In this project phase, I will illustrate the procedure for accessing the virtual machine and demonstrate how to monitor the Event Viewer within it. Subsequently, as part of a controlled experiment, I will disable the firewall to entice potential attackers to target our virtual machine. Following this, I will acquire an online PowerShell script designed to extract the longitude and latitude of the attackers' location. To execute this script, it will be necessary to establish an account on Geolocation.io in order to obtain the requisite API Key. Lastly, we will execute the script to test if we can obtain precise geolocation data pertaining to the attackers' origin.
Logging into the VM with Remote Desktop Application
Observe Event Viewer on VM
Turn off the firewall in the VM
Get the API Key from Geolocation.io
Download PowerShell Script
Run the Script to get Geolocation Data from Attackers
Logging In to the Virtual Machine
1. In the Azure Portal search bar, search: Virtual Machine
2. Click on honeypot > copy the Public IP Address
3. Go to our own Desktop > click on the start menu > open the Remote Desktop Connection application
4. Paste the Public IP Address into the Remote Desktop Connection application and use the account information you signed up for the subscription with
Remote Desktop Connection
5. Once the VM has finished loading, apply No to all the settings
VM Startup Settings
Observe Event Viewer on VM
1. In the Virtual Machine > click the start menu > type in Event Viewer and start it up
2. Inside the Event Viewer > Windows Logs > Security > the Audit Failure events are the ones that we will be gathering.
Event Viewer
3. The Audit Failure contains:
- Account Name, Workstation Name, IP Address
Audit Failure
Turning off the Firewall in the VM
1. In the Virtual Machine > click the start menu > type in wf.msc and open it
wf.msc
2. Click on Windows Defender Firewall Properties
Windows Defender Firewall
3. Turn the Firewall state: Off, for Domain Profile, Private Profile, and Public Profile > Apply
4. This will allow my Desktop device to ping the VM, which was not possible before turning off the firewall.
Desktop Ping VM
Get API Key from Geolocation.io
1. Sign up on [Geolocation.io](https://ipgeolocation.io/signup.html)
2. Verify Email and login to get the API Key
API Key Obtained
Fetching PowerShell Script
1. [PowerShell Script](https://github.com/joshmadakor1/Sentinel-Lab/blob/main/Custom_Security_Log_Exporter.ps1) by Josh Madakor
2. Copy the whole code on the GitHub website
3. Go back to the VM > Start menu > Search: Windows PowerShell ISE and run it as administrator
4. Windows PowerShell ISE > File > New
5. Paste the whole code into PowerShell ISE
6. Change the API KEY to your own that you got from Geolocation.io
PowerShell ISE
7. Save it on Desktop > name: Log_Exporter
Running and Testing the PowerShell Script
1. PowerShell ISE > Click Run
PowerShell ISE Run Script
2. Check if the log file is created
- VM start menu > search: run > Run program: C:\ProgramData\
Navigate to logfile
3. Test if the Log will update
- Go back to your Desktop > Start menu search: Remote Desktop Connection
- Attempt a failed login to the VM with
- Username: Testing
Log is working
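To show what the Audit Failure fields above contain and how a log exporter like the one run in this phase turns them into a geolocated log line, here is an added example script. It is not Josh Madakor's Custom_Security_Log_Exporter.ps1 and not part of the original page; the parameter names ($ApiKey, $LogPath), the log file name and the API response field names (country_name, state_prov, city, latitude, longitude, as documented by ipgeolocation.io) are assumptions.

```powershell
# Added example, not Josh Madakor's Custom_Security_Log_Exporter.ps1 (assumed names: $ApiKey,
# $LogPath; response fields country_name/state_prov/city/latitude/longitude per ipgeolocation.io docs).
param(
    [string]$ApiKey  = 'REPLACE_WITH_YOUR_API_KEY',   # key obtained from ipgeolocation.io
    [string]$LogPath = 'C:\ProgramData\failed_rdp.log'
)
# Run as administrator: the Security log is not readable from a standard user session.
if (-not (Test-Path $LogPath)) { New-Item -Path $LogPath -ItemType File -Force | Out-Null }
$seen  = @{}                          # keys of events already written this session
$since = (Get-Date).AddHours(-1)      # only look back one hour on the first pass

function Get-FailedLogons {
    # Event ID 4625 = "An account failed to log on", shown as Audit Failure in Event Viewer.
    # The named fields are read from the event XML rather than parsed out of the message text.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Account = $d['TargetUserName']
            Workstation = $d['WorkstationName']; SourceIp = $d['IpAddress']
        }
    }
}

function Get-GeoInfo([string]$Ip) {
    # '-' means no network source (local logon); private ranges cannot be geolocated.
    if ($Ip -eq '-' -or $Ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') { return $null }
    $uri = "https://api.ipgeolocation.io/ipgeo?apiKey=$ApiKey&ip=$Ip"
    try { Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 10 } catch { $null }
}

while ($true) {
    foreach ($e in Get-FailedLogons) {
        $key = "$($e.Time.Ticks)|$($e.SourceIp)|$($e.Account)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $g = Get-GeoInfo $e.SourceIp
        if (-not $g) { continue }
        $line = "timestamp:$($e.Time.ToString('s')),sourceip:$($e.SourceIp)," +
                "account:$($e.Account),workstation:$($e.Workstation)," +
                "country:$($g.country_name),state:$($g.state_prov),city:$($g.city)," +
                "latitude:$($g.latitude),longitude:$($g.longitude)"
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }
    $since = (Get-Date).AddMinutes(-2)   # small overlap; the $seen table removes repeats
    Start-Sleep -Seconds 60
}
```

A failed login with the Username "Testing" from your own desktop will appear as a new line in the log file within about a minute, with the latitude and longitude of your public IP, which is the same check as step 3 above.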