Blog Post

Microsoft Sentinel Blog
7 MIN READ

Cowrie honeypot and its Integration with Microsoft Sentinel.

VipulDabhi's avatar
VipulDabhi
Icon for Microsoft rankMicrosoft
Oct 04, 2024

Cowrie is an advanced honeypot designed to emulate SSH (Secure Shell) and Telnet services to attract, detect, and analyse malicious activities. As a type of cybersecurity tool, a honeypot like Cowrie is used to create a controlled environment that mimics real systems to lure attackers. Once attackers interact with Cowrie, their activities are logged(json), providing valuable insights into their methods and motives.

Key Features of Cowrie

  1. SSH and Telnet Emulation: Cowrie simulates SSH and Telnet services, which are commonly targeted by attackers seeking unauthorized access to systems.
  2. Detailed Logging: It captures detailed logs of attempted commands, executed commands, and interaction patterns. This helps in understanding attack methodologies and tools used by attackers.
  3. File and Command Logging: Besides logging commands, Cowrie also logs files uploaded and downloaded by attackers, offering a comprehensive view of their activities.
  4. Support for Interactive Sessions: Cowrie can simulate interactive command-line sessions, allowing it to capture more detailed information about attacker behaviour.
  5. Dynamic Configuration: The configuration of Cowrie can be tailored to mimic various environments and setups, enhancing its effectiveness in different scenarios.

Why Use Cowrie?

  1. Threat Intelligence
    Cowrie provides valuable insights into attack trends and techniques. By observing and analysing the interactions of attackers with the honeypot, security professionals can gather information on attack vectors, tools, and methodologies. This intelligence is crucial for improving security measures and defenses.

  2. Detection of Unknown Threats
    Honeypots like Cowrie can detect and log unknown or emerging threats that might not be caught by traditional security measures. Since attackers are drawn to the honeypot, it can uncover new vulnerabilities and attack methods before they impact real systems.

 

  1. Improved Security Posture:
    By studying the data collected from Cowrie, organizations can enhance their security posture. This includes refining intrusion detection systems (IDS), updating firewall rules, and improving overall security policies based on real-world data collected from the honeypot.

 

  1. Low Risk Deployment:
    Since Cowrie is designed to simulate services rather than be a real production environment, the risks associated with it are contained. Any malicious activity targeting the honeypot does not affect actual production systems, making it a safe and controlled way to study attacks.

Conclusion

Cowrie is a powerful and versatile tool for cybersecurity professionals looking to understand and combat malicious activities targeting SSH and Telnet services. By deploying Cowrie, organizations can gain crucial insights into attack patterns, detect emerging threats, and improve their overall security posture while maintaining a low-risk environment for research and analysis.


Integrating Cowrie honeypot with Microsoft Sentinel (SIEM & SOAR)

Integrating Cowrie with Microsoft Sentinel brings several benefits for enhancing cybersecurity operations. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) service that provides intelligent security analytics and threat intelligence across the enterprise. By combining Cowrie’s detailed honeypot data with Sentinel’s advanced analytics and automation capabilities, organizations can achieve a more comprehensive and effective security posture.
Analytical Rules, Threat Hunting, Automation, Workbooks, Custom Parsers.

 


Step-by-Step Guide to Install Cowrie on Linux:

Github:
GitHub - cowrie/cowrie: Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

  1. Update Your System

Start by updating your package lists and upgrading existing packages:


sudo apt update && sudo apt upgrade -y

  1. Install Required Dependencies

Install the necessary packages and libraries for Cowrie:


sudo apt install -y python3-pip python3-venv python3-dev libssl-dev libffi-dev build-essential git

  1. Create a Cowrie User

Create a dedicated user to run Cowrie:


sudo adduser --disabled-password --gecos 'Cowrie' cowrie

  1. Switch to the Cowrie User

Switch to the Cowrie user account:


sudo -u cowrie -i

  1. Clone the Cowrie Repository

Clone the Cowrie GitHub repository to the Cowrie user's home directory:

git clone https://github.com/cowrie/cowrie.git


Navigate into the Cowrie directory:

cd cowrie

  1. Set Up the Python Virtual Environment

Create and activate a Python virtual environment within the Cowrie directory:

python3 -m venv cowrie-env

source cowrie-env/bin/activate

  1. Install Cowrie’s Python Dependencies

Install the required Python packages using pip:

pip install -r requirements.txt

  1. Configure Cowrie

Copy the sample configuration files to create your own configuration:

cp cowrie.cfg.sample cowrie.cfg

cp userdb.txt.sample userdb.txt

Edit cowrie.cfg to adjust settings as needed. For basic usage, you might not need to make changes initially. Use a text editor like nano:

nano cowrie.cfg

 

  1. Start Cowrie

Start Cowrie using the provided startup script:

bin/cowrie start

You can stop Cowrie with:

bin/cowrie stop

And check its status with:

bin/cowrie status

  1. Verify the Installation

To ensure Cowrie is running, you can check the logs located in the cowrie/log directory:

tail -f log/cowrie.log

 

Accessing the cowrie using windows Command prompt and verifying logs flow.

Full potential and see how it captures and logs attacker activity

  1. Connect to Cowrie

To interact with Cowrie, connect to it using SSH or Telnet. For example, if Cowrie is configured to listen on port 2222 for SSH:

 

  1. Explore Cowrie’s Features
  2. Test Authentication
  • Try Different Usernames and Passwords: Cowrie will log any attempted logins, including failed attempts. Use common usernames like root, admin, or user, and various passwords to see how Cowrie records these attempts.
  • ssh -p 2222 root@ 172.210.56.197
    ssh -p 2222 admin@ 172.210.56.197
    ssh -p 2222 user@ 172.210.56.197
  • Check Logs: Cowrie logs authentication attempts in its log files. Monitor var/log/cowrie.log to see how these attempts are recorded.
  1. Execute Commands
  • Try Common Commands: Once logged in, you can execute common Unix commands to simulate normal or malicious activity. For example: Ls, whoami, uname -a
  1. Upload Files
  • Use SCP or SFTP (if configured): If Cowrie is set up to handle SCP or SFTP, you can try uploading files:
    scp -P 2222 localfile.txt user@172.210.56.197:/tmp
  1. Test Network Interactions
  • Check for Open Ports: Use tools like nmap to scan Cowrie and verify which ports are open
    nmap -p- 172.210.56.197

 

Leveraging Microsoft Sentinel with Cowrie: Parsers

To parse and normalize Cowrie logs in Microsoft Sentinel using Kusto Query Language (KQL), you can create a query that extracts and organizes the relevant information from the raw log data. Below is an example KQL query that parses the Cowrie logs, assuming the logs are stored in a custom log type (e.g., newCowrie_CL).

KQL Query for Parsing Cowrie Logs

 

The following KQL query will parse the log entries and present them in a normalized format. Adjust the field names based on your actual log structure and requirements.


// Query to normalize and extract information from Cowrie logs

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         URL = tostring(parse_json(RawData).url),
         Outfile = tostring(parse_json(RawData).outfile),
         SHA256 = tostring(parse_json(RawData).shasum),
         Sensor = tostring(parse_json(RawData).sensor),
         Message = tostring(parse_json(RawData).message),
        SourceIP = tostring(parse_json(RawData).src_ip),
         SessionID = tostring(parse_json(RawData).session)
| project EventID, URL, Outfile, SHA256, Sensor, Message, SourceIP, SessionID

Leveraging Microsoft Sentinel with Cowrie: Analytical Rules


Creating analytical rules in Microsoft Sentinel based on Cowrie logs can provide valuable insights into security threats and activities captured by the honeypot. Below are some prominent use cases and corresponding KQL queries that can be used to create these analytical rules:

  1. Detect Suspicious File Downloads

Use Case: Identify instances where files were downloaded from suspicious or known malicious URLs.

KQL Query:
newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         URL = tostring(parse_json(RawData).url),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.session.file_download"
| where URL contains "malicious-site.com" or URL contains "suspicious"
| project  SourceIP, URL

  1. Alert on High Number of Failed Login Attempts

Use Case: Detect brute-force or password-guessing attacks by monitoring a high volume of failed login attempts.

KQL Query:

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.login.failed"
| summarize FailedAttempts = count() by SourceIP
| where FailedAttempts > 2
| project  SourceIP, FailedAttempts
| order by FailedAttempts desc

  1. Monitor Unusual File Execution

Use Case: Detect attempts to execute files or scripts that are unusual or not typical for the environment.

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         Command = tostring(parse_json(RawData).command)
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.session.command"
| where Command contains "wget" or Command contains "curl" or Command contains "chmod +x"
| project  SourceIP, Command

 

 

  1. Detect File Uploads and Downloads

Use Case: Monitor file uploads and downloads to detect potential exfiltration or data theft activities.


newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         URL = tostring(parse_json(RawData).url),
         SourceIP = tostring(parse_json(RawData).src_ip),
         Outfile = tostring(parse_json(RawData).outfile)
| where EventID in ("cowrie.session.file_upload", "cowrie.session.file_download")
| project  EventID, SourceIP, URL, Outfile


Rule Description
: This rule monitors file upload and download activities, helping to identify potentially malicious file transfers.

  1. Detect Connection Events

Use Case: Track connection events to detect unusual patterns in access or possible reconnaissance activity.

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid),
         SourceIP = tostring(parse_json(RawData).src_ip)
| where EventID == "cowrie.session.closed"
| project SourceIP

 

 

Leveraging Microsoft Sentinel with Cowrie: Workbooks

Azure Monitor Workbook for Cowrie logs involve using Kusto Query Language (KQL) to extract and visualize various aspects of the data. Here’s a guide to building a comprehensive and dynamic Workbook that includes various visualizations and insights from your Cowrie logs.

  1. Overview Dashboard

Purpose: Provides a high-level summary of all key metrics.

newCowrie_CL
| extend EventID = tostring(parse_json(RawData).eventid)
| summarize
    TotalEvents = count(),
    TotalSuccessfulLogins = countif(EventID == "cowrie.login.success"),
    TotalFailedLogins = countif(EventID == "cowrie.login.failed"),
    TotalFileUploads = countif(EventID == "cowrie.session.file_upload"),
    TotalFileDownloads = countif(EventID == "cowrie.session.file_download"),
    TotalCommands = countif(EventID == "cowrie.command.input"),
    TotalSessionClosed = countif(EventID == "cowrie.session.closed"),
    TotalSessionConnect = countif(EventID == " cowrie.session.connect ")
| project
    TotalEvents,
    TotalSuccessfulLogins,
    TotalFailedLogins,
    TotalFileUploads,
    TotalFileDownloads,
    TotalCommands,
    TotalSessionClosed,
    TotalSessionConnect

 

 

Microsoft Global Hackathon-2024- Cowrie-Sentinel Integration:
Introduction
Technical Deep Dive

Hackathon 2024- Cowrie-Sentinel Integratio (20-09-2024 22-09-17).wmv

Updated Oct 04, 2024
Version 1.0