How I Set Up a Cowrie Honeypot to Capture Real SSH Attacks

Project Overview
In this project, I deployed a Cowrie SSH/Telnet honeypot on an Ubuntu virtual machine to collect and analyze real-world attack behavior. To simulate an exposed environment, I configured the virtual machine to forward port 2222 to the host system. I then used another system to SSH into the honeypot to simulate an attacker session. All commands were logged by Cowrie for post-event analysis.
Tools and Environment
- Virtual Machine – Ubuntu 22.04 LTS
- SSH Honeypot – Cowrie
- Log parser – Python & Regex
- Mapping behavior framework – MITRE ATT&CK Framework
Python dependencies
These commands were run to prepare the environment. As a refresher, let’s go through them.
sudo apt update && sudo apt upgrade -y
sudo apt install -y git python3-venv python3-dev libssl-dev libffi-dev build-essential libevent-dev libpython3-dev
The first command refreshes the list of available Ubuntu package versions and then upgrades the installed packages, which pulls in any new security patches and library versions. The command sudo (“superuser do”) temporarily grants admin privileges. It’s required for installing software, but we still need to name the package manager, which we do with apt (“Advanced Package Tool”). The -y flag auto-confirms the prompts that follow.
The second command installs all the dependencies for the project. Here is a chart that lists the purpose of each package.
| Package | Purpose |
| --- | --- |
| git | Version control system used to clone the Cowrie repository |
| python3-venv | Enables creating isolated Python environments (virtualenv) |
| python3-dev | Headers and tools needed to build Python modules |
| libssl-dev | Required for SSL/TLS cryptographic operations (used in SSH handling) |
| libffi-dev | Helps interface with C code – used by many Python libraries like cryptography |
| build-essential | Meta-package that includes compilers and tools needed for building software |
| libevent-dev | Supports asynchronous I/O – useful for Twisted (the networking engine Cowrie uses) |
| libpython3-dev | Additional development headers and libraries for Python modules |
OK!
Honeypot time!
First, what is Cowrie?
According to its official GitHub repository:
Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
Cowrie is maintained by Michel Oosterhof.
Cowrie works on Twisted. Twisted is an open-source, event-driven networking engine written in Python. It is the network engine that powers Cowrie’s ability to interact with attackers in real time.
Twisted specifically handles:
- Incoming connections to the honeypot: Cowrie runs under “twistd”, the Twisted daemon.
- That daemon launches an event loop (the reactor) that listens for connections on ports like 2222.
- Async communication with attackers (so Cowrie doesn’t block while waiting).
- Simulated shells that appear real to the attacker.
- Logging all interactions in the background.
OK!
Setup
So after installing that, I added the port forwarding rule to use port 2222 as our fake SSH service.
We know that real SSH runs on port 22. Cowrie simulates SSH on port 2222 to avoid conflict and for safety. Port 2222 is a non-standard port, so it’s easier to isolate Cowrie from my system and know that all activity on it is fake and monitored.
Now we run the following commands to start up the honeypot!
vboxuser@Ubuntu22:~$ cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
(cowrie-env) vboxuser@Ubuntu22:~/cowrie$ bin/cowrie start
(cowrie-env) vboxuser@Ubuntu22:~/cowrie$ tail -f var/log/cowrie/cowrie.log
These commands create and activate the virtual environment, start Cowrie, then follow the log for the session.
The console now responds with the following text:
2025-07-27T19:16:49.179245Z [-] Cowrie Version 2.6.1
2025-07-27T19:16:49.180510Z [-] Loaded output engine: jsonlog
2025-07-27T19:16:49.181859Z [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 25.5.0 (/home/vboxuser/cowrie/cowrie-env/bin/python3 3.10.12) starting up.
2025-07-27T19:16:49.182055Z [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2025-07-27T19:16:49.190921Z [-] CowrieSSHFactory starting on 2222
2025-07-27T19:16:49.191780Z [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory
2025-07-27T19:16:49.248828Z [-] Ready to accept SSH connections
2025-07-27T19:16:49.249598Z [-] HoneyPotTelnetFactory starting on 2223
2025-07-27T19:16:49.249712Z [cowrie.telnet.factory.HoneyPotTelnetFactory#info] Starting factory
2025-07-27T19:16:49.249928Z [-] Ready to accept Telnet connections
2025-07-27T19:17:54.132369Z [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha1
2025-07-27T19:17:54.132594Z [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha256
Some things to point out here.
- It’s initializing port 2222 for CowrieSSHFactory, which is Cowrie’s SSH “factory”, a Twisted construct.
- By default it also starts port 2223 for HoneyPotTelnetFactory; however, we will not be using Telnet in this project.
- I also spot and recognize DHE, SHA-1 and SHA-256 from my Security+ studies! However, this isn’t DHE; it’s DH-GEX, or Diffie-Hellman Group Exchange, a rarer variant that is computationally slower than DHE but offers flexibility: the client and server negotiate the size of the prime modulus during the handshake, and the exchange is hashed with SHA-1 or SHA-256 respectively, which explains the sha1 and sha256 suffixes.
- The system logged these lines because DH-GEX needs a separate moduli file, and Cowrie doesn’t generate one by default, both to save CPU resources and because DH-GEX isn’t essential.
- Cowrie meanwhile falls back on other key exchange algorithms like
The Attack!
I connected to the honeypot from my separate laptop in Command Prompt using the following command (IP address is redacted here):
ssh [email protected] -p 2222
And the console logs this connection:
2025-07-27T19:17:54.133346Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: Attacker.IP.Address.16:62888 (IP.Address.X.15:2222) [session: 967839760d37]
Cowrie starts logging information relating to the attacker.
2025-07-27T19:17:54.134730Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Remote SSH version: SSH-2.0-OpenSSH_for_Windows_9.5
2025-07-27T19:17:54.141838Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] SSH client hassh fingerprint: 701158e75b508e76f0410d5d22ef9df0
2025-07-27T19:17:54.143189Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2025-07-27T19:17:54.143311Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] outgoing: b'aes128-ctr' b'hmac-sha2-256' b'none'
2025-07-27T19:17:54.143390Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] incoming: b'aes128-ctr' b'hmac-sha2-256' b'none'
2025-07-27T19:18:02.301214Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] NEW KEYS
2025-07-27T19:18:02.309234Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-userauth'
The attacker simply hits Enter at the password prompt, as no credentials were set for the honeypot.
2025-07-27T19:18:02.316056Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'none'
2025-07-27T19:18:07.096599Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'password'
2025-07-27T19:18:07.097350Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Could not read etc/userdb.txt, default database activated
2025-07-27T19:18:07.098156Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] login attempt [b'root'/b''] succeeded
2025-07-27T19:18:07.099485Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Initialized emulated server as architecture: linux-x64-lsb
2025-07-27T19:18:07.102175Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' authenticated with b'password'
2025-07-27T19:18:07.102685Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-connection'
2025-07-27T19:18:07.127012Z [cowrie.ssh.connection.CowrieSSHConnection#debug] got channel b'session' request
2025-07-27T19:18:07.127330Z [cowrie.ssh.session.HoneyPotSSHSession#info] channel open
2025-07-27T19:18:07.127450Z [cowrie.ssh.connection.CowrieSSHConnection#debug] got global b'[email protected]' request
2025-07-27T19:18:07.162796Z [twisted.conch.ssh.session#info] Handling pty request: b'xterm-256color' (41, 156, 640, 480)
2025-07-27T19:18:07.163030Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,0,Attacker.IP.Address.16] Terminal Size: 156 41
2025-07-27T19:18:07.163808Z [twisted.conch.ssh.session#info] Getting shell
Now that the attacker is in the system, they start the reconnaissance process by entering some simple commands to find basic information about it. Something to note here is that the host console shows only the commands the attacker typed, not the output the attacker received.
2025-07-27T19:19:03.059328Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: whoami
2025-07-27T19:19:03.060699Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: whoami
2025-07-27T19:19:15.712522Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: pwd
2025-07-27T19:19:15.713222Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: pwd
2025-07-27T19:21:35.290918Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: uname -a
2025-07-27T19:21:35.292336Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: uname
2025-07-27T19:22:20.795477Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ls /home
2025-07-27T19:22:20.796923Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: ls /home
Now that the attacker has some basic information about the system, they want to find the system’s attributes and role privileges. This process is known as “system enumeration”.
2025-07-27T19:19:33.886538Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: uptime
2025-07-27T19:19:33.887877Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: uptime
2025-07-27T19:19:52.823528Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ifconfig
2025-07-27T19:19:52.824133Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: ifconfig
-a
2025-07-27T19:22:59.215443Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ps aux
2025-07-27T19:22:59.216889Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: ps aux
2025-07-27T19:24:24.003145Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] CMD: uptime
2025-07-27T19:24:24.004028Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] Command found: uptime
Next, the attacker seeks to cause harm and gain “persistence”, the ability to stay in the system.
2025-07-27T19:27:53.114736Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] CMD: echo "Evil" >> ~/.bashrc
2025-07-27T19:27:53.115358Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] Command found: echo Evil >> ~/.bashrc
A command such as this would print “Evil” every time the victim user opens a new terminal session. Attackers use this persistence method to inject a malicious command or script that runs every time the victim logs in or opens a shell; the injected script could also open a backdoor and pull a payload from the attacker’s code repositories and toolsets.
The attacker continues with a loop command:
2025-07-27T19:31:48.145873Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] CMD: while true; do echo "HElLO Friend"; sleep 2; done
2025-07-27T19:31:48.146736Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Can't find command while
2025-07-27T19:31:48.146831Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Command not found: while true
2025-07-27T19:31:48.147303Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Command found: do echo HElLO Friend
2025-07-27T19:31:48.147594Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:31:53.335318Z [-] Command found: done
The attacker finds out the system can’t run this loop command, so they try another:
2025-07-27T19:35:16.544776Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:35.947413Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:35.948145Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:35.948510Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
At this point, the attacker just wants to spam and overload the system with echo commands. They succeed in making the system respond with “QUEUED INPUT” entries.
2025-07-27T19:36:47.627228Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:47.628119Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:47.628705Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:49.631226Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:49.631654Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:51.102557Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:51.103213Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:51.103601Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:52.454678Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:53.486544Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:53.824254Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:53.824906Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:53.825259Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:54.823337Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:55.960746Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:56.149656Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:56.150314Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:56.150756Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:56.471853Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:56.659263Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:57.043571Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:57.206579Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:57.392811Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS"; sleep 2;
2025-07-27T19:36:57.584734Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:57.744393Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:57.930388Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:58.123185Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:58.155356Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.156038Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.156528Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.156915Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.157231Z [-] Command found: echo HELLO FRIENDS; sleep 2;
2025-07-27T19:36:58.325042Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD:
2025-07-27T19:36:58.507540Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:58.508237Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:58.508603Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:58.701320Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:58.867143Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:59.011238Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
The attacker then logs off, and I conclude the simulation.
Analysis
Now for the SOC analysts to jump in and examine the fallout!
I will analyze our attacker’s techniques using the MITRE ATT&CK framework.
System Information Discovery
Attacker.IP.Address.16
| timestamp | IP | Command | Category | mitre_technique | mitre_id |
| --- | --- | --- | --- | --- | --- |
| 2025-07-27 19:19:03 | Attacker.IP.Address.16 | whoami | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:19:16 | Attacker.IP.Address.16 | pwd | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:19:34 | Attacker.IP.Address.16 | uptime | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:19:53 | Attacker.IP.Address.16 | ifconfig | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:21:35 | Attacker.IP.Address.16 | uname -a | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:22:21 | Attacker.IP.Address.16 | ls /home | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:22:59 | Attacker.IP.Address.16 | ps aux | Discovery | System Network Configuration Discovery | T1016 |
| 2025-07-27 19:24:07 | Attacker.IP.Address.16 | ip a | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:24:24 | Attacker.IP.Address.16 | uptime | Enumeration | System Information Discovery | T1082 |
| 2025-07-27 19:27:53 | Attacker.IP.Address.16 | echo “Evil” >> ~/.bashrc | Persistence, Execution | Account Manipulation | T1098 |
| 2025-07-27 19:31:48 | Attacker.IP.Address.16 | while true; do echo “HElLO Friend”; sleep 2; done | Uncategorized | Uncategorized | None |
| 2025-07-27 19:35:17 | Attacker.IP.Address.16 | echo “HELLO FRIENDS”; sleep 2; | Uncategorized | Uncategorized | None |
This is a bar graph showing how often each MITRE ATT&CK technique appeared in the honeypot session.
This timeline graph visualizes the sequence and pacing of attacker commands captured by the Cowrie honeypot. Each dot represents a command issued, plotted in the order it was received.
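The Python-and-regex log parsing, the MITRE mapping behind the table above, the per-technique counts that feed the bar graph and the command timing behind the timeline, as an added example that is not the author’s own script. It embeds the CMD lines reproduced on this page as a constructed sample of cowrie.log. The technique mapping is this example’s own assumption: it follows the page’s table for the T1082 and T1098 rows, but files ps under T1057 Process Discovery and ifconfig/ip under T1016 System Network Configuration Discovery, which is where ATT&CK itself places them, and uses T1070.003 for clearing the shell history (the page’s T1146 is the retired ID that was folded into it). It also skips the empty CMD lines Cowrie writes when a blank line is submitted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the CMD lines from the session shown on this page, one
# "Command found" line (which the parser must ignore) and one empty CMD line.
SAMPLE_LOG = """\
2025-07-27T19:19:03.059328Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: whoami
2025-07-27T19:19:03.060699Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: whoami
2025-07-27T19:19:15.712522Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: pwd
2025-07-27T19:19:33.886538Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: uptime
2025-07-27T19:19:52.823528Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ifconfig
2025-07-27T19:21:35.290918Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: uname -a
2025-07-27T19:22:20.795477Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ls /home
2025-07-27T19:22:59.215443Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ps aux
2025-07-27T19:24:24.003145Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] CMD: uptime
2025-07-27T19:27:53.114736Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] CMD: echo "Evil" >> ~/.bashrc
2025-07-27T19:31:48.145873Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] CMD: while true; do echo "HElLO Friend"; sleep 2; done
2025-07-27T19:36:58.325042Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD:
"""

# One cowrie.log "CMD:" line: ISO timestamp, transport name, session number, peer IP, command.
CMD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) "
    r"\[HoneyPotSSHTransport,(?P<session>\d+),(?P<ip>[^\]]+)\] "
    r"CMD:\s*(?P<cmd>.*)$"
)

# Technique mapping (an assumption of this example, see the lead-in): keyed on the
# command verb; pattern rules run first because "echo" or "history" alone says nothing.
UNCATEGORIZED = ("Uncategorized", "Uncategorized", None)
COMMAND_RULES = {
    "whoami": ("Discovery", "System Information Discovery", "T1082"),
    "pwd": ("Discovery", "System Information Discovery", "T1082"),
    "uptime": ("Discovery", "System Information Discovery", "T1082"),
    "uname": ("Discovery", "System Information Discovery", "T1082"),
    "ls": ("Discovery", "System Information Discovery", "T1082"),
    "ifconfig": ("Discovery", "System Network Configuration Discovery", "T1016"),
    "ip": ("Discovery", "System Network Configuration Discovery", "T1016"),
    "ps": ("Discovery", "Process Discovery", "T1057"),
}
PATTERN_RULES = [
    (re.compile(r">>?\s*\S*\.bashrc\b"), ("Persistence", "Account Manipulation", "T1098")),
    (re.compile(r"^\s*history\s+-c\b"), ("Defense Evasion", "Clear Command History", "T1070.003")),
]


def classify(cmd):
    """Return (category, technique, mitre_id) for one attacker command."""
    for pattern, mapping in PATTERN_RULES:
        if pattern.search(cmd):
            return mapping
    words = cmd.split()
    return COMMAND_RULES.get(words[0], UNCATEGORIZED) if words else UNCATEGORIZED


def parse_log(text):
    """Extract every non-empty attacker command from cowrie.log text, in log order."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m or not m["cmd"].strip():
            continue  # not a CMD line, or the attacker submitted an empty line
        category, technique, mitre_id = classify(m["cmd"])
        events.append({
            "timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "session": int(m["session"]),
            "ip": m["ip"],
            "command": m["cmd"].strip(),
            "category": category,
            "technique": technique,
            "mitre_id": mitre_id,
        })
    return events


def technique_counts(events):
    """Frequency of each technique: the data behind a technique bar graph."""
    return Counter(e["technique"] for e in events)


def pauses(events, threshold_seconds=120):
    """Gaps between consecutive commands at or above the threshold (the 'activity pause' view)."""
    found = []
    for prev, nxt in zip(events, events[1:]):
        gap = (nxt["timestamp"] - prev["timestamp"]).total_seconds()
        if gap >= threshold_seconds:
            found.append((prev["command"], nxt["command"], int(gap)))
    return found


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:  # timeline: one row per command in the order received
        print(e["timestamp"].strftime("%H:%M:%S"), e["session"], e["mitre_id"], e["command"])
    print(technique_counts(evts))
    print(pauses(evts))
```

To run it over a live deployment, read var/log/cowrie/cowrie.log into `parse_log` instead of the sample. Since the jsonlog output engine is loaded at startup, the same commands are also in var/log/cowrie/cowrie.json as `cowrie.command.input` events with an `input` field, which is the more robust source once the log format changes, because it needs no regex on the human-readable line layout.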
Once the Cowrie honeypot was deployed and made accessible, an attacker initiated an SSH session. Based on the timeline of command execution, we can infer the following phases of activity:
1. Initial Enumeration (T1082: System Information Discovery)
Shortly after connecting, the attacker executed a series of enumeration commands such as:
whoami
uname -a
pwd
ls
These are typical of a reconnaissance phase, used to understand the target system’s OS, user privileges, and directory structure.
Timing Insight: These commands were executed in rapid succession — within seconds of each other — indicating automated reconnaissance or a seasoned attacker using a known checklist.
2. Attempted Persistence (T1098: Account Manipulation)
The attacker attempted to gain persistence by appending a reverse shell command into .bashrc using:
echo "evil command" >> ~/.bashrc
This technique ensures that every time the shell is invoked, the attacker’s payload will attempt to execute.
Activity Pause Insight:
After this, there’s a noticeable gap in command activity — likely indicating the attacker disconnected to test whether persistence was effective or to connect from a separate listener.
3. Further Discovery and Manual Probing
After a short break, a few additional commands like:
cat /etc/passwd
ifconfig or ip a
…were used to gather more system-level information. This suggests either a second stage of probing or re-entry from a new session.
4. Evasion and Cleanup (T1146: Clear Command History)
The attacker then tried to cover their tracks using:
history -c
This is a red flag commonly associated with defense evasion and indicates an understanding of forensic artifacts.
Behavioral Insight:
This step was not immediate but occurred near the end, showing the attacker was likely wrapping up their session.
Final Summary
The entire session unfolded in a matter of minutes, but showed clear signs of:
- Reconnaissance
- Persistence setup
- Pause for testing
- Reconnection
- Evasion
This mimics a typical APT-style intrusion, albeit in a sandbox environment. The use of MITRE ATT&CK mapping strengthens the analysis and provides a framework for categorizing future intrusions.
Conclusion
This project demonstrates the power of using honeypots like Cowrie to:
- Log real attack behavior
- Map tactics to the MITRE ATT&CK framework
- Visualize attacker workflow with timelines and frequency charts
For anyone pursuing cybersecurity or threat hunting, building and analyzing a honeypot is an excellent portfolio piece that showcases:
- Adversary simulation
- Log parsing
- Tactical mapping
- Visual reporting
Lessons Learned
This honeypot project was a deep dive into attacker behavior, and it gave me hands-on experience in multiple areas of cybersecurity and system analysis. Here’s what I gained from this simulation and analysis:
- Port Forwarding for Security Research: I learned how to configure port forwarding on a virtual machine to safely simulate a public-facing service. This step was crucial in isolating the honeypot environment from the host system while still allowing external connections for testing.
- Deploying and Operating a Honeypot: I successfully set up Cowrie as an SSH honeypot and configured it to listen on a non-standard port (2222) to avoid interfering with real services. This involved understanding Cowrie’s dependencies, architecture, and how it interacts with Twisted—the Python-based event-driven network engine that handles all incoming connections and asynchronous events.
- Simulating and Capturing Attacker Activity: I carried out a realistic attacker simulation from another system and observed how Cowrie logs each interaction in detail. This gave me a front-row seat to how a system can be probed, enumerated, and manipulated.
- Log Parsing and Behavioral Mapping: Using Python and regex, I parsed Cowrie’s logs to extract attacker commands, timestamps, and IPs. From there, I manually mapped behaviors to the MITRE ATT&CK framework. This reinforced my understanding of attacker tactics like T1082 (System Information Discovery) and T1098 (Account Manipulation) and how they show up in real activity.
- Data Visualization for Threat Analysis: I created both a bar graph of technique frequency and a timeline of commands to visualize the attack sequence. These helped identify the pacing and structure of the intrusion, giving insight into attacker behavior patterns like enumeration bursts followed by persistence attempts and evasion.
- Thinking Like an Adversary (and Analyst): Walking through the event logs from both perspectives—offense and defense—gave me a stronger understanding of both sides of cybersecurity. From the attacker’s logic to the SOC analyst’s classification and response, I gained a holistic view of how intrusions unfold and how defenders track them.
- Using Honeypots as a Learning Tool: Most importantly, I realized how powerful honeypots are for learning and for security research. They safely capture real-world TTPs (Tactics, Techniques, and Procedures), making them ideal for building incident response experience, validating detections, and improving blue team analysis skills.