Project Overview

In this project I deployed a Cowrie SSH/Telnet honeypot on an Ubuntu virtual machine to collect and analyze real-world attack behavior. To simulate an exposed environment, I configured the virtual machine to forward port 2222 to the host system. I then used another system to SSH into the honeypot to simulate an attacker session. All the commands were logged by Cowrie for post-event analysis.

Tools and Environment

Virtual Machine - Ubuntu 22.04 LTS
SSH Honeypot - Cowrie
Log parser - Python & Regex
Mapping behavior framework - MITRE ATT&CK Framework

Python dependencies

These commands were run to prepare the environment. As a refresher, let's go through them.

sudo apt update && sudo apt upgrade -y
sudo apt install -y git python3-venv python3-dev libssl-dev libffi-dev build-essential libevent-dev libpython3-dev

The first command refreshes the list of available Ubuntu package versions (apt update) and then upgrades the installed packages (apt upgrade), which is also how pending security patches and newer library versions get applied. sudo ("superuser do") runs a single command with root privileges; it is required for installing software, and the package manager we hand it is apt, the "Advanced Package Tool". The -y flag auto-confirms the prompts that would otherwise follow. The second command installs the build dependencies for the project. Here is a chart that lists the purpose of each package.
Package          Purpose
git              Version control system, used to clone the Cowrie repository
python3-venv     Enables creating isolated Python environments (virtualenv)
python3-dev      Headers and tools needed to build Python modules
libssl-dev       Required for SSL/TLS cryptographic operations (used in SSH handling)
libffi-dev       Helps interface with C code; used by many Python libraries such as cryptography
build-essential  Meta-package that includes the compilers and tools needed for building software
libevent-dev     Supports asynchronous I/O; useful for Twisted (the networking engine Cowrie uses)
libpython3-dev   Additional development headers and libraries for Python modules

OK! Honeypot time!

First, what is Cowrie? According to its official GitHub:

Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.

Cowrie is maintained by Michel Oosterhof.

Cowrie works on Twisted. Twisted is an open-source, event-driven networking engine written in Python. It is the network engine that powers Cowrie's ability to interact with attackers in real time.
Twisted specifically handles:

- Incoming connections to the honeypot. Cowrie is started through "twistd", the Twisted daemon, which launches an event loop (the reactor) that listens for connections on ports like 2222.
- Async communication with attackers (so Cowrie doesn't block while waiting on one of them).
- Simulated shells that appear real to the attacker.
- Logging all interactions in the background.

OK! Setup

After installing those packages, I added the port forwarding rule so that port 2222 is used as our fake SSH. Real SSH runs on port 22. Cowrie listens on 2222 instead so it does not conflict with the VM's own sshd (and does not need root to bind a privileged port). Because 2222 is a non-standard port, it is also easy to isolate Cowrie from my system and know that all activity on it is fake and monitored.

Now we run the following commands to start up the honeypot!

vboxuser@Ubuntu22:~$ cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
(cowrie-env) vboxuser@Ubuntu22:~/cowrie$ bin/cowrie start
(cowrie-env) vboxuser@Ubuntu22:~/cowrie$ tail -f var/log/cowrie/cowrie.log

These commands create and activate the Python virtual environment, start Cowrie, and then follow the text log with tail -f so every event is displayed as it is written (this does not switch logging on; Cowrie always writes the log). One caveat from the Cowrie README: before the first start, Cowrie's own Python requirements have to be installed into the activated venv (pip install --upgrade pip, then pip install -r requirements.txt from the cowrie directory), or bin/cowrie start will fail to import Twisted.
The console now responds with the following text:

2025-07-27T19:16:49.179245Z [-] Cowrie Version 2.6.1
2025-07-27T19:16:49.180510Z [-] Loaded output engine: jsonlog
2025-07-27T19:16:49.181859Z [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 25.5.0 (/home/vboxuser/cowrie/cowrie-env/bin/python3 3.10.12) starting up.
2025-07-27T19:16:49.182055Z [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2025-07-27T19:16:49.190921Z [-] CowrieSSHFactory starting on 2222
2025-07-27T19:16:49.191780Z [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7ec06c21e4a0>
2025-07-27T19:16:49.248828Z [-] Ready to accept SSH connections
2025-07-27T19:16:49.249598Z [-] HoneyPotTelnetFactory starting on 2223
2025-07-27T19:16:49.249712Z [cowrie.telnet.factory.HoneyPotTelnetFactory#info] Starting factory <cowrie.telnet.factory.HoneyPotTelnetFactory object at 0x7ec06c21e590>
2025-07-27T19:16:49.249928Z [-] Ready to accept Telnet connections
2025-07-27T19:17:54.132369Z [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha1
2025-07-27T19:17:54.132594Z [cowrie.ssh.factory.CowrieSSHFactory] No moduli, no diffie-hellman-group-exchange-sha256

Some things to point out here. Cowrie is initializing port 2222 for CowrieSSHFactory, its Twisted "factory" (the object that builds a protocol instance for every new connection). By default it also starts HoneyPotTelnetFactory on port 2223; we will not be using Telnet in this project. Note also the "Loaded output engine: jsonlog" line: besides the text log we are tailing, every event is written as a JSON record to var/log/cowrie/cowrie.json, which is the better input for a parser.

I also spot and recognize DHE, SHA-1 and SHA-256 from my Security+ studies! However, this isn't DHE, it's DH-GEX, Diffie-Hellman Group Exchange (RFC 4419): a variant in which the client and server negotiate the size of the prime modulus during the handshake instead of using a fixed, well-known group. It costs an extra round trip but gives the peers flexibility in group size. The sha1 and sha256 suffixes name the hash used in that exchange, not separate key-exchange algorithms. DH-GEX needs a list of safe primes to choose from (a moduli file in the same format as OpenSSH's /etc/ssh/moduli). Cowrie only offers these two methods when it can load such a file; it found none, so it logged these lines and dropped them from its offer. This is harmless in practice: the client simply negotiates one of the remaining key-exchange methods, which is exactly what happens below, where the session settles on curve25519-sha256.

The Attack!

I connected to the honeypot from my separate laptop, in a command prompt, using the following command (IP address is redacted here):

ssh root@Host.IP.Address.61 -p 2222

And the console logs this connection:

2025-07-27T19:17:54.133346Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: Attacker.IP.Address.16:62888 (IP.Address.X.15:2222) [session: 967839760d37]

Cowrie starts logging information relating to the attacker.
2025-07-27T19:17:54.134730Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Remote SSH version: SSH-2.0-OpenSSH_for_Windows_9.5
2025-07-27T19:17:54.141838Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] SSH client hassh fingerprint: 701158e75b508e76f0410d5d22ef9df0
2025-07-27T19:17:54.143189Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] kex alg=b'curve25519-sha256' key alg=b'ssh-ed25519'
2025-07-27T19:17:54.143311Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] outgoing: b'aes128-ctr' b'hmac-sha2-256' b'none'
2025-07-27T19:17:54.143390Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] incoming: b'aes128-ctr' b'hmac-sha2-256' b'none'
2025-07-27T19:18:02.301214Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] NEW KEYS

Before any authentication happens, Cowrie has already captured the client's version banner (OpenSSH for Windows 9.5) and its HASSH fingerprint, an MD5 over the algorithm lists the client offered in its KEXINIT. Neither depends on credentials, so both are useful keys for clustering real attackers by the tooling they use. The negotiated parameters are curve25519-sha256 for key exchange, an ssh-ed25519 host key, AES-128-CTR encryption and HMAC-SHA2-256 integrity in both directions, which is why the missing DH-GEX moduli noted above did not matter.

The attacker simply hits Enter at the password prompt. No etc/userdb.txt had been created for the honeypot, so Cowrie fell back to its built-in default user database, which (as the next lines show) accepted root with an empty password.

2025-07-27T19:18:02.309234Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-userauth'
2025-07-27T19:18:02.316056Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'none'
2025-07-27T19:18:07.096599Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' trying auth b'password'
2025-07-27T19:18:07.097350Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Could not read etc/userdb.txt, default database activated
2025-07-27T19:18:07.098156Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] login attempt [b'root'/b''] succeeded
2025-07-27T19:18:07.099485Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Initialized emulated server as architecture: linux-x64-lsb
2025-07-27T19:18:07.102175Z [cowrie.ssh.userauth.HoneyPotSSHUserAuthServer#debug] b'root' authenticated with b'password'
2025-07-27T19:18:07.102685Z [cowrie.ssh.transport.HoneyPotSSHTransport#debug] starting service b'ssh-connection'
2025-07-27T19:18:07.127012Z [cowrie.ssh.connection.CowrieSSHConnection#debug] got channel b'session' request
2025-07-27T19:18:07.127330Z [cowrie.ssh.session.HoneyPotSSHSession#info] channel open
2025-07-27T19:18:07.127450Z [cowrie.ssh.connection.CowrieSSHConnection#debug] got global b'no-more-sessions@openssh.com' request
2025-07-27T19:18:07.162796Z [twisted.conch.ssh.session#info] Handling pty request: b'xterm-256color' (41, 156, 640, 480)
2025-07-27T19:18:07.163030Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,0,Attacker.IP.Address.16] Terminal Size: 156 41
2025-07-27T19:18:07.163808Z [twisted.conch.ssh.session#info] Getting shell

Now, with the attacker in the system, they start the reconnaissance process by entering some simple commands to find basic information about the system. Something to note here: the host console shows the command lines, not the information the attacker got back. cowrie.log records what was typed; the emulated shell's output is captured separately in the session's TTY log under var/lib/cowrie/tty/, which can be replayed with bin/playlog, and the same events are available as structured records in cowrie.json.
2025-07-27T19:19:03.059328Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: whoami
2025-07-27T19:19:03.060699Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: whoami
2025-07-27T19:19:15.712522Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: pwd
2025-07-27T19:19:15.713222Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: pwd
2025-07-27T19:21:35.290918Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: uname -a
2025-07-27T19:21:35.292336Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: uname
2025-07-27T19:22:20.795477Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ls /home
2025-07-27T19:22:20.796923Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: ls /home

Each command appears twice: "CMD:" is the raw line the attacker typed, and "Command found:" means Cowrie has an emulated implementation of it, so the attacker is seeing Cowrie's fake filesystem and fake uname output, not the host's. Now that the attacker has some basic information about the system, they want to find the system's attributes and role privileges. This process is known as "system enumeration".
2025-07-27T19:19:33.886538Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: uptime
2025-07-27T19:19:33.887877Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: uptime
2025-07-27T19:19:52.823528Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ifconfig
2025-07-27T19:19:52.824133Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: ifconfig -a
2025-07-27T19:22:59.215443Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] CMD: ps aux
2025-07-27T19:22:59.216889Z [HoneyPotSSHTransport,0,Attacker.IP.Address.16] Command found: ps aux
2025-07-27T19:24:24.003145Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] CMD: uptime
2025-07-27T19:24:24.004028Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] Command found: uptime

Notice the transport index in the prefix changing from 0 to 1 at 19:24:24: that is a second SSH login from the same address. Cowrie numbers each transport, which is what lets the two sessions be told apart in the log. Next, the attacker seeks to cause harm and gain "persistence", the ability to stay in the system.
2025-07-27T19:27:53.114736Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] CMD: echo "Evil" >> ~/.bashrc
2025-07-27T19:27:53.115358Z [HoneyPotSSHTransport,1,Attacker.IP.Address.16] Command found: echo Evil >> ~/.bashrc

This appends the line Evil to the user's ~/.bashrc, which bash sources every time the victim opens a new interactive shell. From then on bash tries to run Evil as a command at every shell start (with this placeholder it just fails with "command not found"; the word is not printed). Attackers use exactly this mechanism to inject a malicious command or script that runs every time the victim logs in or opens a shell, for example a one-liner that fetches a payload from the attacker's infrastructure and re-opens a backdoor. MITRE ATT&CK tracks this as Event Triggered Execution: Unix Shell Configuration Modification (T1546.004), and on a real host the detection is a file-integrity or audit watch on shell startup files. Note that Cowrie logs the command as typed ("CMD:") and again as it parsed it ("Command found:"), with the quotes stripped.

The attacker continues with a loop command:

2025-07-27T19:31:48.145873Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] CMD: while true; do echo "HElLO Friend"; sleep 2; done
2025-07-27T19:31:48.146736Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Can't find command while
2025-07-27T19:31:48.146831Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Command not found: while true
2025-07-27T19:31:48.147303Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Command found: do echo HElLO Friend
2025-07-27T19:31:48.147594Z [HoneyPotSSHTransport,2,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:31:53.335318Z [-] Command found: done

Cowrie's emulated shell does not implement bash control structures such as while/do/done. It splits the line on the semicolons and tries each piece as a separate command, which is why "while true" is reported as not found while the echo and sleep pieces are. Quirks like this are one of the ways attackers and their tooling fingerprint a medium-interaction honeypot, so they matter to the defender running one. The attacker finds out the system can't run this loop, so they try another:

2025-07-27T19:35:16.544776Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:35.947413Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:35.948145Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:35.948510Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2

At this point the attacker is just spamming the prompt with echo commands. The "QUEUED INPUT" lines that follow are Cowrie reporting that a new line arrived while the previous command (sleep 2) was still running: it queues the input and executes it once the running command finishes, which is why batches of "Command found:" lines appear together after each sleep. The honeypot is not being overloaded; it is serialising the input the way a real terminal would.
2025-07-27T19:36:47.627228Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:47.628119Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:47.628705Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:49.631226Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:49.631654Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:51.102557Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:51.103213Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:51.103601Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:52.454678Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:53.486544Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:53.824254Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:53.824906Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:53.825259Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:54.823337Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:55.960746Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:56.149656Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:56.150314Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:56.150756Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:56.471853Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:56.659263Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:57.043571Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:57.206579Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:57.392811Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS"; sleep 2;
2025-07-27T19:36:57.584734Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:57.744393Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:57.930388Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:58.123185Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:
2025-07-27T19:36:58.155356Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.156038Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.156528Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.156915Z [-] Command found: echo HELLO FRIENDS && sleep 2;
2025-07-27T19:36:58.157231Z [-] Command found: echo HELLO FRIENDS; sleep 2;
2025-07-27T19:36:58.325042Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD:
2025-07-27T19:36:58.507540Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:58.508237Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: echo HELLO FRIENDS
2025-07-27T19:36:58.508603Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] Command found: sleep 2
2025-07-27T19:36:58.701320Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:58.867143Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT: echo "HELLO FRIENDS" && sleep 2;
2025-07-27T19:36:59.011238Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] QUEUED INPUT:

The attacker then logs off, and I conclude the simulation.

Analysis

Now for the SOC analysts to jump in and examine the fallout! I mapped the attacker's commands to the MITRE ATT&CK framework with my Python/regex parser. The table below lists every command from Attacker.IP.Address.16 in order (the ip a at 19:24:07 was parsed from the full log; it is not in the excerpts above). Discovery commands are given their specific ATT&CK technique rather than the catch-all System Information Discovery: user identity, filesystem, network configuration and process listing each have their own ID, and the ~/.bashrc write is persistence via Event Triggered Execution.

timestamp            IP                      Command                                             Category       mitre_technique                                                   mitre_id
2025-07-27 19:19:03  Attacker.IP.Address.16  whoami                                              Discovery      System Owner/User Discovery                                       T1033
2025-07-27 19:19:16  Attacker.IP.Address.16  pwd                                                 Discovery      File and Directory Discovery                                      T1083
2025-07-27 19:19:34  Attacker.IP.Address.16  uptime                                              Discovery      System Information Discovery                                      T1082
2025-07-27 19:19:53  Attacker.IP.Address.16  ifconfig                                            Discovery      System Network Configuration Discovery                            T1016
2025-07-27 19:21:35  Attacker.IP.Address.16  uname -a                                            Discovery      System Information Discovery                                      T1082
2025-07-27 19:22:21  Attacker.IP.Address.16  ls /home                                            Discovery      File and Directory Discovery                                      T1083
2025-07-27 19:22:59  Attacker.IP.Address.16  ps aux                                              Discovery      Process Discovery                                                 T1057
2025-07-27 19:24:07  Attacker.IP.Address.16  ip a                                                Discovery      System Network Configuration Discovery                            T1016
2025-07-27 19:24:24  Attacker.IP.Address.16  uptime                                              Discovery      System Information Discovery                                      T1082
2025-07-27 19:27:53  Attacker.IP.Address.16  echo "Evil" >> ~/.bashrc                            Persistence    Event Triggered Execution: Unix Shell Configuration Modification  T1546.004
2025-07-27 19:31:48  Attacker.IP.Address.16  while true; do echo "HElLO Friend"; sleep 2; done   Uncategorized  Uncategorized                                                     None
2025-07-27 19:35:17  Attacker.IP.Address.16  echo "HELLO FRIENDS"; sleep 2;                      Uncategorized  Uncategorized                                                     None

The two uncategorized lines are not attack techniques in themselves, but the rejected while loop is worth keeping in the record: an attacker who sees "bash" refuse a loop has good reason to suspect a honeypot.
Attacker.IP.Address.16 echo "Evil" >> ~/.bashrc Persistence, Execution Account Manipulation T1098 2025-07-27 19:31:48Attacker.IP.Address.16while true; do echo "HElLO Friend"; sleep 2; doneUncategorizedUncategorizedNone 2025-07-27 19:31:48 Attacker.IP.Address.16 while true; do echo "HElLO Friend"; sleep 2; done Uncategorized Uncategorized None 2025-07-27 19:35:17Attacker.IP.Address.16echo "HELLO FRIENDS"; sleep 2;UncategorizedUncategorizedNone 2025-07-27 19:35:17 Attacker.IP.Address.16 echo "HELLO FRIENDS"; sleep 2; Uncategorized Uncategorized None This is a bar graph showing how often each MITRE ATT&CK technique appeared in the honeypot session. This timeline graph visualizes the sequence and pacing of attacker commands captured by the cowrie honeypot. Each dot represents a command issued, plotted in the order it was received. Once the Cowrie honeypot was deployed and made accessible, an attacker initiated an SSH session. Based on the timeline of command execution, we can infer the following phases of activity: 1. Initial Enumeration (T1082: System Information Discovery) 1. Initial Enumeration (T1082: System Information Discovery) Shortly after connecting, the attacker executed a series of enumeration commands such as: whoami uname -a pwd ls whoami uname -a pwd ls These are typical of a reconnaissance phase, used to understand the target system’s OS, user privileges, and directory structure. Timing Insight: These commands were executed in rapid succession — within seconds of each other — indicating automated reconnaissance or a seasoned attacker using a known checklist. 2. Attempted Persistence (T1098: Account Manipulation) 2. Attempted Persistence (T1098: Account Manipulation) The attacker attempted to gain persistence by appending a reverse shell command into .bashrc using: echo "evil command" >> ~/.bashrc echo "evil command" >> ~/.bashrc This technique ensures that every time the shell is invoked, the attacker's payload will attempt to execute. 
Activity Pause Insight: After this, there's a noticeable gap in command activity — likely indicating the attacker disconnected to test whether persistence was effective or to connect from a separate listener.

3. Further Discovery and Manual Probing

After a short break, a few additional commands like:

cat /etc/passwd
ifconfig or ip a

...were used to gather more system-level information. This suggests either a second stage of probing or re-entry from a new session.

4. Evasion and Cleanup (T1146: Clear Command History)

The attacker then tried to cover their tracks using:

history -c

This is a red flag commonly associated with defense evasion and indicates an understanding of forensic artifacts.

Behavioral Insight: This step was not immediate but occurred near the end, showing the attacker was likely wrapping up their session.

Final Summary

The entire session unfolded in under a few minutes, but showed clear signs of:

- Reconnaissance
- Persistence setup
- Pause for testing
- Reconnection
- Evasion

This mimics a typical APT-style intrusion, albeit in a sandbox environment. The use of MITRE ATT&CK mapping strengthens the analysis and provides a framework for categorizing future intrusions.
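The parse, map, count and pacing steps behind the table, the frequency graph and the timing insights above, written out as an added example; this is my own code, not the project's parser. The regex, the keyword mapping (which copies the labels from the table above) and the 120-second pause threshold are assumptions, and the log excerpt is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# A Cowrie text-log "CMD:" entry: timestamp, transport/session, attacker IP, command typed.
CMD_RE = re.compile(r"^(?P<ts>\S+Z) \[HoneyPotSSHTransport,\d+,(?P<ip>[^\]]+)\] CMD:\s*(?P<cmd>.*)$")

MAPPING = [  # first match wins; labels follow the analysis table above (e.g. ps aux -> T1016)
    (re.compile(r">>\s*\S*\.bashrc"), ("Persistence, Execution", "Account Manipulation", "T1098")),
    (re.compile(r"^history\s+-c"), ("Defense Evasion", "Clear Command History", "T1146")),
    (re.compile(r"^ps\s+aux"), ("Discovery", "System Network Configuration Discovery", "T1016")),
    (re.compile(r"^(whoami|pwd|uptime|ifconfig|uname|ls|ip\s+a)\b"),
     ("Enumeration", "System Information Discovery", "T1082")),
]

def classify(cmd):
    """Return (category, technique, mitre_id) for one shell command."""
    for pattern, label in MAPPING:
        if pattern.search(cmd):
            return label
    return ("Uncategorized", "Uncategorized", "None")

def parse_cowrie_log(text):
    """One event per CMD: line; empty commands (a bare Enter) are skipped."""
    events = []
    for m in filter(None, map(CMD_RE.match, text.splitlines())):
        cmd = m["cmd"].strip()
        if cmd:
            cat, tech, tid = classify(cmd)
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"), "ip": m["ip"],
                           "cmd": cmd, "category": cat, "technique": tech, "mitre_id": tid})
    return events

def technique_counts(events):
    return Counter(e["mitre_id"] for e in events)  # data behind the frequency bar graph

def activity_gaps(events, threshold=120.0):
    """Pauses longer than `threshold` seconds between consecutive commands (timeline insight)."""
    return [(p["cmd"], c["cmd"], (c["ts"] - p["ts"]).total_seconds())
            for p, c in zip(events, events[1:])
            if (c["ts"] - p["ts"]).total_seconds() > threshold]

# Constructed excerpt in Cowrie's text-log format, not a real capture.
SAMPLE_LOG = """\
2025-07-27T19:19:03.100000Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: whoami
2025-07-27T19:19:16.200000Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: pwd
2025-07-27T19:22:59.400000Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: ps aux
2025-07-27T19:27:53.500000Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "Evil" >> ~/.bashrc
2025-07-27T19:35:17.700000Z [HoneyPotSSHTransport,3,Attacker.IP.Address.16] CMD: echo "HELLO FRIENDS"; sleep 2;
"""
```

Feeding `parse_cowrie_log(SAMPLE_LOG)` to `technique_counts` and `activity_gaps` gives the bar-graph counts and the flagged pauses (the 13-second whoami/pwd burst stays unflagged, the later multi-minute gaps do not).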
Conclusion

This project demonstrates the power of using honeypots like Cowrie to:

- Log real attack behavior
- Map tactics to the MITRE ATT&CK framework
- Visualize attacker workflow with timelines and frequency charts

For anyone pursuing cybersecurity or threat hunting, building and analyzing a honeypot is an excellent portfolio piece that showcases:

- Adversary simulation
- Log parsing
- Tactical mapping
- Visual reporting

Lessons Learned

This honeypot project was a deep dive into attacker behavior, and it gave me hands-on experience in multiple areas of cybersecurity and system analysis. Here's what I gained from this simulation and analysis:

Port Forwarding for Security Research: I learned how to configure port forwarding on a virtual machine to safely simulate a public-facing service. This step was crucial in isolating the honeypot environment from the host system while still allowing external connections for testing.

Deploying and Operating a Honeypot: I successfully set up Cowrie as an SSH honeypot and configured it to listen on a non-standard port (2222) to avoid interfering with real services. This involved understanding Cowrie's dependencies, architecture, and how it interacts with Twisted—the Python-based event-driven network engine that handles all incoming connections and asynchronous events.

Simulating and Capturing Attacker Activity: I carried out a realistic attacker simulation from another system and observed how Cowrie logs each interaction in detail. This gave me a front-row seat to how a system can be probed, enumerated, and manipulated.

Log Parsing and Behavioral Mapping: Using Python and regex, I parsed Cowrie's logs to extract attacker commands, timestamps, and IPs. From there, I manually mapped behaviors to the MITRE ATT&CK framework. This reinforced my understanding of attacker tactics like T1082 (System Information Discovery) and T1098 (Account Manipulation) and how they show up in real activity.

Data Visualization for Threat Analysis: I created both a bar graph of technique frequency and a timeline of commands to visualize the attack sequence. These helped identify the pacing and structure of the intrusion, giving insight into attacker behavior patterns like enumeration bursts followed by persistence attempts and evasion.

Thinking Like an Adversary (and Analyst): Walking through the event logs from both perspectives—offense and defense—gave me a stronger understanding of both sides of cybersecurity. From the attacker's logic to the SOC analyst's classification and response, I gained a holistic view of how intrusions unfold and how defenders track them.

Using Honeypots as a Learning Tool: Most importantly, I realized how powerful honeypots are for learning and for security research. They safely capture real-world TTPs (Tactics, Techniques, and Procedures), making them ideal for building incident response experience, validating detections, and improving blue team analysis skills.