Include a `yara.(bat|exe)` active response script to detect malicious files in Windows endpoints out-of-the-box using YARA.
#16636
Labels

- feed/active response (active response scripts, not the module)
- level/task
- module/active response
- type/enhancement/usability
Description

This issue aims to have a unified `yara.(bat|exe)` script that can be used to detect malicious files on Windows endpoints. Shipping this script out-of-the-box will remove the need for users to do extensive manual configuration or write their own custom scripts.

Sample script

This is a sample of a `yara.(bat|exe)` script that can be improved and included out-of-the-box.

Expected configuration

To use this script, add the following configuration to the Wazuh server `/var/ossec/etc/ossec.conf` file:

Reference: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)

Expected execution flow

The steps for the execution of this active response script `yara.(bat|exe)` will be:
Detection alert samples

Expected outcome: the file `c:\programdata\microsoft\windows\start menu\programs\startup\eicar.com.txt` signature is detected.

Fields of interest: `data.yara_scanned_file`.

Alert generation guide: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)
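The following is an added example of the execution flow and log line this issue describes, written in PowerShell; it is not the sample script attached to the issue and not Wazuh project code. It assumes (none of this is stated on the page) that the agent passes the triggering alert to the script as one JSON document on stdin with the changed file under `parameters.alert.syscheck.path`, that `yara64.exe` and a `yara_rules.yar` file live in the agent's `active-response\bin` directory, that the script is launched through a `yara.bat` wrapper, and that the server-side decoder derives `data.yara_scanned_file` from log lines of the form `wazuh-yara: <LEVEL> - Scan result: <rule> <file>`.

```powershell
# yara.ps1: illustrative Wazuh active response script for Windows agents.
# Added example for this issue, not the issue's own sample script.
# Assumed (not stated on the page): stdin carries the alert as JSON, the file to
# scan is parameters.alert.syscheck.path, yara64.exe and the rules file live under
# active-response\bin, and results are appended to active-responses.log in the
# "wazuh-yara: <LEVEL> - Scan result: <rule> <file>" shape the decoder expects.

$AgentDir  = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent'
$LogFile   = Join-Path $AgentDir 'active-response\active-responses.log'
$YaraExe   = Join-Path $AgentDir 'active-response\bin\yara64.exe'
$YaraRules = Join-Path $AgentDir 'active-response\bin\yara_rules.yar'

function Write-ArLog {
    param([string]$Level, [string]$Message)
    Add-Content -Path $LogFile -Value ("wazuh-yara: {0} - {1}" -f $Level, $Message)
}

# The whole active response message arrives on stdin as a single JSON document.
$raw = [Console]::In.ReadToEnd()
try {
    $msg = $raw | ConvertFrom-Json
} catch {
    Write-ArLog 'ERROR' "Could not parse active response input: $($_.Exception.Message)"
    exit 1
}

$target = $msg.parameters.alert.syscheck.path
if ([string]::IsNullOrWhiteSpace($target)) {
    Write-ArLog 'ERROR' 'Alert carries no syscheck.path, nothing to scan'
    exit 1
}

# FIM can fire for a file that is already gone (a dropper that deletes itself);
# report that instead of letting yara fail on a missing path.
if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    Write-ArLog 'INFO' "File no longer present, skipping scan: $target"
    exit 0
}

# yara prints one "<rule> <file>" line per matching rule and nothing for a clean file.
$scan = & $YaraExe $YaraRules $target 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-ArLog 'ERROR' "yara exited with code $LASTEXITCODE on $target : $scan"
    exit 1
}

if (-not $scan) {
    # Deliberately not a "Scan result:" line, so a decoder keyed on that prefix
    # does not emit a bogus yara_rule / yara_scanned_file pair for clean files.
    Write-ArLog 'INFO' "Clean file, no rule matched: $target"
} else {
    foreach ($line in @($scan)) {
        Write-ArLog 'INFO' "Scan result: $line"
    }
}
exit 0
```

On an agent this would sit next to `yara64.exe` and be started by a `yara.bat` wrapper that runs `powershell -NoProfile -ExecutionPolicy Bypass -File yara.ps1` (assumed wrapper, not part of the issue). Two checks worth keeping in whichever `yara.(bat|exe)` is finally shipped: a malformed or alert-less stdin message should be logged and exit non-zero rather than invoking yara on an empty path, and a clean file should not produce a `Scan result:` line, since a decoder that splits that line into rule and file fields would otherwise generate misleading `data.yara_scanned_file` values.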
General notes