
Include a yara.(bat|exe) active response script to detect malicious files in Windows endpoints out-of-the-box using YARA. #16636

Open
TheMuntu opened this issue Apr 5, 2023 · 0 comments

Comments


TheMuntu commented Apr 5, 2023

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.4.x | Wazuh component | Manager/Agent | Packages/Sources | OS version |

Description

This issue aims to have a unified yara.(bat|exe) script that can be used to detect malicious files on Windows endpoints. This out-of-the-box script will eliminate the need for extensive manual configuration or writing of custom scripts by users.

Sample script

This is a sample of a yara.(bat|exe) script that can be improved and included out-of-the-box.

@echo off
:: Delayed expansion is never used below, and enabling it would strip "!" characters
:: from the alert JSON received on stdin, so a plain setlocal is used.
setlocal

:: The Wazuh agent is a 32-bit program: on 64-bit Windows it is installed under "Program Files (x86)".
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT set "agent_dir=%programfiles%\ossec-agent"
if %OS%==64BIT set "agent_dir=%programfiles(x86)%\ossec-agent"

:: Every path derives from the detected install directory instead of being hard-coded.
:: They are stored without surrounding quotes so PowerShell can read them through $env: below.
set "ar_dir=%agent_dir%\active-response"
set "log_file_path=%ar_dir%\active-responses.log"
set "yara_exe_path=%ar_dir%\bin\yara\yara64.exe"
set "yara_rules_path=%ar_dir%\bin\yara\rules\yara_rules.yar"

:: The manager passes the triggering alert as a single JSON document on stdin.
:: Parse it directly in PowerShell and extract parameters.alert.syscheck.path,
:: without echoing the JSON through cmd or writing it to a temporary file.
set "syscheck_file_path="
for /f "delims=" %%F in ('powershell -Nop -C "(Read-Host | ConvertFrom-Json).parameters.alert.syscheck.path"') do (
    set "syscheck_file_path=%%F"
)

:: Record the scanned path, then log every matching rule as
:: "wazuh-yara: INFO - Scan result: <rule> <path>", the format the Wazuh decoder expects.
:: Paths are handed to PowerShell via the environment rather than interpolated into the
:: command text, so spaces, parentheses or quotes in a file name cannot break the command.
echo %syscheck_file_path% >> "%log_file_path%"
for /f "delims=" %%a in ('powershell -Nop -C "& $env:yara_exe_path $env:yara_rules_path $env:syscheck_file_path"') do (
    echo wazuh-yara: INFO - Scan result: %%a >> "%log_file_path%"
)

exit /b

Expected configuration

To use this script, add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf file:

<command>
   <name>yara</name>
   <executable>yara.(bat|exe)</executable>
   <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
   <disabled>no</disabled>
   <command>yara</command>
   <location>local</location>
   <rules_id><USER_DEFINED_RULES_ID></rules_id>
</active-response>

Reference: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)

Expected execution flow

The steps for the execution of this active response script yara.(bat|exe) will be:

  • File integrity monitoring is configured for directories of interest.
  • The active response parameters are configured on the Wazuh server to execute the yara.(bat|exe) script when specific rules (rules that indicate that a file has been detected as malware) are triggered.
  • A new file is downloaded to the monitored directory on the Windows endpoint.
  • This file is detected as malware.
  • The alert shows on the dashboard.

Detection alert samples


{
  "agent": {
    "ip": "172.20.10.7",
    "name": "windows",
    "id": "004"
  },
  "manager": {
    "name": "wazuh-manager"
  },
  "data": {
    "log_type": "INFO",
    "yara_rule": "SUSP_Just_EICAR_RID2C24",
    "yara_scanned_file": "c:\\programdata\\microsoft\\windows\\start"
  },
  "rule": {
    "firedtimes": 1,
    "mail": true,
    "level": 12,
    "description": "File \"c:\\programdata\\microsoft\\windows\\start\" is a positive match. Yara rule: SUSP_Just_EICAR_RID2C24",
    "groups": [
      "yara"
    ],
    "id": "108001"
  },
  "decoder": {
    "name": "yara_decoder"
  },
  "full_log": "wazuh-yara: INFO - Scan result: SUSP_Just_EICAR_RID2C24 c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\eicar.com.txt ",
  "input": {
    "type": "log"
  },
  "@timestamp": "2022-11-01T14:41:36.492Z",
  "location": "active-response\\active-responses.log",
  "id": "1667313696.37990",
  "timestamp": "2022-11-01T14:41:36.492+0000",
  "_id": "eZWkM4QBB_PjcBLBETmq"
}

Expected outcome: The file c:\programdata\microsoft\windows\start menu\programs\startup\eicar.com.txt is detected by its YARA signature.
Fields of interest: data.yara_scanned_file.
Alert generation guide: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)

General notes

  • The script should be able to generate alerts for when the file does not exist, and other possible error cases.
  • In addition to creating the script, the documentation should be updated to include instructions and examples for using the active response script.
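As an added example (not the issue's script or Wazuh's own decoder), the two parsing steps of the flow above in Python: pulling parameters.alert.syscheck.path out of the active response stdin JSON, as the batch script does with ConvertFrom-Json, and decoding the "wazuh-yara: INFO - Scan result:" line into the alert's data fields. The scan-line parser keeps everything after the rule name as the path, which is the point: the sample alert's yara_scanned_file stops at "...\windows\start" while full_log carries the full "start menu\..." path. The stdin document is constructed.

```python
import json
import re
from typing import Optional

# Shape of the scan line written by the yara.bat script above:
#   wazuh-yara: INFO - Scan result: <rule_identifier> <scanned_path>
# YARA rule identifiers never contain whitespace, so the first token after
# "Scan result:" is the rule and everything else is the path. Splitting on
# every space instead is what leaves the sample alert's yara_scanned_file
# truncated at "...\windows\start".
SCAN_LINE = re.compile(
    r"^wazuh-yara: (?P<level>[A-Z]+) - Scan result: (?P<rule>\S+) (?P<path>.+?)\s*$"
)

def parse_scan_line(line: str) -> Optional[dict]:
    """Return the decoder fields (log_type, yara_rule, yara_scanned_file), or None."""
    m = SCAN_LINE.match(line)
    if m is None:
        return None
    return {
        "log_type": m.group("level"),
        "yara_rule": m.group("rule"),
        "yara_scanned_file": m.group("path"),
    }

def syscheck_path_from_stdin(raw_json: str) -> Optional[str]:
    """The lookup the batch script does with ConvertFrom-Json: parameters.alert.syscheck.path."""
    try:
        return json.loads(raw_json)["parameters"]["alert"]["syscheck"]["path"]
    except (ValueError, KeyError, TypeError):
        return None

# Constructed stdin document; only the key the script reads is filled in.
SAMPLE_STDIN = json.dumps({
    "version": 1,
    "command": "add",
    "parameters": {"alert": {"syscheck": {"path": r"C:\Users\Public\Downloads\eicar.com.txt"}}},
})

# full_log copied from the alert sample on this page (note the trailing space).
SAMPLE_LINE = (
    "wazuh-yara: INFO - Scan result: SUSP_Just_EICAR_RID2C24 "
    r"c:\programdata\microsoft\windows\start menu\programs\startup\eicar.com.txt "
)

if __name__ == "__main__":
    print(syscheck_path_from_stdin(SAMPLE_STDIN))
    print(parse_scan_line(SAMPLE_LINE))
```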