Include a yara.sh active response script to detect malicious files in Linux/Unix endpoints out-of-the-box using YARA #16637

Open
TheMuntu opened this issue Apr 5, 2023 · 0 comments


TheMuntu commented Apr 5, 2023

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.4.X | Wazuh agent (active response) | Manager/Agent | Packages/Sources | Linux/Unix |

Description

This issue aims to have a unified yara.sh script that can be used to detect a malicious file on Linux/Unix endpoints. This out-of-the-box script will remove the need for users to write their own scripts to detect malicious files which may not be very effective for a wide range of events.

Sample script

This is a sample of a yara.sh script that can be improved and included out-of-the-box.

#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.


#------------------------- Gather parameters -------------------------#

# The active response input is one JSON document on stdin. The variable is
# quoted so jq does not receive a word-split, glob-expanded copy of it, and
# "// empty" turns a missing field into an empty string instead of the
# literal text "null", which the mandatory-parameter check below would accept.
read -r INPUT_JSON
YARA_PATH=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[1] // empty')
YARA_RULES=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[3] // empty')
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.syscheck.path // empty')

# Set LOG_FILE path (relative to the Wazuh installation directory)
LOG_FILE="logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
    echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> "${LOG_FILE}"
    exit 1
fi

# The file may already have been removed between the FIM alert and this run;
# stat would fail and leave actual_size empty, breaking the loop below.
if [[ ! -f $FILENAME ]]
then
    echo "wazuh-yara: ERROR - File not found or not a regular file: ${FILENAME}" >> "${LOG_FILE}"
    exit 1
fi

# Wait until the size stops changing, so a file that is still being written
# (for example an in-progress download) is not scanned half-way.
size=0
actual_size=$(stat -c %s "${FILENAME}")
while [ "${size}" -ne "${actual_size}" ]; do
    sleep 1
    size=${actual_size}
    actual_size=$(stat -c %s "${FILENAME}")
done

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
    # Iterate every detected rule and append it to the LOG_FILE
    while read -r line; do
        echo "wazuh-yara: INFO - Scan result: $line" >> "${LOG_FILE}"
    done <<< "$yara_output"
fi

exit 0

Expected configuration

On the Wazuh server, configure the yara.sh active response script to be executed when specific rule IDs, rule groups or rule levels are triggered.

<command>
   <name>yara</name>
   <executable>yara.sh</executable>
   <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
   <disabled>no</disabled>
   <command>yara</command>
   <location>local</location>
   <rules_id><USER_DEFINED_RULES_ID></rules_id>
</active-response>

Reference: Using the YARA integration and FIM

Expected execution flow

The steps for the execution of this active response script yara.sh will be:

  • File integrity monitoring is configured for directories of interest.
  • The active response parameters are configured on the Wazuh server to execute the yara.sh script when specific rules (rules that indicate that a file has been detected as malware) are triggered.
  • A new file is downloaded to the monitored directory on the Linux/Unix endpoint.
  • This file is detected as malware.
  • The alert shows on the dashboard.

Detection alert samples


{
        "timestamp": "2020-06-09T08:15:07.187+0000",
        "rule": {
                "level": 10,
                "description": "YARA HiddenWasp_Deployment detected.",
                "id": "100102",
                "firedtimes": 1,
                "mail": false,
                "groups": ["yara"]
        },
        "agent": {
                "id": "001",
                "name": "yara-agent",
                "ip": "10.0.2.x"
        },
        "manager": {
                "name": "wazuh-manager"
        },
        "id": "1591690507.38027",
        "full_log": "wazuh-yara: info: HiddenWasp_Deployment /home/user/script.sh",
        "decoder": {
                "name": "yara"
        },
        "data": {
                "yara_rule": "HiddenWasp_Deployment",
                "file_path": "/home/user/script.sh"
        },
        "location": "/var/ossec/logs/active-responses.log"
}

Expected outcome: the file /home/user/script.sh is deleted.
Fields of interest: data.file_path.
Alert generation guide: [Using the YARA integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html)

General notes

  • The script should be modified to work also on macOS.
  • The script should be able to generate alerts for possible error cases.
  • In addition to creating the script, the documentation should be updated to include instructions and examples for using the active response script.
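The helper functions below are an added example and are neither the Wazuh project's code nor the issue author's sample script. They show how the two open points in the general notes (macOS support and alerts for error cases) can be handled alongside the size-stabilisation wait: a `file_size` that works with both GNU and BSD `stat`, a bounded wait that logs an error when the file vanishes or never settles, a parser for the active response JSON that rejects missing parameters, and a match logger. Assumptions: bash 4 or later, `jq` and a `yara` binary on the endpoint only for `parse_ar_input` and `scan_file`, yara's default one-match-per-line "rule_name file_path" output, and a log file defaulting to `/tmp/active-responses.log` for stand-alone runs. The alert JSON and yara output at the bottom are constructed sample inputs, not real alerts or scan results.

```bash
#!/bin/bash
# Added example (not Wazuh project code, not the issue's sample script).
# Assumed: bash 4+, GNU or BSD stat; jq and yara only needed by
# parse_ar_input / scan_file; yara prints "rule_name file_path" per match.

LOG_FILE="${LOG_FILE:-/tmp/active-responses.log}"

# Errors use the same "wazuh-yara:" prefix as scan results, so the decoder
# that handles matches can also raise an alert when the script fails.
log_error() {
    echo "wazuh-yara: ERROR - $1" >> "$LOG_FILE"
}

# File size in bytes. GNU/busybox stat takes -c %s; BSD/macOS stat takes -f %z.
file_size() {
    local f="$1"
    [ -f "$f" ] || return 1
    stat -c %s "$f" 2>/dev/null || stat -f %z "$f"
}

# Wait until the size stops changing (download still in progress). Fails, with
# a logged reason, if the file disappears or does not settle within max_wait
# seconds; an unbounded loop would spin forever on a file that keeps growing.
wait_for_stable_size() {
    local f="$1" max_wait="${2:-30}" waited=0 prev=-1 cur
    while :; do
        cur=$(file_size "$f") || { log_error "file no longer exists: $f"; return 1; }
        [ "$cur" = "$prev" ] && return 0
        if [ "$waited" -ge "$max_wait" ]; then
            log_error "file size did not settle after ${max_wait}s: $f"
            return 1
        fi
        prev=$cur
        sleep 1
        waited=$((waited + 1))
    done
}

# Extract the scan parameters from the active-response JSON (passed as $1).
# Prints "yara_path<TAB>rules<TAB>file"; fails and logs if anything is missing.
# "// empty" maps an absent field to "" rather than the string "null".
parse_ar_input() {
    local json="$1" yara_path rules file
    command -v jq >/dev/null 2>&1 || { log_error "jq is required"; return 1; }
    yara_path=$(jq -r '.parameters.extra_args[1] // empty' <<< "$json")
    rules=$(jq -r '.parameters.extra_args[3] // empty' <<< "$json")
    file=$(jq -r '.parameters.alert.syscheck.path // empty' <<< "$json")
    if [ -z "$yara_path" ] || [ -z "$rules" ] || [ -z "$file" ]; then
        log_error "yara path, rules and syscheck path are mandatory"
        return 1
    fi
    printf '%s\t%s\t%s\n' "$yara_path" "$rules" "$file"
}

# Append one log line per yara match ($1 is yara's stdout) and print the count.
log_matches() {
    local output="$1" n=0 rule path
    while read -r rule path; do
        [ -z "$rule" ] && continue
        echo "wazuh-yara: INFO - Scan result: $rule $path" >> "$LOG_FILE"
        n=$((n + 1))
    done <<< "$output"
    echo "$n"
}

# End to end: parse input, wait for the file, run yara, log the matches.
# A non-zero yara exit (bad rules file, unreadable target) is logged as an
# error instead of being silently treated as "no match".
scan_file() {
    local json="$1" fields yara_path rules file out
    fields=$(parse_ar_input "$json") || return 1
    IFS=$'\t' read -r yara_path rules file <<< "$fields"
    wait_for_stable_size "$file" || return 1
    out=$("$yara_path/yara" -w -r "$rules" "$file" 2>>"$LOG_FILE") \
        || { log_error "yara exited with status $? on $file"; return 1; }
    log_matches "$out" >/dev/null
}

# Constructed sample inputs (not a real alert, not real scan results).
SAMPLE_AR_INPUT='{"parameters":{"extra_args":["-yara_path","/usr/local/bin","-yara_rules","/var/ossec/ruleset/yara/rules.yar"],"alert":{"syscheck":{"path":"/home/user/script.sh"}}}}'
SAMPLE_YARA_OUTPUT=$'HiddenWasp_Deployment /home/user/script.sh\nExample_Rule_Two /home/user/script.sh'

# Stand-alone demo: log the constructed matches without needing yara installed.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    n=$(log_matches "$SAMPLE_YARA_OUTPUT")
    echo "logged $n matches to $LOG_FILE"
fi
```

In a real deployment the script would read the JSON with `read -r INPUT_JSON` and call `scan_file "$INPUT_JSON"`, with `LOG_FILE` pointing at the agent's `logs/active-responses.log`; the functions are kept separate so each can be exercised on its own.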
@Spades0 Spades0 changed the title Include a yara.sh active response script to detect malicious files in Linux/Unix endpoints out-of-the-box using YARA Include a yara.sh active response script to detect malicious files in Linux/Unix endpoints out-of-the-box using YARA Apr 6, 2023