This section describes the checks performed by Wazuh to find the anomalies caused by an intruder or malware.
Malware replaces files, directories and commands, so performing file integrity checking on the main directories allows us to detect these actions. More info File Integrity Monitoring Section
** Alert 1460948255.25442: mail - ossec,syscheck,pci_dss_11.5, 2016 Apr 17 19:57:35 (ubuntu) 10.0.0.144->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' Integrity checksum changed for: '/test/hello' Size changed from '12' to '17' Old md5sum was: 'e59ff97941044f85df5297e1c302d260' New md5sum is : '7947eba5d9cc58d440fb06912e302949' Old sha1sum was: '648a6a6ffffdaa0badb23b8baf90b6168dd16b3a' New sha1sum is : '379b74ac9b2d2b09ff6ad7fa876c79f914a755e1'
A malicious process can prevent itself from being seen in a system’s list of processes (trojan version of ps command). Rootcheck inspects all process IDs (PID) looking for discrepancies with different system calls (getsid, getpgid).
Diamorphine is a kernel-mode rootkit able to hide itself from ps and also able to hide other processes. If we install this package and hide a process, we will get an alert like this:
** Alert 1460225922.841535: mail - ossec,rootcheck 2017 Feb 15 10:00:42 (localhost) 192.168.1.240->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Process '495' hidden from /proc. Possible kernel level rootkit.
Scan the entire file system looking for unusual files and permissions. Files owned by root with write permissions for other user accounts, suid files, hidden directories, and files are all inspected.
The /dev directory should only contain device-specific files. Any additional file should be inspected because malware uses this partition to hide files.
If you create a hidden file on /dev, Wazuh should alert because there is a hidden file in a directory that should only contain device-specific files. This is the alert generated in that case:** Alert 1487182293.37491: - ossec,rootcheck, 2017 Feb 15 10:11:33 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' File '/dev/.hiddenfile' present on /dev. Possible hidden file. title: File present on /dev. file: /dev/.hiddenfile
Scan for any network interfaces on the system with promiscuous mode enabled. If the interface is in promiscuous mode, the output of the ifconfig command will show that. If not, we might have a malware installed.