Rootkits detection

The Wazuh agent periodically scans the monitored system to detect rootkits both at the kernel and the user space level. This type of malware usually replaces or changes existing operating system components, in order to alter the behavior of the system. Rootkits can hide other processes, files, and network connections.

Wazuh uses different detection mechanisms to look for system anomalies or well-known intrusions. This is done periodically by the Rootcheck component:

Action Detection mechanism Binary System call
Detection of hidden processes

Comparing output of system

binaries and system calls

ps setsid
getpgid
kill
Detection of hidden files

Comparing output of system

binaries and system calls

ls stat
opendir
readdir
Scanning /dev ls opendir
Detection of hidden ports

Comparing output of system

binaries and system calls

netstat bind
Detection of known rootkits Using a malicious file database - stat
fopen
opendir

Inspecting files content using

signatures

- fopen

Detecting file permission and

ownership anomalies

- stat

Below is an example of an alert generated when a hidden process is found. In this case, the affected system is running a Linux kernel-level rootkit (named Diamorphine):

{
  "agent": {
      "id": "1030",
      "ip": "10.0.0.59",
      "name": "diamorphine-POC"
  },
  "decoder": {
      "name": "rootcheck"
  },
  "full_log": "Process '562' hidden from /proc. Possible kernel level rootkit.",
  "rule": {
      "description": "Host-based anomaly detection event (rootcheck).",
      "id": "510",
      "level": 7
  },
  "timestamp": "2020-07-12T18:07:00-0800"
}

More information about how does Wazuh detect rootkits can be found at the user manual.