Rootkits detection
The Wazuh agent periodically scans the monitored system to detect rootkits both at the kernel and the user space level. This type of malware usually replaces or changes existing operating system components, in order to alter the behavior of the system. Rootkits can hide other processes, files, and network connections.
Wazuh uses different detection mechanisms to look for system anomalies or well-known intrusions. This is done periodically by the Rootcheck component:
Action |
Detection mechanism |
Binary |
System call |
---|---|---|---|
Detection of hidden processes |
Comparing output of system binaries and system calls |
ps |
setsid |
getpgid |
|||
kill |
|||
Detection of hidden files |
Comparing output of system binaries and system calls |
ls |
stat |
opendir |
|||
readdir |
|||
Scanning /dev |
ls |
opendir |
|
Detection of hidden ports |
Comparing output of system binaries and system calls |
netstat |
bind |
Detection of known rootkits |
Using a malicious file database |
- |
stat |
fopen |
|||
opendir |
|||
Inspecting files content using signatures |
- |
fopen |
|
Detecting file permission and ownership anomalies |
- |
stat |
|
Below is an example of an alert generated when a hidden process is found. In this case, the affected system is running a Linux kernel-level rootkit (named Diamorphine):
{
"agent": {
"id": "1030",
"ip": "10.0.0.59",
"name": "diamorphine-POC"
},
"decoder": {
"name": "rootcheck"
},
"full_log": "Process '562' hidden from /proc. Possible kernel level rootkit.",
"rule": {
"description": "Host-based anomaly detection event (rootcheck).",
"id": "510",
"level": 7
},
"timestamp": "2020-07-12T18:07:00-0800"
}
More information about how does Wazuh detect rootkits can be found at the user manual.