This section describes the checks performed by Wazuh to find the anomalies caused by an intruder or malware.
Malware can replace files, directories and commands on it's host system. Performing file integrity checks on the main directories of a system allows for the detection of these actions. More information File Integrity Monitoring Section
** Alert 1460948255.25442: mail - ossec,syscheck,pci_dss_11.5, 2016 Apr 17 19:57:35 (ubuntu) 10.0.0.144->syscheck Rule: 550 (level 7) -> 'Integrity checksum changed.' Integrity checksum changed for: '/test/hello' Size changed from '12' to '17' Old md5sum was: 'e59ff97941044f85df5297e1c302d260' New md5sum is : '7947eba5d9cc58d440fb06912e302949' Old sha1sum was: '648a6a6ffffdaa0badb23b8baf90b6168dd16b3a' New sha1sum is : '379b74ac9b2d2b09ff6ad7fa876c79f914a755e1'
A malicious process can prevent itself from being seen in a system's list of processes (trojan version of ps command). Rootcheck inspects all process IDs (PID) looking for discrepancies with different system calls (getsid, getpgid).
Diamorphine is a kernel-mode rootkit that is able to hide itself and other processes from ps. If we install this package and hide a process, we will get an alert like this:
** Alert 1460225922.841535: mail - ossec,rootcheck 2017 Feb 15 10:00:42 (localhost) 192.168.1.240->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Process '495' hidden from /proc. Possible kernel level rootkit.
Wazuh scans the entire file system looking for unusual files and permissions. Files owned by root with write permissions for other user accounts like suid files, hidden directories and files, are all inspected.
The /dev directory should only contain device-specific files. Any additional file(s) should be inspected because malware uses this partition to hide files.
If you create a hidden file on
/dev, Wazuh should alert because there is a hidden file in a directory that should only contain device-specific files. The following is the alert generated in that case:** Alert 1487182293.37491: - ossec,rootcheck, 2017 Feb 15 10:11:33 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' File '/dev/.hiddenfile' present on /dev. Possible hidden file. title: File present on /dev. file: /dev/.hiddenfile
Wazuh scans for any network interfaces on the system with promiscuous mode enabled. If the interface is in promiscuous mode, the output of the ifconfig command will indicate it. This may be an indicator that malware is present.
Rootcheck performs several checks using its own database of rootkit signatures: rootkit_files.txt, rootkit_trojans.txt and win_malware_rcl.txt. Unfortunately, these signatures are out of date.