Rootkits detection
The Wazuh agent periodically scans the monitored system to detect rootkits both at the kernel and the user space level. This kind of malware usually replaces or changes the components of the existing operating system, in order to alter the system behavior. Rootkits can hide other processes, files, and network connections.
Wazuh uses different detection mechanisms to search for system anomalies or well-known intrusions. The Rootcheck component does this periodically:
Action |
Detection mechanism |
Binary |
System call |
---|---|---|---|
Detection of hidden processes |
Comparing output of system binaries and system calls |
ps |
setsid |
getpgid |
|||
kill |
|||
Detection of hidden files |
Comparing output of system binaries and system calls |
ls |
stat |
opendir |
|||
readdir |
|||
Scanning /dev |
ls |
opendir |
|
Detection of hidden ports |
Comparing output of system binaries and system calls |
netstat |
bind |
Detection of known rootkits |
Using a malicious file database |
- |
stat |
fopen |
|||
opendir |
|||
Inspecting files content using signatures |
- |
fopen |
|
Detecting file permission and ownership anomalies |
- |
stat |
|
Below is an example of an alert generated when a hidden process is found. In this case, the affected system is running a Linux kernel-level rootkit (named Diamorphine):
{
"agent": {
"id": "1030",
"ip": "10.0.0.59",
"name": "diamorphine-POC"
},
"decoder": {
"name": "rootcheck"
},
"full_log": "Process '562' hidden from /proc. Possible kernel level rootkit.",
"rule": {
"description": "Host-based anomaly detection event (rootcheck).",
"id": "510",
"level": 7
},
"timestamp": "2020-07-12T18:07:00-0800"
}
More information on how Wazuh detects rootkits can be found at the user manual.