Detect filesystem changes

Wazuh's syscheck system is responsible for file integrity monitoring (FIM) and registry change monitoring. In this exercise we will configure syscheck on windows-agent to monitor specific directories for changes, make changes within them and observe the alerts that are generated.

Preparation

To turn on Wazuh agent and syscheck debug logging on windows-agent, start Notepad with the "Run as administrator" option and enter this text:

windows.debug=2
rootcheck.sleep=0
syscheck.sleep=0

Save this as a new file called C:\Program Files (x86)\ossec-agent\local_internal_options.conf, making sure under "Save as type:" to choose "All Files" so that the file does not get a .txt extension appended to it.

Open the Windows Command Prompt or a PowerShell, using the "Run as administrator" option. Then create a couple of lab directories:

mkdir C:\apple
mkdir C:\orange

Configuring FIM

Run the Wazuh Agent Manager (C:\Program Files (x86)\ossec-agent\win32ui.exe) and click on View -> View Config, and replace the large default <syscheck> section with this:

<syscheck>
    <disabled>no</disabled>
    <scan_on_start>yes</scan_on_start>
    <frequency>300</frequency>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:/apple</directories>
    <directories check_all="yes">C:/orange</directories>
</syscheck>

The above enables syscheck FIM on windows-agent, such that a periodic scan of C:\orange will take place shortly after the start or restart of the Wazuh agent, and then every 300 seconds thereafter. The C:\apple directory will be monitored in real time for file changes, while the C:\orange directory will only be periodically scanned for changes. Changes to existing text files in C:\apple will trigger an alert that includes the details of the actual text that was changed, while changes to C:\orange files will not include details of actual file content changes.

Note

In Wazuh configuration files, Windows file and directory paths are always expressed with forward slashes rather than traditional Windows backslashes. This is because the backslash tends to be interpreted as an escape character by Wazuh. Wazuh will find your Windows paths just fine even though the slashes look backwards.

Close and save your modified config file. Then restart Wazuh on windows-agent (Manage -> Restart).

In the Wazuh Agent Manager, click on View -> View Logs. You should see a couple of entries like this, accounting for the new syscheck monitoring of your two test directories:

2019/10/20 08:21:53 ossec-agent: INFO: Monitoring directory: 'c:/apple', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | realtime | report_changes | mtime | inode | attributes'.
2019/10/20 08:21:53 ossec-agent: INFO: Monitoring directory: 'c:/orange', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode | attributes'.

Testing FIM

At this point, add, modify, and delete files in these two test directories on the Windows agent, and watch your search results in Kibana for the query text "apple orange" (without quotes), to find syscheck events as they appear. Notice that alerts about changes in C:\apple\ show up promptly, while alerts about changes in C:\orange\ are not reported until the next periodic (5 minute) syscheck scan. You can force a periodic syscheck scan sooner by restarting the Windows agent, but still expect to wait a minute or so before the scan actually runs.

Note

When multiple terms are searched for in Kibana (like "apple orange") without being separated by a capitalized "AND", an "OR" relationship is assumed, resulting in a search for all records matching either of the terms included.

Inspecting the FIM events

Here are alerts produced by adding, editing, renaming, and deleting files in both directories:

Here is the full alert about the change of an existing file in C:\apple\. Notice the syscheck.diff field accounting for the actual content changed on the file (where "1 apple" was changed to "2 apples"). Also notice the many other file attribute changes accounted for.

FIM events in the Wazuh Kibana plugin

Of course, the nicest way to look over file changes is via the Wazuh Kibana plugin. You can get an overview of FIM events for all agents by clicking on the Wazuh plugin icon, and then on the Integrity monitoring dashboard. To focus in on just the FIM events for windows-agent, click on Wazuh, then on the Agents tab, then on the record of your windows-agent, and then on the Integrity monitoring dashboard, which would look similar to this:

Note

The default time windows in Kibana is only "Last 15 minutes" which may be too small to encompass your activities in this lab. Click on the time window value and change it to something broader if needed.

A look under the hood of syscheck

Each time a Wazuh agent runs a periodic syscheck FIM scan, the monitored file checksums and attributes are sent back to the Wazuh manager who stores them and looks for modifications by comparing the new values to the old values.

On the manager in the /var/ossec/queue/db/ directory we may find a .db file for each agent ID including the manager (000.db, 001.db, 002.db, 003.db). These are SQLite files each containing multiple tables including one related to syscheck.

[root@wazuh-manager centos]# sqlite3 /var/ossec/queue/db/000.db ".tables"
ciscat_results        sca_check_rules       sys_netiface
fim_entry             sca_policy            sys_netproto
metadata              sca_scan_info         sys_osinfo
pm_event              scan_info             sys_ports
sca_check             sys_hwinfo            sys_processes
sca_check_compliance  sys_netaddr           sys_programs

The following command shows the schema of the fim_entry table where the manager stores syscheck scan results for itself and its agents:

[root@wazuh-manager centos]# sqlite3 -header /var/ossec/queue/db/000.db "PRAGMA table_info(fim_entry);"
   cid|name|type|notnull|dflt_value|pk
   0|file|TEXT|0||1
   1|type|TEXT|1||0
   2|date|INTEGER|1|strftime('%s', 'now')|0
   3|changes|INTEGER|1|1|0
   4|size|INTEGER|0||0
   5|perm|TEXT|0||0
   6|uid|TEXT|0||0
   7|gid|TEXT|0||0
   8|md5|TEXT|0||0
   9|sha1|TEXT|0||0
   10|uname|TEXT|0||0
   11|gname|TEXT|0||0
   12|mtime|INTEGER|0||0
   13|inode|INTEGER|0||0
   14|sha256|TEXT|0||0
   15|attributes|INTEGER|0|0|0
   16|symbolic_path|TEXT|0||0

This file contains syscheck scan results including file hashes and other metadata, plus a count of how many times a given file has been seen to change.

The following command shows the syscheck-monitored files for the windows-agent (ID #003):

[root@wazuh-manager centos]# sqlite3 /var/ossec/queue/db/003.db 'select * from fim_entry where file like "%apple%"';

Change your configuration back to default

Before moving on to the next Lab, we need to change <syscheck> configuration back to the way it was.

Run the Wazuh Agent Manager (C:\Program Files (x86)\ossec-agent\win32ui.exe) and click on View -> View Config, and replace the <syscheck> section with this:

<syscheck>
   <!-- By default it is disabled. In the Install you must choose to enable it. -->
   <disabled>yes</disabled>

   <!-- Frequency that syscheck is executed default every 12 hours -->
   <frequency>43200</frequency>

   <!-- Default files to be monitored. -->
   <directories check_all="yes">%WINDIR%\regedit.exe</directories>
   <directories check_all="yes">%WINDIR%\system.ini</directories>
   <directories check_all="yes">%WINDIR%\win.ini</directories>

   <directories check_all="yes">%WINDIR%\SysNative\at.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\attrib.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\cacls.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\cmd.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\drivers\etc</directories>
   <directories check_all="yes">%WINDIR%\SysNative\eventcreate.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\ftp.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\lsass.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\net.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\net1.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\netsh.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\reg.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\regedt32.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\regsvr32.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\runas.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\sc.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\schtasks.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\sethc.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\subst.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\wbem\WMIC.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe</directories>
   <directories check_all="yes">%WINDIR%\SysNative\winrm.vbs</directories>

   <!-- 32-bit programs. -->
   <directories check_all="yes">%WINDIR%\System32\at.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\attrib.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\cacls.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\cmd.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\drivers\etc</directories>
   <directories check_all="yes">%WINDIR%\System32\eventcreate.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\ftp.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\net.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\net1.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\netsh.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\reg.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\regedit.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\regedt32.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\regsvr32.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\runas.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\sc.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\schtasks.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\sethc.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\subst.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\wbem\WMIC.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe</directories>
   <directories check_all="yes">%WINDIR%\System32\winrm.vbs</directories>
   <directories check_all="yes" realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

   <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

   <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

   <!-- Windows registry entries to monitor. -->
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

   <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

   <!-- Windows registry entries to ignore. -->
   <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
   <registry_ignore type="sregex">\Enum$</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
   <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

   <!-- Frequency for ACL checking (seconds) -->
   <windows_audit_interval>300</windows_audit_interval>
 </syscheck>