Rootkits detection

The Wazuh agent periodically scans the monitored system to detect rootkits both at the kernel and the user space level. This kind of malware usually replaces or changes the components of the existing operating system, in order to alter the system behavior. Rootkits can hide other processes, files, and network connections.

Wazuh uses different detection mechanisms to search for system anomalies or well-known intrusions. The Rootcheck component does this periodically:

Action	Detection mechanism	Binary	System call
Detection of hidden processes	Comparing output of system binaries and system calls	ps	setsid
			getpgid
			kill
Detection of hidden files	Comparing output of system binaries and system calls	ls	stat
			opendir
			readdir
	Scanning /dev	ls	opendir
Detection of hidden ports	Comparing output of system binaries and system calls	netstat	bind
Detection of hidden ports	Comparing output of system binaries and system calls	netstat	bind
Detection of known rootkits	Using a malicious file database	-	stat
			fopen
			opendir
	Inspecting files content using signatures	-	fopen
	Inspecting files content using signatures	-	fopen
	Detecting file permission and ownership anomalies	-	stat
	Detecting file permission and ownership anomalies	-	stat

Below is an example of an alert generated when a hidden process is found. In this case, the affected system is running a Linux kernel-level rootkit (named Diamorphine):

{
  "agent": {
      "id": "1030",
      "ip": "10.0.0.59",
      "name": "diamorphine-POC"
  },
  "decoder": {
      "name": "rootcheck"
  },
  "full_log": "Process '562' hidden from /proc. Possible kernel level rootkit.",
  "rule": {
      "description": "Host-based anomaly detection event (rootcheck).",
      "id": "510",
      "level": 7
  },
  "timestamp": "2020-07-12T18:07:00-0800"
}

More information on how Wazuh detects rootkits can be found at the user manual.