Detecting unauthorized processes

The Wazuh command monitoring capability runs commands on an endpoint and monitors the output of the commands.

In this use case, you use the Wazuh command monitoring capability to detect when Netcat is running on an Ubuntu endpoint. Netcat is a computer networking utility used for port scanning and port listening.

Infrastructure

  Endpoint        Description
  Ubuntu 22.04    You configure the Wazuh command monitoring module on this endpoint to detect a running Netcat process.

Configuration

Ubuntu endpoint

Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint.

  1. Add the following configuration block to the Wazuh agent /var/ossec/etc/ossec.conf file. This makes the agent run the command every 30 seconds (the frequency value) and forward the resulting list of running processes for analysis:

    <ossec_config>
      <localfile>
        <log_format>full_command</log_format>
        <alias>process list</alias>
        <command>ps -e -o pid,uname,command</command>
        <frequency>30</frequency>
      </localfile>
    </ossec_config>
    
  2. Restart the Wazuh agent to apply the changes:

    $ sudo systemctl restart wazuh-agent
    
  3. Install Netcat and the required dependencies:

    $ sudo apt install ncat nmap -y
    

Wazuh server

Perform the following steps on the Wazuh server to create a rule that triggers every time the Netcat program launches.

  1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

    <group name="ossec,">
      <rule id="100050" level="0">
        <if_sid>530</if_sid>
        <match>^ossec: output: 'process list'</match>
        <description>List of running processes.</description>
        <group>process_monitor,</group>
      </rule>
    
      <rule id="100051" level="7" ignore="900">
        <if_sid>100050</if_sid>
        <match>nc -l</match>
        <description>netcat listening for incoming connections.</description>
        <group>process_monitor,</group>
      </rule>
    </group>
    
  2. Restart the Wazuh manager to apply the changes:

    $ sudo systemctl restart wazuh-manager
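To make the rule chain above concrete, here is an added Python example (not code from the Wazuh project or its documentation) that feeds constructed ps output through a simplified model of the two rules, including the 900-second ignore window of rule 100051. It assumes the agent wraps command output as `ossec: output: 'process list':` followed by the raw output, and models the `ignore` attribute as a per-rule suppression window; the real Wazuh analysis engine is not involved, and the sample process lists are constructed, not captured from a host.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Patterns copied from the two rules in local_rules.xml above.
PARENT_PREFIX = "ossec: output: 'process list'"   # rule 100050 <match>, anchored with ^
CHILD_PATTERN = "nc -l"                           # rule 100051 <match>, a plain substring match
IGNORE_SECONDS = 900                              # rule 100051 ignore="900"

# Constructed sample output of `ps -e -o pid,uname,command` (not captured from a real host).
PS_BASELINE = """\
    PID USER     COMMAND
      1 root     /sbin/init
    845 root     sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
"""
PS_WITH_NETCAT = PS_BASELINE + "   1932 ubuntu   nc -l 8000\n"
PS_WITH_NCAT = PS_BASELINE + "   1933 ubuntu   ncat -l 8000\n"


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str


@dataclass
class RuleState:
    # rule id -> time (seconds) the rule last fired; drives the ignore window
    last_fired: Dict[int, float] = field(default_factory=dict)


def build_event(alias: str, command_output: str) -> str:
    """Wrap command output the way the agent's full_command format is assumed to:
    "ossec: output: '<alias>':" followed by the raw output."""
    return f"ossec: output: '{alias}':\n{command_output}"


def evaluate(event: str, now: float, state: RuleState) -> Optional[Alert]:
    """Walk the two-rule chain for one event and return the rule that matched."""
    # Rule 100050 (child of 530): the event must start with the alias prefix.
    if not event.startswith(PARENT_PREFIX):
        return None
    parent = Alert(100050, 0, "List of running processes.")
    # Rule 100051: child of 100050, substring "nc -l" anywhere in the output.
    if CHILD_PATTERN not in event:
        return parent
    last = state.last_fired.get(100051)
    if last is not None and now - last < IGNORE_SECONDS:
        return parent  # suppressed by ignore="900": no repeat alert yet
    state.last_fired[100051] = now
    return Alert(100051, 7, "netcat listening for incoming connections.")


def simulate_polls() -> List[Alert]:
    """Feed four 30-second polls through the chain and collect the outcomes:
    baseline, netcat appears, netcat still there (suppressed), window expired."""
    state = RuleState()
    polls = [
        (0, PS_BASELINE),
        (30, PS_WITH_NETCAT),
        (60, PS_WITH_NETCAT),
        (960, PS_WITH_NETCAT),
    ]
    return [evaluate(build_event("process list", out), t, state) for t, out in polls]


if __name__ == "__main__":
    for alert in simulate_polls():
        print(alert.rule_id, alert.level, alert.description)
    # "ncat -l 8000" does not contain the substring "nc -l", so only the parent rule matches.
    print(evaluate(build_event("process list", PS_WITH_NCAT), 0, RuleState()).rule_id)
```

The four simulated polls show the level-7 alert firing once when the listener appears and then staying quiet for the ignore window, which is why the attack emulation below only needs to keep the listener up for one polling interval. The last call shows that a process listed as `ncat -l 8000` would not match the substring `nc -l`, so check what command name ps reports on your endpoint before relying on the rule as written.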
    

Attack emulation

On the monitored Ubuntu endpoint, run nc -l 8000 and keep it running for at least 30 seconds, so that a command-monitoring poll captures the process.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the following filter in the search bar to query the alerts.

  • rule.id:(100051)