Detecting suspicious binaries
Wazuh provides you with powerful anomaly and malware detection capabilities to detect suspicious binaries. In this PoC, you detect trojaned system binaries by using signatures in the /var/ossec/etc/shared/rootkit_trojans.txt
file.
Configuration
Configure your environment as follows to test the PoC.
No additional configuration is required since trojan detection is configured out-of-the-box. Check your configuration in the /var/ossec/etc/ossec.conf
file at the Ubuntu 20 monitored endpoint.
<rootcheck> <disabled>no</disabled> <check_files>yes</check_files> <!-- Line for trojans detection --> <check_trojans>yes</check_trojans> <check_dev>yes</check_dev> <check_sys>yes</check_sys> <check_pids>yes</check_pids> <check_ports>yes</check_ports> <check_if>yes</check_if> <!-- Frequency that rootcheck is executed - every 12 hours --> <frequency>43200</frequency> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <skip_nfs>yes</skip_nfs> </rootcheck>
Restart the Wazuh agent to apply the configuration changes if needed.
# systemctl restart wazuh-agent
Steps to generate the alerts
Create a copy of the original system binary.
# cp -p /usr/bin/w /usr/bin/w.copy
Replace the original system binary
/usr/bin/w
with the following shell script.#!/bin/bash echo "`date` this is evil" > /tmp/trojan_created_file echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file #Now running original binary /usr/bin/w.copy
The rootcheck scan will run every 12h by default, force the scan restarting the agent to see the alert.
# systemctl restart wazuh-agent