Detecting Malicious Files with Wazuh and VirusTotal


In this tutorial, you will learn how to detect malicious files with Wazuh and VirusTotal. Wazuh is an open source security monitoring system that supports file integrity monitoring: it watches the file system and identifies changes in the content, permissions, ownership, and attributes of the files you need to keep an eye on. In addition, it natively identifies the users and applications used to create or modify files.

To detect malicious files on the system, Wazuh can be integrated with VirusTotal, an online service that analyzes suspicious files and URLs to detect malware such as trojans and worms.

The syscheck daemon of the Wazuh agent running on the monitored server detects any file that is added and calculates its hash. The calculated hash is then submitted to VirusTotal via the VirusTotal API. VirusTotal checks the hash against its database of known malware and returns the result to Wazuh, which then raises an alert.


Install and Setup Wazuh Server

Before we proceed, we assume that you already have a Wazuh server set up and agents connected and active.

In this demo, we use Rocky Linux 8 as the Wazuh server. You can use the tutorials below to set up a Wazuh server on Rocky Linux 8.

Install and setup Wazuh Server on Rocky Linux 8

Install Wazuh Agent on Rocky Linux 8

Integrate Wazuh Manager with VirusTotal

Obtain VirusTotal API Key

Next, you need to integrate the Wazuh manager with VirusTotal. For this, you need to obtain a VirusTotal API key. The API key can be a public or a private one. We use a public one in this setup.

So, sign up for the VirusTotal Community to get an API key.

Once you have created an account and logged into VirusTotal, click on your username at the top right corner > API Key.


Integrate Wazuh Manager with VirusTotal

To integrate the Wazuh manager with VirusTotal, you need to add the configuration below to the /var/ossec/etc/ossec.conf file.

<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Replace API_KEY with your own VirusTotal API key. For example, this is what my configuration looks like;

  <integration>
    <name>virustotal</name>
    <api_key>94e298694ac4a58c323839dcb1ef4cfe36b48bd6beb8a5c7c3aee587117865cf</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>

Thus, you need to add this configuration to the ossec.conf file.

vim /var/ossec/etc/ossec.conf

In our demo, we insert the configuration above just above the <!-- Osquery integration --> comment, so that my configuration looks like;

  <!-- Wazuh VirusTotal Integration -->
  <integration>
    <name>virustotal</name>
    <api_key>94e298694ac4a58c323839dcb1ef4cfe36b48bd6beb8a5c7c3aee587117865cf</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

Once you have updated the configuration file, restart the Wazuh manager service;

systemctl restart wazuh-manager
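The same edit done as a script rather than by hand in vim, as an added example that is not part of the original tutorial: it refuses to write the API_KEY placeholder, refuses to add a second block if one is already present, and fails cleanly if the Osquery comment it anchors on is missing. The ossec.conf fragment embedded in the block is constructed for the demonstration, not a real manager configuration.

```python
"""Added example (not from the tutorial): insert the Wazuh VirusTotal
<integration> block into ossec.conf above the Osquery integration comment."""
from pathlib import Path
ANCHOR = "<!-- Osquery integration -->"
PLACEHOLDERS = {"", "API_KEY"}

def render_block(api_key):
    """The integration block exactly as the tutorial adds it to ossec.conf."""
    return (
        "  <!-- Wazuh VirusTotal Integration -->\n"
        "  <integration>\n"
        "    <name>virustotal</name>\n"
        f"    <api_key>{api_key}</api_key>\n"
        "    <group>syscheck</group>\n"
        "    <alert_format>json</alert_format>\n"
        "  </integration>\n\n"
    )

def insert_vt_integration(conf_text, api_key):
    """Return conf_text with the block inserted above the Osquery anchor.
    Raises ValueError for a placeholder key, a duplicate block or a missing anchor."""
    if api_key.strip() in PLACEHOLDERS:
        raise ValueError("replace API_KEY with your VirusTotal API key first")
    if "<name>virustotal</name>" in conf_text:
        raise ValueError("virustotal integration already configured")
    lines = conf_text.splitlines(keepends=True)
    idx = next((i for i, line in enumerate(lines) if ANCHOR in line), None)
    if idx is None:
        raise ValueError(f"anchor {ANCHOR!r} not found")
    lines.insert(idx, render_block(api_key))
    return "".join(lines)

def update_file(path, api_key):
    """Rewrite ossec.conf in place; truncating keeps the file's owner and mode."""
    p = Path(path)
    p.write_text(insert_vt_integration(p.read_text(), api_key))

# Constructed minimal ossec.conf fragment (not a real manager config).
SAMPLE_CONF = """<ossec_config>
  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
  </wodle>
</ossec_config>
"""

if __name__ == "__main__":
    # Real use: update_file("/var/ossec/etc/ossec.conf", key), then restart wazuh-manager.
    print(insert_vt_integration(SAMPLE_CONF, "REPLACE_WITH_YOUR_VT_API_KEY"))
```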

Enable Wazuh VirusTotal Module

The Wazuh VirusTotal module is usually disabled by default. To enable it, navigate to the Kibana web interface > Wazuh App > Wazuh Settings > Modules.


Scroll down to the Threat Detection and Response section and toggle the VirusTotal button to enable it.


Once enabled, you should be able to access the VirusTotal dashboard under Wazuh > Modules > Threat Detection and Response > VirusTotal.

For now, since we don’t already have any events, the dashboard is empty.

Demonstrating how Wazuh monitors the directories for Malicious Files

By default, the Wazuh agent monitors a number of directories, as defined in the agent's ossec.conf file under the <!-- File integrity monitoring --> section.

To demonstrate this effectively, we will place a malicious file under the /etc directory and see what kind of events we get on the Wazuh dashboard.

NOTE: This is done on an isolated temporary test system. Do not place malicious files on your systems! We cannot be held responsible for what malicious files may do to your system.

As already mentioned, we are using a test system, so we have downloaded some sample malware files from the InQuest/malware-samples GitHub repository to the /etc directory of the Wazuh agent;

ls -1 /etc/[0-9]*
/etc/02c51604604a7faae0b82aab08d9e3693525454be210b73e76294b4594762c78
/etc/240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762
/etc/240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762.zip

Note that we have also reduced the Wazuh agent syscheck scan frequency from 12 hours to one minute, just for demo purposes.

...    
    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>60</frequency>
...

Any change made to ossec.conf requires a restart of the agent.

Verify Malware Detection Events on Wazuh Manager

Once the files are placed on the Wazuh agent system, you should see events on the Wazuh manager dashboard.

Hence, navigate to Wazuh > Modules > Threat Detection and Response > VirusTotal.


You can click Events to see the related events.


You can click the VirusTotal links to learn more about the files.

Also, if you check Security Events, you should see alerts related to the files added to the system.
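As an added example that is not part of the original tutorial, the same events can be triaged from the manager's alerts.json without the dashboard. The alert layout (data.virustotal.found, malicious, positives, total, source.file, rule.groups containing virustotal) is assumed from the Wazuh VirusTotal integration and is not shown on this page; the sample alert lines are constructed, not captured output.

```python
"""Added example (not from the tutorial): triage VirusTotal results from the
manager's alerts.json (one JSON alert per line) instead of the dashboard."""
import json
# Constructed sample alert lines. The data.virustotal.* field names follow the
# layout written by Wazuh's VirusTotal integration (an assumption, not taken
# from the tutorial); agent name, counts and the non-page paths are invented.
SAMPLE_ALERTS = '''
{"rule":{"groups":["virustotal"],"level":12},"agent":{"name":"agent01"},"data":{"integration":"virustotal","virustotal":{"found":1,"malicious":1,"positives":58,"total":70,"source":{"file":"/etc/02c51604604a7faae0b82aab08d9e3693525454be210b73e76294b4594762c78"},"permalink":"https://www.virustotal.com/gui/file/PLACEHOLDER"}}}
{"rule":{"groups":["virustotal"],"level":3},"agent":{"name":"agent01"},"data":{"integration":"virustotal","virustotal":{"found":1,"malicious":0,"positives":0,"total":70,"source":{"file":"/etc/motd"}}}}
{"rule":{"groups":["virustotal"],"level":3},"agent":{"name":"agent01"},"data":{"integration":"virustotal","virustotal":{"found":0,"malicious":0,"source":{"file":"/etc/240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762.zip"}}}}
{"rule":{"groups":["syscheck"],"level":5},"agent":{"name":"agent01"},"syscheck":{"path":"/etc/motd","event":"added"}}
this line is truncated and must be skipped
'''

def iter_alerts(text):
    """Yield one decoded alert per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def vt_verdict(alert):
    """Return (file, verdict, positives, total), or None for non-VirusTotal alerts."""
    vt = alert.get("data", {}).get("virustotal")
    if vt is None or "virustotal" not in alert.get("rule", {}).get("groups", []):
        return None
    path = vt.get("source", {}).get("file", "?")
    if not vt.get("found"):            # hash unknown to VirusTotal: not a verdict
        return path, "not_in_virustotal", 0, 0
    positives, total = int(vt.get("positives", 0)), int(vt.get("total", 0))
    verdict = "malicious" if vt.get("malicious") or positives > 0 else "clean"
    return path, verdict, positives, total

def summarise(text):
    """Group (file, positives, total) by verdict across all alert lines."""
    out = {"malicious": [], "clean": [], "not_in_virustotal": []}
    for alert in iter_alerts(text):
        v = vt_verdict(alert)
        if v:
            out[v[1]].append((v[0], v[2], v[3]))
    return out

if __name__ == "__main__":
    # On a manager, pass open("/var/ossec/logs/alerts/alerts.json").read() instead.
    print(summarise(SAMPLE_ALERTS))
```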


And that is all on our guide on detecting malicious files with Wazuh and VirusTotal.

Further Reading

Wazuh – About VirusTotal
