YARA Integration with WAZUH

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
Subscribe
"The best Linux newsletter on the web"

This post is about YARA Integration with WAZUH

Introduction

Wazuh can integrate with YARA in different ways. YARA is a versatile Open Source pattern-matching tool aimed to detect malware samples based on rule descriptions, although it is not limited to that use case alone.

This use case focuses on automatically executing YARA scans by using the active response module when a Wazuh FIM alert is triggered. This is an interesting way of using YARA as it concentrates the scans on new or recently modified files in your environment, thus optimizing resource consumption on the monitored endpoints.

The next diagram illustrates the flow of events between the different components:

[Diagram: YARA Integration]

YARA Integration with WAZUH

The following section assumes the Wazuh manager is already installed. If you need to install it, you can do so by following the WAZUH The Open Source Security Platform guide.

First, configure on the manager the action that you want to execute and the circumstances under which you want it to be triggered. To do that, edit the configuration file located at /var/ossec/etc/ossec.conf and add the following:

<ossec_config>
  <command>
    <name>yara</name>
    <executable>yara.sh</executable>
    <extra_args>-yara_path /path/to/yara -yara_rules /path/to/rules</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>yara</command>
    <location>local</location>
    <rules_id>550,554</rules_id>
  </active-response>
</ossec_config>

Command

It contains information about the action to be executed on the agent, including its parameters:

  • The name setting uniquely identifies the command, yara.
  • The script in the executable setting, yara.sh.
  • The extra_args setting, needed to specify where the YARA binary and rules are located.
  • The timeout_allowed setting set to no. This represents a stateless active response.

Active response

It defines the criteria used to execute a specific command:

  • The command to execute. It references the yara command created above.
  • The location setting as local. It means that the active response is executed on the agent that generates the alert.
  • You can write a list of rule IDs that will trigger the active response in the rules_id setting. This example uses the following rule IDs.
    • Rule 550: file modified in the system
    • Rule 554: new file added to the system

Rules and decoders

Define a set of rules and decoders to trigger alerts from the events generated by the YARA active response.

Create a decoder file, for example, /var/ossec/etc/decoders/yara_decoders.xml, and add the following:

<!--
 - YARA decoders
 - Created by Wazuh, Inc.
 - Copyright (C) 2015-2022, Wazuh Inc.
 - This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

<decoder name="yara">
  <prematch>wazuh-yara: </prematch>
</decoder>

<decoder name="yara">
  <parent>yara</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara">
  <parent>yara</parent>
  <regex>wazuh-yara: (\S+) - Yara active response error. (\.+)</regex>
  <order>log_type, error_message</order>
</decoder>

Similarly, create a rule file, /var/ossec/etc/rules/yara_rules.xml, with the following content:

<!--
 - YARA rules
 - Created by Wazuh, Inc.
 - Copyright (C) 2015-2022, Wazuh Inc.
 - This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

<group name="yara,">
    <rule id="100100" level="0">
        <decoded_as>yara</decoded_as>
        <description>YARA rules grouped.</description>
    </rule>

    <rule id="100101" level="5">
        <if_sid>100100</if_sid>
        <field name="error_message">\.+</field>
        <description>YARA error detected.</description>
    </rule>

    <rule id="100102" level="10">
        <if_sid>100100</if_sid>
        <field name="yara_rule">\.+</field>
        <description>YARA $(yara_rule) detected.</description>
    </rule>
</group>

Restart the Wazuh manager for the changes to take effect.

Wazuh agent configuration

The following section assumes YARA is already installed on the monitored endpoint. If you need to install it, you can do it following the official YARA installation guide.

The script configured to run as part of the active response settings defined on the Wazuh manager, yara.sh, needs to be placed under /var/ossec/active-response/bin on the Wazuh agent side. Add the following content to it:

#!/bin/bash
# Wazuh - Yara active response
# Copyright (C) 2015-2022, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#------------------------- Gather parameters -------------------------#

# Static active response parameters
LOCAL=$(dirname "$0")

# Extra arguments: execd hands the script one JSON document on stdin.
# extra_args is "-yara_path <dir> -yara_rules <file>", so the values
# sit at indices 1 and 3.
read -r INPUT_JSON
YARA_PATH=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[1]')
YARA_RULES=$(echo "$INPUT_JSON" | jq -r '.parameters.extra_args[3]')
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.syscheck.path')
COMMAND=$(echo "$INPUT_JSON" | jq -r '.command')

# Move to the active response folder
cd "$LOCAL" || exit 1
cd ../ || exit 1

# Set LOG_FILE path (resolves to /var/ossec/logs/active-responses.log)
LOG_FILE="$(pwd)/../logs/active-responses.log"

#----------------------- Analyze parameters -----------------------#

if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
then
  echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> "${LOG_FILE}"
  exit 1
fi

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
  # Send control message to execd
  printf '{"version":1,"origin":{"name":"yara","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

  # execd answers with "continue" or "abort"
  read -r RESPONSE
  COMMAND2=$(echo "$RESPONSE" | jq -r '.command')
  if [ "${COMMAND2}" != "continue" ]
  then
    echo "wazuh-yara: INFO - Yara active response aborted." >> "${LOG_FILE}"
    exit 1
  fi
fi

#------------------------- Main workflow --------------------------#

# Execute Yara scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

if [[ $yara_output != "" ]]
then
  # Iterate every detected rule and append it to the LOG_FILE
  while read -r line; do
    echo "wazuh-yara: INFO - Scan result: $line" >> "${LOG_FILE}"
  done <<< "$yara_output"
fi

exit 1;

The script receives these paths:

  • The file path contained in the alert that triggered the active response in the parameters.alert.syscheck.path object.
  • -yara_path. Path to the folder where the YARA executable is located; by default this is usually /usr/local/bin.
  • -yara_rules. File path to the YARA rules file used for the scan.

The script uses the parameters above to perform a YARA scan:

# Execute YARA scan on the specified filename
yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"

Then it analyzes the output to determine if the scan triggered any YARA rule:

# Iterate every detected rule and append it to the LOG_FILE
while read -r line; do
  echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
done <<< "$yara_output"

For every line in the output, the script appends an event to the active response log, /var/ossec/logs/active-responses.log, with the following format:

wazuh-yara: INFO - Scan result: yara_rule file_path
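To make the agent-side handling concrete, here is an added Python example (not Wazuh's code and not yara.sh itself) that mirrors what the script does with its stdin: it extracts the same four values with the same positional indices into extra_args, refuses to build a scan when the mandatory parameters are missing, builds the exact argv the script runs, and turns YARA's "<rule> <file>" output into the log line format shown above. The stdin document is a constructed stand-in whose key layout follows the jq paths the script uses; the origin values, paths and rule name in it are made up, and parse_extra_args_by_flag is an extra helper of mine, not something the script does.

```python
import json

# Constructed stand-in for the JSON execd writes to the script's stdin.
# Key layout follows the jq paths in yara.sh (.command,
# .parameters.extra_args, .parameters.alert.syscheck.path); values are made up.
SAMPLE_INPUT = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": ["-yara_path", "/usr/local/bin",
                       "-yara_rules", "/var/ossec/etc/yara/rules.yar"],
        "alert": {
            "rule": {"id": "554"},
            "syscheck": {"path": "/home/user/script.sh"},
        },
    },
})

# The line yara.sh appends before exiting when a parameter is missing.
ERROR_LINE = ("wazuh-yara: ERROR - Yara active response error. "
              "Yara path and rules parameters are mandatory.")


def parse_input(raw):
    """Extract the same four values yara.sh pulls out with jq. Like the
    script, extra_args is read by position: index 1 is the value after
    -yara_path and index 3 the value after -yara_rules."""
    doc = json.loads(raw)
    params = doc["parameters"]
    args = params.get("extra_args", [])
    return {
        "command": doc.get("command"),
        "yara_path": args[1] if len(args) > 1 else "",
        "yara_rules": args[3] if len(args) > 3 else "",
        "filename": params["alert"]["syscheck"]["path"],
    }


def parse_extra_args_by_flag(args):
    """Added alternative to positional lookup: pair each -flag with the value
    that follows it, so the order of -yara_path and -yara_rules no longer
    matters. Not part of yara.sh."""
    pairs = {}
    for i in range(0, len(args) - 1, 2):
        if args[i].startswith("-"):
            pairs[args[i].lstrip("-")] = args[i + 1]
    return pairs


def build_scan_argv(parsed):
    """Return the argv yara.sh executes, or None when a mandatory parameter
    is missing (the script then logs ERROR_LINE and exits)."""
    if not parsed["yara_path"] or not parsed["yara_rules"]:
        return None
    return [parsed["yara_path"] + "/yara", "-w", "-r",
            parsed["yara_rules"], parsed["filename"]]


def format_log_lines(yara_stdout):
    """Turn YARA's "<rule> <file>" output into the event lines yara.sh appends
    to active-responses.log; empty output yields no lines (and no alert)."""
    return ["wazuh-yara: INFO - Scan result: " + line
            for line in yara_stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    parsed = parse_input(SAMPLE_INPUT)
    print(build_scan_argv(parsed))
    # Constructed stand-in for what yara prints on a match; yara is not run here.
    print(format_log_lines("HiddenWasp_Deployment /home/user/script.sh\n"))
```

The argv shows the two YARA flags the script relies on: -w suppresses compiler warnings so they cannot end up in the log, and -r makes the scan recursive, which only matters when the FIM path is a directory. Because the script indexes extra_args by position, swapping the order of -yara_path and -yara_rules in ossec.conf would silently point the scan at the wrong binary and rules file; the flag-keyed parser above is one way to remove that dependency.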

Malware detection

HiddenWasp is sophisticated malware that infects Linux systems and is used for targeted remote control. Its authors took advantage of various publicly available open source malware, such as Mirai and the Azazel rootkit.

It has three different components:

  • Deployment script. Initial attack vector.
  • Rootkit. Artifact hiding mechanisms and TCP connection hiding.
  • Trojan. C&C requests.

Deployment script

It is typically a bash script that tries to download the malware itself by connecting to an SFTP server. This script even updates the malware if the host was already compromised.

The main IoCs to look for in this component are the IP addresses and files that it copies to the system:

rule HiddenWasp_Deployment
{
    strings:
        $a = "http://103.206.123.13:8080/configUpdate.tar.gz"
        $b = "http://103.206.123.13:8080/configUpdate-32.tar.gz"
        $c = "http://103.206.123.13:8080/system.tar.gz"
        $d = "103.206.123.13"
    condition:
        any of them
}

Rootkit

A user-space rootkit loaded via the LD_PRELOAD Linux mechanism and delivered as a stripped ET_DYN ELF binary. It tries to hide the trojan part of the malware by cloaking artifacts and TCP connections.

The following YARA rule detects its signature by using hexadecimal strings:

rule HiddenWasp_Rootkit
{
        strings:
                $a1 = { FF D? 89 ?? ?? 83 ?? ?? ?? 0F 84 [0-128] BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D? 48 ?? ?? ?? 48 ?? ?? ?? ?? 74 [0-128] C6 ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? BE ?? ?? ?? ?? }
                $a2 = { 0F 84 [0-128] BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D? }
                $a3 = { 0F B6 ?? 83 ?? ?? 88 ?? 83 [0-128] 8B ?? ?? 3B ?? ?? 0F 82 [0-128] 48 ?? ?? ?? 48 }
                $a4 = { 74 [0-128] C6 ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? BE ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D? 89 ?? ?? 83 ?? ?? ?? 0F 84 [0-128] BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D? }
                $b0 = { E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 [0-128] C6 ?? ?? ?? ?? ?? ?? FF 7? ?? 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF D? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 [0-128] 83 ?? ?? 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 83}
                $b1 = { 83 ?? ?? 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 8D ?? ?? 5? FF 7? ?? 6A ?? FF D? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 [0-128] 83 ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? FF 7? ?? 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 8D ?? ?? 5? }
                $b2 = { 8B ?? ?? 8B ?? ?? 29 ?? 89 ?? 8B ?? ?? F7 ?? 21 ?? 23 ?? ?? 85 ?? 74 [0-128] 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 80 3? ?? 75 [0-128] 8B ?? ?? 8B ?? ?? 29}
                $b3 = { 8B ?? ?? 29 ?? 89 ?? 8B ?? ?? F7 ?? 21 ?? 23 ?? ?? 85 ?? 74 [0-128] 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 80 3? ?? 75 [0-128] 8B}
                $b4 = { 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 [0-128] 8B ?? ?? 89 ?? 8D ?? ?? FF 0? 8A ?? 88 ?? ?? 8B ?? ?? 89 ?? 8D ?? ?? FF 0? 8A ?? 88 ?? ?? 80 7? ?? ?? 75 [0-128] 8A ?? ??}
        condition:
                all of ($a*) or all of ($b*)
}

Wazuh alerts

The YARA rules above generate these alerts when executed through the Wazuh active response:

{
        "timestamp": "2020-06-09T08:15:07.187+0000",
        "rule": {
                "level": 10,
                "description": "YARA HiddenWasp_Deployment detected.",
                "id": "100102",
                "firedtimes": 1,
                "mail": false,
                "groups": ["yara"]
        },
        "agent": {
                "id": "001",
                "name": "yara-agent",
                "ip": "10.0.2.x"
        },
        "manager": {
                "name": "wazuh-manager"
        },
        "id": "1591690507.38027",
        "full_log": "wazuh-yara: info: HiddenWasp_Deployment /home/user/script.sh",
        "decoder": {
                "name": "yara"
        },
        "data": {
                "yara_rule": "HiddenWasp_Deployment",
                "file_path": "/home/user/script.sh"
        },
        "location": "/var/ossec/logs/active-responses.log"
}
{
      "timestamp": "2020-06-09T08:18:47.901+0000",
      "rule": {
              "level": 10,
              "description": "YARA HiddenWasp_Rootkit detected.",
              "id": "100102",
              "firedtimes": 1,
              "mail": false,
              "groups": ["yara"]
      },
      "agent": {
              "id": "001",
              "name": "yara-agent",
              "ip": "10.0.2.x"
      },
      "manager": {
              "name": "wazuh-manager"
      },
      "id": "1591690407.33120",
      "full_log": "wazuh-yara: info: HiddenWasp_Rootkit /home/user/binary",
      "decoder": {
              "name": "yara"
      },
      "data": {
              "yara_rule": "HiddenWasp_Rootkit",
              "file_path": "/home/user/binary"
      },
      "location": "/var/ossec/logs/active-responses.log"
}

You can also create custom dashboards in Kibana for this integration.
