Malicious File Detection: CDB Lists & Active Response

Mulayam Yadav

Apr 26, 2024

8 Min

TABLE OF CONTENTS

  1. Introduction
  2. Exploring CDB Lists
  3. Setting Up CDB Lists in Wazuh
  4. Setting Up Active Response in Wazuh
  5. Windows Endpoint
  6. Linux Endpoint
  7. Configure in the Wazuh Manager
  8. Create a rule for the Active response log
  9. Conclusion

Introduction

Detecting malicious files is super important for keeping your computer safe. If we don’t catch these bad files, they can mess with our data and even let hackers into our systems! That’s why it’s crucial to have good malware detection.

Malware detection helps us find and get rid of these bad files before they can do any harm. It keeps our data safe and our systems running smoothly. Plus, it helps us stay one step ahead of cyber threats.

In this blog, we’ll learn about a method called CDB list with active response that helps us detect and remove malware. This method works on both Windows and Linux computers.

Here’s how it works: We keep an eye on our computer’s directories, looking for any suspicious changes. When we find a bad file, we use an active response to remove it and keep our system safe.

Exploring CDB Lists

What is CDB Lists?

CDB stand for constant databases are like special lists that help Wazuh keep our systems safe from cyber threats. They store important information like usernames, file hash, IP addresses.

When Wazuh is checking our system for any suspicious activity, it also checks these CDB  lists. If it finds a match, it can trigger specific rules to keep our system safe.

For example, if Wazuh finds a file that matches a bad file hash listed in the CDB list, it knows there’s a problem and can take action to keep our system safe.

Structure and Format of CDB Lists

The structure and format of CDB lists in Wazuh are quite straightforward. A CDB list is a plain text file where each line represents a unique key-value pair, separated by a colon :

  • Here’s the general structure:
  • Keys: Must be unique for each entry.
  • Values: Can be repeated and are optional.
  • Colon :: Used as a separator between key and value.
  • Example of a CDB List Entry:
  • key1: value1

Setting Up CDB Lists in Wazuh

Step 1: Create a CDB list malware-hashes of known malware hashes and save it to the /var/ossec/etc/lists directory on the Wazuh server.

vi /var/ossec/etc/lists/malware-hashes

Step 2: To add the hash of malware to the CDB list, you can download the hash value from the VirusShare database. This database provides a comprehensive collection of hash values for various malware samples. You can access the hash values by visiting the VirusShare Hash Database at this link: VirusShare Hash Database.

Step 3: To address the issue of missing colons at the end of each hash value obtained from the website, a Python script is utilized to automatically append the colon to each hash. This step ensures that the hash values are formatted correctly for inclusion in the CDB list used by Wazuh for malware detection.

with open('<path_to_downloaded_hashes_list>', 'r') as istr:
    with open('malwarefinal', 'w') as ostr:
        for i, line in enumerate(istr):
            if i > 5:
                line = line.rstrip('\n')
                line += ':'
                print(line, file=ostr)

Step 4: After creating the CDB list, we add it to the manager’s configuration file (ossec.conf) so that it can be used in rules. To do this, we specify the path to the list within the <ruleset> block in the ossec.conf file.

<rulest>
<list>etc/lists/malware-hashes</list>
</ruleset>

Step 5: On the agent, we can monitor a folder for any changes in files. To do this, we add a <directories> block in the agent’s configuration file and specify the folder we want to monitor. After making this change, we need to restart the agent for the new configuration to take effect.

<ossec_config>
<syscheck>
<disabled>no</disabled>
<directories check_all="yes" realtime="yes">MONITORED_DIRECTORY_PATH</directories>
</syscheck>
</ossec_config>Then restart the Agent 
linux: systemctl restart wazuh-agent
windows: net stop wazuh-agent && net start wazuh-agent

Step 6: Next, we create a custom rule in the file /var/ossec/etc/rules/local_rules.xml. This rule will trigger an alert whenever the hash of a downloaded file matches any hash in the malware blacklist.

<group name="local,malware,">
<rule id="100002" level="5">
<if_sid>554</if_sid>
<list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
<description>A file - $(file) - in the malware blacklist was added to the system.</description>
</rule>
<rule id="100003" level="5">
<if_sid>100002</if_sid>
<field name="file" type="pcre2">(?i)[c-z]:</field>
<description>A file - $(file) - in the malware blacklist was added to the system.</description>
</rule>
</group>
Note : After creating the rule. restart the wazuh manager 
systemctl restart wazuh-manager

Step 7: To make sure our detection rule is working, we download a test file called eicar.com (you can find it here) into the folder that our system is keeping an eye on. When we do this, we get an alert telling us that the file we downloaded is on the malware blacklist. This shows us that our system is working and keeping us safe from harmful files.

2 (1).jpg

Setting Up Active Response in Wazuh

1. What is Active Response?

Active Response in Wazuh is like having a security guard for your computer. When Wazuh detects something bad, Active Response steps in and takes action right away to stop it.

For example, if Wazuh finds a harmful file on your computer, Active Response can automatically delete it to keep your system safe. It’s like having a superhero that protects your computer from attacker!

Windows Endpoint

Step 1: The remove.py Python script is responsible for removing malware when Active Response is triggered. To ensure it works properly, we need to add the remove.py file to the following directory:

C:\Program Files (x86)\ossec-agent\active-response\

Step 2: Add the following code into the remove.py

#!/usr/bin/python3
 
import os
import sys
import json
import datetime
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3 
OS_SUCCESS = 0
OS_INVALID = -1
class message:
    def __init__(self):
        self.alert = ""
        self.command = 0
def write_debug_file(ar_name, msg):
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")
def setup_and_check_message(argv):
    # get alert from stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message
    message.alert = data
    command = data.get("command")
    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + command)
    return message
def send_keys_and_check_message(argv, keys):
    # build and send message with keys
    keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
    write_debug_file(argv[0], keys_msg)
    print(keys_msg)
    sys.stdout.flush()
    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break
    # write_debug_file(argv[0], input_str)
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return message
    action = data.get("command")
    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")
    return ret
def main(argv):
    write_debug_file(argv[0], "Started")
    # validate json and get command
    msg = setup_and_check_message(argv)
    if msg.command < 0:
        sys.exit(OS_INVALID)
    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)
        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)
        try:
            os.remove(msg.alert["parameters"]["alert"]["syscheck"]["path"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + "Error removing threat")
    else:
        write_debug_file(argv[0], "Invalid command")
    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)
if __name__ == "__main__":
    main(sys.argv)

Step 3: To make sure the Python script can run on all Windows agents, even if they don’t have Python installed, we need to create an executable file from the script. We can do this by using a tool called pyinstaller, which converts the script into an executable file.

pyinstaller -F remove-threat.py

Step 4: We copy the built executable to

C:\Program Files (x86)\ossec-agent\active-response\bin

Linux Endpoint

Step1:The remove-threat Python script is responsible for removing malware when Active Response is triggered. To ensure it works properly, we need to add the remove-threat file to the following directory:

/var/ossec/active-response/bin/

Step 2: Copy the python code from the Above and append into the remove-threat.

Step 3: Change the file owner and group to root:wazuh, then give the script execution permissions.

chmod 750 /var/ossec/active-response/bin/remove-threat

chown root:wazuh /var/ossec/active-response/bin/remove-threat

Configure in the Wazuh Manager

Now that we’ve placed the active response executable in the bin folder on the agent, we configure the manager to trigger an active response when the malware blacklist detection rule is triggered. In the manager configuration file, we add the following block inside the <ossec_config> block:

<!—Windows  -->
<command>
   <name>remove-threat-windows</name>
   <executable>remove-threat.exe</executable>
   <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
   <disabled>no</disabled>
   <command>remove-threat-windows</command>
   <location>local</location>
   <rules_id>100003</rules_id>
</active-response>
<!-- Linux -->
<command>
   <name>remove-threat-Linux</name>
   <executable>remove-threat</executable>
   <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
   <disabled>no</disabled>
   <command>remove-threat-Linux</command>
   <location>local</location>
   <rules_id>100002</rules_id>
</active-response>

3 (1).jpg4 (1).jpg

Create a rule for the Active response log

We can set up rules to alert us when the active response file removal is successful or fails. To do this, we add the following rule to the /var/ossec/etc/rules/local_rules.xml file on the manager and then restart it.

<rule id="100004" level="7">
<if_sid>657</if_sid>
<match>Successfully removed threat</match>
<description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
<rule id="100005" level="7">
<if_sid>657</if_sid>
<match>Error removing threat</match>
<description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>

4 (1).jpg

Conclusion

In this blog, we’ve learned about the importance of malware detection and how it helps us keep our systems safe from cyber threats. By using CDB lists in Wazuh, we can proactively detect and remove malware by monitoring our system for any suspicious changes. We’ve also explored Active Response, which automatically takes action to stop security threats as soon as they are detected. By setting up Active Response to remove malware when it is detected, we can ensure that our systems stay safe from cyber threats.

Mulayam Yadav
Mulayam YadavSOC Analyst
linkedin

SOC Analyst with expertise in incident monitoring, Configuration wazuh-server. Holds a Bachelor’s degree in Computer Science from Dr. A. P. J. Abdul Kalam Technical University (AKTU).

Share

Take complete control of your cybersecurity

Get free guidance from certified experts or build tailored strategies with our team now.