Malicious File Detection: CDB Lists & Active Response
Table of Contents
Introduction
Detecting malicious files is super important for keeping your computer safe. If we don’t catch these bad files, they can mess with our data and even let hackers into our systems! That’s why it’s crucial to have good malware detection.
Malware detection helps us find and get rid of these bad files before they can do any harm. It keeps our data safe and our systems running smoothly. Plus, it helps us stay one step ahead of cyber threats.
In this blog, we’ll learn about a method called CDB list with active response that helps us detect and remove malware. This method works on both Windows and Linux computers.
Here’s how it works: We keep an eye on our computer’s directories, looking for any suspicious changes. When we find a bad file, we use an active response to remove it and keep our system safe.
Exploring CDB Lists
What is CDB Lists?
CDB stand for constant databases are like special lists that help Wazuh keep our systems safe from cyber threats. They store important information like usernames, file hash, IP addresses.
When Wazuh is checking our system for any suspicious activity, it also checks these CDB lists. If it finds a match, it can trigger specific rules to keep our system safe.
For example, if Wazuh finds a file that matches a bad file hash listed in the CDB list, it knows there’s a problem and can take action to keep our system safe.
Structure and Format of CDB Lists
The structure and format of CDB lists in Wazuh are quite straightforward. A CDB list is a plain text file where each line represents a unique key-value pair, separated by a colon :
- Here’s the general structure:
- Keys: Must be unique for each entry.
- Values: Can be repeated and are optional.
- Colon :: Used as a separator between key and value.
- Example of a CDB List Entry:
- key1:value1:
Setting Up CDB Lists in Wazuh
Step 1: Create a CDB list malware-hashes of known malware hashes and save it to the /var/ossec/etc/lists directory on the Wazuh server.
vi /var/ossec/etc/lists/malware-hashesStep 2: To add the hash of malware to the CDB list, you can download the hash value from the VirusShare database. This database provides a comprehensive collection of hash values for various malware samples. You can access the hash values by visiting the VirusShare Hash Database at this link: VirusShare Hash Database.
Step 3: To address the issue of missing colons at the end of each hash value obtained from the website, a Python script is utilized to automatically append the colon to each hash. This step ensures that the hash values are formatted correctly for inclusion in the CDB list used by Wazuh for malware detection.
with open('<path_to_downloaded_hashes_list>', 'r') as istr:
with open('malwarefinal', 'w') as ostr:
for i, line in enumerate(istr):
if i > 5:
line = line.rstrip('\n')
line += ':'
print(line, file=ostr)Step 4: After creating the CDB list, we add it to the manager’s configuration file (ossec.conf) so that it can be used in rules. To do this, we specify the path to the list within the <ruleset> block in the ossec.conf file.
<rulest>
<list>etc/lists/malware-hashes</list>
</ruleset>Step 5: On the agent, we can monitor a folder for any changes in files. To do this, we add a <directories> block in the agent’s configuration file and specify the folder we want to monitor. After making this change, we need to restart the agent for the new configuration to take effect.
<ossec_config>
<syscheck>
<disabled>no</disabled>
<directories check_all="yes" realtime="yes">MONITORED_DIRECTORY_PATH</directories>
</syscheck>
</ossec_config>Then restart the Agent
linux: systemctl restart wazuh-agent
windows: net stop wazuh-agent && net start wazuh-agent
Step 6: Next, we create a custom rule in the file /var/ossec/etc/rules/local_rules.xml. This rule will trigger an alert whenever the hash of a downloaded file matches any hash in the malware blacklist.
<group name="local,malware,">
<rule id="100002" level="5">
<if_sid>554</if_sid>
<list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
<description>A file - $(file) - in the malware blacklist was added to the system.</description>
</rule>
<rule id="100003" level="5">
<if_sid>100002</if_sid>
<field name="file" type="pcre2">(?i)[c-z]:</field>
<description>A file - $(file) - in the malware blacklist was added to the system.</description>
</rule>
</group>
Note : After creating the rule. restart the wazuh manager
systemctl restart wazuh-managerStep 7: To make sure our detection rule is working, we download a test file called eicar.com (you can find it here) into the folder that our system is keeping an eye on. When we do this, we get an alert telling us that the file we downloaded is on the malware blacklist. This shows us that our system is working and keeping us safe from harmful files.
Setting Up Active Response in Wazuh
1.What is Active Response?
Active Response in Wazuh is like having a security guard for your computer. When Wazuh detects something bad, Active Response steps in and takes action right away to stop it.
For example, if Wazuh finds a harmful file on your computer, Active Response can automatically delete it to keep your system safe. It’s like having a superhero that protects your computer from attacker!
Windows EndPoint
Step 1: The remove.py Python script is responsible for removing malware when Active Response is triggered. To ensure it works properly, we need to add the remove.py file to the following directory:
C:\Program Files (x86)\ossec-agent\active-response\
Step 2: Add the following code into the remove.py
#!/usr/bin/python3
import os
import sys
import json
import datetime
if os.name == 'nt':
LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
LOG_FILE = "/var/ossec/logs/active-responses.log"
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3
OS_SUCCESS = 0
OS_INVALID = -1
class message:
def __init__(self):
self.alert = ""
self.command = 0
def write_debug_file(ar_name, msg):
with open(LOG_FILE, mode="a") as log_file:
log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")
def setup_and_check_message(argv):
# get alert from stdin
input_str = ""
for line in sys.stdin:
input_str = line
break
try:
data = json.loads(input_str)
except ValueError:
write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
message.command = OS_INVALID
return message
message.alert = data
command = data.get("command")
if command == "add":
message.command = ADD_COMMAND
elif command == "delete":
message.command = DELETE_COMMAND
else:
message.command = OS_INVALID
write_debug_file(argv[0], 'Not valid command: ' + command)
return message
def send_keys_and_check_message(argv, keys):
# build and send message with keys
keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
write_debug_file(argv[0], keys_msg)
print(keys_msg)
sys.stdout.flush()
# read the response of previous message
input_str = ""
while True:
line = sys.stdin.readline()
if line:
input_str = line
break
# write_debug_file(argv[0], input_str)
try:
data = json.loads(input_str)
except ValueError:
write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
return message
action = data.get("command")
if "continue" == action:
ret = CONTINUE_COMMAND
elif "abort" == action:
ret = ABORT_COMMAND
else:
ret = OS_INVALID
write_debug_file(argv[0], "Invalid value of 'command'")
return ret
def main(argv):
write_debug_file(argv[0], "Started")
# validate json and get command
msg = setup_and_check_message(argv)
if msg.command < 0:
sys.exit(OS_INVALID)
if msg.command == ADD_COMMAND:
alert = msg.alert["parameters"]["alert"]
keys = [alert["rule"]["id"]]
action = send_keys_and_check_message(argv, keys)
# if necessary, abort execution
if action != CONTINUE_COMMAND:
if action == ABORT_COMMAND:
write_debug_file(argv[0], "Aborted")
sys.exit(OS_SUCCESS)
else:
write_debug_file(argv[0], "Invalid command")
sys.exit(OS_INVALID)
try:
os.remove(msg.alert["parameters"]["alert"]["syscheck"]["path"])
write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
except OSError as error:
write_debug_file(argv[0], json.dumps(msg.alert) + "Error removing threat")
else:
write_debug_file(argv[0], "Invalid command")
write_debug_file(argv[0], "Ended")
sys.exit(OS_SUCCESS)
if __name__ == "__main__":
main(sys.argv)
Step 3: To make sure the Python script can run on all Windows agents, even if they don’t have Python installed, we need to create an executable file from the script. We can do this by using a tool called pyinstaller, which converts the script into an executable file.
pyinstaller -F remove-threat.pyStep 4: We copy the built executable to
C:\Program Files (x86)\ossec-agent\active-response\bin
Linux Endpoint
Step1:The remove-threat Python script is responsible for removing malware when Active Response is triggered. To ensure it works properly, we need to add the remove-threat file to the following directory:
/var/ossec/active-response/bin/Step 2: Copy the python code from the Above and append into the remove-threat.
Step 3: Change the file owner and group to root:wazuh, then give the script execution permissions.
chmod 750 /var/ossec/active-response/bin/remove-threat
chown root:wazuh /var/ossec/active-response/bin/remove-threat
Configure in the Wazuh Manager
Now that we’ve placed the active response executable in the bin folder on the agent, we configure the manager to trigger an active response when the malware blacklist detection rule is triggered. In the manager configuration file, we add the following block inside the <ossec_config> block:
<!—Windows -->
<command>
<name>remove-threat-windows</name>
<executable>remove-threat.exe</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>remove-threat-windows</command>
<location>local</location>
<rules_id>100003</rules_id>
</active-response>
<!-- Linux -->
<command>
<name>remove-threat-Linux</name>
<executable>remove-threat</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>remove-threat-Linux</command>
<location>local</location>
<rules_id>100002</rules_id>
</active-response>
Create a rule for the Active response log
We can set up rules to alert us when the active response file removal is successful or fails. To do this, we add the following rule to the /var/ossec/etc/rules/local_rules.xml file on the manager and then restart it.
<rule id="100004" level="7">
<if_sid>657</if_sid>
<match>Successfully removed threat</match>
<description>$(parameters.program): Successfully removed threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
<rule id="100005" level="7">
<if_sid>657</if_sid>
<match>Error removing threat</match>
<description>$(parameters.program): Error removing threat $(parameters.alert.syscheck.path) whose MD5 hash appears in a malware blacklist.</description>
</rule>
Conclusion
In this blog, we’ve learned about the importance of malware detection and how it helps us keep our systems safe from cyber threats. By using CDB lists in Wazuh, we can proactively detect and remove malware by monitoring our system for any suspicious changes. We’ve also explored Active Response, which automatically takes action to stop security threats as soon as they are detected. By setting up Active Response to remove malware when it is detected, we can ensure that our systems stay safe from cyber threats.
