{"id":9609,"date":"2021-07-11T21:35:44","date_gmt":"2021-07-11T18:35:44","guid":{"rendered":"https:\/\/kifarunix.com\/?p=9609"},"modified":"2024-03-18T19:39:45","modified_gmt":"2024-03-18T16:39:45","slug":"detecting-malicious-files-with-wazuh-and-virustotal","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/detecting-malicious-files-with-wazuh-and-virustotal\/","title":{"rendered":"Detecting Malicious Files with Wazuh and VirusTotal"},"content":{"rendered":"\n

In this tutorial, you will learn how to detect malicious files with Wazuh and VirusTotal. Wazuh<\/a> is an open source security monitoring platform that supports file integrity monitoring: it watches the file system and identifies changes to the content, permissions, ownership and attributes of the files you need to keep an eye on. In addition, it can identify the user and application that created or modified a file (who-data).<\/p>\n\n\n\n

To detect malicious files, Wazuh can be integrated with VirusTotal, an online service that aggregates the verdicts of many antivirus engines on suspicious files and URLs to identify malware such as trojans and worms.<\/p>\n\n\n\n

The syscheck module of the Wazuh agent detects files added to or modified in the monitored directories and computes their hashes (MD5, SHA1 and SHA256). For every resulting syscheck alert, the integration daemon on the Wazuh manager queries the VirusTotal API with the file hash; only the hash is sent, the file itself never leaves the host. If VirusTotal already has a report for that hash, it returns the number of antivirus engines that flagged the file, and the manager raises a VirusTotal alert on it. A hash that VirusTotal has never seen produces a "no records" result, not a clean bill of health, so a freshly compiled or repacked sample can slip past this check.<\/p>\n\n\n\n
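The flow described above, as an added example that is not part of the original tutorial or of Wazuh's own integration script: it hashes the file the way syscheck does, pulls the hash out of a syscheck alert, looks it up and turns the reply into the found \/ positives \/ total \/ malicious fields. It assumes the VirusTotal v3 files endpoint (https:\/\/www.virustotal.com\/api\/v3\/files\/<hash> with the x-apikey header); the function names, the sample alert and the canned VirusTotal replies are constructed for illustration and are not Wazuh's exact schema. The HTTP fetch is injectable so the whole thing runs offline;<\/p>\n\n\n\n

```python
# Added example, not code from the original tutorial or from Wazuh's own
# virustotal integration script: a minimal re-implementation of the flow above
# (syscheck alert -> file hash -> VirusTotal lookup -> alert fields) that runs
# offline. Assumption: the VirusTotal v3 "files" endpoint with the x-apikey
# header; Wazuh's shipped script may use other field names. Data is constructed.
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"
VT_GUI_PERMALINK = "https://www.virustotal.com/gui/file/"

def hash_chunks(chunks):
    """MD5, SHA1 and SHA256 of a byte stream in one pass: the three digests
    syscheck stores as md5_after / sha1_after / sha256_after."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def file_hashes(path):
    """Hash a file on disk in 64 KiB chunks, as an agent would."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(1 << 16), b""))

def hash_from_syscheck_alert(alert):
    """Pick the post-change hash out of a JSON-format syscheck alert. Only this
    hash is sent to VirusTotal; the file itself never leaves the host."""
    sc = alert["syscheck"]
    return sc.get("sha256_after") or sc.get("sha1_after") or sc["md5_after"]

def interpret_vt_response(status, body):
    """Map an HTTP status and VT v3 body onto the fields a Wazuh VirusTotal alert
    carries (found / positives / total / malicious) plus an error tag.
    404: hash unknown to VT (not proof the file is clean); 429: public API quota
    (4 lookups/minute, 500/day) exhausted; 401: bad API key."""
    base = {"found": False, "positives": 0, "total": 0, "malicious": False, "error": None}
    if status == 404:
        return base
    if status in (401, 429):
        return {**base, "error": "bad_api_key" if status == 401 else "rate_limited"}
    if status != 200:
        return {**base, "error": "http_%d" % status}
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    positives = stats.get("malicious", 0)
    # Engines that returned a verdict; timeouts and unsupported types are excluded.
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return {"found": True, "positives": positives, "total": total,
            "malicious": positives > 0, "error": None}

def _http_get(url, headers):
    """Real HTTPS GET; returns (status, body) for 4xx replies too."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")

def lookup_hash(file_hash, api_key, fetch=None):
    """Query VirusTotal for one hash. `fetch(url, headers) -> (status, body)` is
    injectable so the logic can be exercised without network access."""
    status, body = (fetch or _http_get)(VT_FILES_ENDPOINT + file_hash, {"x-apikey": api_key})
    result = interpret_vt_response(status, body)
    result["permalink"] = VT_GUI_PERMALINK + file_hash
    return result

def process_alert(alert, api_key, fetch=None):
    """Per syscheck alert: build the enrichment block that the integration puts
    under data.virustotal in the resulting Wazuh alert."""
    file_hash = hash_from_syscheck_alert(alert)
    source = {"file": alert["syscheck"]["path"], "sha256": file_hash}
    return {"virustotal": {"source": source, **lookup_hash(file_hash, api_key, fetch)}}

# --- Constructed sample data (not real alerts or VirusTotal replies) -----------
SHA256_ABC = hash_chunks([b"abc"])["sha256"]  # stands in for a known-bad sample
SAMPLE_SYSCHECK_ALERT = {
    "rule": {"id": "554", "description": "File added to the system."},
    "syscheck": {"path": "/etc/suspicious.bin", "event": "added", "sha256_after": SHA256_ABC},
}
CANNED_VT_REPLIES = {
    SHA256_ABC: (200, json.dumps({"data": {"attributes": {"last_analysis_stats": {
        "harmless": 0, "malicious": 57, "suspicious": 1, "undetected": 12, "timeout": 2}}}})),
}

def fake_fetch(url, headers):
    """Offline stand-in for VirusTotal: known hash -> canned report, anything else
    -> 404 NotFoundError, which is how the real API answers for unseen hashes."""
    return CANNED_VT_REPLIES.get(url.rsplit("/", 1)[1], (404, '{"error": {"code": "NotFoundError"}}'))

if __name__ == "__main__":
    print(json.dumps(process_alert(SAMPLE_SYSCHECK_ALERT, "API_KEY", fake_fetch), indent=2))
```

Run it with python3 to print the enrichment block for the constructed sample. Dropping the fake_fetch argument and passing a real key makes lookup_hash query VirusTotal over HTTPS, at which point the public API quota applies and a 429 shows up as error: rate_limited rather than as a missing detection.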

Using Wazuh and VirusTotal to Detect Malicious Files<\/h2>\n\n\n\n

Install and Setup Wazuh Server<\/h3>\n\n\n\n

Before proceeding, we assume that you already have a Wazuh server set up with agents connected and active.<\/p>\n\n\n\n

In this demo, we use Rocky Linux 8 for the Wazuh server. You can use the tutorials below to set up the Wazuh server and agent on Rocky Linux 8.<\/p>\n\n\n\n

Install and setup Wazuh Server on Rocky Linux 8<\/a><\/p>\n\n\n\n

Install Wazuh Agent on Rocky Linux 8<\/a><\/p>\n\n\n\n

Integrate Wazuh Manager with VirusTotal<\/h3>\n\n\n\n

Obtain VirusTotal API Key<\/h4>\n\n\n\n

Next, you need to integrate the Wazuh manager with VirusTotal. For this, you need a VirusTotal API key, which can be either a public or a private one<\/a>. We use a public one in this setup. Note that a public key is rate limited (4 lookups per minute and 500 per day at the time of writing) and the integration performs one lookup per syscheck alert, so on a busy agent the quota can be exhausted quickly; Wazuh raises a dedicated alert when that happens.<\/p>\n\n\n\n

So, sign up for the VirusTotal Community<\/a> to get an API key.<\/p>\n\n\n\n

Once you have created an account and logged into VirusTotal, click on your username at the top right corner > API Key.<\/p>\n\n\n\n


Integrate Wazuh Manager with VirusTotal<\/h4>\n\n\n\n

To integrate the Wazuh manager with VirusTotal, add the configuration below to the \/var\/ossec\/etc\/ossec.conf<\/code> file on the manager. The group filter makes the integration run for every alert in the syscheck group, and the JSON alert format is required because the integration script parses the alert as JSON.<\/p>\n\n\n\n

<integration>\n  <name>virustotal<\/name>\n  <api_key>API_KEY<\/api_key>\n  <group>syscheck<\/group>\n  <alert_format>json<\/alert_format>\n<\/integration><\/code><\/pre>\n\n\n\n

Replace API_KEY with your VirusTotal API key. Treat the key as a secret: it grants access to your VirusTotal quota, so keep ossec.conf readable only by root and the Wazuh service group and do not paste it into tickets or version control. For example, this is what our configuration looks like;<\/p>\n\n\n\n

\n  <integration>\n    <name>virustotal<\/name>\n    <api_key>94e298694ac4a58c323839dcb1ef4cfe36b48bd6beb8a5c7c3aee587117865cf<\/api_key>\n    <group>syscheck<\/group>\n    <alert_format>json<\/alert_format>\n  <\/integration>\n<\/code><\/pre>\n\n\n\n

Open the ossec.conf<\/code> file on the Wazuh manager and add the block;<\/p>\n\n\n\n

vim \/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\n

In our demo, we insert the configuration just above the <!-- Osquery integration --><\/strong> comment, so that the relevant part of ossec.conf looks like this;<\/p>\n\n\n\n

  <!-- Wazuh VirusTotal Integration -->\n  <integration>\n    <name>virustotal<\/name>\n    <api_key>94e298694ac4a58c323839dcb1ef4cfe36b48bd6beb8a5c7c3aee587117865cf<\/api_key>\n    <group>syscheck<\/group>\n    <alert_format>json<\/alert_format>\n  <\/integration>\n\n  <!-- Osquery integration -->\n  <wodle name=\"osquery\">\n    <disabled>yes<\/disabled>\n    <run_daemon>yes<\/run_daemon>\n    <log_path>\/var\/log\/osquery\/osqueryd.results.log<\/log_path>\n    <config_path>\/etc\/osquery\/osquery.conf<\/config_path>\n    <add_labels>yes<\/add_labels>\n  <\/wodle>\n<\/code><\/pre>\n\n\n\n

Once you have updated the configuration file, restart the Wazuh manager service. If the integration does not load (for example because the block is malformed), wazuh-integratord reports it in \/var\/ossec\/logs\/ossec.log, and each lookup it performs is recorded in \/var\/ossec\/logs\/integrations.log;<\/p>\n\n\n\n

systemctl restart wazuh-manager<\/code><\/pre>\n\n\n\n

Enable Wazuh VirusTotal Module<\/h4>\n\n\n\n

The Wazuh VirusTotal module is disabled by default in the Wazuh Kibana app. To enable it, navigate to Kibana Web interface > Wazuh App > Wazuh Settings > Modules<\/strong>. This toggle only controls whether the VirusTotal dashboard is shown; the hash lookups are performed by the manager as soon as the integration block is in ossec.conf, whether or not the module is enabled here.<\/p>\n\n\n\n

Scroll down to the Threat Detection and Response<\/strong> section and toggle the VirusTotal button to enable it.<\/p>\n\n\n\n

Once enabled, you can access the VirusTotal dashboard under Wazuh > Modules > Threat Detection and Response<\/strong> > VirusTotal<\/strong>.<\/p>\n\n\n\n

For now, since we do not have any events yet, the dashboard is empty.<\/p>\n\n\n\n

Demonstrating how Wazuh monitors the directories for Malicious Files<\/h4>\n\n\n\n

By default, the Wazuh agent monitors a number of directories (including \/etc) defined in the agent's ossec.conf<\/strong> file under the <!-- File integrity monitoring --><\/code><\/strong> section, that is, the syscheck block.<\/p>\n\n\n\n

To demonstrate this, we will place a known malware sample under the \/etc<\/strong> directory and see what events we get on the Wazuh dashboard.<\/p>\n\n\n\n

NOTE: This is done on an isolated, temporary test system. Do not place malicious files on your production systems!<\/strong> We cannot be held responsible for what malicious files may do to your system.<\/p>\n\n\n\n

As already mentioned, we are using a test system, so we downloaded some sample malware files from the InQuest\/malware-samples<\/a> GitHub repository into the \/etc directory of the Wazuh agent. Both the archive and the extracted sample are listed below; syscheck hashes each file separately, so each one gets its own VirusTotal lookup;<\/p>\n\n\n\n

ls -1 \/etc\/[0-9]*<\/code><\/pre>\n\n\n\n
\/etc\/02c51604604a7faae0b82aab08d9e3693525454be210b73e76294b4594762c78\n\/etc\/240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762\n\/etc\/240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762.zip<\/code><\/pre>\n\n\n\n

Note that we also reduced the Wazuh agent's syscheck scan frequency from the default of 12 hours (43200 seconds) to one minute, purely for demo purposes. A periodic scan that frequent is expensive on a real system; the better option is to add realtime="yes" to the directory entries you care about in the agent's syscheck block, so that new files are detected as soon as they are written.<\/p>\n\n\n\n

...    \n    <!-- Frequency that syscheck is executed default every 12 hours -->\n    <frequency>60<\/frequency>\n...<\/code><\/pre>\n\n\n\n

For any change made to ossec.conf, you need to restart the agent for it to take effect.<\/strong><\/p>\n\n\n\n

Verify Malware Detection Events on Wazuh Manager<\/h4>\n\n\n\n

Once the files are placed on the agent and the next syscheck scan has run, you should see events on the Wazuh manager dashboard.<\/p>\n\n\n\n

Navigate to Wazuh > Modules > Threat Detection and Response<\/strong> > VirusTotal<\/strong>.<\/p>\n\n\n\n

Click Events<\/strong> to see the related events.<\/p>\n\n\n\n

You can click the VirusTotal links (the permalink carried in each alert) to see the full scan report for the file.<\/p>\n\n\n\n

Also, under Security Events you should see the syscheck alerts for the files added to the system alongside the VirusTotal alerts. In the default ruleset, a file flagged by one or more engines raises rule 87105 (level 12), a hash VirusTotal does not know raises rule 87103, and an exhausted public API quota raises rule 87101, so a missing detection is worth checking against those last two before concluding that a file is clean.<\/p>\n\n\n\n

And that is all on our guide on how to integrate Wazuh with VirusTotal for detecting malicious files.<\/p>\n\n\n\n

Further Reading<\/h3>\n\n\n\n

Wazuh – About VirusTotal<\/a><\/p>\n\n\n\n

Other Tutorials<\/h3>\n\n\n\n

Intercept Malicious File Upload with ModSecurity and ClamAV<\/a><\/p>\n\n\n\n

Install and use ClamAV on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this tutorial, you will learn how to detect malicious files with Wazuh and VirusTotal. Wazuh is an open source security monitoring system that supports file<\/p>\n","protected":false},"author":3,"featured_media":9623,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72],"tags":[3827,1920,3828,3830,3831,3829],"class_list":["post-9609","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","tag-detect-malicious-files-using-wazuh","tag-file-integrity-monitoring","tag-integrate-wazuh-with-virus-total","tag-malware-detection-with-wazuh","tag-threat-detection-with-wazuh","tag-virus-total","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9609"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=9609"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9609\/revisions"}],"predecessor-version":[{"id":21734,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9609\/revisions\/21734"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9623"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=9609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=9609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=9609"}],"curies":[{"
name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}