wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Integration with yara not working #24379

Open yjchew opened 2 months ago

yjchew commented 2 months ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.0 | active response | agent | Packages/Sources | windows 7 x64 vm |

Followed the documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html to set up yara. But there was no alert when I tested it. I tried manually running yara.exe on the command prompt and it worked.


I then checked the active-responses.log and found that there was nothing related to yara, which I assume should not be the case if it was working properly. This led me to believe that the yara.bat on my agent is not working properly, as the line I added in ossec.conf to monitor "C:\Users\user\Downloads" is working properly (I was able to see files being added to that path). Is there anything I did wrong?

yara.bat

@echo off

setlocal enableDelayedExpansion

REM Pick the agent install directory from the CPU architecture
REM (a 32-bit Windows reports "x86" in the CentralProcessor identifier).
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

REM wazuh-execd hands the triggering alert to this script as one JSON line on stdin.
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

REM The remaining paths are hardcoded to the 64-bit install location.
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

REM Extract the FIM path of the file that raised the alert.
for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
    set syscheck_file_path=%%F
)

del /f %json_file_path%
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
REM Writes the path being scanned to active-responses.log.
echo %syscheck_file_path% >> %log_file_path%
REM Every line yara prints is a match, formatted as "<rule_name> <path>".
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
)

exit /b

ossec.conf

<!--
  Wazuh - Agent - Default configuration for Windows
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>

  <client>
    <server>
      <address>192.168.239.138</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>windows, windows7</config-profile>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Security Configuration Assessment -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>

    <directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\user\Desktop</directories>

    <directories check_all="yes" realtime="yes">C:\Users\user\Downloads</directories>

    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->
RyanInsolencee commented 1 month ago

Are you still having this issue? If not, how did you fix it? I have the same issue. I guess when rule 554 is triggered the syscheck rules don't trigger, which makes the yara not trigger as well. Been waiting for support to get back to me as well.

yjchew commented 1 month ago

> Are you still having this issue? If not, how did you fix it? I have the same issue. I guess when rule 554 is triggered the syscheck rules don't trigger, which makes the yara not trigger as well. Been waiting for support to get back to me as well.

Nope, it is still not working and I gave up on implementing it. Best of luck to you :)

PeZzZzZz commented 1 month ago

Hi there, the agent on Windows is new for me; I'm facing the same issue. I can trigger 100303, 100304 but they didn't trigger the yara rule.

The only log files that I find are gzipped.

PeZzZzZz commented 1 month ago

When I run yara64.exe manually I get this result:

& "C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe" -D -r "C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar" C:\Users\admin\Downloads\eicar.txt

math
        MEAN_BYTES = 127.500000
pe
        number_of_signatures = YR_UNDEFINED
        signatures
        pdb_path = YR_UNDEFINED
        number_of_resources = YR_UNDEFINED
        resources
        resource_version
                minor = YR_UNDEFINED
                major = YR_UNDEFINED
        resource_timestamp = YR_UNDEFINED
        delay_import_details
        import_details
        export_details
        export_timestamp = YR_UNDEFINED
        dll_name = YR_UNDEFINED
        number_of_exports = YR_UNDEFINED
        number_of_delayed_imported_functions = YR_UNDEFINED
        number_of_delayed_imports = YR_UNDEFINED
        number_of_imported_functions = YR_UNDEFINED
        number_of_imports = YR_UNDEFINED
        IMPORT_ANY = -1
        IMPORT_STANDARD = 1
        IMPORT_DELAYED = 2
        rich_signature
                clear_data = YR_UNDEFINED
                raw_data = YR_UNDEFINED
                key = YR_UNDEFINED
                length = YR_UNDEFINED
                offset = YR_UNDEFINED
        overlay
                size = YR_UNDEFINED
                offset = YR_UNDEFINED
        sections
        data_directories
        loader_flags = YR_UNDEFINED
        size_of_heap_commit = YR_UNDEFINED
        size_of_heap_reserve = YR_UNDEFINED
        size_of_stack_commit = YR_UNDEFINED
        size_of_stack_reserve = YR_UNDEFINED
        dll_characteristics = YR_UNDEFINED
        subsystem = YR_UNDEFINED
        checksum = YR_UNDEFINED
        size_of_headers = YR_UNDEFINED
        size_of_image = YR_UNDEFINED
        win32_version_value = YR_UNDEFINED
        subsystem_version
                minor = YR_UNDEFINED
                major = YR_UNDEFINED
        image_version
                minor = YR_UNDEFINED
                major = YR_UNDEFINED
        os_version
                minor = YR_UNDEFINED
                major = YR_UNDEFINED
        linker_version
                minor = YR_UNDEFINED
                major = YR_UNDEFINED
        file_alignment = YR_UNDEFINED
        section_alignment = YR_UNDEFINED
        base_of_data = YR_UNDEFINED
        base_of_code = YR_UNDEFINED
        size_of_uninitialized_data = YR_UNDEFINED
        size_of_initialized_data = YR_UNDEFINED
        size_of_code = YR_UNDEFINED
        opthdr_magic = YR_UNDEFINED
        version_info_list
        version_info
        number_of_version_infos = YR_UNDEFINED
        number_of_rva_and_sizes = YR_UNDEFINED
        image_base = YR_UNDEFINED
        entry_point_raw = YR_UNDEFINED
        entry_point = YR_UNDEFINED
        characteristics = YR_UNDEFINED
        size_of_optional_header = YR_UNDEFINED
        number_of_symbols = YR_UNDEFINED
        pointer_to_symbol_table = YR_UNDEFINED
        timestamp = YR_UNDEFINED
        number_of_sections = YR_UNDEFINED
        machine = YR_UNDEFINED
        is_pe = 0
        IMAGE_DEBUG_TYPE_REPRO = 16
        IMAGE_DEBUG_TYPE_MPX = 15
        IMAGE_DEBUG_TYPE_ILTCG = 14
        IMAGE_DEBUG_TYPE_POGO = 13
        IMAGE_DEBUG_TYPE_VC_FEATURE = 12
        IMAGE_DEBUG_TYPE_CLSID = 11
        IMAGE_DEBUG_TYPE_RESERVED10 = 10
        IMAGE_DEBUG_TYPE_BORLAND = 9
        IMAGE_DEBUG_TYPE_OMAP_FROM_SRC = 8
        IMAGE_DEBUG_TYPE_OMAP_TO_SRC = 7
        IMAGE_DEBUG_TYPE_FIXUP = 6
        IMAGE_DEBUG_TYPE_EXCEPTION = 5
        IMAGE_DEBUG_TYPE_MISC = 4
        IMAGE_DEBUG_TYPE_FPO = 3
        IMAGE_DEBUG_TYPE_CODEVIEW = 2
        IMAGE_DEBUG_TYPE_COFF = 1
        IMAGE_DEBUG_TYPE_UNKNOWN = 0
        RESOURCE_TYPE_MANIFEST = 24
        RESOURCE_TYPE_HTML = 23
        RESOURCE_TYPE_ANIICON = 22
        RESOURCE_TYPE_ANICURSOR = 21
        RESOURCE_TYPE_VXD = 20
        RESOURCE_TYPE_PLUGPLAY = 19
        RESOURCE_TYPE_DLGINCLUDE = 17
        RESOURCE_TYPE_VERSION = 16
        RESOURCE_TYPE_GROUP_ICON = 14
        RESOURCE_TYPE_GROUP_CURSOR = 12
        RESOURCE_TYPE_MESSAGETABLE = 11
        RESOURCE_TYPE_RCDATA = 10
        RESOURCE_TYPE_ACCELERATOR = 9
        RESOURCE_TYPE_FONT = 8
        RESOURCE_TYPE_FONTDIR = 7
        RESOURCE_TYPE_STRING = 6
        RESOURCE_TYPE_DIALOG = 5
        RESOURCE_TYPE_MENU = 4
        RESOURCE_TYPE_ICON = 3
        RESOURCE_TYPE_BITMAP = 2
        RESOURCE_TYPE_CURSOR = 1
        SECTION_SCALE_INDEX = 1
        SECTION_MEM_WRITE = 2147483648
        SECTION_MEM_READ = 1073741824
        SECTION_MEM_EXECUTE = 536870912
        SECTION_MEM_SHARED = 268435456
        SECTION_MEM_NOT_PAGED = 134217728
        SECTION_MEM_NOT_CACHED = 67108864
        SECTION_MEM_DISCARDABLE = 33554432
        SECTION_LNK_NRELOC_OVFL = 16777216
        SECTION_ALIGN_MASK = 15728640
        SECTION_ALIGN_8192BYTES = 14680064
        SECTION_ALIGN_4096BYTES = 13631488
        SECTION_ALIGN_2048BYTES = 12582912
        SECTION_ALIGN_1024BYTES = 11534336
        SECTION_ALIGN_512BYTES = 10485760
        SECTION_ALIGN_256BYTES = 9437184
        SECTION_ALIGN_128BYTES = 8388608
        SECTION_ALIGN_64BYTES = 7340032
        SECTION_ALIGN_32BYTES = 6291456
        SECTION_ALIGN_16BYTES = 5242880
        SECTION_ALIGN_8BYTES = 4194304
        SECTION_ALIGN_4BYTES = 3145728
        SECTION_ALIGN_2BYTES = 2097152
        SECTION_ALIGN_1BYTES = 1048576
        SECTION_MEM_PRELOAD = 524288
        SECTION_MEM_LOCKED = 262144
        SECTION_MEM_16BIT = 131072
        SECTION_MEM_PURGEABLE = 131072
        SECTION_MEM_FARDATA = 32768
        SECTION_GPREL = 32768
        SECTION_NO_DEFER_SPEC_EXC = 16384
        SECTION_LNK_COMDAT = 4096
        SECTION_LNK_REMOVE = 2048
        SECTION_LNK_INFO = 512
        SECTION_LNK_OTHER = 256
        SECTION_CNT_UNINITIALIZED_DATA = 128
        SECTION_CNT_INITIALIZED_DATA = 64
        SECTION_CNT_CODE = 32
        SECTION_NO_PAD = 8
        IMAGE_ROM_OPTIONAL_HDR_MAGIC = 263
        IMAGE_NT_OPTIONAL_HDR64_MAGIC = 523
        IMAGE_NT_OPTIONAL_HDR32_MAGIC = 267
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13
        IMAGE_DIRECTORY_ENTRY_IAT = 12
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
        IMAGE_DIRECTORY_ENTRY_TLS = 9
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT = 7
        IMAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7
        IMAGE_DIRECTORY_ENTRY_DEBUG = 6
        IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
        IMAGE_DIRECTORY_ENTRY_SECURITY = 4
        IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
        IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
        IMAGE_DIRECTORY_ENTRY_IMPORT = 1
        IMAGE_DIRECTORY_ENTRY_EXPORT = 0
        BYTES_REVERSED_HI = 32768
        UP_SYSTEM_ONLY = 16384
        DLL = 8192
        SYSTEM = 4096
        NET_RUN_FROM_SWAP = 2048
        REMOVABLE_RUN_FROM_SWAP = 1024
        DEBUG_STRIPPED = 512
        MACHINE_32BIT = 256
        BYTES_REVERSED_LO = 128
        LARGE_ADDRESS_AWARE = 32
        AGGRESIVE_WS_TRIM = 16
        LOCAL_SYMS_STRIPPED = 8
        LINE_NUMS_STRIPPED = 4
        EXECUTABLE_IMAGE = 2
        RELOCS_STRIPPED = 1
        TERMINAL_SERVER_AWARE = 32768
        GUARD_CF = 16384
        WDM_DRIVER = 8192
        APPCONTAINER = 4096
        NO_BIND = 2048
        NO_SEH = 1024
        NO_ISOLATION = 512
        NX_COMPAT = 256
        FORCE_INTEGRITY = 128
        DYNAMIC_BASE = 64
        HIGH_ENTROPY_VA = 32
        SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16
        SUBSYSTEM_XBOX = 14
        SUBSYSTEM_EFI_ROM_IMAGE = 13
        SUBSYSTEM_EFI_RUNTIME_DRIVER = 12
        SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11
        SUBSYSTEM_EFI_APPLICATION = 10
        SUBSYSTEM_WINDOWS_CE_GUI = 9
        SUBSYSTEM_NATIVE_WINDOWS = 8
        SUBSYSTEM_POSIX_CUI = 7
        SUBSYSTEM_OS2_CUI = 5
        SUBSYSTEM_WINDOWS_CUI = 3
        SUBSYSTEM_WINDOWS_GUI = 2
        SUBSYSTEM_NATIVE = 1
        SUBSYSTEM_UNKNOWN = 0
        MACHINE_CEE = 49390
        MACHINE_CEF = 3311
        MACHINE_TRICORE = 1312
        MACHINE_AXP64 = 644
        MACHINE_ALPHA64 = 644
        MACHINE_SH3E = 420
        MACHINE_ALPHA = 388
        MACHINE_R10000 = 360
        MACHINE_R3000 = 354
        MACHINE_TARGET_HOST = 1
        MACHINE_WCEMIPSV2 = 361
        MACHINE_THUMB = 450
        MACHINE_SH5 = 424
        MACHINE_SH4 = 422
        MACHINE_SH3DSP = 419
        MACHINE_SH3 = 418
        MACHINE_R4000 = 358
        MACHINE_POWERPCFP = 497
        MACHINE_POWERPC = 496
        MACHINE_MIPSFPU16 = 1126
        MACHINE_MIPSFPU = 870
        MACHINE_MIPS16 = 614
        MACHINE_M32R = 36929
        MACHINE_IA64 = 512
        MACHINE_I386 = 332
        MACHINE_EBC = 3772
        MACHINE_ARM64 = 43620
        MACHINE_ARMNT = 452
        MACHINE_ARM = 448
        MACHINE_AMD64 = 34404
        MACHINE_AM33 = 467
        MACHINE_UNKNOWN = 0

Content of the eicar.txt file

X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Same result with the eicar.zip test file from the Wazuh doc. I checked the yara_rules.yar file; EICAR is well declared.

Any idea why there is no detection (YR_UNDEFINED)?

PeZzZzZz commented 1 month ago

Finally it works with a sample like xbash (from the Wazuh yara Linux doc).

(the 554 is a debug file created by yara.bat)

Fahad-alkamli commented 4 weeks ago

I am also having this issue. I do not get any alerts even though my active response is running, and on my Windows machine I checked active-responses.log and found the result for the scan as shown below:

wazuh-yara: INFO - Scan result: SUSP_Just_EICAR_RID2C24 c:\users\pc-fahad\downloads\eicar.com

I am following the Windows client part of the tutorial from this link: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html

/var/ossec/etc/ossec.conf content:

<ossec_config>
  <command>
    <name>yara_windows</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>yara_windows</command>
    <location>local</location>
    <rules_id>100304</rules_id>
  </active-response>
</ossec_config>

The local_decoder:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

local_rules:

<group name="syscheck,">
  <rule id="100303" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\pc-fahad\\Downloads</field>
    <description>File modified in C:\Users\pc-fahad\Downloads directory. Yara-</description>
  </rule>
  <rule id="100304" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\pc-fahad\\Downloads</field>
    <description>File added to C:\Users\pc-fahad\Downloads  directory -Yara.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

I have been going on about this issue for the past two days! Everything works fine except I don't get any alerts on the Threat Hunting dashboard! I can see the file is being added and detected by Yara in the File Integrity Monitoring dashboard, and the script actually works fine. I have added a line to delete the file if the yara result is positive on the client machine. yara.bat:


@echo off

setlocal enableDelayedExpansion

REM Pick the agent install directory from the CPU architecture.
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

REM wazuh-execd hands the triggering alert to this script as one JSON line on stdin.
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

REM Extract the FIM path of the file that raised the alert.
for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
    set syscheck_file_path=%%F
)

del /f %json_file_path%
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"

REM Every line yara prints is a match; log it, then remove the matched file.
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Quote the path so deletion also works when it contains spaces.
    del /f "%syscheck_file_path%"
)

exit /b

any help is appreciated.
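As an added example (not code from this thread, from Wazuh, or from any of the commenters), the following Python models offline the two halves of the chain that the first post's yara.bat and the decoder in the comment above depend on: the JSON that wazuh-execd pipes into yara.bat on stdin, from which the script extracts `parameters.alert.syscheck.path`, and the manager-side `yara_decoder1` regex that turns the `wazuh-yara: INFO - Scan result: ...` line back into `log_type`, `yara_rule` and `yara_scanned_file`. The active-response message is a constructed stand-in trimmed to the fields the script reads; the rule name and path are taken from the log line quoted in the comment above. It also exercises a caveat visible in that regex: `\S+` stops at the first space, so a scanned path containing a space is captured truncated.

```python
"""Offline model of the Wazuh/YARA active-response chain from this thread.

Two halves: (1) the JSON the agent pipes into yara.bat on stdin, from which
the script pulls parameters.alert.syscheck.path, and (2) the manager-side
decoder regex (yara_decoder1) that turns the "wazuh-yara: ..." log line
back into fields. Sample data below is constructed, not captured.
"""
import json
import re
from typing import Optional

# Constructed stand-in for the message wazuh-execd hands to yara.bat on
# stdin (Wazuh 4.x JSON active-response format). Only the fields yara.bat
# actually reads matter here; the alert body is trimmed to them.
SAMPLE_AR_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-analysisd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "100304", "level": 7},
            "agent": {"id": "001", "name": "win7-lab"},
            "syscheck": {
                "path": r"c:\users\pc-fahad\downloads\eicar.com",
                "event": "added",
            },
        },
    },
})

# Same pattern as decoder yara_decoder1 on the page. Wazuh's regex engine is
# not Python's, but literal text, spaces, \S+ and capture groups behave the
# same here, so the captured values are identical.
YARA_DECODER_RE = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
DECODER_ORDER = ("log_type", "yara_rule", "yara_scanned_file")


def syscheck_path_from_ar_stdin(line: str) -> Optional[str]:
    """What yara.bat's ConvertFrom-Json step does: extract the FIM path."""
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    alert = msg.get("parameters", {}).get("alert", {})
    return alert.get("syscheck", {}).get("path")


def yara_log_line(rule_name: str, path: str) -> str:
    """The line yara.bat appends to active-responses.log per YARA match."""
    return f"wazuh-yara: INFO - Scan result: {rule_name} {path}"


def decode_yara_line(line: str) -> Optional[dict]:
    """Apply the decoder regex; keys follow the decoder's <order> element."""
    m = YARA_DECODER_RE.search(line)
    if not m:
        return None
    return dict(zip(DECODER_ORDER, m.groups()))


def simulate_chain(ar_stdin: str, matched_rule: str) -> Optional[dict]:
    """AR stdin JSON -> scanned path -> log line -> decoded fields."""
    path = syscheck_path_from_ar_stdin(ar_stdin)
    if path is None:
        return None
    return decode_yara_line(yara_log_line(matched_rule, path))


if __name__ == "__main__":
    print(simulate_chain(SAMPLE_AR_MESSAGE, "SUSP_Just_EICAR_RID2C24"))
    # Caveat in the page's regex: \S+ stops at the first space, so a path
    # with a space is captured truncated (yara_scanned_file ends at "my").
    spaced = r"C:\Users\user\Downloads\my file.exe"
    print(decode_yara_line(yara_log_line("SomeRule", spaced)))
```

If the offline model decodes the line but the dashboard still shows nothing, the gap is on the manager: paste the exact `wazuh-yara: ...` line from active-responses.log into /var/ossec/bin/wazuh-logtest there to confirm that yara_decoder1 and rule 108001 fire on the running ruleset, since the decoder and rule files only take effect after the manager reloads them.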

PeZzZzZz commented 4 weeks ago

Yes, the yara file from the doc is just an example of a yara file and should not be used for production. For more useful yara rules -> yara forge

EICAR will be detected, and other malware families.

Fahad-alkamli commented 4 weeks ago

> Yes, the yara file from the doc is just an example of a yara file and should not be used for production. For more useful yara rules -> yara forge
>
> EICAR will be detected, and other malware families.

Yeah, but the issue is not the rules; it's not getting anything on the dashboard. But thanks.

PeZzZzZz commented 4 weeks ago

My 2 cents, I didn't read well.

Do you see your rule ID 100304 triggered in the dashboard, or at least 554?

Fahad-alkamli commented 4 weeks ago

> My 2 cents, I didn't read well.
>
> Do you see your rule ID 100304 triggered in the dashboard, or at least 554?

I only get 100304 triggered in the File Integrity Monitoring dashboard, and the script is being executed fine by the active response. I can confirm that by the test virus getting deleted and by the active-responses.log file on my Windows machine. But nothing on the Threat Hunting dashboard.