[use cases] Virustotal

[xr09]

Description

Detecting and removing malware - VirusTotal integration

Wazuh has the ability to integrate with VirusTotal API, running a query when a file change is detected. For this integration we use the ossec-integratord component that runs on the Wazuh manager.

Tasks

• [ ] Custom rules and decoders in the Wazuh manager
• [ ] Custom integration script in the Wazuh manager
• [ ] Custom active response script in the monitored endpoint
• [ ] Add documentation

[xr09]

Use case requirements

• A VirusTotal API key (https://www.virustotal.com)
• Python installed on the Wazuh manager
• Custom rules and decoders in the Wazuh manager
• Custom integration script in the Wazuh manager
• Custom active response script in the monitored endpoint

Rules and decoders

This would go into etc/decoders/0520-uses_cases.xml (/var/ossec/ruleset/decoders/0520-uses_cases.xml)

<decoder name="ar_log_fields">
    <parent>ar_log</parent>
    <regex offset="after_parent">^(\S+) Removed positive threat located in (\S+)</regex>
    <order>script_name, path</order>
</decoder>

This would go into etc/uses_cases-rules.xml (/var/ossec/etc/rules/uses_cases-rules.xml)

<group name="syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
    <rule id="100200" level="7">
    <if_sid>550</if_sid>
    <field name="file">{{ linux_virustotal_folder_path }}</field>
    <description>File modified in {{ linux_virustotal_folder_path }} directory.</description>
    <mitre>
    <id>T1492</id>
    </mitre>
    </rule>
    <rule id="100201" level="7">
    <if_sid>554</if_sid>
    <field name="file">{{ linux_virustotal_folder_path }}</field>
    <description>File added in {{ linux_virustotal_folder_path }} directory.</description>
    </rule>
    <rule id="100202" level="7">
    <if_sid>550</if_sid>
    <field name="file">{{ windows_virustotal_folder_path }}</field>
    <description>File modified in {{ windows_virustotal_folder_path }} directory.</description>
    <mitre>
    <id>T1492</id>
    </mitre>
    </rule>
    <rule id="100203" level="7">
    <if_sid>554</if_sid>
    <field name="file">{{ windows_virustotal_folder_path }}</field>
    <description>File added in {{ windows_virustotal_folder_path }} directory.</description>
    </rule>
</group>

<group name="virustotal,">
          <rule id="100092" level="12">
            <if_sid>607</if_sid>
            <match>Removed positive</match>
            <description>$(script_name) Removed positive threat located in $(path)</description>
          </rule>
</group>

Additional ossec.conf configuration

<integration>
    <name>virustotal</name>
    <api_key>{{ virustotal_api_key }}</api_key>
    <rule_id>100200,100201,100202,100203</rule_id>
    <alert_format>json</alert_format>
</integration>

<command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <expect>filename</expect>
    <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
</active-response>

<integration>
    <name>custom-remove-threat</name>
    <rule_id>87105</rule_id>
    <alert_format>json</alert_format>
</integration>

Third party software/files

• integrations/custom-remove-threat
• active-response/bin/remove-threat.sh

Possible approaches and implementation

• The rules would be disabled by default on rules/use_cases.xml and the documentation will guide the user to customize the desired paths on both Windows and Linux to be scanned by Virustotal.
• The user will have to enable the relevant configs on ossec.conf

[xr09]

This format is another proposal to integrate this feature into ossec.conf without the need of external rules on etc/use_cases.xml:

<malware-detector>
    <enabled>yes</enabled>
    <backend>virustotal</backend>
    <api_key>VIRUSTOTAL_API_KEY</api_key>
    <directory remove="yes">/home/wazuh</directory>
    <directory remove="yes">C:\wazuh</directory>
    <directory remove="yes" quarantine="yes">D:\documents</directory>
</malware-detector>

• The backend section would allow implementing alternative backends different than Virustotal in the future. This could be skipped since virustotal will be the default.
• The directory section defines the paths to watch for new files or changes and send to VT, the remove parameter enables the removal of the file in case it's positive for malware. The quarantine parameter will save a copy of the file to a pre-defined location.