Detecting illegitimate crypto miners


Dhairya Shah

Oct 14, 2022, 1:52:59 AM10/14/22
to Wazuh mailing list
I have started working on implementing crypto miner detection on my Wazuh. I just wanted some advice, in case there is something to look out for that is not mentioned in the documentation. I am also sharing the link to the document I am using for the same.


Thank You

Luis Daniel Avendaño Larios

Oct 14, 2022, 4:33:56 PM10/14/22
to Wazuh mailing list
Hello,

Thanks for using Wazuh!

The guide in our documentation is quite objective about the process to be carried out, but there are points to take into account where you could delve deeper into the topic, such as the custom rules that are created. In this section you could create more child rules to generate personalized alerts according to your requirements. You can read more about creating custom rules in the following documentation:

Custom rules and decoders

It is also important to note the use of Suricata. Suricata is an open source NIDS solution which can be quickly deployed on existing Unix-like hosts to monitor just their own network traffic. You can follow our linked documentation to configure Suricata as a NIDS:

Suricata

I hope this is helpful, let me know if you need anything else.

Regards,

Luis Avendaño

Dhairya Shah

Oct 15, 2022, 3:05:00 AM10/15/22
to Wazuh mailing list
Hello Sir,
Thank you for your support, but my local rule is not working; please help me out.
This is my local rule:
<group name="cryptominer,">

  <rule id="100010" level="10">
    <if_sid>554</if_sid>
    <field name="file"  type="pcre2">~/.ssh/authorized_keys$</field>
    <regex type="pcre2">added</regex>
    <description>SSH authorized_keys file "$(file)" has been added.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

  <rule id="100011" level="10">
    <if_sid>550</if_sid>
    <field name="file"  type="pcre2">~/.ssh/authorized_keys$</field>
    <regex type="pcre2">modified</regex>
    <description>SSH authorized_keys file "$(file)" has been modified.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

</group>

Juan Carlos Tello

Oct 27, 2022, 5:10:51 PM10/27/22
to Dhairya Shah, Wazuh mailing list
Hi Dhairya,
Your custom rule is looking for changes on files whose path matches ~/.ssh/authorized_keys$, but the tilde (~) is a command-line expansion often interpreted by software like bash to reflect the system variable $PWD.
Since Wazuh interprets the logs independently of the user, it will not expand this variable to match the path of home folders.
You do not need to provide the full path for this rule to match, which is why the blog post uses the following expressions instead:
<group name="cryptominer,">
  <rule id="100010" level="10">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">\/authorized_keys$</field>
    <regex type="pcre2">added</regex>
    <description>SSH authorized_keys file "$(file)" has been added.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

  <rule id="100011" level="10">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">\/authorized_keys$</field>
    <regex type="pcre2">modified</regex>
    <description>SSH authorized_keys file "$(file)" has been modified.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>
</group>

If you wish, you may restrict it further to only match the /home/*/.ssh/authorized_keys path (and add similar rules for special home folders like /root/ and /var/lib/):
<group name="cryptominer,">
  <rule id="100010" level="10">
    <if_group>syscheck</if_group>
    <field name="file">/home/\.*/.ssh/authorized_keys$</field>
    <description>SSH authorized_keys file "$(file)" has been modified.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

  <rule id="100011" level="11">
    <if_group>syscheck</if_group>
    <field name="file">/var/lib/\.*/.ssh/authorized_keys$</field>
    <description>SSH authorized_keys file "$(file)" has been modified under /var/lib.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

  <rule id="100012" level="12">
    <if_group>syscheck</if_group>
    <field name="file">/root/.ssh/authorized_keys$</field>
    <description>ROOT SSH authorized_keys file "$(file)" has been modified.</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>
</group>

I hope this helps you; please let us know if you have any more questions we can help with.
Best Regards,
Juan C. Tello

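To see why the tilde pattern never fires while the others do, here is an added Python emulation (not Wazuh's matcher, nor code from this thread) that applies the thread's pcre2 and OS_Regex file patterns to constructed syscheck paths. It assumes Wazuh's OS_Regex convention that `\.` means "any character" and a bare `.` is a literal dot, and it only approximates the real engine for the features these rules use.

```python
import re

# Added example, not Wazuh code: a simplified emulation of how the
# <field name="file"> patterns in this thread match a syscheck file path.
# Handles only the OS_Regex features used here: "\." is "any character",
# a bare "." is a literal dot, and ^ $ * keep their usual meaning.
OSREGEX_ESCAPES = {".": ".", "w": r"\w", "d": r"\d", "s": r"\s", "t": r"\t"}


def osregex_to_python(pattern: str) -> str:
    """Translate a Wazuh OS_Regex pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(OSREGEX_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif ch in "^$*+|()":
            out.append(ch)  # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(ch))  # a bare "." is a literal dot in OS_Regex
            i += 1
    return "".join(out)


def field_matches(regex_type: str, pattern: str, path: str) -> bool:
    """Does a <field type=...> pattern match the file path of an event?"""
    if regex_type != "pcre2":
        pattern = osregex_to_python(pattern)
    return re.search(pattern, path) is not None


# The restricted rule set from the reply above: (rule id, level, OS_Regex pattern).
RESTRICTED_RULES = [
    ("100010", 10, r"/home/\.*/.ssh/authorized_keys$"),
    ("100011", 11, r"/var/lib/\.*/.ssh/authorized_keys$"),
    ("100012", 12, r"/root/.ssh/authorized_keys$"),
]


def classify(path: str):
    """(rule id, level) of the restricted rule that fires, or None if none does.
    The three patterns cover disjoint trees, so at most one can match."""
    for rule_id, level, pattern in RESTRICTED_RULES:
        if field_matches("osregex", pattern, path):
            return rule_id, level
    return None
```

Note that the restricted set deliberately ignores a key file under any other prefix (for example /opt), which the broader `\/authorized_keys$` pattern would still catch.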

Carlos Lopez

Oct 31, 2022, 4:14:17 AM10/31/22
to Juan Carlos Tello, Dhairya Shah, wa...@googlegroups.com
Good morning,

Any news on this?

Best regards,
C. L. Martinez



Carlos Lopez

Oct 31, 2022, 4:14:56 AM10/31/22
to Juan Carlos Tello, Dhairya Shah, wa...@googlegroups.com
Sorry … Forget this email …

Best regards,
C. L. Martinez


Dhairya Shah

Nov 1, 2022, 12:39:07 AM11/1/22
to Wazuh mailing list
Thank you for your help; I have successfully integrated Cryptominer with my Wazuh.