Hi Uma Mahesh,
If you want to detect only potentially harmful files, for example executable files, you can use the FIM capability of Wazuh to monitor whether any file is added to any endpoint:
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
Configure FIM on the common download folders in the ossec.conf of the endpoint, e.g.:
    <directories realtime="yes" check_all="yes" report_changes="yes">/etc, /tmp</directories>
FIM will trigger.
Next, you can use a custom rule like this one. Rewrite the rule based on your needs.
<group name="custom_rules">
  <rule id="100554" level="10">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <!-- pcre2 so that the alternation group works and the dot is a literal dot -->
    <regex type="pcre2">\.(sh|bash|zsh|ksh|csh|rc|py|pl|rb|php|jsp|asp|aspx|bat|exe|dll|jar)$</regex>
    <description>Alert on creation or modification of potentially harmful files</description>
  </rule>
</group>
Remember, this XML configuration should be added to your Wazuh local_rules.xml or to any custom rule file you are using.
Next, restart the Wazuh manager.
systemctl restart wazuh-manager
For more information about the Wazuh ruleset, please check the documentation:
https://documentation.wazuh.com/current/user-manual/ruleset/index.html
You can also check the VirusTotal integration guide to scan malicious file hashes:
https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/virus-total-integration.html
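As an added illustration (not part of the post above, and not Wazuh's own matching code), the snippet below runs the extension pattern from the custom rule over a handful of constructed file paths, the way the `file` field of a syscheck event would be tested. It compares the pattern as written in the post, with an unescaped leading dot, against a corrected pattern with a literal dot and case-insensitive matching. The comparison uses Python's `re`, which behaves like Wazuh's pcre2 matcher for this pattern but is an approximation of the engine Wazuh actually runs; the sample paths are constructed for the demonstration.

```python
import re

# Constructed sample paths, shaped like the "file" field of a syscheck_new_entry
# event. They are illustrative only, not captured from a real agent.
SAMPLE_PATHS = [
    "/tmp/dropper.exe",
    "/tmp/update.sh",
    "/home/user/Downloads/payload.jar",
    "/home/user/Downloads/report.pdf",
    "/tmp/notash",          # ends in "sh" with no dot: hit for the unescaped pattern
    "/tmp/archive.tar.gz",
    "/tmp/Tool.EXE",        # upper-case extension: missed by a case-sensitive pattern
]

EXTENSIONS = "sh|bash|zsh|ksh|csh|rc|py|pl|rb|php|jsp|asp|aspx|bat|exe|dll|jar"

# Pattern as written in the post: "." is a metacharacter matching any character,
# so the path only needs to *end* in one of the extension strings.
UNESCAPED = re.compile(rf".({EXTENSIONS})$")

# Corrected pattern: a literal dot must precede the extension, and the match is
# case-insensitive so "Tool.EXE" is treated like "tool.exe".
ESCAPED = re.compile(rf"\.({EXTENSIONS})$", re.IGNORECASE)


def matches(pattern, paths):
    """Return the paths that would fire the rule under the given pattern."""
    return [p for p in paths if pattern.search(p)]


def false_positives(paths):
    """Paths the unescaped pattern alerts on that the corrected one does not."""
    return sorted(set(matches(UNESCAPED, paths)) - set(matches(ESCAPED, paths)))


def missed_by_unescaped(paths):
    """Paths the corrected pattern alerts on that the unescaped one misses."""
    return sorted(set(matches(ESCAPED, paths)) - set(matches(UNESCAPED, paths)))


if __name__ == "__main__":
    print("alerts (corrected pattern):", matches(ESCAPED, SAMPLE_PATHS))
    print("false positives of unescaped pattern:", false_positives(SAMPLE_PATHS))
    print("missed by unescaped pattern:", missed_by_unescaped(SAMPLE_PATHS))
```

Running it shows that the unescaped pattern fires on "/tmp/notash" while staying silent on "/tmp/Tool.EXE", which is why the corrected rule above escapes the dot and why a case-insensitive match is worth considering when tuning the rule to your environment.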