ROOTCHECK for windows does not work on files


E0wl

Sep 23, 2021, 1:26:07 AM
to Wazuh mailing list

Wazuh 4.2 | ROOTCHECK

Hello All,

I tried to do a test to validate the work of ROOTCHECK for windows. This only works when a folder is specified in the path and does not work when a file is specified in the path.

f:%WINDIR%\Sysnative\wsnpoem; <-- works
f:%WINDIR%\Sysnative\ntos.exe; <-- doesn't work

What can I do to make it work? Thank you in advance.

<rootcheck>
<disabled>no</disabled>
<frequency>60</frequency>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>

victor....@wazuh.com

Sep 23, 2021, 7:25:29 AM
to Wazuh mailing list
Hello E0wl,

I have not been able to replicate your error in my environment; in order to troubleshoot this issue we need more information.
Wazuh can be configured to increase the verbosity. Go to your local_internal_options.conf in your Wazuh installation folder and add this line:

windows.debug=2

Then restart the Wazuh Windows agent.

This will help us know whether Wazuh is checking the files specified in your ./shared/win_malware_rcl.txt. In my environment, I get the following debug message:

2021/09/23 07:54:41 rootcheck[5472] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\System32\ntos.exe'.

It seems it is working correctly.

Please use this configuration so we can see whether rootcheck is checking that file correctly. Also, share with us more information about your use case:

  • Do you get any kind of ERROR/WARNING message at your ossec.log?
  • What kind of alerts/messages do you get using the folder instead?

E0wl

Sep 24, 2021, 2:39:55 PM
to Wazuh mailing list
Hi Victor!
Thanks for the answer.

2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:323 at rkcl_get_entry(): DEBUG: Checking entry: 'Gpcoder Trojan {PCI_DSS: 11.4}'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\System32\ntos.exe'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\Sysnative\ntos.exe'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\System32\wsnpoem'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\Sysnative\wsnpoem'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:392 at rkcl_get_entry(): DEBUG: Found file.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.

WARNING:
2021/09/24 20:55:52 wazuh-agent[3764] rootcheck.c:189 at rootcheck_init(): WARNING: The check_winaudit option is deprecated in favor of the SCA module.

I use the following query:
location:rootcheck

Alert in JSON:
{ "cluster": { "node": "manager", "name": "wazuh" }, "agent": { "ip": "172.31.2.173", "name": "MS-ELC01", "id": "004" }, "data": { "file": "C:\\Windows\\Sysnative\\wsnpoem", "title": "Windows Malware: Gpcoder Trojan" }, "rule": { "firedtimes": 2, "mail": false, "level": 9, "pci_dss": [ "11.4" ], "description": "Windows malware detected.", "groups": [ "ossec", "rootcheck" ], "id": "513", "gpg13": [ "4.2" ], "gdpr": [ "IV_35.7.d" ] }, "full_log": "Windows Malware: Gpcoder Trojan {PCI_DSS: 11.4}. File: C:\\Windows\\Sysnative\\wsnpoem. Reference: http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99 .", "id": "1632506488.27963151", "timestamp": "2021-09-24T18:01:28.445+0000", "manager": { "name": "wazuh-master" }, "decoder": { "name": "rootcheck" }, "input": { "type": "log" }, "@timestamp": "2021-09-24T18:01:28.445Z", "location": "rootcheck", "_id": "1c_4GHwBT_jhKGNvSg2R" }


The following trigger is also present in the logs, but it is not present in the alerts (there is also no triggering on the file "g2svc.exe" inside the folder, even in the debug output):
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:323 at rkcl_get_entry(): DEBUG: Checking entry: 'Remote Access - GoToMyPC {PCI_DSS: 10.6.1}'.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Program Files\Citrix\GoToMyPC'.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:392 at rkcl_get_entry(): DEBUG: Found file.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.

ossec.log

victor....@wazuh.com

Sep 28, 2021, 5:24:21 AM
to Wazuh mailing list
Hello E0wl, sorry for the late reply.

A bug has been detected that affects rootcheck for Windows agents. It seems that for your use case it never triggers alerts if only f: directives are used.

For example:

[Testing_example_regex] [any] []
f:%WINDIR%\example.txt -> r:^testing;

[Testing_example_no_regex] [any] []
f:%WINDIR%\example.txt;

only triggers the following alert, ignoring the Testing_example_no_regex case:

** Alert 1632742109.505224: - ossec,rootcheck,gpg13_4.2,gdpr_IV_35.7.d,
2021 Sep 27 11:28:29 (WIN-O5QL0KVC3UC) any->rootcheck
Rule: 513 (level 9) -> 'Windows malware detected.'
Windows Malware: Testing_example_regex. File: C:\Windows\example.txt.
title: Windows Malware: Testing_example_regex.
file: C:\Windows\example.txt


You can get more information on this issue at https://github.com/wazuh/wazuh/issues/10329.

To work around this issue temporarily, you can use a regex to trigger alerts. For example:

[Testing_example_regex_generic] [any] []
f:%WINDIR%\<file-name> -> r:^\.;

Using this, rootcheck should generate an alert for any non-empty file. The resulting alerts should be similar to this:

** Alert 1632764513.557190: - ossec,rootcheck,gpg13_4.2,gdpr_IV_35.7.d,
2021 Sep 27 17:41:53 (WIN-O5QL0KVC3UC) any->rootcheck
Rule: 513 (level 9) -> 'Windows malware detected.'
Windows Malware: Testing_example_regex_generic. File: C:\Windows\generic.txt.
title: Windows Malware: Testing_example_regex_generic.
file: C:\Windows\generic.txt


If you have any doubt do not hesitate to ask.
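As an added illustration (not Wazuh's code and not part of this thread), the following simplified model evaluates f: directives the way the workaround above relies on: in OSSEC regex syntax `\.` matches any character, so `r:^\.` fires for any existing file with at least one non-empty line and stays silent for an empty file. The RCL fragment, the fake file system, the %WINDIR% value and the evaluation logic are constructed assumptions for this demonstration.

```python
import re

# Constructed RCL fragment modelled on this thread's entries (not Wazuh's own win_malware_rcl.txt).
RCL_SAMPLE = r"""
[Testing_example_regex] [any] []
f:%WINDIR%\example.txt -> r:^testing;

[Testing_example_regex_generic] [any] []
f:%WINDIR%\generic.txt -> r:^\.;

[Testing_example_empty_file] [any] []
f:%WINDIR%\empty.txt -> r:^\.;
"""

# Constructed stand-in for the agent's disk (path -> content) and for the %WINDIR% expansion.
FAKE_FS = {
    r"C:\Windows\example.txt": "nothing to see\n",
    r"C:\Windows\generic.txt": "MZ garbage\n",
    r"C:\Windows\empty.txt": "",
}
ENV = {"%WINDIR%": r"C:\Windows"}

def ossec_regex_to_python(pattern):
    # In OSSEC regex syntax '\.' matches any character while a bare '.' is a literal dot (subset only).
    return re.sub(r"\\\.|\.", lambda m: "." if m.group() == r"\." else r"\.", pattern)

def file_directive_matches(path, regex, fs):
    """f:<path> matches if the file exists and, when a regex is given, some line of it matches."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    if path not in fs:
        return False
    if regex is None:
        return True  # bare f: directive: existence alone satisfies it
    return any(re.search(ossec_regex_to_python(regex), line) for line in fs[path].splitlines())

def evaluate_rcl(text, fs):
    """Return the names of entries whose [any] condition is satisfied by at least one directive."""
    hits, entry = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            entry = line[1:line.index("]")]
        elif line.startswith("f:") and entry:
            path, _, rest = (p.strip() for p in line.rstrip(";")[2:].partition("->"))
            regex = rest[2:] if rest.startswith("r:") else None
            if file_directive_matches(path, regex, fs) and entry not in hits:
                hits.append(entry)
    return hits
```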