Yara integration. Windows agents environment.


Aykhan Huseynli

Oct 1, 2022, 7:19:35 AM
to Wazuh mailing list
Hi Team,

I've been pretty much enjoying configuring Wazuh recently, but there is one integration in which I'm particularly interested. I've searched the internet but did not find an answer to this question. Is it possible to make Yara work on Windows endpoints? If yes, could someone please share step by step guide here? Prod. environment type deployment would be really great since I have approximately 17 endpoints. 

Thanks in advance and have a great weekend!

Anthony Faruna

Oct 1, 2022, 9:04:29 AM
to Aykhan Huseynli, Wazuh mailing list
Hello Aykhan

Thank you for using Wazuh

Wazuh can be integrated with YARA, a tool used for detecting and classifying malware artifacts

To ensure this integration works, please make sure Python and pip are installed on the Windows endpoint. They will be used to install the necessary libraries and download the needed rules. Ensure Microsoft Visual C++ 2015 Redistributable is also installed on the endpoint, as it is required for the YARA executable to run.

Perform the following actions on the Windows endpoint:

1. Open PowerShell with administrator privileges and download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.2.2/yara-v4.2.2-2012-win64.zip -OutFile v4.2.2-2012-win64.zip

2. Extract the YARA executable:
> Expand-Archive v4.2.2-2012-win64.zip ; Remove-Item v4.2.2-2012-win64.zip

3. Create a directory called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA executable into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.2.2-2012-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

4. Download YARA rules:
  • Install the valhallaAPI module:
         > pip install valhallaAPI
  • Copy the following script and save it as download_yara_rules.py:
           from valhallaAPI.valhalla import ValhallaAPI

           # Fetch the rule set from Valhalla as plain text
           v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
           response = v.get_rules_text()

           # Write the downloaded rules to a single .yar file in the current directory
           with open('yara_rules.yar', 'w') as fh:
               fh.write(response)

  • Run the following command to download the rules and place them in the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ directory: 
         > python.exe download_yara_rules.py
         > mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
         > cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

  • Add the YARA rule to the downloaded C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file
5. Alternatively, you can skip step 4 and paste your YARA rule in C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ directory. For the purpose of this instruction, my yara rule is yara_rules.yar

6. Create the yara.bat script in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory. This is necessary for the Wazuh-Yara active response scans:

@echo off
setlocal enableDelayedExpansion

rem Select the agent install path for 32-bit or 64-bit Windows
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

rem Read the JSON alert that wazuh-execd passes on stdin
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

rem Extract the path of the file that triggered the FIM alert
for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
    set syscheck_file_path=%%F
)

del /f %json_file_path%

set yara_exe_path=C:\"Program Files (x86)"\ossec-agent\active-response\bin\yara\yara64.exe
set yara_rules_path=C:\"Program Files (x86)"\ossec-agent\active-response\bin\yara\rules\yara_rules.yar

echo %syscheck_file_path% >> %log_file_path%

rem Scan the file; one "<rule> <file>" line per matching YARA rule is written to the log
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
)

exit /b


7. Edit the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and add the directory to be monitored. This should be within the <syscheck> block. The configuration should look like this:
<directories whodata="yes">C:\Users\administrator\Downloads</directories>
Note: You can configure whichever directory you wish to monitor

8. Apply the changes by restarting the agent using this PowerShell command:
> Restart-Service -Name wazuh

Perform the following actions on the Wazuh server:
1. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file on the Wazuh server. This is to extract the information from YARA scan results:
<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>


2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rules detect FIM events in the monitored directory, and also alert when malware is detected by the YARA integration:
Note: Rules 100050 and 100051 were configured to monitor the C:\Users\administrator\Downloads directory. However, you can configure whichever directory you wish to monitor.
<group name="syscheck,">

  <rule id="100050" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\administrator\\Downloads</field>
    <description>File modified in C:\Users\administrator\Downloads directory.</description>
  </rule>

  <rule id="100051" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\administrator\\Downloads</field>
    <description>File added to C:\Users\administrator\Downloads directory.</description>
  </rule>

</group>

<group name="yara,">

  <rule id="100052" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="100053" level="12">
    <if_sid>100052</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

</group>


3. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:
<ossec_config>
    <command>
        <name>yara</name>
        <executable>yara.bat</executable>
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <command>yara</command>
        <location>local</location>
        <rules_id>100050,100051</rules_id>
    </active-response>
</ossec_config>


4. Restart the Wazuh server to apply the configuration changes:
systemctl restart wazuh-manager

Please let me know if you need further clarifications 

Best Regards



Aykhan Huseynli

Oct 2, 2022, 1:11:11 PM
to Wazuh mailing list
Thanks for your detailed guide on how to integrate YARA! Followed all of the steps mentioned above but didn't receive any alert in the dashboard. Let me briefly explain what I did so far.

  1. Installed Microsoft Visual C++ 2015 Redistributable
  2. Downloaded and extracted YARA to 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\' (screenshot is attached)
  3. Downloaded YARA rules (Screenshot of yara_rules is attached)
  4. Created batch file in 'C:\Program Files (x86)\ossec-agent\active-response\bin' (copied the script you provided in .txt file -> Save As 'All Files' and added '.bat' to the end of the file)
  5. Edited 'agent.conf' file. Added the following line '<directories whodata="yes">C:\Users\Test\Downloads</directories>' under '<syscheck>' block. Also tried leaving 'agent.conf' as it is and editing 'agent.conf' of default group and adding '<directories whodata="yes">C:\Users\*\Downloads</directories>' line there
  6. Edited local decoder (local_decoder.xml is attached)
  7. Edited local rules (local_rules.xml is attached)
  8. Edited ossec.conf (screenshot attached)
  9. Restarted both agent and the manager several times.
Could the wildcards be the reason for YARA not working properly?

Please feel free to contact me if you need any further information.

Best Regards
local_decoder.xml.txt
Screenshots.zip
local_rules.xml.txt

Anthony Faruna

Oct 3, 2022, 4:38:57 AM
to Aykhan Huseynli, Wazuh mailing list
Hello Aykhan

Thank you for your patience in waiting for a reply.

Please can you confirm if you receive alerts with rule id 100050 or 100051 whenever you add or modify a file in that directory?

This has to trigger before the Yara scan will take effect.

I will be expecting your response.

Best Regards

Aykhan Huseynli

Oct 3, 2022, 5:46:15 AM
to Wazuh mailing list
Hello Anthony,

I only receive rule id 554 on my dashboard. 

2022-10-03 13_45_02-Wazuh - Wazuh.png

Anthony Faruna

Oct 3, 2022, 5:59:27 AM
to Aykhan Huseynli, Wazuh mailing list
Hello Aykhan

Please specify the full path of the directory to be monitored in rule ids 100050 and 100051.

Let me know the outcome 

Best Regards
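The chain Anthony's guide wires together (FIM rule 100050/100051 -> active response -> yara.bat -> active-responses.log -> yara_decoder1 -> rule 100053) and the symptom in the follow-up (only rule 554 shows up, so the active response never runs), modelled offline in Python as an added example. This is not code from the thread or from Wazuh: it copies the decoder regex and the rule field patterns from the guide verbatim, assumes Python's re reads those patterns the same way Wazuh's osregex does (which holds for literal text with `\\` as an escaped backslash), uses the Wazuh 4.x active-response JSON message shape with a constructed node name, and substitutes constructed YARA rule names and file paths for real yara64.exe output. It also surfaces a caveat in the guide's decoder: `(\S+) (\S+)` stops at the first space, so a scanned file name containing a space is truncated in the alert.

```python
"""Offline model of the FIM -> active response -> YARA -> decoder chain from this thread.
Constructed example; nothing here talks to a Wazuh manager or runs yara64.exe."""
import json
import re

# Rules 100050/100051 from the guide's local_rules.xml. <field name="file"> is an
# osregex pattern; for literal text with "\\" as an escaped backslash, Python's re
# reads the pattern the same way (assumption, checked only for these patterns).
FIM_RULES = {
    100050: {"if_sid": 550, "file": r"C:\\Users\\administrator\\Downloads"},  # 550 = modified
    100051: {"if_sid": 554, "file": r"C:\\Users\\administrator\\Downloads"},  # 554 = added
}
AR_RULE_IDS = {100050, 100051}  # the <rules_id> list in the <active-response> block

# The regex from yara_decoder1 in local_decoder.xml and the fields it populates.
DECODER_RE = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
DECODER_FIELDS = ("log_type", "yara_rule", "yara_scanned_file")


def fim_rule_for(parent_sid, path, rules=FIM_RULES):
    """Id of the child rule that fires for a syscheck alert; the parent id (550/554)
    when no child's <field name="file"> matches the alert's path, which is what a
    dashboard that only ever shows rule 554 means."""
    for rid, rule in rules.items():
        if rule["if_sid"] == parent_sid and re.search(rule["file"], path):
            return rid
    return parent_sid


def build_ar_message(path, rule_id):
    """JSON that wazuh-execd writes to yara.bat's stdin (Wazuh 4.x AR message shape;
    only the fields the batch script reads are filled in, node name is constructed)."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": "add",
        "parameters": {
            "extra_args": [],
            "alert": {"rule": {"id": str(rule_id)}, "syscheck": {"path": path}},
            "program": "active-response/bin/yara.bat",
        },
    })


def extract_path(ar_json):
    """Same lookup as the batch script's PowerShell one-liner:
    (ConvertFrom-Json).parameters.alert.syscheck.path"""
    return json.loads(ar_json)["parameters"]["alert"]["syscheck"]["path"]


def yara_log_line(rule_name, scanned_path):
    """yara64.exe prints '<rule> <file>' per match; yara.bat prefixes each line."""
    return f"wazuh-yara: INFO - Scan result: {rule_name} {scanned_path}"


def decode(line):
    """Apply yara_decoder1; None when the line does not fit the regex."""
    m = DECODER_RE.search(line)
    return dict(zip(DECODER_FIELDS, m.groups())) if m else None


def rule_100053(fields):
    """Description that rule 100053 renders from the decoded fields."""
    return (f'File "{fields["yara_scanned_file"]}" is a positive match. '
            f'Yara rule: {fields["yara_rule"]}')


def run_chain(parent_sid, path, yara_hits):
    """End to end: FIM alert -> child rule -> AR -> yara.bat -> log -> decoder -> alert.
    yara_hits is a constructed stand-in for the rule names yara64.exe would print."""
    rid = fim_rule_for(parent_sid, path)
    if rid not in AR_RULE_IDS:          # the command only runs for rules_id 100050,100051
        return {"fim_rule": rid, "ar_triggered": False, "alerts": []}
    scanned = extract_path(build_ar_message(path, rid))
    alerts = []
    for rule_name in yara_hits:         # no hits -> no log lines -> rule 100053 never fires
        fields = decode(yara_log_line(rule_name, scanned))
        alerts.append({**fields, "description": rule_100053(fields)})
    return {"fim_rule": rid, "ar_triggered": True, "alerts": alerts}


if __name__ == "__main__":
    # Agent monitors C:\Users\Test\Downloads but the rules still name 'administrator':
    print(run_chain(554, r"C:\Users\Test\Downloads\sample.exe", ["Demo_Rule"]))
    # Paths agree: the AR fires and rule 100053 gets both fields.
    print(run_chain(554, r"C:\Users\administrator\Downloads\sample.exe", ["Demo_Rule"]))
    # Caveat: \S+ in the decoder stops at the first space in a file name.
    print(run_chain(550, r"C:\Users\administrator\Downloads\my file.exe", ["Demo_Rule"]))
```

The first call is the situation the follow-up describes: the agent watches one Downloads folder while `<field name="file">` in rules 100050/100051 still names another, so only the generic rule 554 matches, the `<rules_id>` list never fires and yara.bat is never launched. Correcting the field to the full monitored path, as Anthony asks, is what makes the second call's behaviour appear on the dashboard. The third call is worth keeping in mind when the monitored folder receives files with spaces in their names.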
