Wazuh Custom Rule


Maxim Parpaley

Mar 31, 2017, 5:58:21 AM3/31/17
to Wazuh mailing list
Hi guys,
I have a question; maybe somebody has already met such a challenge.

As you know, most malware today comes over e-mail (some mail spam campaign). Usually there is either a link to a malware download or some macros inside an Office document.

The questions are:

- Can wazuh/ossec control e-mail attachments (for example, a rule something like "new e-mail with attachment/s")?
- Can wazuh/ossec control/detect that some image/pdf/office ... file/s was/were downloaded (dropped) to the system (over common protocols, e.g. HTTP/s, SMTP/s, POP3/s and so on)?
- Can wazuh/ossec control/detect/inform that an installation process was started by some process?

Guys if you have any thoughts please share :)

Best Regards
Max

Jesus Linares

Mar 31, 2017, 10:50:44 AM3/31/17
to Wazuh mailing list
Hi Maxim,

Very interesting questions.

Can wazuh/ossec control e-mail attachments (for example, a rule something like "new e-mail with attachment/s")?
By default, it is not possible. But you can use a third-party tool that reads that information from the mail server (maybe a script or Google tools), then send the logs to OSSEC and create the proper rules/decoders.

Can wazuh/ossec control/detect that some image/pdf/office ... file/s was/were downloaded (dropped) to the system (over common protocols, e.g. HTTP/s, SMTP/s, POP3/s and so on)?
You can use Sysmon (Windows). There are several events like File created, and you can filter by extension (.pdf) and/or directory (Downloads). Also you can use the built-in Windows Audit capabilities to detect the creation of files in some directories.

Can wazuh/ossec control/detect/inform that an installation process was started by some process?
Also, you can use Sysmon to detect process creation. But I think a log will be generated by default when an app is installed on Windows (or maybe there is a special audit policy for that).

When I have time, I will publish some useful information regarding Sysmon and its capabilities with Wazuh.

Thanks.
Regards.

Maxim Parpaley

Apr 3, 2017, 6:12:44 AM4/3/17
to Wazuh mailing list
Hi Jesus,

I agree with you that Sysinternals is a great tool suite. But I render services to my customers and unfortunately I don't have the opportunity to install additional tools for analysis, and usually I have no chance to do an investigation on the local PC. It means I need as simple a solution as possible.

For example, I asked my customers to enable Windows Audit process tracking; they agreed because it is not difficult to understand why they need this. Now the ossec agent sends me all info related to process start\exit and I am able to correlate these events on my SIEM.

And I am interested in the same simple solution to control file activities (at least downloads for now).
I did a test. I did a full system snapshot and after that I downloaded an image file xxxx.EXE.

After the download I did one more snapshot and compared it with the first one. I see the dropped file in the difference section between these snapshots. My question is: when a file is downloaded to the system, should there be any registry changes? Maybe we can control this activity by the ossec integrity check functionality? Is it possible, or does it make no sense because we will have a lot of noise/false positives?


On Friday, March 31, 2017 at 12:58:21 UTC+3, Maxim Parpaley wrote:

Jesus Linares

Apr 3, 2017, 7:42:51 AM4/3/17
to Wazuh mailing list
Hi Maxim,

In that case, I think you have 2 options:

1) Use syscheck
Fire alerts if a new file is created (you can use rules to ignore non-executable files). This is the easiest solution.

2) Use Windows audit
First, we need to turn on Object Access Auditing, so it is necessary to alter the local security policy. This can be done centrally via a group policy object or it can be done on the local machine. 

To turn on object access auditing using the local security policy, follow this process:
  1. Open Administrative Tools -> Local Security Policy, or run secpol.msc
  2. Open Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Object Access
  3. Right-click on "Audit File System" and select Properties
  4. Ensure "Success" and "Failure" are both checked
  5. Click OK, then close the Local Security Policy window.
The next step is to turn on auditing for a specific folder (and all its sub-folders and files). Right-click the folder, then Properties > Security > Advanced > Auditing.

In this way, you will have detailed information about what is happening in a directory, but it will also be very noisy.

I recommend that you try it with syscheck first, and if it is not possible to achieve what you want (detect .exe files in the Downloads directory), try Windows auditing.

I hope it helps.
Regards.
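One way to wire up option 1 (syscheck on the Downloads folder, with a rule that only escalates executables), as an added example that is not from this thread or the Wazuh project. The per-user path, the rule id 100100 and the exact wording of the syscheck "new file" message are assumptions; check them against your own manager's alerts before relying on the regex.

```xml
<!-- Agent side (ossec.conf on the Windows host).
     Path is an assumed example; syscheck does not expand %USERNAME%,
     so add one <directories> entry per user profile you care about. -->
<ossec_config>
  <syscheck>
    <!-- Report additions, not only modifications of already-known files -->
    <alert_new_files>yes</alert_new_files>
    <!-- realtime="yes" avoids waiting for the next scheduled scan -->
    <directories check_all="yes" realtime="yes">C:\Users\alice\Downloads</directories>
  </syscheck>
</ossec_config>

<!-- Manager side (local_rules.xml). -->
<group name="local,syscheck,">
  <!-- Stock rule 554 ("File added to the system.") ships at level 0,
       so it never alerts on its own. Raising it lets child rules build on it
       while keeping plain document/image drops at a low level. -->
  <rule id="554" level="3" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

  <!-- Escalate only when the new file is an executable inside a Downloads folder.
       Assumed message shape: New file 'C:\...\foo.exe' added to the file system.
       In OSSEC regex syntax a bare '.' is a literal dot ('\.' means any char),
       so '.exe'' matches the extension followed by the closing quote. -->
  <rule id="100100" level="10">
    <if_sid>554</if_sid>
    <match>Downloads</match>
    <regex>.exe' added to the file system</regex>
    <description>Executable dropped in a user Downloads folder</description>
    <group>syscheck,malware,</group>
  </rule>
</group>
```

Restart the agent and manager after the change, then drop a harmless test .exe into the folder and confirm a level 10 alert appears while a .pdf only produces the level 3 one.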

Maxim Parpaley

Apr 3, 2017, 8:05:57 AM4/3/17
to Wazuh mailing list
Jesus, thank you!

Good ideas, I will try them; it looks like this is what I am interested in!
