Add detection for php's eval(base64decode)


J Stein

Nov 8, 2022, 9:32:44 PM11/8/22
to Wazuh mailing list
Hi all,
I'm trying to add some forms of webshell and command detection to wazuh, specifically for "common" methods of exploiting those vulns.

Some of what I've been flirting with doing involves the methods of webshell detection documented here, but I haven't gotten around to implementing much of it yet (if you know of this being done before, or can point to any resources, I'd appreciate it).

One of the first things I'd like to do is detect PHP command injection, starting with eval(base64_decode). I'm not entirely sure where to get started with this - I initially tried adding it in the same way as I was handling sh command detection, which in retrospect was a pretty dumb idea. I'd like to get around to active response type stuff as well, where the RCE attempt is denied and an alert is generated - but first is just the detection bit.

If any of you have any guidance or can refer to me on a resource specifically for webshell detection in wazuh, I'd really appreciate it.

Thanks!
Jason
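The eval(base64_decode) indicator Jason asks about, as an added example that is not part of this thread and not Wazuh code: a small scanner over PHP source that finds eval() wrapped around a chain of decoder calls applied to a string literal, peels the chain in the right order (innermost decoder first) and reports whether the decoded payload itself contains execution primitives. The decoder set, the regex and the sample PHP file are my own assumptions (the sample is constructed in place, with the base64/deflate payloads generated so they decode cleanly); a scanner like this would be one way to produce the "PHP injection logs" Fabricio asks about, e.g. by writing its findings to a file Wazuh tails.

```python
import base64
import codecs
import re
import zlib

# Python equivalents of the PHP decoders a webshell usually wraps around its payload.
# gzinflate is raw DEFLATE (wbits=-15); gzuncompress is zlib-wrapped.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}
DECODER_NAMES = "|".join(DECODERS)

# eval( f1( f2( ... 'literal' ... ) ) ): one or more decoder calls, then a quoted literal.
EVAL_RE = re.compile(
    r"\beval\s*\(\s*((?:(?:" + DECODER_NAMES + r")\s*\(\s*)+)(['\"])([^'\"]*)\2(?:\s*\))+",
    re.IGNORECASE,
)
FUNC_RE = re.compile(r"[a-z0-9_]+", re.IGNORECASE)
# Execution primitives worth flagging if they appear in the decoded stage.
EXEC_RE = re.compile(r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open|assert)\b", re.IGNORECASE)


def find_eval_chains(php_source):
    """Return one dict per eval(<decoder chain>('literal')) found in php_source.

    chain:       decoder names outermost first, e.g. ["gzinflate", "base64_decode"]
    decoded:     the payload after running the chain (partial if a decoder failed)
    error:       None, or "<decoder>: <reason>" for the first decoder that failed
    nested_exec: True if the fully decoded payload contains an execution primitive
    """
    hits = []
    for m in EVAL_RE.finditer(php_source):
        chain = [f.lower() for f in FUNC_RE.findall(m.group(1))]
        decoded = m.group(3).encode("latin-1", "replace")
        error = None
        for func in reversed(chain):  # innermost decoder runs first, as PHP would
            try:
                decoded = DECODERS[func](decoded)
            except Exception as exc:  # bad base64, corrupt deflate stream, ...
                error = f"{func}: {exc}"
                break
        text = decoded.decode("utf-8", "replace")
        hits.append({
            "chain": chain,
            "decoded": text,
            "error": error,
            "nested_exec": error is None and EXEC_RE.search(text) is not None,
        })
    return hits


def _raw_deflate(data):
    """Produce what PHP's gzdeflate() would, so gzinflate() can undo it."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed sample file (not a real webshell): two suspicious evals, two benign lines.
STAGE2 = b"if(isset($_POST['c'])){system($_POST['c']);}"
SAMPLE_PHP = (
    "<?php\n"
    "// benign: base64 used for data, not code\n"
    "$logo = base64_decode('iVBORw0KGgo=');\n"
    "// classic one-liner\n"
    "eval(base64_decode('" + base64.b64encode(b"system($_GET['cmd']);").decode() + "'));\n"
    "// layered, with stray whitespace\n"
    "eval ( gzinflate( base64_decode( \"" + base64.b64encode(_raw_deflate(STAGE2)).decode() + "\" ) ) );\n"
    "// eval of a variable: no literal to decode, so this scanner does not flag it\n"
    "eval($code);\n"
)

if __name__ == "__main__":
    for hit in find_eval_chains(SAMPLE_PHP):
        print(" -> ".join(hit["chain"]), "|", hit["error"] or hit["decoded"])
```

The scanner only handles the literal-payload case; a shell that builds the string at runtime (concatenation, `chr()` sequences, `$_POST` as the source) slips past it, which is the usual argument for pairing static indicators with the process-execution rules discussed later in the thread.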

Fabricio Brunetti

Nov 9, 2022, 11:08:51 AM11/9/22
to Wazuh mailing list
Hi Jason, 

Hope you are doing well.
We have some guides on Yara integration that may be helpful for what you are doing:
https://wazuh.com/blog/how-to-integrate-yara-with-wazuh/

If you want, I can help you write the detection rules, but I will need some guidance on how you are planning to get the PHP injection logs, and where in the web shell mitigation documentation the PHP injection base64_decode methodology is described/detected.

Regards,
Fabricio

J Stein

Nov 15, 2022, 3:20:10 PM11/15/22
to Fabricio Brunetti, Wazuh mailing list
Hi Fabricio,
Apologies for my late reply, things have been very busy lately.

I should probably clarify a bit, since I have a goal in mind but haven't figured out a solution to said goal yet.

What I'm trying to do is find a way to detect webshells and exploits against webservers with Wazuh. Due to my use case, I'm more focused on detecting indicators of webshells than trying to detect specific webshells dropped onto the machine (i.e., by file hash).

The reason I'm somewhat averse to something like yara is because of the extremely non-standard environment I'll be using wazuh in. It's a competition network that nearly always involves novel forms of malware showing up, so something that only checks file hashes against a list of known malware hashes isn't going to be super helpful to my use case.

That NSA repo was something I found that looked applicable, but I wasn't sure of the best way to implement it. I also tried implementing the Wazuh blog post on using teler with Wazuh, but ran into issues with teler itself and am concurrently trying to resolve those as well - as such, in the meantime I'm looking for another solution.

If you know of a good way to implement webshell and web attack detection, I'd be very interested in hearing about it.

Thanks,
Jason

Fabricio Brunetti

Nov 16, 2022, 9:57:09 AM11/16/22
to Wazuh mailing list
Hi Jason,

Oh, the detection you mentioned in the subject was very specific. If you can use something a little more generic, I created a couple of rules based on the MITRE web shell mitigations and the content of the NSA repo, one for Windows and the other for Linux. Both are based on process execution, as a web server won't normally execute certain processes unless it's compromised.

Windows: This requires Sysmon. I guess that using Olaf Hartong's Sysmon modular configuration will be enough (check this guide on configuring Wazuh+Sysmon).

<rule id="102004" level="10">
    <if_group>sysmon_event1</if_group>
    <!-- parentImage is a full path; match the IIS worker process at its end -->
    <field name="win.eventdata.parentImage" type="pcre2">\\w3wp\.exe$</field>
    <!-- anchored so "at" or "sc" cannot match inside unrelated names -->
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)^(arp|at|bitsadmin|certutil|cmd|dsget|dsquery|find|findstr|fsutil|hostname|ipconfig|nbtstat|net|net1|netdom|netsh|netstat|nltest|nslookup|ntdsutil|pathping|ping|powershell|qprocess|query|qwinsta|reg|rundll32|sc|schtasks|systeminfo|tasklist|tracert|ver|vssadmin|wevtutil|whoami|wmic|wusa)\.exe$</field>
    <description>Web server spawned suspicious process. Possible Web shell activity</description>
    <mitre>
        <id>T1505.003</id>
    </mitre>
</rule>

Linux: This will require configuring auditd; follow the NSA instructions:

  1. Determine the web server uid. After installing auditd (e.g., "apt -y install auditd"), determine the uid of the web server with:

       apachectl -S

     This returns the Apache details, including the user id in a line such as:

       User: name="www-data" id=33

     Here the uid is "33".

  2. Add the following auditd rules to /etc/audit/rules.d/audit.rules, replacing "XX" with the uid identified above:

       -a always,exit -F arch=b32 -F uid=XX -S execve -k apacheexecve
       -a always,exit -F arch=b64 -F uid=XX -S execve -k apacheexecve

  3. Restart auditd:

       service auditd restart


The rules:
<rule id="102005" level="0">
     <if_group>audit</if_group>
     <field name="audit.key" type="pcre2">apacheexecve</field>
     <description>Application launched by Apache web server</description>
</rule>

<rule id="102006" level="10">
     <!-- child of 102005, so it only fires for execve calls carrying the apacheexecve key;
          audit.exe is a full path, so the pattern is anchored to the binary name
          (otherwise "cat" would also match /usr/bin/truncate) -->
     <if_sid>102005</if_sid>
     <field name="audit.exe" type="pcre2">/(cat|crontab|hostname|ifconfig|ip|iptables|ls|netstat|pwd|route|uname|whoami)$</field>
     <description>Suspicious application launched by Apache web server. Possible Web shell activity.</description>
     <mitre>
         <id>T1505.003</id>
     </mitre>
</rule>

I haven't tested them.

Hope these rules are helpful!

Regards,
Fabricio
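The logic of Fabricio's two rule sets, run over sample events, as an added example that is not part of this thread and not Wazuh code: the functions below mirror the rule conditions (w3wp.exe parent plus a recon binary on Windows; the apacheexecve audit key as a level-0 parent rule with a level-10 child for recon binaries on Linux) so they can be exercised offline before the XML is loaded into a manager. The event dicts are constructed, flattened to the dotted field names Wazuh's decoders produce, and carry a "group" key standing in for <if_group>; the regexes are anchored the way a practitioner would want them, which the last two audit samples exist to show.

```python
import re

# Regexes mirroring the pcre2 fields of the rules above.
W3WP_PARENT = re.compile(r"\\w3wp\.exe$", re.IGNORECASE)
WINDOWS_RECON = re.compile(
    r"^(arp|at|bitsadmin|certutil|cmd|dsget|dsquery|find|findstr|fsutil|hostname|"
    r"ipconfig|nbtstat|net|net1|netdom|netsh|netstat|nltest|nslookup|ntdsutil|pathping|"
    r"ping|powershell|qprocess|query|qwinsta|reg|rundll32|sc|schtasks|systeminfo|"
    r"tasklist|tracert|ver|vssadmin|wevtutil|whoami|wmic|wusa)\.exe$",
    re.IGNORECASE,
)
# audit.exe is a full path; anchoring to "/<name>$" keeps "cat" from hitting /usr/bin/truncate.
LINUX_RECON = re.compile(
    r"/(cat|crontab|hostname|ifconfig|ip|iptables|ls|netstat|pwd|route|uname|whoami)$"
)


def match_rules(event):
    """Return (rule_id, level, mitre_id) for the most specific matching rule, or None.

    `event` is a flat dict of decoded fields plus a "group" key naming the decoder
    group (sysmon_event1 or audit), which is what <if_group> in the rules sees.
    """
    group = event.get("group")
    if group == "sysmon_event1":
        # Rule 102004: IIS worker process spawning a recon / living-off-the-land binary.
        if (W3WP_PARENT.search(event.get("win.eventdata.parentImage", ""))
                and WINDOWS_RECON.match(event.get("win.eventdata.originalFileName", ""))):
            return (102004, 10, "T1505.003")
        return None
    if group == "audit":
        # Rule 102005 (level 0): any execve carrying the apacheexecve audit key.
        if "apacheexecve" not in event.get("audit.key", ""):
            return None
        # Rule 102006 (level 10): child of 102005 where the binary is recon tooling.
        if LINUX_RECON.search(event.get("audit.exe", "")):
            return (102006, 10, "T1505.003")
        return (102005, 0, None)
    return None


def alerts(events, min_level=1):
    """Run every event through the rules; return (event name, rule id) for those that alert."""
    out = []
    for ev in events:
        hit = match_rules(ev)
        if hit is not None and hit[1] >= min_level:
            out.append((ev["name"], hit[0]))
    return out


# Constructed sample events (not real telemetry), named so the results read easily.
SAMPLE_EVENTS = [
    {"name": "iis-spawns-cmd", "group": "sysmon_event1",
     "win.eventdata.parentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "win.eventdata.originalFileName": "Cmd.Exe"},
    {"name": "iis-spawns-php-cgi", "group": "sysmon_event1",
     "win.eventdata.parentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "win.eventdata.originalFileName": "php-cgi.exe"},
    {"name": "explorer-spawns-cmd", "group": "sysmon_event1",
     "win.eventdata.parentImage": r"C:\Windows\explorer.exe",
     "win.eventdata.originalFileName": "Cmd.Exe"},
    {"name": "apache-runs-whoami", "group": "audit",
     "audit.key": "apacheexecve", "audit.exe": "/usr/bin/whoami"},
    {"name": "apache-runs-truncate", "group": "audit",
     "audit.key": "apacheexecve", "audit.exe": "/usr/bin/truncate"},
    {"name": "apache-runs-php", "group": "audit",
     "audit.key": "apacheexecve", "audit.exe": "/usr/bin/php"},
    {"name": "admin-runs-whoami", "group": "audit",
     "audit.key": "sudo", "audit.exe": "/usr/bin/whoami"},
]

if __name__ == "__main__":
    for name, rule_id in alerts(SAMPLE_EVENTS):
        print(f"{name}: rule {rule_id}")
```

Only "iis-spawns-cmd" and "apache-runs-whoami" alert; "apache-runs-php" and "apache-runs-truncate" stop at the level-0 parent rule, and "admin-runs-whoami" never enters the chain because its audit key is not apacheexecve. For the real rules, the same cases make a reasonable wazuh-logtest fixture once the events are expressed as raw Sysmon and auditd log lines.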