Yara with Windows

[Jonathan G.]

Hello,

I want to integrate YARA with Wazuh, but it doesn't work and I can't understand why.

I followed this documentation: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/wazuh-with-yara.html

It does not work. Then I saw a post where a person also explains the integration of YARA for windows env, here is the link: https://groups.google.com/g/wazuh/c/JlYrdjXl8m0/m/pCSh2auiBAAJ

I took the yara.bat script from this post.

But it still does not work, moreover, I have an error when starting wazuh-manager indicating that the file yara_decoder.xml is not good.

Error:

wazuh-analysisd[644489] analysisd.c:588 at main(): CRITICAL: (1202): Configuration error at 'etc/decoders/yara_decoder.xml'.

I put the decoder in yara_decoder.xml and the rules in yara_rules.xml,
now wazuh-manager is OK.
 
In the ossec.log file on the agent side, I find this line:

2022/10/05 12:05:17 wazuh-agent: ERROR: (1311): Invalid command name 'yara0' provided.

Here the configuration in /var/ossec/etc/ossec.conf

  <command>
    <name>yara</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>yara</command>
    <location>local</location>
    <rules_id>550,554</rules_id>
  </active-response>

yara.bat file is in C:\Program Files (x86)\ossec-agent\active-response\bin

Wazuh version is 4.3.8 running on Ubuntu 22.04.

Thanks for your help.

Best regards!

[Julian Bustamante Narvaez]

Hi , I am reviewing this issue, "yara0" in the message catches my attention. I will try to replicate the problem.

Regards.

[Julian Bustamante Narvaez]

I was analyzing your anomaly, I'm interested in executing .bat files and according to the documentation I don't see the supports, they should be .cmd, .exe or .py.
I tested and saw an error in the agent ossec.log file if the .bat file was corrupted.

Here are some possible solutions:

1. Create a .bat file that prints something to a file to see if it is running correctly and re-validate ossec.log.

2. Create a broker (.exe, .cmd, or .py) that runs the .bat file.
I leave you an example.
  //broker.c

#include <stdio.h>

#include <windows.h>

int main(){

    system("cmd /c yara.bat");

    return 0;

}

//yara.bat

@echo off

echo yara.bat is executing from .exe file!

3. convert that .bat file to python and generate an .exe file; see example here (Custom active response Windows example )

I hope this has helped you.

[Jonathan G.]

Hello, thanks for your reply.

1. I created a yara.cmd file like this: echo "Test OK" > log.txt
Wazuh does not execute the script, and I still have yara0 in the agent side log.

2. Already created a .cmd file, but doesnt work. The file has never been executed

3. I create a .exe who create a file, but i still have yara0 in agent log and no new file...

Look like the error came from the manager side, it provide error without executing the script.

[Julian Bustamante Narvaez]

Hi,

you can share with me all settings both agent and manager including decoder and rules.
How are you trigger the active response?

[Jonathan G.]

hi,

active response is triggered with the rules 550 and 554 and i use this configuration in agent.conf to check the download directory. :

<directories check_all="yes" whodata="yes" realtime="yes">C:\Users\*\Downloads</directories>

Here the yara ruleset and decoder

yara_rules.xml:

<group name="yara,">

    <rule id="100100" level="0">
        <decoded_as>yara_decoder</decoded_as>
        <description>Yara grouping rule</description>
    </rule>

    <rule id="100101" level="12">
        <if_sid>100100</if_sid>
        <match>wazuh-yara: INFO - Scan result: </match>
        <description>File "$(yara_scanned_file)" is a malware. Yara rule: $(yara_rule)</description>
    </rule>

    <rule id="100102" level="12">
        <if_sid>100100</if_sid>
        <match>wazuh-yara: INFO - Successfully removed threat: </match>
        <description>Successfully removed malware "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
    </rule>
</group>

yara_decoder.xml:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully removed threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

i attached the agent.conf and ossec.conf.

[Julian Bustamante Narvaez]

Hi, I'm still working on it, I'm doing some tests where I create a file in the downloads folder, it triggers an active response and the alert is generated by rule 554, although the yara0 error does not appear in the agent log , the yara.exe file has not been executed yet

I'll keep checking it out.

[Jonathan G.]

Hey Julian, hope you doing well

I did some tests as several different type of script (.py, .bat, .cmd, .exe) they are never executed. I redid the configuration completely following the documentation, I still have the error yara0...

[Julian Bustamante Narvaez]

Hi Jonatan , you could execute in manager  cat /var/ossec/etc/shared/ar.conf

what does it return?

[Jonathan G.]

Hi Julian,

it return this:

restart-ossec0 - restart-ossec.sh - 0
restart-ossec0 - restart-ossec.cmd - 0
restart-wazuh0 - restart-ossec.sh - 0
restart-wazuh0 - restart-ossec.cmd - 0
restart-wazuh0 - restart-wazuh - 0
restart-wazuh0 - restart-wazuh.exe - 0
remove-threat0 - remove-threat.exe - 0
firewall-drop1800 - firewall-drop - 1800
yara0 - yara.cmd - 0

All command have "0" at the end, this is normal ?

[Julian Bustamante Narvaez]

Hi, zero is the timeout that you have set in the timeout configuration in the command block <allowed timeout>yes</allowed timeouts> and <timeout>60</timeout> is the configuration in active response block

If it were configured like this it would be yara60.

[Jonathan G.]

Ok, thanks !

I don't know what happens then. I think I followed the documentation well... If you have any other ideas I'm interested !

[Julian Bustamante Narvaez]

Hi, Jonathan.

Enable debug=2, at the end of the internal options file, which is in /var/ossec/etc/ you can see the debug config = 0 in the manager and in the agent C:\Program Files (x86)\ossec-agent \internal_options # Windows debugging (used by the Windows agent) windows.debug=2. No error is displayed, but it is seen that the manager sends the command to the agent. ( see screenshot).

After parsing and replicating again as follows, I could see that the agent runs the intermediario.exe and it writes the .txt file to C:\Program Files (x86)\ossec-agent and not to C:\Program Files (x86)\ossec-agent\active-response\bin which is where the .exe is.


The settings are as follows.

manager:

<active-response>
    <command>yara1</command>
    <location>local</location>
    <rules_id>5716</rules_id>
</active-response>
 
<command>
     <name>yara1</name>
     <executable>intermediario.exe</executable>
     <timeout_allowed>no</timeout_allowed>
 </command>
 
 agente:
 
   <localfile>
      <location>C:\Users\vagrant\Documents\test.txt</location>
     <log_format>syslog</log_format>
   </localfile>

  

To trigger the active-response you must write the following in the C:\Users\vagrant\Documents\test.txt

Dec 10 01:02:02 host sshd[1234]: none failed for root from 192.168.56.81 port 1066 ssh2

This must be written twice and leave an enter, then save and be able to observe in the manager -> tail -f /var/ossec/logs/alerts/alerts.json | grep 5716
You will see that something like this comes out:

{"timestamp":"2022-10-11T10:04:06.177-0500","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"015","name":"DESKTOP-xxxx","ip":"FE80:0000:0000:0000:44D6:6AA2:2014:D817"},"manager":{"name":"xxxx"},"id":"1665500646.1362921","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.66 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.81","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\Documents\\test.txt"}

and then you can see in C:\Program Files (x86)\ossec-agent\file.txt

"Tue Oct 11 14:49:55 2022
"Tuesday 11 Oct 15:15:32 2022

The program writes the timestamp each time the active response is triggered by rule 5716.

With this you can rule out problems in the active response, the yara0 must be something misconfigured but first try this.

Regards

[Jonathan G.]

Hello,

I did the test with rule 5716, but the alerts.json file has no activity concerning this rule nor ossec.log, I don't see the script execution.

When I look on the dashboard, this rule is never activated.

I changed the rule by the rule 554 for the test, we can see that it is activated normally as you can see:

But it does not work when I put windows.debug=2...

Here is what I find in ossec.log, i find many times this line :

wazuh-agent[14108] create_db.c:720 at fim_configuration_directory(): DEBUG: (6319): No configuration found for (file):'c:\program files (x86)\ossec-agent\ossec.log'

and with windows.debug=0

wazuh-agent: ERROR: (1311): Invalid command name 'yara10' provided.

[Julian Bustamante Narvaez]

Hi Jonatan,  could you take a screenshot of the contents of the active-response/bin folder ?

[Jonathan G.]

Hi Julian.

Yes ofc,

Here the screenshot

[Julian Bustamante Narvaez]

Hi,

1. Could you send me the last configuration of the manager (the complete file) with which you did the last test.

I think it may be a problem with the names of the executable.

2. You can try again with an .exe file that writes to a log, sent me the error again and also the manager ossec.conf file (the entire file).

Already with the screenshot of active-response/bin we can compare the names of the files.

3. How are you creating the .exe? , can you send me the code?

If you run yara64.exe manually, do you see it create and write to the text file in C:\Program Files (x86)\ossec-agent?

[Jonathan G.]

Hey,

Sorry for the late reply, i have somes medical concerns.

Manager config file joined to this post.

yara64.exe is YARA binaries. You can found it here : https://github.com/VirusTotal/yara/releases

Here the code of the .exe (yara.exe) for test, this is C++ compiled with Visual Studio:

int main() {
    std::string const file("C:/Program Files (x86)/ossec-agent/active-response/bin/log.txt");
    std::ofstream flux(file.c_str());

    if (flux) {
        flux << "File OK" << std::endl;
    }
    else {
        std::cout << "Can't open the file" << std::endl;
    }
    return 0;
}

[Julian Bustamante Narvaez]

Hi Jonathan, I hope you are well.
I tried with your code and rule 5716. That works fine.

I leave a video that I made for you.

Video

when this works for you, we can see yara64.

Regards.

[Jonathan G.]

Hi Julian,

I followed your video and see i dont have my configuration in ossec.conf. (However, in agent.conf, I put this folder on watch)

I added this in ossec.conf (on agent side) for the test :

  <localfile>
    <location>C:\Test</location>
    <log_format>syslog</log_format>
  </localfile>

it return this error :

wazuh-agent: ERROR: (1103): Could not open file 'C:\Test due to [(5)-(Accès refusé.)].

(Accès refusé = Acces denied)

So, i have 2 questions.

1) How i can give required right to Wazuh-agent to work properly ?

2) How can I make the configuration on the manager so that it comes down correctly in ossec.conf

Thanks for your help.

[Julian Bustamante Narvaez]

Hi, this error is because you are monitoring a folder instead of a file, if you want to monitor a file, you must put the full path of the file and you must have a rule for that match when parsing each line in the file. if you don't have a rule, you won't see anything in alert.json.

  <localfile>
    <location>C:\Users\vagrant\Documents\filelogs.txt</location>
    <log_format>syslog</log_format>

  </localfile>

if you want to monitor the integrity of the folder, you can use syscheck, for any change, modification, creation in the folder or in any file in the folder it will generate an alert in alert.json

 <syscheck>
    <directories check_all="yes" realtime="yes">C:\Test</directories>

</syscheck>

output in alert.json:

{"timestamp":"2022-10-31T11:25:14.155-0500","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":4,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"015","name":"DESKTOP-QCL0GB6","ip":"FE80:0000:0000:0000:XXXX:XXXX:XXXX:XXXX"},"manager":{"name":"thejbte-ASUS-TUF-A15"},"id":"1667233514.728335","full_log":"File 'c:\\test\\new text document (3).txt' added\nMode: realtime\n","syscheck":{"path":"c:\\test\\new text document (3).txt","mode":"realtime","size_after":"0","win_perm_after":[{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"Authenticated Users","allowed":["DELETE","READ_CONTROL","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_after":"2022-10-31T11:25:14","event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

I don't understand the second question, can you explain me?

Regards

[Jonathan G.]

Hey,

Sorry, English is not my first language.

My question is: How can I configure only the manager side and have the configuration go down to all the agents? Because I can't afford to go to each workstation to reconfigure the agent.
I put the monitoring of the folder in the agent.conf file on the manager.
Is the agent.conf file present in C:\Program Files (x86)\ossec-agent\shared also used as ossec.conf present in C:\Program Files (x86)\ossec-agent ?

Ok, i see i have the directory monitoring on agent.conf present in shared folder:

<directories check_all="yes" whodata="yes" realtime="yes">C:\Users\*\Downloads</directories>

I put new file on downloads folder and still have yara0 error...

Here my local_rules.xml

Here my local_decoder.xmd

Here my ossec.conf (manager side)

Here my ossef.log (endpoint side)

If you found any error, please tell me, i really dont know why my YARA doesnt work....

Thanks.

[Julian Bustamante Narvaez]

Hi,

you can configure in the manager agent.conf file and set your configuration to the default group, which by default all agents are there.
You can also create new groups.

The agent.conf file is very similar to ossec.conf but agent.conf is used to centrally distribute configuration information to agents. See more here.

Local configuration here

I will try to replicate the error in yara's question and as soon as I have an answer I will write to you.

Regards

[Jonathan G.]

Hi,

Ok, I have the right method to configure the agents.

I also working on YARA, i update this post if i have some new !

Thanks for your help

[Julian Bustamante Narvaez]

Hi, sorry for the late reply.

you still need me to help you with the integration of yara?

[Jonathan G.]

Hi,

Yes because YARA is still not working =(

[Julian Bustamante Narvaez]

Hi Jonathan, I hope you are well.

Install Yara on Windows and follow the step by step that we have already seen at the beginning of this thread. https://groups.google.com/g/wazuh/c/JlYrdjXl8m0/m/pCSh2auiBAAJ
Additionally, you can also be guided by this https://wazuh.com/blog/detecting-lockbit-3-0-ransomware-with-wazuh/ since it is very similar, however, the first one is enough.

So you can install Yara https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara

So you can install python https://www.python.org/downloads/
So you can install pip https://www.geeksforgeeks.org/how-to-install-pip-on-windows/ to install valhallaAPI

I attach screenshots of the tests I did
I remain attentive, if you have any questions, do not hesitate to contact me.

[Jonathan G.]

Hi Julian,

I will reconfigure following the screenshots and I will come back here with the result.

Thank you for staying to help me

[Jonathan G.]

Hey Julian,

I do the same configuration but still have yara0 error provided...

Did the rules accept the "*" like this :

  <rule id="100050" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\*\\administrator\\Downloads</field>
    <description>File modified in Downloads directory.</description>
  </rule>

This is the only thing I have different.

[Julian Bustamante Narvaez]

Hi, I tried your rule and it didn't work with \\*\\ in the path. The alert is generated on id 550 and 554 only (parent rules), if the rule has \\Users\\ in the path, 100050 and 100051 are made effective in the alert json.

in the attached images, you can see the configuration and the output alert with the \\*\\ and with \\Users.

You can attach an image of your VM (ova), you can import it from oracle Vbox and send it to me so I can replicate the error with your environment. If it is not in a VM, I suggest you install one with vagrant and configure everything from the start, if it keeps showing you the error, send it to me and I'll try it, since it works fine for me with the same configurations

https://app.vagrantup.com/gusztavvargadr/boxes/windows-10

If you have any doubts do not hesitate to consult me.

Regards

[Jonathan G.]

Hi,

I will soon migrate Wazuh to its final architecture. I will test again at that time. I'll make a message on this post once everything is done to keep you informed.
I have to watch the Download folder of each user, I will leave the rules 550 and 554 for the activation of the active response of YARA.

Thanks