TJPROJMAIN.EXE attack on datacentre


Ray Wilson

Jun 4, 2021, 4:22:05 AM
to Wazuh mailing list
Team,

Recently one of our datacentres was attacked by TJPROJMAIN.EXE (a mining virus), but we were unable to become aware of it. Is the Wazuh agent able to monitor virus infections on systems? Can we get e-mail alerts if any suspicious .exe is installed?

Regards

Asunción Gómez Castro

Jun 7, 2021, 3:45:42 AM
to Wazuh mailing list

Hello Ray.

There are several ways you can prevent this issue using Wazuh. First of all, I would recommend running vulnerability scans on your devices. Wazuh is able to detect vulnerabilities in the applications installed on agents using the Vulnerability Detector module. This software audit is performed through the integration of vulnerability feeds indexed by Canonical, Debian, Red Hat, and the National Vulnerability Database.

To run a vulnerability scan, follow these steps:
  1. Add the following block of settings to your shared agent configuration file:
    <wodle name="syscollector">
      <disabled>no</disabled>
      <interval>1h</interval>
      <os>yes</os>
      <packages>yes</packages>
      <hotfixes>yes</hotfixes>
    </wodle>
  2. Add a block like the following to your manager configuration file:
    <vulnerability-detector>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <run_on_start>yes</run_on_start>
      <provider name="nvd">
        <enabled>yes</enabled>
        <update_from_year>2010</update_from_year>
        <update_interval>1h</update_interval>
      </provider>
    </vulnerability-detector>
  3. Restart the manager to apply the changes.
This way, you will receive alerts every time a vulnerability is found. You can also check the vulnerability dashboards to have an overview of your agents’ status. You can read more about vulnerability detection in our documentation:


There's also an alert that will be triggered every time new software is installed on a Windows agent. The rule ID is 60612, and it is included in Wazuh's default ruleset. Here's the source code, in case you're interested:


If you wish to receive an e-mail notification, you can edit this rule and add the alert_by_email option:

<rule id="60612" level="3">
  <if_sid>60609</if_sid>
  <field name="win.system.eventID">^11707$|^1033$</field>
  <description>Application Installed $(win.eventdata.data)</description>
  <!-- each option goes in its own <options> tag; the rule parser rejects comma-separated values -->
  <options>no_full_log</options>
  <options>alert_by_email</options>
</rule>

And then activate the e-mail notifications. You can read a complete guide about how to do it here:


I hope this response was helpful! If you have any follow-up questions, please don't hesitate to ask.

Best regards,

Asun Gómez.
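How rule 60612 turns a decoded Windows event into the "Application Installed ..." alert, as an added Python illustration that is not part of this thread or of Wazuh's own code: the sample events are constructed in the shape of Wazuh's Windows eventchannel decoder output, and the parent rule check (60609) is assumed to have already passed.

```python
import re

# Rule 60612 from the thread, as data (added example, not Wazuh's engine):
# match eventID 11707 (MsiInstaller) or 1033, then describe the product.
RULE_60612 = {
    "id": "60612", "level": 3,
    "field": ("win.system.eventID", re.compile(r"^11707$|^1033$")),
    "description": "Application Installed $(win.eventdata.data)",
    "options": {"no_full_log", "alert_by_email"},
}

# Constructed events shaped like Wazuh's Windows eventchannel decoder output.
SAMPLE_EVENTS = [
    {"win": {"system": {"eventID": "11707", "channel": "Application"},
             "eventdata": {"data": "Notepad++ (64-bit x64)"}}},
    {"win": {"system": {"eventID": "1033", "channel": "Application"},
             "eventdata": {"data": "Example Product 2.0"}}},
    {"win": {"system": {"eventID": "11724", "channel": "Application"},
             "eventdata": {"data": "Removed Product"}}},  # uninstall: no match
]

def get_field(event, dotted):
    """Resolve a dotted name such as 'win.system.eventID'; None if absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def render(template, event):
    """Expand $(field) placeholders the way rule descriptions do."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: str(get_field(event, m.group(1)) or ""), template)

def evaluate(event, rule=RULE_60612):
    """Return an alert dict when the rule's <field> regex matches, else None."""
    name, pattern = rule["field"]
    value = get_field(event, name)
    if value is None or not pattern.search(str(value)):
        return None
    return {"rule_id": rule["id"], "level": rule["level"],
            "description": render(rule["description"], event),
            "email": "alert_by_email" in rule["options"]}

def alerts_for(events):
    """Run the rule over a batch of decoded events (parent 60609 assumed)."""
    return [a for a in (evaluate(e) for e in events) if a]
```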