Overview
Argus’s command monitoring capability runs specific commands on an endpoint and monitors their output. This guide explains how to use the command monitoring capability to detect unauthorized processes, such as when the Netcat networking utility is running on an Ubuntu endpoint.
System Setup
Infrastructure
Endpoint:
Ubuntu 22.04 – The Argus command monitoring module is configured to detect unauthorized processes.
Configuration
Configuring the Ubuntu Endpoint
Follow these steps to set up command monitoring and query running processes:
1. Add Command Monitoring Configuration:
Edit the Argus agent’s /var/ossec/etc/ossec.conf file and include the following configuration block to periodically fetch a list of running processes:
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>
</ossec_config>
2. Restart the Argus Agent:
Apply the changes by restarting the Argus agent:
sudo systemctl restart wazuh-agent
3. Install Netcat and Dependencies:
Use the following command to install Netcat and its required dependencies:
sudo apt install ncat nmap -y
Configuring the Argus Server
Follow these steps to create a rule that triggers when the Netcat program launches:
1. Add Rules to Local Rules File:
Edit the /var/ossec/etc/rules/local_rules.xml file and add the following rules:
<group name="ossec,">
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'process list'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>
  <rule id="100051" level="7" ignore="900">
    <if_sid>100050</if_sid>
    <match>nc -l</match>
    <description>netcat listening for incoming connections.</description>
    <group>process_monitor,</group>
  </rule>
</group>
2. Restart the Argus Manager:
Apply the rule changes by restarting the Argus manager:
sudo systemctl restart wazuh-manager
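To see how the two rules above chain together before touching a live manager, the following Python script is an added example (not Argus or Wazuh code) that emulates the rule logic over a constructed process list. It assumes the event format a full_command localfile produces (a line of the form `ossec: output: 'process list':` followed by the command output), that `<match>` is a regex tested against the whole event, and that `ignore="900"` suppresses repeat alerts from the same rule for 900 seconds; the `ps` output, the `Rule`/`Evaluator` names and the timestamps are all constructed for the demo.

```python
"""Toy evaluator for the process_monitor rule chain (added example, not Argus/Wazuh code)."""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

# Constructed samples of what `ps -e -o pid,uname,command` might print on the endpoint.
CLEAN_PS_OUTPUT = (
    "    PID USER     COMMAND\n"
    "      1 root     /sbin/init\n"
    "   2311 ubuntu   bash\n"
)
NETCAT_PS_OUTPUT = CLEAN_PS_OUTPUT + "   2402 ubuntu   nc -l 8000\n"


def wrap_full_command(alias: str, output: str) -> str:
    """Build the event text a full_command localfile is assumed to emit for one run."""
    return f"ossec: output: '{alias}':\n{output}"


@dataclass
class Rule:
    rule_id: int
    level: int
    match: str                      # regex tried against the whole event ('^' = start of event)
    if_sid: Optional[int] = None    # parent rule that must have matched first
    ignore: int = 0                 # seconds to suppress repeat alerts after firing


# Mirrors local_rules.xml above: 100050 is the level-0 parent (child of the full_command
# decoder rule 530, which we treat as always matched here), 100051 is the real alert.
RULES: List[Rule] = [
    Rule(100050, 0, r"^ossec: output: 'process list'"),
    Rule(100051, 7, r"nc -l", if_sid=100050, ignore=900),
]


@dataclass
class Evaluator:
    last_fired: dict = field(default_factory=dict)  # rule id -> time it last alerted

    def evaluate(self, event: str, now: float) -> Tuple[Optional[int], bool]:
        """Return (deepest matching rule id, alert emitted?).

        Rules are tried in list order; a child is only tried when its if_sid parent
        is the rule matched so far, which is how the chain 530 -> 100050 -> 100051 works.
        """
        matched: Optional[int] = None
        for rule in RULES:
            if rule.if_sid is not None and rule.if_sid != matched:
                continue
            if re.search(rule.match, event):
                matched = rule.rule_id
        if matched is None:
            return None, False
        rule = next(r for r in RULES if r.rule_id == matched)
        if rule.level == 0:                       # level 0 never produces an alert
            return matched, False
        last = self.last_fired.get(matched)
        if last is not None and now - last < rule.ignore:
            return matched, False                 # still inside the ignore window
        self.last_fired[matched] = now
        return matched, True


def run_demo() -> List[Tuple[Optional[int], bool]]:
    """Feed four 30-second snapshots through the evaluator (constructed timeline)."""
    ev = Evaluator()
    clean = wrap_full_command("process list", CLEAN_PS_OUTPUT)
    listening = wrap_full_command("process list", NETCAT_PS_OUTPUT)
    return [
        ev.evaluate(clean, now=0),        # (100050, False): parent only, level 0
        ev.evaluate(listening, now=30),   # (100051, True):  first alert
        ev.evaluate(listening, now=60),   # (100051, False): suppressed by ignore=900
        ev.evaluate(listening, now=960),  # (100051, True):  window expired, alerts again
    ]


if __name__ == "__main__":
    for rule_id, alerted in run_demo():
        print(f"rule {rule_id} matched, alert={alerted}")
```

Two things the walk-through makes visible. First, `ignore="900"` means a listener that stays up produces one alert per 15 minutes, not one per 30-second snapshot, so a process that appears and disappears between polls can be missed entirely. Second, `<match>nc -l</match>` is a plain substring test against the whole event, so any command line containing those characters matches, for example `rsync -lv` (the `nc -l` sits inside `rsync -l`); a boundary-anchored pattern such as `(^|\s)nc -l` avoids that false positive.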
Attack Emulation
To test the configuration, simulate an attack by running the following command on the monitored Ubuntu endpoint:
nc -l 8000
Leave the process running for at least 30 seconds, the configured polling frequency, so that the Argus monitoring module captures it in a process list.
Viewing Alerts
You can visualize the generated alerts in the Argus dashboard:
1. Navigate to the Threat Hunting module.
2. Use the following filter in the search bar to query the alerts:
rule.id:(100051)
This will display alerts for the unauthorized Netcat process detected by Argus.
By following this guide, you can leverage Argus’s command monitoring capability to detect and respond to unauthorized processes, enhancing endpoint security.