
Monitoring Execution of Malicious Commands


Overview

Auditd is the auditing utility native to Linux systems. It records actions and changes on a Linux endpoint.

In this use case, Auditd is configured on an Ubuntu endpoint to record all commands executed by a given user, including commands run through sudo or after switching to the root user. A custom Argus rule is then configured to alert on suspicious commands.

System Setup

Infrastructure

Endpoint:

Ubuntu 22.04 – Auditd is configured to monitor the execution of malicious commands.

Configuration

Ubuntu Endpoint

Follow these steps to install Auditd and create the necessary audit rules to track all commands executed by a privileged user:

1. Install and Enable Auditd:

   sudo apt -y install auditd
   sudo systemctl start auditd
   sudo systemctl enable auditd

2. Append Audit Rules:

As the root user, execute the following commands to append audit rules to the /etc/audit/audit.rules file:

   echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b32 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules
   echo "-a exit,always -F auid=1000 -F egid!=994 -F auid!=-1 -F arch=b64 -S execve -k audit-wazuh-c" >> /etc/audit/audit.rules

3. Reload and Verify Rules:

Reload the rules and confirm that they are in place:

   sudo auditctl -R /etc/audit/audit.rules
   sudo auditctl -l

   Output:

   -a always,exit -F arch=b32 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c
   -a always,exit -F arch=b64 -S execve -F auid=1000 -F egid!=994 -F auid!=-1 -F key=audit-wazuh-c

4. Configure the Argus Agent:

Add the following configuration to the Argus agent’s /var/ossec/etc/ossec.conf file to enable it to read Auditd logs:

   <localfile>
     <log_format>audit</log_format>
     <location>/var/log/audit/audit.log</location>
   </localfile>

5. Restart the Argus Agent:

   sudo systemctl restart wazuh-agent

Argus Server

Perform these steps to create a CDB list of malicious programs and define rules to detect their execution:

1. Inspect the Lookup File:

Review the key-value pairs in the /var/ossec/etc/lists/audit-keys lookup file:

   audit-wazuh-w:write
   audit-wazuh-r:read
   audit-wazuh-a:attribute
   audit-wazuh-x:execute
   audit-wazuh-c:command

Note: Argus maintains CDB lists as flat files that are compiled into a binary format for high-performance lookups. For example, /var/ossec/etc/lists/audit-keys corresponds to the compiled file /var/ossec/etc/lists/audit-keys.cdb that rule lookups use.

2. Create a Suspicious Programs List:

Create the /var/ossec/etc/lists/suspicious-programs file and populate it with the following content:

   ncat:yellow
   nc:red
   tcpdump:orange

3. Add the List to the Configuration:

Add the list to the <ruleset> section of the Argus server’s /var/ossec/etc/ossec.conf file:

   <list>etc/lists/suspicious-programs</list>

4. Define a High-Severity Rule:

Create a high-severity rule in the /var/ossec/etc/rules/local_rules.xml file to trigger when a “red” program is executed:

   <group name="audit">
     <rule id="100210" level="12">
       <if_sid>80792</if_sid>
       <list field="audit.command" lookup="match_key_value" check_value="red">etc/lists/suspicious-programs</list>
       <description>Audit: Highly Suspicious Command executed: $(audit.exe)</description>
       <group>audit_command,</group>
     </rule>
   </group>

5. Restart the Argus Manager:

   sudo systemctl restart wazuh-manager
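To make the decoding and lookup chain concrete, here is an added Python example (not part of this guide and not Argus code) that parses constructed audit.log records of the kind the endpoint rules above produce, merges each event's SYSCALL and EXECVE lines, and applies the two CDB lookups the way rule 80792 and rule 100210 do. The regexes, the use of comm as audit.command and the sample log lines are assumptions modelled on auditd's output format.

```python
import re
from collections import defaultdict

# Constructed copies of the two CDB lists used on the Argus server
AUDIT_KEYS = {"audit-wazuh-w": "write", "audit-wazuh-r": "read", "audit-wazuh-a": "attribute",
              "audit-wazuh-x": "execute", "audit-wazuh-c": "command"}
SUSPICIOUS_PROGRAMS = {"ncat": "yellow", "nc": "red", "tcpdump": "orange"}

# Constructed excerpt of /var/log/audit/audit.log; SYSCALL and EXECVE records share an event serial
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=1000 egid=1000 tty=pts0 ses=3 comm="nc" exe="/usr/bin/nc.openbsd" key="audit-wazuh-c"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="nc" a1="-v"
type=SYSCALL msg=audit(1700000000.500:4243): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 euid=1000 egid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="audit-wazuh-c"
type=EXECVE msg=audit(1700000000.500:4243): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000001.010:4244): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 egid=0 tty=pts0 ses=3 comm="tcpdump" exe="/usr/bin/tcpdump" key="audit-wazuh-c"
type=EXECVE msg=audit(1700000001.010:4244): argc=3 a0="tcpdump" a1="-i" a2="eth0"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')  # assumed auditd layout
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_log(text):
    """Merge the records of each audit event (same serial) into one flat dict of fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        _, ts, serial, body = m.groups()
        ev = events[serial]
        ev.setdefault("timestamp", ts)
        for k, v in FIELD_RE.findall(body):
            ev[k] = v.strip('"')        # comm="nc" -> comm: nc
    return dict(events)

def evaluate(events, wanted="red"):
    """Emulate the rule chain: key -> 'command' (parent 80792), then comm -> colour (child 100210)."""
    alerts = []
    for serial, ev in sorted(events.items()):
        if AUDIT_KEYS.get(ev.get("key")) != "command":
            continue                      # not a command-execution event
        command = ev.get("comm", "")      # assumed to be what Argus decodes as audit.command
        if SUSPICIOUS_PROGRAMS.get(command) == wanted:
            alerts.append({"id": serial, "auid": ev["auid"], "uid": ev["uid"],
                           "exe": ev["exe"], "command": command, "level": 12})
    return alerts

if __name__ == "__main__":
    for a in evaluate(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"Audit: Highly Suspicious Command executed: {a['exe']} (auid={a['auid']}, uid={a['uid']})")
```

Note that the tcpdump event runs as uid=0 but keeps auid=1000, which is why the auid-based audit rule still attributes it to the original login user after sudo.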

Attack Emulation

On the Ubuntu endpoint, simulate an attack by installing and running a “red” program (e.g., Netcat):

   sudo apt -y install netcat
   nc -v

Allow the process to run long enough for Auditd to capture it (around 30 seconds).

Visualizing Alerts

View the alerts in the Argus dashboard by performing the following steps:

1. Navigate to the Threat Hunting module.

2. Use the search bar to query alerts using the following filter:

   data.audit.command:nc

This will display alerts for the execution of the unauthorized Netcat program.

By following this guide, you can leverage Argus and Auditd to monitor the execution of malicious commands, enhancing the security of your endpoint.
