Threat hunting is a proactive cybersecurity strategy aimed at identifying indicators of compromise (IOCs) or indicators of attack (IOAs) within an organization’s IT environment. To maintain a strong security posture, organizations must continuously monitor network and system activities for signs of potential threats or anomalies. These IOCs and IOAs can often be discovered within system inventory data, helping to detect suspicious activity on monitored endpoints.
With an Argus agent installed on an endpoint, the Syscollector module collects essential system inventory information. It scans the endpoint for details on hardware, operating system, network interfaces, installed packages, open ports, and running processes. The collected data is stored in an inventory database on the Argus server, giving deeper insight into endpoint activity.
Users can generate system inventory reports through the Argus dashboard, which supports threat-hunting efforts by surfacing anomalies, intrusions, unauthorized software, or unexpected process parameters. This post explores how to use system inventory data from the Argus Syscollector module for threat hunting. It also shows how to trigger alerts on inventory changes and how to analyze inventory data for potential threats with the Argus Query Language (WQL).
REQUIREMENTS
- Argus server
- Ubuntu endpoint with agent installed
On the Ubuntu endpoint, the Argus Syscollector module is enabled by default with a scan interval of 1 hour. Shorten the scan interval so that inventory changes reach the Argus server promptly; for this post, set it to 1 minute. Additionally, configure the port scan to report all connections (established connections as well as listening sockets) rather than only listening ports.
1. Edit the syscollector block in the Argus agent configuration file /var/ossec/etc/ossec.conf to use a 1m interval and set the all attribute of <ports> to yes:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
</wodle>
2. Restart the Argus agent:
systemctl restart wazuh-agent
Detecting unknown ports
Detecting abnormal ports is a core part of proactive threat hunting with system inventory data. By analyzing the listening ports and established connections reported by Argus Syscollector scans, organizations can spot irregularities that may indicate unauthorized access or malicious activity, such as a service listening on a port that no approved application should use.
Carry out the following actions to hunt for unauthorized or malicious network activity involving ports outside the list of authorized ports.
Argus server
Create a CDB list on the Argus server holding the ports that should not trigger alerts, then write rules that alert on any newly reported port outside that list, including the remote IP address connected through it.
1. Create a CDB list file for known common ports at /var/ossec/etc/lists/common-ports
2. Add the ports we do not want to alert on, one per line in CDB key:value form, with the value left empty:
25:
22:
53:
80:
135:
389:
443:
445:
993:
995:
1514:
1515:
3389:
5000:
5223:
8000:
8002:
8080:
8083:
8443:
9000:
3. Change the ownership and permissions of the list so the Argus manager can read it:
chown wazuh:wazuh /var/ossec/etc/lists/common-ports
chmod 660 /var/ossec/etc/lists/common-ports
4. Edit the Argus server configuration file /var/ossec/etc/ossec.conf and reference the new CDB list within the <ruleset> block:
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<list>etc/lists/common-ports</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
5. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file. Rule 100300 matches every Syscollector ports event, and rule 100370 alerts when a newly reported (INSERTED) port is not a key in the CDB list and does not belong to the wazuh-agentd process. Note that the lookup is on port.local_port: with the port scan set to all="yes", outbound connections are reported too, and their local port is an ephemeral port that will not be in the list, so tune the list or add a condition on port.state if this proves noisy.
<group name="syscollector,">
<!-- ports -->
<rule id="100300" level="2">
<if_sid>221</if_sid>
<field name="type">dbsync_ports</field>
<description>Syscollector ports event.</description>
</rule>
<!-- Uncommon local port detected -->
<rule id="100370" level="9">
<if_sid>100300</if_sid>
<field name="operation_type">INSERTED</field>
<field name="port.process" negate="yes">wazuh-agentd</field>
<list field="port.local_port" lookup="not_match_key">etc/lists/common-ports</list>
<description>Network connection to Uncommon Port $(port.local_port) from $(port.remote_ip)</description>
</rule>
</group>
6. Restart the Argus manager
systemctl restart wazuh-manager
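To make the match conditions of rules 100300 and 100370 concrete, the following is an added Python example (not Argus or Wazuh code; the manager evaluates the XML rules itself) that re-implements the same conditions over constructed dbsync_ports events. It also shows why an outbound connection, whose local port is ephemeral, fires the rule as written, and a tightened variant that additionally requires a listening socket. The event field names follow the rule definitions on this page; the port.state values "listening" and "established" and a remote_ip of 0.0.0.0 for listening sockets are assumptions about Syscollector data, and every event is constructed, not captured from an agent.

```python
# Added example: a pure-Python re-implementation of the match conditions of
# rules 100300/100370 on this page, run over constructed Syscollector
# dbsync_ports events. This is not Argus/Wazuh code; the manager evaluates
# the XML rules itself. Assumptions: field names follow the rule definitions,
# port.state uses the values "listening"/"established", and listening
# sockets report remote_ip 0.0.0.0. All events below are constructed.

# Same key-per-line format as /var/ossec/etc/lists/common-ports (values empty).
COMMON_PORTS_CDB = """\
22:
53:
80:
443:
1514:
1515:
"""


def load_cdb_keys(text):
    """Return the set of keys from a CDB list source file (text before the first ':')."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _sep, _value = line.partition(":")
        keys.add(key)
    return keys


def rule_100370(event, common_ports):
    """Return the rendered description if the event fires rule 100370, else None."""
    if event.get("type") != "dbsync_ports":              # parent rule 100300
        return None
    if event.get("operation_type") != "INSERTED":
        return None
    if event.get("port.process") == "wazuh-agentd":      # <field negate="yes">
        return None
    local_port = str(event.get("port.local_port"))
    if local_port in common_ports:                       # lookup="not_match_key"
        return None
    return "Network connection to Uncommon Port {} from {}".format(
        local_port, event.get("port.remote_ip"))


def rule_100370_listening_only(event, common_ports):
    """Tightened variant: also require port.state == "listening" (assumed value),
    the equivalent of adding <field name="port.state">listening</field> to the
    rule, so the ephemeral local ports of outbound connections stop matching."""
    if event.get("port.state") != "listening":
        return None
    return rule_100370(event, common_ports)


# Constructed events, in the order a scan might report them.
EVENTS = [
    {"type": "dbsync_ports", "operation_type": "INSERTED", "port.process": "vsftpd",
     "port.local_port": 21, "port.remote_ip": "0.0.0.0", "port.state": "listening"},
    {"type": "dbsync_ports", "operation_type": "INSERTED", "port.process": "sshd",
     "port.local_port": 22, "port.remote_ip": "0.0.0.0", "port.state": "listening"},
    {"type": "dbsync_ports", "operation_type": "INSERTED", "port.process": "wazuh-agentd",
     "port.local_port": 49812, "port.remote_ip": "10.0.0.5", "port.state": "established"},
    # Outbound HTTPS from curl: the local port is ephemeral and not in the list.
    {"type": "dbsync_ports", "operation_type": "INSERTED", "port.process": "curl",
     "port.local_port": 51234, "port.remote_ip": "203.0.113.10", "port.state": "established"},
    {"type": "dbsync_ports", "operation_type": "DELETED", "port.process": "vsftpd",
     "port.local_port": 21, "port.remote_ip": "0.0.0.0", "port.state": "listening"},
    # A different Syscollector event type must not reach rule 100370 at all.
    {"type": "dbsync_network_iface", "operation_type": "INSERTED", "netinfo.iface.name": "eth1"},
]


def run(events, rule, cdb_text=COMMON_PORTS_CDB):
    """Apply one rule function to every event and collect the alert descriptions."""
    common_ports = load_cdb_keys(cdb_text)
    alerts = []
    for event in events:
        desc = rule(event, common_ports)
        if desc is not None:
            alerts.append(desc)
    return alerts


if __name__ == "__main__":
    for name, rule in (("as written", rule_100370),
                       ("listening only", rule_100370_listening_only)):
        print("Rule 100370 {}:".format(name))
        for alert in run(EVENTS, rule):
            print("  " + alert)
```

Run as written, the rule alerts on both the vsftpd listener on port 21 and the curl connection whose local port is 51234; the listening-only variant keeps just the port 21 alert, which is the behaviour most deployments want from this rule.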
Simulating the test
Simulate a detection on the Ubuntu endpoint by opening port 21, which is not in our CDB list.
Install the vsftpd package, which starts an FTP server listening on port 21:
sudo apt install vsftpd
Monitoring the Alerts
- Navigate to Threat Hunting > Events
- Click on Add filter
- Select rule.id in the Field box
- Select is as the Operator and enter 100370 in the Values field
- Click on Save
Clean up commands
Execute the following commands to uninstall the package and remove its configuration files.
Uninstall the vsftpd package
sudo apt autoremove vsftpd
sudo apt purge vsftpd
Detecting a new network interface
Maintaining visibility and control over network configuration is essential for system security and integrity. Attackers may add network interfaces to compromised systems, for example tunnel (tun/tap) interfaces for a VPN or covert channel, to gain unauthorized access, exfiltrate data, or carry out other malicious activity. Prompt detection of these changes is critical to containing the compromise.
Perform the action below to generate an alert when a new network interface is added to a monitored endpoint.
Argus Server
1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file to alert on new network interfaces reported by the Argus Syscollector:
<group name="syscollector2,">
<!-- New network interface -->
<rule id="100371" level="2">
<if_sid>221</if_sid>
<field name="type">dbsync_network_iface</field>
<description>Syscollector network interface event.</description>
</rule>
<rule id="100372" level="9">
<if_sid>100371</if_sid>
<field name="operation_type">INSERTED</field>
<description>New network interface $(netinfo.iface.name) detected.</description>
</rule>
</group>
2. Restart the Argus manager:
systemctl restart wazuh-manager
Simulating the test
Simulate a new network interface on the Ubuntu endpoint to test the rules created from the collected system inventory information.
- Create a virtual Ethernet pair, eth1 and eth1-peer
sudo ip link add eth1 type veth peer name eth1-peer
- Bring up the new interface eth1
sudo ip link set dev eth1 up
Monitoring the Alerts
- Navigate to Threat Hunting > Events
- Click on Add filter
- Select rule.id in the Field box
- Select is as the Operator and enter 100372 in the Values field
- Click on Save