You're reading from Security Monitoring with Wazuh

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781837632152
Edition: 1st Edition

Author: Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity." As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Malware Detection Using Wazuh

Malware is short for malicious software, and it is installed on a computer without the user’s permission. Attackers can use malware to encrypt or steal data, or to spy on system activity. Malware detection is the process of monitoring and analyzing computer systems and networks for the presence of malicious software and files. Security products detect malware by matching the signatures of known malware samples and by monitoring for anomalous behavior. However, some malware can evade detection using multiple techniques once it enters the system. Wazuh uses a wide range of approaches to counter those techniques and detect malicious files and suspicious activities. In this chapter, we will learn about the different Wazuh modules that detect malicious files and integrate some third-party tools to enhance its detection capabilities.

In this chapter, we’ll cover the following topics:

  • Types of malware
  • Wazuh’s capabilities...

Types of malware

Malware can take many forms, each with its own distinct capabilities and objectives. Some common types of malware include the following:

  • Viruses: Malware that attaches itself to legitimate files and programs and spreads by infecting other files. Viruses can cause damage by corrupting or destroying data. Examples include ILOVEYOU, Mydoom, and Anna Kournikova.
  • Worms: Malware that copies itself and spreads through networks by taking advantage of security holes to infect other connected systems. Examples include Blaster, Mydoom, and Slammer.
  • Trojans: Malicious software that looks like legitimate files or programs. Once installed, Trojans can let cybercriminals in without permission, which can lead to data theft, espionage, or more damage. Examples are Zeus (designed to steal financial information such as credit or debit cards), SpyEye (targets online banking information), and Poison Ivy (controls the victim machine remotely).
  • Ransomware: Malware that...

Wazuh capabilities for malware detection

Wazuh offers several capabilities that contribute to its effectiveness in detecting malware. This is accomplished through the use of a combination of log analysis, intrusion detection, and threat intelligence. It also provides real-time alerting, event correlation, and the ability to execute custom scripts for automated reaction activities, making it a powerful tool for effectively identifying and responding to malware attacks. The following are some of Wazuh’s methods for malware detection:

  • Threat detection rules and FIM: In this method, Wazuh utilizes its built-in capability to detect any critical file modification. Some of the capabilities are:
    • Wazuh employs a set of predefined threat detection rules that are continuously evaluated against incoming events. The purpose of these rules is to identify suspicious activities, events, and patterns that may indicate malware infections or security breaches.
    • Wazuh’s malware detection relies heavily on...

Malware detection using FIM

When a system gets compromised by malware, it may create new files or modify existing files, such as the following file types:

  • Executable files (.exe, .dll, .bat, and .vbs)
  • Configuration files (.cfg and .ini)
  • Temporary files (.tmp)
  • Registry entries
  • Log files (.log)
  • Payload files
  • Hidden files and directories
  • Batch scripts (.bat)
  • PowerShell (.ps1)
  • Specially crafted documents with a malicious payload (.doc, .xls, and .pdf)

Using this information, we can create an FIM rule in Wazuh to detect such file changes. Monitoring every file, however, also produces a high number of false positive alerts. To solve this problem, we narrow the monitoring to a specific directory or folder, as shown later in this section.

In this section, we’ll learn how to create Wazuh rules to detect some of the common malware patterns.

We’ll cover the following use cases:

  • Configuring and testing FIM on an Ubuntu machine
  • Detecting suspicious...

The CDB list

The CDB list in Wazuh serves as a repository for distinct hashes or checksums of malicious and benign files. Wazuh can then compare the hashes of files observed on a monitored system against those kept in the CDB list. More generally, a CDB list can hold users, file hashes, IP addresses, domain names, and so on. In this section, we will cover the following topics:

  • The workings of the CDB list
  • Setting up the Wazuh server
  • Configuring Windows endpoints
  • Testing
  • Visualizing the alerts

The workings of the CDB list

You can save a list of users, file hashes, IP addresses, or domain names in a text file called a CDB list. Entries in a CDB list are written either in a key:value format or in a key-only (key:) format. CDB lists can function as allow lists or deny lists. Wazuh processes a CDB list as follows:

  1. Hash generation: CDB lists consist of hashes of both good and bad content such as IP addresses, malware hashes...
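As an added illustration of the two mechanisms described above (an FIM rule scoped to one watched directory, and a CDB deny-list lookup on a file's hash), here is a small Python model of the decision logic. It is not Wazuh code: the list entries, the watched directory, the file-type set and the alert levels are constructed for the example, and the rule tiers only mimic how Wazuh's syscheck and CDB `match_key` lookups are typically combined.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed stand-in for a Wazuh CDB list file (for example etc/lists/malware-hashes):
# one entry per line, either "key:value" or key-only "key:" (the two CDB formats).
MALWARE_HASHES = "\n".join([
    hashlib.md5(b"constructed sample A").hexdigest() + ":mirai-variant",
    hashlib.md5(b"constructed sample B").hexdigest() + ":",   # key-only entry
])
# File types from the chapter's list of what malware commonly drops (constructed subset).
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".bat", ".vbs", ".ps1", ".tmp"}
# Narrowing FIM to one directory is how the chapter reduces false positives (assumed path).
WATCHED_DIR = PurePosixPath("/home/user/Downloads")


def parse_cdb_list(text):
    """Parse CDB syntax into {key: value}; key-only lines get an empty value."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"CDB entry lacks ':' separator: {line!r}")
        entries[key] = value
    return entries


def evaluate_fim_event(path, content, deny_list):
    """Return (level, description) for a syscheck-style 'file added' event, or None.

    Two tiers, as in the chapter: a deny-list lookup on the file's MD5 (high
    severity, like Wazuh's match_key lookup) and a suffix match inside the
    watched directory (lower severity). Events outside WATCHED_DIR are ignored.
    """
    p = PurePosixPath(path)
    if WATCHED_DIR not in p.parents:
        return None
    md5 = hashlib.md5(content).hexdigest()
    if md5 in deny_list:  # match_key: only the key must exist; the value is a label
        label = deny_list[md5] or "unnamed entry"
        return (13, f"File with known malware hash detected: {path} ({label})")
    if p.suffix.lower() in SUSPICIOUS_SUFFIXES:
        return (7, f"Suspicious file type added to watched directory: {path}")
    return None


if __name__ == "__main__":
    deny = parse_cdb_list(MALWARE_HASHES)
    for path, content in [
        ("/home/user/Downloads/invoice.exe", b"constructed sample A"),
        ("/home/user/Downloads/notes.txt", b"harmless"),
        ("/tmp/build/out.exe", b"constructed sample B"),  # outside the watched directory
    ]:
        print(path, "->", evaluate_fim_event(path, content, deny))
```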

VirusTotal integration

VirusTotal is a free online service that analyzes files and URLs to detect malware and other malicious content. It uses over 70 antivirus products and URL blocklisting engines to provide detailed information about a submitted file, URL, or IP address. VirusTotal allows users to contribute their own findings and submit comments on files and URLs. These contributions help improve the service’s accuracy and provide valuable insights to other users. VirusTotal provides an API with multiple paid plans. However, it also has a free plan that allows four lookups per minute with a daily quota of 500 lookups.

In this use case of malware detection, we will use a FIM module to monitor the changes and then trigger VirusTotal to scan the files in that directory. We will cover the following points:

  • Set up a VirusTotal account
  • Integrate VirusTotal with the Wazuh manager
  • Create a Wazuh rule on the Wazuh manager
  • Set up a...

Integrating Windows Defender logs

Windows Defender is the antivirus component of Microsoft Windows. As per the 2023 Antivirus Market Report, Windows Defender is the most common free antivirus product for PC users, with around 40% of the market share of free antivirus software. For more information on this, you can check the following link: https://www.security.org/antivirus/antivirus-consumer-report-annual/. Additionally, Microsoft also offers an endpoint security solution for enterprises called Windows Defender for Endpoint. This makes integrating Windows Defender with Wazuh especially worthwhile. By default, Wazuh does not read the Windows Defender logs, so some extra configuration is needed to make this possible.

In this section, we’ll learn to push Windows Defender logs to the Wazuh manager. You will learn about the following:

  • How to get started with Windows Defender logs
  • Setting up the Wazuh agent to collect Windows Defender logs
  • Testing...

Integrating Sysmon to detect fileless malware

Malicious code that operates directly within a computer’s memory rather than the hard drive is known as fileless malware. It is “fileless” in the sense that no files are downloaded to your hard drive when your machine is infected. This makes it more difficult to detect using traditional antivirus or anti-malware tools, which primarily scan disk files.

Sysmon is a device driver and Windows system service that provides advanced monitoring and logging capabilities. It was created by Microsoft’s Sysinternals team to monitor various aspects of system activity, such as processes, network connections, and file changes. While Sysmon does not specifically focus on detecting fileless malware, its comprehensive monitoring capabilities can undoubtedly assist in identifying and mitigating the impact of fileless malware attacks. We can enhance Wazuh’s malware detection capabilities by installing Sysmon on each Windows...

Summary

This chapter introduced us to the synergy between Wazuh and malware detection, covering its FIM capabilities, the use of VirusTotal for enhanced threat intelligence, and the CDB list for building a list of known malware hashes. The integration of Windows Defender logs with Wazuh gave us a unified view of security events on a Windows machine. Finally, we covered integrating Sysmon on Windows machines to detect fileless malware.

In the next chapter, we will learn how to enhance Wazuh’s threat intelligence capabilities by integrating the Malware Information Sharing Platform (MISP). To build a scalable system, we will also integrate TheHive and Cortex with the MISP platform.
