Showing posts with label windows. Show all posts
Showing posts with label windows. Show all posts

Friday, August 7, 2015

How to monitor running processes with OSSEC

In this post I am going to explain what are the steps to use OSSEC agents to monitor system processes, and alert when an important one is not running. This method should work both for Windows and Unix like Operating Systems. In my lab I've deployed the agent on a Windows Server 2012.

1.-Accepting remote commands

First step is to configure the agent logcollector option to accept remote commands from the manager. That can be done editing "internal_options.conf" file (usually located at "C:\Program Files(x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1.
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1
Once we have save this change, we just need to restart the agent for it to be applied.

2.- Specifying the command to list running processes

This is a configuration that can be done both at the agent or at the manager (using the shared directory). It only depends on how many agents you want this command to be used. In my case I decided to edit "/var/ossec/etc/shared/agent.conf" configuration file, and have these settings pushed to my windows agents. 
<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>
</agent_config>
The command I used to list processes in Windows like Operating Systems is "tasklist". There are other options like using wmic, but this one looked good enough to me. For Unix systems you might want to use "ps".
On the other hand, notice that under log_format I choiced "full_command". This is because I want my OSSEC rules to be able to parse the whole command output, instead of parsing the output one line at a time.
At last, the frequency defines how often, in seconds, will this command be run. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that can be generated in the system by running commands too often.

3.- Creating local rules

In this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name. 
<rule id="100050" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
<rule id="100051" level="0">
  <if_sid>100050</if_sid>
  <match>wordpad.exe</match>
  <description>Processes running as expected</description>
  <group>process_monitor,</group>
</rule>
The first rule (id "100050") will trigger a level "7" alert every time tasklist command is executed, unless (as defined in rule "100051") the output matches the string "wordpad.exe". If this is the case the alert level is set to "0", meaning that that no alert would be triggered.
Now we just need to save these changes and restart the manager for them to be applied. We can do that running "ossec-control restart" command.

4.- Testing our configuration

In order to test the configuration it is good to enable OSSEC "logall" option, so we can see the output of tasklist in archives.log everytime it is executed. See below an example (I cut some lines for brevity). 
2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
...
notepad.exe                   1596 RDP-Tcp#37                 2     14,500 K
win32ui.exe                    828 RDP-Tcp#37                 2      6,088 K
ossec-agent.exe               3060 Services                   0      5,576 K
notepad.exe                   2276 RDP-Tcp#37                 2     12,076 K
wordpad.exe                    368 RDP-Tcp#37                 2     27,780 K
cmd.exe                        780 Services                   0      2,692 K
conhost.exe                   1304 Services                   0      3,044 K
tasklist.exe                  1692 Services                   0      5,668 K
And, once wordpad.exe process is stopped. An alert like this is triggered as expected. We can see it in "/var/ossec/logs/alerts/alerts.log" file. 
** Alert 1438997816.32112781: mail  - local,syslog,process_monitor,
2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
Rule: 100050 (level 7) -> 'Critical process not found.'
ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
Of course, using email alert option and the above configuration, you can automatically be notified if one of your critical processes stopped running.
And that is all. I hope you enjoyed the tutorial and found it useful.
Posted by at 42 comments:
Labels: ,

Sunday, January 27, 2013

Installing Cuckoo Sandbox on VirtualBox Ubuntu Server LTS

Quoting their website Cuckoo sandbox is an Open Source automated malware analysis system. To do so it uses custom components that monitor the behavior of the malicious processes while running in an isolated environment (typically a Windows operating system).

It can retrieve the following type of results:
  • Traces of win32 API calls performed by all processes spawned by the malware.
  • Files being created, deleted and downloaded by the malware during its execution.
  • Memory dumps of the malware processes.
  • Network traffic trace in PCAP format.
  • Screenshots of Windows desktop taking during the execution of the malware.
  • Full memory dumps of the machines.
In our case I decided to use a combination of Ubuntu LTS server and VirtualBox to setup the platform where we are going to run Cuckoo. For further details on how to install these systems you can see my previous posts:
Cuckoo (version 0.5) has been developed in Python and integrated with MongoDB, Yara, SSDEEP, Tcpdump for different purposes. That is why my recommendation is to install all these packages including Cuckoo Python dependencies. Here are the necessary steps to do it:

1.- Installing Python and dependencies

 $ apt-get install python # installed by default  
 $ apt-get install python-magic # for identifying file formats  
 $ apt-get install python-dpkt # for extracting info from pcaps  
 $ apt-get install python-mako # for rendering html reports and web gui  
 $ apt-get install python-sqlalchemy  
 $ apt-get install python-jinja2 # necessary for web.py utility  
 $ apt-get install python-bottle # necessary for web.py utility

2.- Installing SSDEEP for calculating fuzzy hashes

 $ apt-get install ssdeep  
 $ apt-get install python-pyrex # required for pyssdeep installation  
 $ apt-get install subversion  
 $ apt-get install libfuzzy-dev   
 $ svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep  
 $ cd pyssdeep  
 $ python setup.py build  
 $ python setup.py install # run as root user

3.- Installing MongoDB and Python support

 $ apt-get install python-pymongo # for mongodb support  
 $ apt-get install mongodb # includes server and clients

4.- Installing Yara and Python support

 $ apt-get install g++  
 $ apt-get install libpcre3 libpcre3-dev  
 $ wget http://yara-project.googlecode.com/files/yara-1.6.tar.gz  
 $ tar -xvzf yara-1.6.tar.gz  
 $ cd yara-1.6  
 $ ./configure  
 $ make  
 $ make check  
 $ make install # finished yara installation  
 $ wget http://yara-project.googlecode.com/files/yara-python-1.6.tar.gz  
 $ tar -xvzf yara-python-1.6.tar.gz  
 $ cd yara-python-1.6  
 $ python setup.py build  
 $ python setup.py install # finished python support installation

5.- Modifying Tcpdump running privileges

This is necessary so Cuckoo can run Tcpdump as non-root user. 
 $ apt-get install libcap2-bin  
 $ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump  
 $ getcap /usr/sbin/tcpdump # to check changes have been applied

6.- Installing Cuckoo Sandbox

 $ sudo useradd cuckoo  
 $ usermod -a -G vboxusers cuckoo # add cuckoo to vboxusers group  
 $ id cuckoo # checks cuckoo user details  
 $ apt-get install git   
 $ git clone git://github.com/cuckoobox/cuckoo.git

7.- Configuring Windows Guest virtual machine

At this point we need to install Cuckoo python agent in the virtual machine that we want to use to run the malware. I am going to continue the work described in my previous post and use WindowsXPVM1 for this purpose.

First steps to prepare the Windows Guest system:
Next we copy the Python agent to our Windows shared folder:
 $ cp /home/santiago/cuckoo/cuckoo/agent/agent.py /home/santiago/cuckoo/shares/WindowsXPVM1/
I also renamed it to agent.pyw to prevent the command prompt from showing. We can run it manually or configure it to run at Windows startup following these steps:
  • Copy to C:\Python27\agent.pyw
  • Add it to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Name:'Agent' Type:'REG_SZ' Data:"C:\Python27\agent.pyw"
After executing the Python script on the virtual machine a new socket should be listening on 0.0.0.0:8000



Our virtual machine is now ready to run malware so it's time to save the system state creating a VirtualBox snapshot.
 $ vboxmanage snapshot "WindowsXPVM1" take "WindowsXPVM1Snap01" --pause
And these are the commands we can use to restore the snapshot.
 $ vboxmanage controlvm "WindowsXPVM1" poweroff  
 $ vboxmanage snapshot "WindowsXPVM1" restorecurrent  
 $ vboxheadless --startvm "WindowsXPVM1"

8.- Starting Cuckoo sandbox

Before starting Cuckoo for the first time, we need to configure Cuckoo VirtualBox settings to specify the virtual machine the system will use to analyze a malware sample. To do it we edit cuckoo/conf/virtualbox.conf file and set the following variables.
  [virtualbox]  
  # Specify which VirtualBox mode you want to run your machines on.  
  # Can be "gui", "sdl" or "headless". Refer to VirtualBox's official  
  # documentation to understand the differences.  
  mode = headless  
  # Path to the local installation of the VBoxManage utility.  
  path = /usr/bin/VBoxManage  
  # Specify a comma-separated list of available machines to be used. For each  
  # specified ID you have to define a dedicated section containing the details  
  # on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)  
  machines = WindowsXPVM1  
  [WindowsXPVM1]  
  # Specify the label name of the current machine as specified in your  
  # VirtualBox configuration.  
  label = WindowsXPVM1  
  # Specify the operating system platform used by current machine  
  # [windows/darwin/linux].  
  platform = windows  
  # Specify the IP address of the current machine. Make sure that the IP address  
  # is valid and that the host machine is able to reach it. If not, the analysis  
  # will fail.  
  ip = 192.168.56.101
Finally we can start our freshly installed Cuckoo sandbox.
  root@donkey:/home/santiago/cuckoo/cuckoo# python cuckoo.py
 
                                 _|                            
     _|_|_|  _|    _|    _|_|_|  _|  _|      _|_|      _|_|    
   _|        _|    _|  _|        _|_|      _|    _|  _|    _|  
   _|        _|    _|  _|        _|  _|    _|    _|  _|    _|  
     _|_|_|    _|_|_|    _|_|_|  _|    _|    _|_|      _|_|

  Cuckoo Sandbox 0.5  
  www.cuckoosandbox.org  
  Copyright (c) 2010-2012  
  Checking for updates...  
  Good! You have the latest version available.  
 2013-01-26 23:25:33,216 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager  
 2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s  
 2013-01-26 23:25:33,290 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...

9.- Analyzing a malware sample

I decided to analyze the following malware sample: efeb717fdbb98d8043eb4c51254d9b74 You can find virustotal description here. We can use submit.py util for it. 
 root@donkey:/home/santiago/cuckoo/cuckoo/utils# python submit.py /home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74  
 Success: File "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" added as task with ID 4
And these are Cuckoo logs while performing the malware analysis. 
 2013-01-26 23:34:00,275 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "/home/santiago/binaries/efeb717fdbb98d8043eb4c51254d9b74" (task=4)  
 2013-01-26 23:34:00,286 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/santiago/cuckoo/cuckoo/storage/binaries/8dafb21e7d106a6c98f745f30c2577ee7b0984ec7ba2c4107f7ddcd0d127baf6"  
 2013-01-26 23:34:00,304 [lib.cuckoo.core.scheduler] INFO: Task #4: acquired machine WindowsXPVM1 (label=WindowsXPVM1)  
 2013-01-26 23:34:00,312 [lib.cuckoo.core.sniffer] INFO: Started sniffer (interface=vboxnet0, host=192.168.56.101, dump path=/home/santiago/cuckoo/cuckoo/storage/analyses/4/dump.pcap)  
 2013-01-26 23:34:02,063 [lib.cuckoo.core.scheduler] INFO: Task #4: analysis procedure completed
Then we can web.py Cuckoo tool to view the output of the analysis. 
 root@donkey:/home/santiago/cuckoo/cuckoo/utils# python web.py   
 Bottle server starting up (using WSGIRefServer())...  
 Listening on http://0.0.0.0:8080/  
 Hit Ctrl-C to quit.
And at this point we can connect to our host through the web http://192.168.0.200:8080 and see our analysis report.


References

http://www.cuckoosandbox.org/
http://www.virtualbox.org/
http://www.virustotal.com/
http://blog.michaelboman.org/
Posted by at 51 comments:
Labels: , , , , , , , , ,

Saturday, January 26, 2013

Setting up a Windows Guest on VirtualBox

I recently installed VirtualBox on Ubuntu LTS as described in my previous post. Now I am going to install a Windows XP Guest on it, so it can later be used as a platform to run malware for automatic analysis with Cuckoo sandbox.

In this case, instead of using Phpvirtualbox web interface, I will choose to use the command line so it will be easier in the future to automate the virtual machine creation process by using a bash script.

These are the specs I am going to use for the Windows XP:
  • 1GB RAM memory
  • 20GB of Hard Disk space
  • VDI format for the virtual disk
  • Dynamically allocated storage

1.- Creating the virtual machine

The command vboxmanage can be used to create the virtual machine, using settings above, and to attach a DVD drive with the ISO image of the Windows XP. In my case I decided to name it WindowsXPVM1.
 $ vboxmanage createvm --name "WindowsXPVM1" --ostype WindowsXP --register  
 $ vboxmanage modifyvm "WindowsXPVM1" --memory 1000 --acpi on --boot1 dvd --nic1 nat  
 $ vboxmanage createhd --filename "WinXP.vdi" --size 20000  
 $ vboxmanage storagectl "WindowsXPVM1" --name "IDE Controller" --add ide --controller PIIX4  
 $ vboxmanage storageattach "WindowsXPVM1" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium "WinXP.vdi"  
 $ vboxmanage storageattach "WindowsXPVM1" --storagectl "IDE Controller" --port 0 --device 1 --type dvddrive --medium /pathtoyouriso/windowsxp.iso
At this point we can start the virtual machine to start the Windows installation procedure.
 $ VBoxHeadless --startvm "WindowsXPVM1"
In order to connect to the system we can both use Phpvirtualbox console or directly connect through Remote Desktop Protocol (RDP) to the host.

2.- Installing guest additions in our virtual machine

 $ wget http://dlc.sun.com.edgesuite.net/virtualbox/4.1.12/VBoxGuestAdditions_4.1.12.iso
Once downloaded we need to mount the ISO file at the Windows XP and follow the installation wizard.

3.- Adding a shared folder and recording the network traffic

 $ vboxmanage controlvm "WindowsXPVM1" poweroff  
 $ mkdir -p /home/santiago/cuckoo/shares/WindowsXPVM1  
 $ vboxmanage sharedfolder add "WindowsXPVM1" --name "WindowsXPVM1" --hostpath /home/santiago/cuckoo/shares/WindowsXPVM1 --automount  
 $ vboxmanage sharedfolder add "WindowsXPVM1" --name setup --hostpath /home/santiago/cuckoo/shares/setup --automount --readonly  
 $ vboxmanage modifyvm "WindowsXPVM1" --nictrace1 on --nictracefile1 /home/santiago/cuckoo/shares/WindowsXPVM1/dump.pcap  
 $ vboxheadless --startvm "WindowsXPVM1"

4.- Configuring virtual machine to use a host-only adapter

 $ lsmod | grep vboxnetadp # module needed to add a new host-only interface at the host  
 $ vboxmanage list hostonlyifs # checks host-only interfaces at the host  
 $ vboxmanage hostonlyif create # leaving default IP 192.168.56.1/24  
 $ vboxmanage list dhcpservers # checks dhcp servers  
 $ vboxmanage list vms # checks virtual machines  
 $ vboxmanage showvminfo "WindowsXPVM1" # checks NICs information  
 $ vboxmanage controlvm "WindowsXPVM1" poweroff   
 $ vboxmanage modifyvm "WindowsXPVM1" --nic1 hostonly  
 $ vboxmanage modifyvm "WindowsXPVM1" --hostonlyadapter1 vboxnet0  
 $ vboxheadless --startvm WindowsXPVM1
The gateway (192.168.56.1) and DNS Server (in this case I will use Google's 8.8.8.8) need to be configured manually at the Guest using Windows settings.

5.- Configuring the Host IP forwarding and firewall filters

 $ iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT  
 $ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
 $ iptables -A POSTROUTING -t nat -j MASQUERADE  
 $ sysctl -w net.ipv4.ip_forward=1
We can add these commands to our /etc/rc.local file if we want those to be executed every time the server wakes up or restarts.

6.- Starting and stopping the virtual machine

To start VirtualBox web service and the virtual machine we need to run the following commands:
 $ vboxwebsrv -b  
 $ vboxmanage list vms # Optional to list virtual machines  
 $ vboxheadless --startvm "WindowsXPVM1"
And this is how we can stop it:
 $ vboxmanage controlvm "WindowsXPVM1" poweroff
And we are done. We should now be able to use our fresh installation of our virtual Windows XP.

References

http://www.virtualbox.org/manual/
http://blog.michaelboman.org/
Posted by at 17 comments:
Labels: , , , ,

Sunday, September 16, 2012

OSSIM hands-on 5: Installing OSSEC agent in a Windows server

Welcome to another OSSIM hands-on practical exercise. In this case we are going to collect Windows events using OSSEC HIDS agent.

1.- Download OSSEC agent into the windows system:

a) Open a browser and connect to the IP of OSSIM server (10.0.0.30)
b) Go to Configuration -> Collection -> Downloads
c) Download OSSEC agent for Windows

2.- Run the downloaded executable and install the agent following the wizard

a) For the server use the OSSIM server IP address

3.- Create a new OSSEC key for the agent

a) At GUI go to Analysis -> Detection -> HIDS
b) Go to agents (top right corner)
c) Add a new agent
d) Copy the key and use it at the agent

4.- Restart agent at the Windows server

 a) A new Windows service can be found named ossim-agent
 b) Restart the service

5.- Check that the agent is working

a) Logout and Login in the Windows system
b) See in the GUI that the events have been collected and processed


6.- Troubleshooting 

a) Check ossec agent logs at C:\Program Files (x86)\ossec-agent\ossec.log
b) Check ossec configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf
Posted by at 32 comments:
Labels: , , ,