Detecting unauthorized processes

The ThreatLockDown command monitoring capability runs commands on an endpoint and monitors the output of the commands.

In this use case, you use the ThreatLockDown command monitoring capability to detect when Netcat is running on an Ubuntu endpoint. Netcat is a computer networking utility used for port scanning and port listening.

Infrastructure

Endpoint

Description

Ubuntu 22.04

You configure the ThreatLockDown command monitoring module on this endpoint to detect a running Netcat process.

Configuration

Ubuntu endpoint

Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint.

  1. Add the following configuration block to the ThreatLockDown agent /var/ossec/etc/ossec.conf file. This allows to periodically get a list of running processes:

    <ossec_config>
      <localfile>
        <log_format>full_command</log_format>
        <alias>process list</alias>
        <command>ps -e -o pid,uname,command</command>
        <frequency>30</frequency>
      </localfile>
    </ossec_config>
    
  2. Restart the ThreatLockDown agent to apply the changes:

    $ sudo systemctl restart wazuh-agent
    
  3. Install Netcat and the required dependencies:

    $ sudo apt install ncat nmap -y
    

ThreatLockDown server

You have to configure the following steps on the ThreatLockDown server to create a rule that triggers every time the Netcat program launches.

  1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the ThreatLockDown server:

    <group name="ossec,">
      <rule id="100050" level="0">
        <if_sid>530</if_sid>
        <match>^ossec: output: 'process list'</match>
        <description>List of running processes.</description>
        <group>process_monitor,</group>
      </rule>
    
      <rule id="100051" level="7" ignore="900">
        <if_sid>100050</if_sid>
        <match>nc -l</match>
        <description>netcat listening for incoming connections.</description>
        <group>process_monitor,</group>
      </rule>
    </group>
    
  2. Restart the ThreatLockDown manager to apply the changes:

    $ sudo systemctl restart wazuh-manager
    

Attack emulation

On the monitored Ubuntu endpoint, run nc -l 8000 for 30 seconds.

Visualize the alerts

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

  • rule.id:(100051)