CDB lists and threat intelligence

ThreatLockDown can detect malicious files by checking whether their hashes appear in a CDB list that you have populated with known malware indicators. A CDB list is a plain text file that you can use to store users, file hashes, IP addresses, or domain names. Each line is an entry written either as a key:value pair or as a bare key followed by a colon (key:). Depending on how the rule that references it is written, a CDB list can act as an allow list or as a deny list. You can learn more about CDB lists in the documentation.

How it works

ThreatLockDown checks whether field values extracted from security events during decoding, such as IP addresses or file hashes, are present in a CDB list, and uses the result to hunt for and detect malware. To detect malware, you combine a CDB list with the file integrity monitoring (FIM) module. This works as follows:

  1. The ThreatLockDown FIM module scans monitored directories on endpoints to detect changes such as file creation and modifications. The FIM module stores the checksums and attributes of the monitored files.

  2. When the FIM module reports a change, the ThreatLockDown analysis engine compares the decoded file attributes, for example the MD5 hash, to the keys in a predefined CDB list.

  3. If the ThreatLockDown analysis engine finds a match, it generates or suppresses an alert based on how you configure your rule.

Use case: Detecting malware using file hashes in a CDB list

In this use case, we show how you can detect malware using file hashes that you have added to a CDB list. You can use this use case to detect malicious files on a Linux endpoint on which you have installed a ThreatLockDown agent.

ThreatLockDown server

  1. Create a CDB list malware-hashes of known malware hashes and save it to the /var/ossec/etc/lists directory on the ThreatLockDown server.

    # vi /var/ossec/etc/lists/malware-hashes
    
  2. Add the known malware hashes to the file as key:value pairs, one per line, with the hash as the key and a label as the value. The lookup is an exact string comparison, so write the hashes in lowercase hexadecimal, which is how the FIM module reports them. In this case, you can use the known MD5 hashes of the Mirai and Xbash samples used later in this guide:

    e0ec2cd43f71c80d42cd7b0f17802c73:mirai
    55142f1d393c5ba7405239f232a6c059:Xbash
    
  3. Add a reference to the CDB list in the ThreatLockDown manager configuration file /var/ossec/etc/ossec.conf. You do this by adding a <list> entry with the path to the list, relative to /var/ossec, inside the <ruleset> block:

    ...
      <ruleset>
        <!-- Default ruleset -->
        <decoder_dir>ruleset/decoders</decoder_dir>
        <rule_dir>ruleset/rules</rule_dir>
        <rule_exclude>0215-policy_rules.xml</rule_exclude>
        <list>etc/lists/audit-keys</list>
        <list>etc/lists/amazon/aws-eventnames</list>
        <list>etc/lists/security-eventchannel</list>
        <list>etc/lists/malware-hashes</list>
      </ruleset>
    ...
    
    
  4. Create a custom rule in the /var/ossec/etc/rules/local_rules.xml file on the ThreatLockDown server. The rule generates an alert when the ThreatLockDown analysis engine finds the MD5 hash of a new or modified file among the keys of the CDB list. It is a child of the built-in FIM rules 554 (file added to the system) and 550 (integrity checksum changed), so one of those must match first. Keep in mind that MD5 collisions are practical, so an attacker can produce a file that hashes to a listed value; treat the match as an indicator to investigate, and prefer keying additional lists on the SHA-256 checksum that FIM also records.

    <group name="malware,">
      <rule id="110002" level="13">
        <!-- The if_sid tag references the built-in FIM rules -->
        <if_sid>554, 550</if_sid>
        <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
        <description>File with known malware hash detected: $(file)</description>
        <mitre>
          <id>T1204.002</id>
        </mitre>
      </rule>
    </group>
    
  5. Restart the ThreatLockDown manager to apply changes.

    # systemctl restart wazuh-manager
    
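Before restarting the manager, it is worth checking the list offline: match_key compares the decoded md5 field to the key literally, so a typo, an uppercase hash, or a SHA-256 pasted into the MD5 list silently never matches. The following script is an added example, not ThreatLockDown or Wazuh code. It validates the key format of a list such as /var/ossec/etc/lists/malware-hashes, reproduces the exact-key lookup rule 110002 relies on, and hashes every file in a directory against the list, which you can also point at the monitored directory after the downloads in the test section below. The function names and the sample data it writes (two constructed keys, the MD5 of the string "hello" and of an empty file, standing in for real malware hashes) are this example's own.

```shell
#!/bin/sh
# Added example (not ThreatLockDown or Wazuh code): validate a CDB list of
# MD5 keys and reproduce, offline, the exact-key lookup the analysis engine
# performs with lookup="match_key" before the list is deployed to a manager.

# MD5 of a file as lowercase hex; uses md5sum (coreutils) or md5 (BSD).
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# cdb_validate LIST: every non-empty line must be <32 lowercase hex>:<value>.
# match_key compares the key literally, so an uppercase or SHA-256 key would
# never match the md5 field FIM emits. Returns 1 if any line is malformed.
cdb_validate() {
  list=$1; n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -n "$line" ] || continue
    key=${line%%:*}
    if [ "$key" = "$line" ]; then
      echo "line $n: missing ':' separator" >&2; bad=1; continue
    fi
    if ! printf '%s\n' "$key" | grep -Eq '^[0-9a-f]{32}$'; then
      echo "line $n: key '$key' is not a 32-character lowercase MD5" >&2; bad=1
    fi
  done <"$list"
  return $bad
}

# cdb_lookup LIST KEY: print the value stored for KEY; exit 1 if absent.
cdb_lookup() {
  awk -F: -v k="$2" \
    '$1 == k { print substr($0, length($1) + 2); found = 1; exit }
     END { exit !found }' "$1"
}

# scan_dir LIST DIR: hash every regular file in DIR and report list hits,
# mirroring what rule 110002 does with the FIM md5 field.
# Exit 0 if at least one file matched, 1 otherwise.
scan_dir() {
  list=$1; dir=$2; hits=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    h=$(file_md5 "$f")
    if name=$(cdb_lookup "$list" "$h"); then
      printf 'MATCH %s %s %s\n' "$h" "$name" "$f"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

# write_demo_data DIR: constructed sample data. The keys are the MD5 of the
# string "hello" and of an empty file, standing in for real malware hashes.
write_demo_data() {
  mkdir -p "$1/mon"
  printf '%s\n' \
    '5d41402abc4b2a76b9719d911017c592:demo-sample-a' \
    'd41d8cd98f00b204e9800998ecf8427e:demo-sample-b' >"$1/list"
  printf 'hello' >"$1/mon/dropper"            # matches demo-sample-a
  printf 'benign content\n' >"$1/mon/readme"  # no match
}

# demo: build the sample data in a temp dir, validate the list, scan the dir.
demo() {
  tmp=$(mktemp -d) || return 1
  write_demo_data "$tmp"
  cdb_validate "$tmp/list" && echo "list OK"
  scan_dir "$tmp/list" "$tmp/mon"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the constructed sample, or source it and call `cdb_validate /var/ossec/etc/lists/malware-hashes` on the real list; `scan_dir` against the monitored directory tells you, independently of the manager, which files the rule should have alerted on.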

Linux endpoint

  1. Configure directory monitoring by adding the <directories> block specifying the folders you want to monitor in the agent configuration file or using the centralized configuration option.

    <ossec_config>
      <syscheck>
        <disabled>no</disabled>
        <directories check_all="yes" realtime="yes">/PATH/TO/MONITORED/DIRECTORY</directories>
      </syscheck>
    </ossec_config>
    

    Note

    The check_all option ensures ThreatLockDown records all file attributes, including the file size, permissions, owner, group, last modification time, inode, and the MD5, SHA-1, and SHA-256 checksums. The realtime option reports changes as they happen instead of waiting for the next scheduled scan.

  2. Restart the ThreatLockDown agent to apply the changes:

    # systemctl restart wazuh-agent
    

Test the configuration

To test that everything works correctly, download the Mirai and Xbash malware samples into the directory the FIM module is monitoring. Writing the files is enough to trigger the FIM event; you do not need to execute them.

Warning

These are real malware samples and are dangerous. Download them only in an isolated test environment, never on production systems, and do not execute them.

  1. Download the malware samples. Replace /PATH/TO/MONITORED/DIRECTORY with the path of the monitored directory.

    $ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output /PATH/TO/MONITORED/DIRECTORY/mirai
    $ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output /PATH/TO/MONITORED/DIRECTORY/Xbash
    

Visualize the alerts

You can see the resulting alerts on the ThreatLockDown dashboard. Go to the Threat Hunting module and filter on the rule ID you created, rule.id:110002, to show only the malware hash matches; each alert carries the path of the matching file from the rule description.