Identifying Malware with VirusTotal and Wazuh - Let's Deploy a Host Intrusion Detection System #6

23,342 views

Taylor Walton

A day ago

Join me as we configure Wazuh's integration with VirusTotal to help detect malware. Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
Check us out: www.opensecure.co/
Interact with our demo: www.opensecure.co/demo
Hire us: www.opensecure.co/contact-us

Comments: 46
@GameAPBT 2 months ago
Thanks for the in-depth video Taylor. Keep up the great work.
@aussiejordanboy 2 years ago
Another masterpiece! Thanks for the great video!
@sachinagarwal4722 2 years ago
This video helped. Thanks to OpenSecure.
@PRGJimmy 6 months ago
I followed the documentation on Detecting and removing malware using VirusTotal integration for Windows endpoints and it works flawlessly on Win 10 and Win 11.
@rodrigolfrs 2 years ago
Thanks for this video!
@shoukatali1390 2 years ago
It's an amazing platform regarding Wazuh. Can you please let me know how to detect malware on a Windows-based system?
@DanVrse A year ago
Hi, I'm not sure if the syscheck would be able to understand a Windows directory, since it is showing for an agent that is a Linux or Ubuntu agent.
@nieraz04 2 years ago
Hi, I got a few alerts from the same event in the VirusTotal module: after downloading the malware file I got four events, with rule IDs 87105, 87104 and two with 87103. Only the event with rule ID 87105 alerts on malware. Any idea why that is? Same malware file as in the tutorial.
@seansingh4421 7 months ago
Is it possible to add custom detection for a Windows PC by integrating custom Sigma rules?
@rizkylaksamana4056 3 years ago
Hello OpenSecure. I tried to download the malware sample but it does not appear in the VirusTotal tab, although the file is successfully added in the integrity monitoring tab. Where am I possibly going wrong? Thank you in advance.
@taylorwalton_socfortress 3 years ago
Hey Rizky, have you made sure the virustotal configuration (where you put your api key) has been added to the ossec.conf on the wazuh manager correctly? <integration><name>virustotal</name><api_key>API_KEY</api_key><group>syscheck</group><alert_format>json</alert_format></integration> You can also tail the /var/ossec/logs/integrations.log to see if the virustotal integration is being triggered correctly. Hope that helps and thanks for watching!
@abdouazizndiaye4909 2 years ago
Hello, thank you very much for this tutorial. To decompress the malicious file, what is the password you used?
@taylorwalton_socfortress 2 years ago
“infected”. Thanks for watching!
@anywhale7063 2 years ago
Hey, I have the same issue. I see the files being added in the FIM section but the VirusTotal tab is empty. How do I fix this? Thanks for the video!
@taylorwalton_socfortress 2 years ago
Is your integration block set up correctly to send file additions to VirusTotal? Is VirusTotal authenticating your API key?
@anywhale7063 2 years ago
@taylorwalton_socfortress The VirusTotal consumption usage says 0, but the integration logs seem to be fine, I think.
@marciolima174 3 years ago
Hello, how can I put the logs of the hosts that are received on the antivirus server directly from the Wazuh panel?
@marciolima174 3 years ago
It would be The Dude (MikroTik).
@taylorwalton_socfortress 3 years ago
@marciolima174 Hey Marcio, I am not familiar with The Dude... how does it output its logs? If they are a JSON output, we could probably add the .json file to the location path so that the wazuh-agent can forward it to the wazuh-manager. However, we probably won't be able to add them to the Wazuh App plugin within Kibana, but we could create a Dashboard with Kibana that would display these logs.
@marciolima174 3 years ago
@taylorwalton_socfortress In the general context, it is a server that already has the Wazuh agent installed; that server receives data from Symantec antivirus for each host. In that case, can you only integrate with Wazuh if you have the JSON log output?
@aminesbaay2304 2 years ago
Great video. I don't know why, but I did the same steps as in the video and it didn't detect the virus for me; maybe you had something else configured, or it's because I'm in Docker. Thank you for the video.
@taylorwalton_socfortress 2 years ago
Hey there, did you make sure the real time monitoring was enabled on the directory you are downloading the file to? Below is an example of the "opt" directory: <directories realtime="yes">/opt</directories>
@amix2315 2 years ago
@taylorwalton_socfortress thank you for the response. Is there a way to monitor the whole system? Or can we only monitor 1 directory? Thank you!
@taylorwalton_socfortress 2 years ago
@amix2315 You can monitor the whole filesystem if you like: documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#fim-examples However, be aware that Wazuh will have to consume extra resources such as CPU and memory to do so.
@aminesbaay2304 2 years ago
@taylorwalton_socfortress Thank you for everything, I appreciate it.
@DQ-Lifestyle 2 years ago
@taylorwalton_socfortress I'm facing the same issue. I have enabled realtime reporting in ossec.conf, but the Wazuh manager is still not reporting the malware detection, pls help: <directories check_all="yes" realtime="yes" report_changes="yes">/home/malware-test</directories>
@karlmaamary8181 3 years ago
Hello, I downloaded a malware sample but no API calls are being requested and nothing is appearing in Wazuh. I added the virustotal configuration to the ossec.conf on the manager and I added my API key. Where might I possibly find an error?
@taylorwalton_socfortress 3 years ago
Hey Karl, make sure that the directory that you stored the malware in is being monitored by the config. A common mistake I have seen is that the directory is not being monitored by Wazuh. Another setting you can make is to have the directory monitored in real time; otherwise the wazuh-agent will wait to scan the directory for any new files/changes until the frequency timeframe is reached. By default the frequency is once every 12 hours. For testing, you could follow the config example below to scan a malware file that was added to the /opt/ directory in real time. <directories realtime="yes">/opt</directories> Make sure that is within the <syscheck> block of the ossec.conf file. Also make sure that it is added to the Wazuh Agent's ossec.conf file and not the manager's. Hope that helps and thanks for watching!
@karlmaamary8181 3 years ago
@taylorwalton_socfortress Thank you so much, that's exactly the part I overlooked! Some directories are being monitored while others are not. Is there an efficient way to enable the monitoring on all directories of the agent, or do I need to add every directory manually? Thank you for your detailed answer, I really appreciate it!
@taylorwalton_socfortress 3 years ago
@karlmaamary8181 Hey Karl, you could add all directories with just a “/etc”, “/var”, “/bin”, etc. but take into account that it could consume CPU and memory that is needed for other software running on the server. It is also a good move to add “ignore” tags on directories that are constantly changing, such as logs. I suggest slowly rolling out within your environment until you have a good baseline. Hope this helps!
@xSig10x 2 years ago
Great job with the videos. I would like to limit the files sent to VT via the API by only sending EXE files, using the "file added" syscheck ID of 554 rather than the group, but my rule is not working. Posted here; any hint? 554 .exe$ PE file added to system
@taylorwalton_socfortress 2 years ago
What results do you get if you run a "/var/ossec/bin/wazuh-logtest" and input the full log of the rule?
@xSig10x 2 years ago
@taylorwalton_socfortress I found the bin file, but don't know how to use it. Not intuitive enough. I am thinking instead, monitor for Sysmon event 11 and then send the hash to VT using a home grown script via Active Response. Your last video showed me how to ingest the JSON! Nice job. Keep it up! You have a great presentation style!
@Eduardo-hl9xz 7 months ago
Hey, I am getting an Error 80004005 from Windows whenever I try unzipping the downloaded malware. Do you know how to get around this? I've already tried disabling all antivirus and security features. Just downloading the zipped malware file doesn't trigger any alerts in my Wazuh Server. I only have agents installed on Windows endpoints. Thanks @taylorwalton_socfortress
@thezubairrahim 3 years ago
Create another video in which, with the integration of VirusTotal, we auto delete the malicious file when the 87105 rule triggers; for reference you can check out Wazuh GitHub issue 4172. I tried but couldn't succeed, so I am wondering where I made a mistake.
@taylorwalton_socfortress 3 years ago
Hey Zubair, I will look into that and see what I can do. Thanks for the recommendation!
@thezubairrahim 3 years ago
@taylorwalton_socfortress Ok thanks, I will be waiting for it.
@taylorwalton_socfortress 3 years ago
Hey Zubair, check out my latest video where I cover this very topic! kzfaq.info/get/bejne/jdmUgNB_yc7Qj2g.html&ab_channel=OpenSecureOpenSecure Thanks for the recommendation!
@thezubairrahim 3 years ago
@taylorwalton_socfortress Thanks
@duytungnguyen4669 2 years ago
Can you share your VirusTotal API key with me? Please. It does not work for me; I think my problem is the API key.
@taylorwalton_socfortress 2 years ago
Hey there, I cannot share my API key as that is unique to me and is something that should be kept private. However you can sign up for one here: www.virustotal.com/gui/join-us
@hamzamezo7422 2 years ago
Does not work for me 😮‍💨 I don't know if the syscheck does not check the EICAR file.
@taylorwalton_socfortress 2 years ago
What directory did you put the eicar file in?
@sephirothfemto 8 months ago
@taylorwalton_socfortress I have the same issue and it is placed in the location that FIM is monitoring.