
Understanding IoCs using Wazuh

Abdullah Khalid

Integrating VirusTotal & CDB List with Wazuh to Detect Malware IoCs

Outline:
• What are IoCs?
• Why are IoCs important?
• How are IoCs utilized?
• Integration of VirusTotal with Wazuh
• Integration of Malware CDB List with Wazuh
• Analyzing IoCs on Wazuh

What are IoCs?


IoCs (Indicators of Compromise) are pieces of evidence or data
used to identify potential security breaches, malicious activities, or
abnormal behaviors in a network or system. They help cybersecurity
professionals detect and respond to threats by providing tangible signs
of compromise.
Examples of IoCs:
1. File Hashes: Unique identifiers of malicious files (e.g., MD5,
SHA256).
2. IP Addresses: Known malicious or suspicious IP addresses
associated with threat actors.
3. Domain Names or URLs: Suspicious or malicious domains
used for phishing or command-and-control (C2) servers.
4. Email Indicators: Phishing email headers, subject lines, or
sender addresses.

5. Registry Changes: Alterations to the Windows registry (for example,
new persistence entries) indicating malware activity.
6. Unusual Network Traffic: Unexpected spikes in data transfer
or communication with known malicious servers.
7. Processes and Services: Unexpected processes or services
running on a system.
8. Anomalous Files: Unusual file types, names, or locations.
9. Login Anomalies: Failed login attempts or logins from unusual
locations.
10. Timestamps: Unexpected activity during unusual hours.

Why are IoCs important?


Indicators of Compromise (IoCs) are crucial in cybersecurity
because they enable organizations to detect, investigate, and respond
to potential threats quickly and effectively. Their importance lies in
several key aspects:
1. Early Threat Detection: IoCs help identify malicious activities
at an early stage, often before significant damage occurs.
2. Incident Response: By providing tangible evidence of a
compromise, IoCs guide security teams in investigating and
containing threats efficiently.
3. Threat Hunting: Security analysts can proactively search for
IoCs across systems to uncover hidden or dormant threats.
4. Forensic Analysis: IoCs offer insights into the nature and scope
of a security breach, helping determine how an attack occurred
and what data or systems were affected.
5. Automation in Security Tools: IoCs are used in security tools
like SIEM (Security Information and Event Management) and EDR
(Endpoint Detection and Response) systems to automate threat
detection and mitigation.
6. Threat Intelligence Sharing: Sharing IoCs with other
organizations or communities enhances collective defense by
warning others of emerging threats.
7. Reducing Dwell Time: IoCs help minimize the time an attacker
remains undetected in a system, reducing potential damage.
In summary, IoCs are a foundational component of modern
cybersecurity, enabling organizations to stay ahead of adversaries and
strengthen their overall security posture.

How are IoCs utilized?


Indicators of Compromise (IoCs) are utilized in cybersecurity to
identify, analyze, and respond to potential threats in various ways.
Their applications span proactive threat hunting, real-time detection,
and post-incident analysis. Here's how they are used:
1. Threat Detection
• IoCs are integrated into monitoring systems, such as Intrusion
Detection Systems (IDS) or Security Information and Event
Management (SIEM) tools, to identify suspicious activity in
real-time.
• Examples include detecting malicious IP addresses, unusual file
hashes, or traffic to known command-and-control (C2) servers.
2. Incident Response
• Security teams use IoCs to confirm the presence of a security
breach.
• They help identify affected systems, the scope of the attack, and
how the attacker gained access.


3. Threat Hunting
• Analysts proactively search for IoCs across systems and
networks to uncover undetected threats.
• IoCs like suspicious process names or unauthorized registry
changes can reveal hidden malware.
4. Forensic Analysis
• IoCs are critical in post-incident investigations to understand
how an attack occurred and what data was compromised.
• Artifacts such as email headers, file metadata, or network traffic
logs provide valuable evidence.
5. Automation in Security Tools
• IoCs are used in Endpoint Detection and Response (EDR)
tools and other automated systems to flag or block threats
automatically.
• They enable real-time blocking of malicious files, domains, or
IP addresses.
6. Threat Intelligence Sharing
• Organizations share IoCs with peers, threat intelligence
platforms, and law enforcement to improve collective defense
against evolving threats.
• Examples include sharing hashes of ransomware files or C2
domain lists with the cybersecurity community.
7. Policy and Rule Creation
• IoCs help in crafting security rules and policies, such as firewall
rules, email filtering criteria, and user behavior monitoring.
8. Reducing Attack Dwell Time

• By continuously scanning for known IoCs, organizations can
identify and remove attackers from systems faster, minimizing
potential damage.
IoCs empower organizations to maintain an active defense posture,
enabling both proactive and reactive measures to mitigate
cybersecurity risks effectively.

Integration of VirusTotal with Wazuh


The integration of VirusTotal with Wazuh is a powerful approach to
enhancing an organization's threat detection and incident response
capabilities. This combination leverages the strengths of both
platforms to analyze, understand, and respond to Indicators of
Compromise (IoCs) more effectively. Here's why this integration is
significant:
1. Enhanced Threat Intelligence
VirusTotal provides a vast database of malware samples, file hashes,
URLs, and IP addresses enriched with analyses from multiple
antivirus engines and other security tools. By integrating this
intelligence with Wazuh, which monitors endpoints and systems for
suspicious activities, security teams can cross-reference detected IoCs
with VirusTotal's database to validate threats and gain deeper insights.
2. Improved Detection of Known Threats
When Wazuh identifies a potentially malicious file, IP address, or
URL, it can automatically query VirusTotal to check if the item has
been flagged as malicious by other sources. This helps in quickly
identifying known threats, reducing false positives, and providing a
higher level of accuracy in detection.
3. Real-Time Incident Response

Integration allows for real-time enrichment of alerts generated by
Wazuh. For example, when a suspicious activity is detected, Wazuh
can fetch contextual information from VirusTotal, such as the
reputation score of a file or domain. This accelerates the incident
response process, enabling security teams to prioritize critical threats
and respond swiftly.
4. Contextual Analysis of IoCs
VirusTotal provides metadata, such as when a file was first seen in the
wild, its prevalence, and detailed behavior analysis. When paired with
Wazuh’s monitoring data, this contextual information allows security
teams to assess the scope and severity of an incident more effectively,
making it easier to understand the IoCs and their potential impact.
5. Automation and Efficiency
By integrating VirusTotal into Wazuh, organizations can automate the
process of enriching security alerts with threat intelligence. This
reduces the manual effort required to analyze IoCs and frees up
security analysts to focus on more strategic tasks, improving the
overall efficiency of the Security Operations Center (SOC).
6. Holistic Threat Landscape Visibility
Wazuh monitors endpoints, applications, and network activity, while
VirusTotal provides global threat intelligence. Together, they offer a
holistic view of the threat landscape, enabling organizations to
correlate internal activity with external intelligence. This integration
helps in identifying patterns, detecting advanced threats, and
anticipating future attacks.
7. Proactive Defense
The integration supports proactive defense by enabling organizations
to use VirusTotal's intelligence to blocklist malicious domains, IPs, or
files identified in Wazuh logs. This proactive approach strengthens the
organization's overall security posture and reduces the risk of
successful attacks.
To understand and analyze the IoCs of the malware, we first need to
integrate VirusTotal with Wazuh.

First, launch your Wazuh machine. In this lab Wazuh is installed on an
Ubuntu virtual machine. Browse to your Wazuh dashboard address, here
192.168.18.50.

Next, log in to your VirusTotal account and copy the API key. The free
public API is rate-limited (4 requests per minute), which matters when
syscheck reports many new files at once, and anyone holding the key can
exhaust that quota, so treat it as a secret.

In the Wazuh dashboard, open Server management and then Settings, as
highlighted.

Then click Edit configuration. Add the following block to ossec.conf at
the position shown (inside the top-level <ossec_config> element),
replacing the placeholder with your own API key:

  <!-- VirusTotal integration -->
  <integration>
    <name>virustotal</name>
    <api_key>Enter your API Key</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>

The group element limits lookups to syscheck (file integrity monitoring)
alerts, so only files that the agent's FIM reports are checked, and
Wazuh submits the file's hash to VirusTotal, not the file itself. The
key is stored in clear text in ossec.conf, so restrict who can read
that file.

Now press Save and then Restart manager. The restart takes a moment;
if the configuration is valid, the dashboard reports that the manager
has restarted.

To test the integration, we first upload the malware sample to our
VirusTotal account so that its hash becomes known to VirusTotal. We use
the same sample built in the previous lab, update.exe.

We then download this sample onto our Windows 10 machine, which has
the Wazuh agent installed.

Now open the Wazuh dashboard and go to the active agents. Click the
Windows 10 Pro machine named Win10_victim, then the More tab, then
VirusTotal.

Clicking the VirusTotal link in the alert opens the same sample on
VirusTotal, with the same IoCs (hashes and detection ratio) that the
alert reports.

Hence this part, integrating Wazuh with VirusTotal, is complete and
detects the malware.

Integration of Malware CDB List with Wazuh


Integrating Constant Database (CDB) lists with Wazuh provides a
robust mechanism for enhancing security monitoring and improving
the detection and response capabilities of an organization’s Security
Information and Event Management (SIEM) solution. Here's why and
how the integration of CDB lists with Wazuh is important for
understanding and mitigating threats effectively.

1. What Are CDB Lists?


CDB lists are highly efficient, constant-time key-value databases
often used to store lists of known entities, such as:
• Malicious IP addresses
• Banned domains
• Hashes of malware samples
• Indicators of Compromise (IoCs)
These lists are lightweight, fast, and designed for quick lookups,
making them ideal for integration with real-time monitoring solutions
like Wazuh. A lookup is an exact match on the key (Wazuh offers
match_key, not_match_key and match_key_value, plus address_match_key
for matching an IP against CIDR keys), so keys must be written exactly
as the decoder emits the field; for hashes that means lowercase
hexadecimal.

2. Why Integrate CDB Lists with Wazuh?


a. Fast and Efficient Threat Correlation
CDB lists enable Wazuh to perform rapid lookups against large
datasets of known threats. When an event is logged by Wazuh, it can
be cross-referenced against the CDB list in constant time, ensuring
minimal performance overhead.
b. Automated Threat Detection

By integrating CDB lists, Wazuh can automatically detect malicious
activity by correlating events with known malicious entities stored in
the list. For instance:
• An IP address flagged in a Wazuh alert can be instantly checked
against a blacklist of known threat actors.
• A file hash detected in endpoint monitoring can be compared
against a malware database.
c. Improved Accuracy and Context
The integration enriches Wazuh alerts with contextual information
from the CDB list. For example:
• Alerts can include metadata about why an IP or hash is
considered malicious.
• Security teams can prioritize responses based on the threat level
indicated by the list.
d. Streamlined Incident Response
Security teams can create automated rules in Wazuh to trigger specific
actions when a match is found in the CDB list, such as:
• Blocking an IP address
• Quarantining a file
• Notifying the Security Operations Center (SOC)
e. Scalability and Performance
CDB lists are designed for high-performance environments and can
handle millions of records without significant performance
degradation. This scalability makes them ideal for large organizations
with extensive threat intelligence data.

3. Use Cases of CDB Lists in Wazuh Integration

• IP Reputation Monitoring: Continuously monitor network
traffic and cross-reference IPs against a list of known malicious
addresses.
• Malware Detection: Match file hashes detected on endpoints
against a database of malware hashes.
• Domain Reputation: Detect access to known phishing or
malicious domains.
• Custom Threat Feeds: Use CDB lists to integrate proprietary
or third-party threat intelligence feeds into Wazuh.

4. Benefits of the Integration


a. Real-Time Security Enforcement
Wazuh can take immediate actions based on matches found in the
CDB list, enabling proactive defense.
b. Enhanced Threat Intelligence
Integrating CDB lists ensures Wazuh has access to up-to-date and
reliable threat intelligence, reducing the chances of overlooking a
critical threat.
c. Operational Efficiency
The lightweight nature of CDB lists ensures that security operations
remain efficient, even when processing large volumes of data.
d. Flexibility and Customization
Organizations can tailor CDB lists to their specific needs by including
custom threat intelligence relevant to their environment.

Now we start the integration of the malware CDB list. First, compute
the MD5 hash of our malware (update.exe) with md5sum.

Next, on the Wazuh server, go to /var/ossec/etc/lists (root privileges
are needed).

Create a file named malware-hashes with nano and add the hash in the
format <md5sumhash>:Malware, one entry per line. The part before the
colon is the key the rule looks up; the part after it is a free-form
label. Write the hash in lowercase hexadecimal exactly as md5sum prints
it, with no trailing spaces, because the lookup is an exact key match.
The manager compiles this text file into malware-hashes.cdb when it
restarts.

Now go back to the Wazuh dashboard, to Server management and then
Settings.

Edit the configuration and add this line inside the <ruleset> block of
ossec.conf, next to the existing <list> entries:

  <!-- Ruleset to detect malware hashes -->
  <list>etc/lists/malware-hashes</list>

Now Save and then Restart manager. If the configuration is valid, the
dashboard confirms that the manager restarted.

Next go to Server management again, then Rules, click Custom rules, and
open local_rules.xml. Add the following rule to it:

  <group name="malware,">
    <rule id="110002" level="13">
      <if_sid>554,550</if_sid>
      <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
      <description>Known Malware File Hash is Detected</description>
      <mitre>
        <id>T1204.002</id>
      </mitre>
    </rule>
  </group>

The rule only evaluates events already matched by rule 554 (file added)
or 550 (file modified), takes the md5 field that syscheck decodes and
looks it up as a key in the list; a hit raises a level 13 alert tagged
with ATT&CK T1204.002 (User Execution: Malicious File). Check the
quoting of lookup="match_key" carefully: an unbalanced quote makes the
whole local_rules.xml fail to load and the manager will not restart.

Save the file and restart the manager.

Now go to the Windows 10 machine that has the Wazuh agent installed.
Run the Wazuh agent manager as administrator, otherwise it cannot write
its configuration. Go to View and then View config, and add the
following line inside the existing <syscheck> block, replacing the
placeholder with the directory to monitor (this lab monitors the user's
Downloads folder):

  <directories check_all="yes" realtime="yes">add location</directories>

Use straight ASCII quotes; the curly quotes that word processors insert
are not valid XML. check_all="yes" makes the agent compute MD5, SHA-1
and SHA-256 for every file, which the hash rule depends on, and
realtime="yes" reports changes as they happen instead of at the next
scheduled scan.

Save the configuration and restart the agent. If there are no errors,
the agent manager shows a prompt that the Wazuh agent has restarted.
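As an added example (not part of the lab), the following Python script shows the CDB-list side of the procedure end to end: it computes MD5 sums the way md5sum does, renders them as malware-hashes lines, and then emulates rule 110002 against constructed syscheck events so you can check the matching logic before restarting the manager. The event dicts, the benign hash and the file-deleted event (rule 553) are constructed; the malware MD5 is the value the lab's alert shows.

```python
"""Build a Wazuh CDB list of malware hashes and emulate rule 110002.

Added example, not part of the original lab. The event dicts, the
benign hash and the file-deleted event are constructed; the malware
MD5 is the value shown in the lab's alert.
"""
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: the MD5 the lab's syscheck alert shows for p56biirj.exe.part
SAMPLE_MD5 = "429dea6014053743c1a458b348871582"


def md5_of_bytes(data):
    """Lowercase hex MD5, the same form md5sum prints."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """MD5 of a file read in chunks, so large samples do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_cdb_list(hashes, label="Malware"):
    """Render hashes as 'key:value' lines for /var/ossec/etc/lists/malware-hashes.

    Keys are lowercased, validated and de-duplicated: a key in the wrong
    case or with a stray character never matches syscheck's md5 field,
    and the manager compiles the file to a .cdb where duplicate keys
    are pointless.
    """
    lines, seen = [], set()
    for h in hashes:
        key = h.strip().lower()
        if not MD5_RE.match(key):
            raise ValueError(f"not a 32-character hex MD5: {h!r}")
        if key not in seen:
            seen.add(key)
            lines.append(f"{key}:{label}")
    return "\n".join(lines) + "\n"


def parse_cdb_list(text):
    """Read list text back into {key: value}, ignoring blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            table[key] = value
    return table


def match_malware_rule(event, table, parent_rules=(554, 550)):
    """Emulate the custom rule: <if_sid>554,550</if_sid> plus a match_key
    lookup of the decoded md5 field. Returns the level-13 alert or None."""
    if event.get("rule_id") not in parent_rules:
        return None                      # e.g. 553 (file deleted) carries no usable hash
    md5 = (event.get("md5") or "").lower()
    if md5 not in table:
        return None
    return {"rule_id": 110002, "level": 13,
            "description": "Known Malware File Hash is Detected",
            "mitre_id": "T1204.002", "path": event.get("path"),
            "list_value": table[md5]}


def demo():
    """Run the list through three constructed syscheck events."""
    list_text = build_cdb_list([SAMPLE_MD5.upper(), SAMPLE_MD5])  # case + duplicate
    table = parse_cdb_list(list_text)
    downloads = r"c:\users\win10-victim\downloads"
    events = [
        {"rule_id": 554, "md5": SAMPLE_MD5, "path": downloads + r"\p56biirj.exe.part"},
        {"rule_id": 554, "md5": md5_of_bytes(b""), "path": downloads + r"\notes.txt"},
        {"rule_id": 553, "md5": SAMPLE_MD5, "path": downloads + r"\p56biirj.exe.part"},
    ]
    return [match_malware_rule(e, table) for e in events]


if __name__ == "__main__":
    for hit in demo():
        print(hit or "no match")
```

On the server, write the output of build_cdb_list to /var/ossec/etc/lists/malware-hashes, restart the manager so it compiles the .cdb, and confirm with /var/ossec/bin/wazuh-logtest and a syscheck event that rule 110002 fires; the emulation above only checks your list and rule logic, it is not a substitute for that test.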

Next, delete the copy of the malware that was downloaded to the
Windows 10 machine during the VirusTotal integration and download it
again, so that syscheck sees a new file event in the monitored
directory: on Windows 10, browse to the Kali Linux machine's IP address,
where the sample is hosted, and download the malware.

Now go to the Wazuh dashboard, then to Agents, and click the
Win10_victim agent. The agent page shows new alerts; click through to
them.

The alerts come from both the virustotal and the malware rule groups.
The malware alert says Known Malware File Hash is Detected, the
description we put in local_rules.xml, and the hash it matched is the
one we added to the CDB list. Click View on it.

Then click View single document to see the full alert.

Hence the integration is complete. Next we analyze the IoCs that
VirusTotal and the CDB list give us on Wazuh.

Analyzing IoCs on Wazuh

First we look at the VirusTotal alert. Its fields give us the following
IoCs to analyze.
1. agent.ip is the IP address of the agent machine; it tells us which
host downloaded the malware. Internal systems communicating with this
host should be monitored for potential lateral movement.
2. agent.name is the name of the machine that holds the malware.
3. data.virustotal.found and data.virustotal.malicious are flags: found
is 1 when the file's hash exists in the VirusTotal database, and
malicious is 1 when at least one engine flagged it.
4. data.virustotal.source.file shows that the file sits in the
Downloads directory of our Windows 10 system. File name:
p56biirj.exe.part. The .part suffix marks a download that was still in
progress when the agent hashed it, and a random name with that suffix
is also how browsers such as Firefox name their temporary download
files, so the name alone is not proof of obfuscation; the hash is what
ties it to the sample.
5. File hashes (md5, sha1, sha256) uniquely identify the file across
antivirus systems and threat databases. They should be cross-referenced
with threat intelligence platforms (VirusTotal, AlienVault OTX, MISP)
and added to IoC blocklists in firewalls, endpoint detection and
response (EDR) and intrusion prevention systems (IPS).
6. data.virustotal.total and data.virustotal.positives: VirusTotal
evaluated the file with 72 antivirus engines and 58 of them flagged it
as malicious, a high-confidence verdict. The alert also carries the
scan date and a permalink to the full VirusTotal report, which lists
the detection name assigned by each engine, execution behaviour, and
any associated network activity.
7. decoder.name is json: the integration returns its result as JSON,
which Wazuh decodes into the structured fields above.
8. input.type is log, because the VirusTotal integration feeds its
response back into the manager as a log event rather than it arriving
directly from the agent.
9. rule.id is the unique identifier of this detection rule within Wazuh
and can be used to locate the exact rule in the ruleset.
10. rule.level is the severity of the alert; level 12 is a
high-importance event on Wazuh's 0 to 15 scale.
11. rule.firedtimes shows the rule was triggered twice, possibly
indicating repeated attempts to download or interact with the file.
12. The MITRE ATT&CK tactic is Execution and the technique is
Exploitation for Client Execution (T1203). This mapping belongs to
Wazuh's generic VirusTotal rule, not to an analysis of this sample, so
it indicates the file may exploit client-side vulnerabilities to run a
payload but does not prove it.

Now we analyze the IoCs in the syscheck (FIM) alert that Wazuh raised
for the same file, a potential malware detection. Below is a detailed
breakdown.

1. File Information
File Path:
c:\users\win10-victim\downloads\p56biirj.exe.part
The file is in the Downloads directory of the win10-victim user. The
.exe.part extension marks an executable whose download was still in
progress when syscheck saw it; the completed file is renamed when the
download finishes, which is why real-time monitoring of the folder
matters.
File Size:
7,168 bytes (approximately 7 KB). A file this small could be a
downloader that fetches larger malicious components, but size alone is
not an indicator.
File Attributes:
ARCHIVE is the attribute Windows sets by default on any newly created
or modified file so backup tools can find it; it is not suspicious in
itself and should not be read as evasion.
Modification Time:
The file was last modified on January 16, 2025, at 03:06:14.000.
Activity on the host shortly after this timestamp (process creation,
network connections) should be reviewed for further indicators.

2. File Hashes
MD5:
429dea6014053743c1a458b348871582
The MD5 hash of the file, used to look it up in threat intelligence
databases or VirusTotal, and the key our CDB list matches on.
SHA1:
3b93611ad19ecccecb63fa63087d78bad1cfdc0
A second hash of the same file. Both MD5 and SHA-1 are
collision-broken, so they are fine for matching a known sample but
should not be the only identifier in a blocklist.
SHA256:
672f217f9e5a1217afffa1932f91cf014ecd7bf25f71729dd51f19071c9f99
The collision-resistant hash and the preferred key for sharing or
blocklisting; cross-reference it with malware databases. Note that the
SHA-1 and SHA-256 values reproduced here are one or two characters
short of a full hash, so copy hashes from the alert itself, not from
this write-up, before blocklisting.

3. Event Details
Event Type:
The syscheck.event is marked as added, indicating that this file was
newly created or downloaded. This event is critical as new file
additions in sensitive directories are often signs of malware
infections.
Mode:
realtime. This shows the Wazuh agent detected the file in real time,
ensuring minimal delay in identifying the threat.
Rule Triggered:
Rule ID: 110802
Rule Level: 13 (high severity)
The rule belongs to the malware group, indicating a serious threat.
The associated MITRE ATT&CK tactic is Execution, specifically the
technique Malicious File (T1204.002).

4. Permissions and Ownership

File Permissions:
SYSTEM, Administrators, and the user win10-victim hold full rights on
the file, including:
DELETE: the ability to delete the file.
WRITE_DATA: the ability to modify the file's content.
EXECUTE: the ability to execute the file.
These are the default permissions for a file in a user's own profile,
so they are not an indicator by themselves; what matters is that the
user who downloaded the file can run it without elevation, which is
all that T1204.002 requires.
File Owner:
S-1-5-21-259422722-1467037981-1939421826-1002. This Security
Identifier (SID) belongs to the win10-victim user, the primary user of
this system; the relative identifier 1002 at the end shows an account
created on the machine rather than a built-in one (built-in accounts
use RIDs below 1000).

5. MITRE ATT&CK Context

Tactic: Execution
Indicates that the file is intended to execute malicious code on the
system.
Technique: Malicious File (T1204.002)
This sub-technique of User Execution covers malicious files a user is
induced to open, delivered through social engineering, drive-by
downloads, or malicious email attachments.

6. IoC Analysis
These IoCs suggest that the detected file is potentially malicious:
The .exe.part file extension aligns with downloader malware. The
hashes indicate it could already be known malware. The high
permissions and ability to execute make it a critical threat.

The IoCs indicate that a potentially dangerous file was downloaded
onto the Windows 10 machine (Win10_victim). Wazuh identified it as
malware using hash-based detection. The p56biirj.exe.part file,
although incomplete, matches the hash of a known malicious file. The
fact that the file was detected in the downloads folder suggests the
infection vector is likely through the internet, which we know was a
phishing attack as done in the previous lab.
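The following Python script is an added example, not part of the lab, that automates the analysis above: it reads alerts.json-style records, extracts the hash, path and agent IoCs from both the VirusTotal and the syscheck alert shapes, turns the positives/total ratio into a verdict, and correlates the VirusTotal hit and the CDB-list hit on the same agent and MD5 into one incident. The three JSON records are constructed to resemble the lab's alerts (field names follow Wazuh's alerts.json); the agent IP, the alert_id, the permalink and the VirusTotal rule id 87105 are assumptions, while the hashes, path, levels and counts are those the lab shows.

```python
"""Correlate Wazuh VirusTotal and CDB-list alerts into incidents.

Added example, not part of the original lab. CONSTRUCTED_ALERTS mimics
three alerts.json records: the VirusTotal alert, the custom CDB-list
alert (rule 110002) and a plain syscheck 'file added' alert for a
benign file. Agent IP, alert_id, permalink and rule id 87105 are assumed.
"""
import json

CONSTRUCTED_ALERTS = r'''
{"rule":{"id":"87105","level":12,"groups":["virustotal"],"firedtimes":2},"agent":{"id":"001","name":"Win10_victim","ip":"192.168.18.51"},"decoder":{"name":"json"},"input":{"type":"log"},"data":{"integration":"virustotal","virustotal":{"found":1,"malicious":1,"positives":58,"total":72,"scan_date":"2025-01-16 03:06:14","permalink":"https://www.virustotal.com/gui/file/ASSUMED","source":{"alert_id":"1737000000.1","file":"c:\\users\\win10-victim\\downloads\\p56biirj.exe.part","md5":"429dea6014053743c1a458b348871582","sha1":"3b93611ad19ecccecb63fa63087d78bad1cfdc0"}}}}
{"rule":{"id":"110002","level":13,"groups":["malware"],"description":"Known Malware File Hash is Detected","mitre":{"id":["T1204.002"],"tactic":["Execution"],"technique":["Malicious File"]}},"agent":{"id":"001","name":"Win10_victim","ip":"192.168.18.51"},"syscheck":{"path":"c:\\users\\win10-victim\\downloads\\p56biirj.exe.part","event":"added","mode":"realtime","size_after":"7168","md5_after":"429dea6014053743c1a458b348871582","sha1_after":"3b93611ad19ecccecb63fa63087d78bad1cfdc0"}}
{"rule":{"id":"554","level":5,"groups":["ossec","syscheck"]},"agent":{"id":"001","name":"Win10_victim","ip":"192.168.18.51"},"syscheck":{"path":"c:\\users\\win10-victim\\downloads\\notes.txt","event":"added","mode":"realtime","size_after":"12","md5_after":"d41d8cd98f00b204e9800998ecf8427e"}}
'''


def parse_alerts(text):
    """One JSON object per line, as in /var/ossec/logs/alerts/alerts.json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_iocs(alert):
    """Return path/md5/sha1/sha256 from either alert shape (VT or syscheck)."""
    vt = alert.get("data", {}).get("virustotal")
    sc = alert.get("syscheck")
    if vt:
        src = vt.get("source", {})
        return {"path": src.get("file"), "md5": src.get("md5"),
                "sha1": src.get("sha1"), "sha256": src.get("sha256")}
    if sc:
        return {"path": sc.get("path"), "md5": sc.get("md5_after"),
                "sha1": sc.get("sha1_after"), "sha256": sc.get("sha256_after")}
    return {}


def vt_verdict(alert, min_positives=5, min_ratio=0.10):
    """Map VirusTotal fields to a verdict, or None for non-VT alerts.

    found=0 means the hash is unknown to VirusTotal, which is not the
    same as clean: a freshly built sample (like the lab's update.exe
    before it was uploaded) looks exactly like this.
    """
    vt = alert.get("data", {}).get("virustotal")
    if vt is None:
        return None
    if not int(vt.get("found", 0)):
        return "unknown"
    positives, total = int(vt.get("positives", 0)), int(vt.get("total", 0))
    ratio = positives / total if total else 0.0
    if positives >= min_positives and ratio >= min_ratio:
        return "malicious"
    return "suspicious" if positives > 0 else "clean"


def correlate(alerts):
    """Group alerts by (agent name, md5) so the VirusTotal hit and the
    CDB-list hit on the same file appear as one incident."""
    incidents = {}
    for alert in alerts:
        ioc = extract_iocs(alert)
        md5 = (ioc.get("md5") or "").lower()
        if not md5:
            continue
        key = (alert["agent"]["name"], md5)
        inc = incidents.setdefault(key, {
            "agent_ip": alert["agent"].get("ip"),
            "path": ioc.get("path"),
            "sha1": ioc.get("sha1"),
            # .part = browser download still in progress when hashed
            "in_progress_download": (ioc.get("path") or "").endswith(".part"),
            "rules": [], "max_level": 0, "vt": None,
        })
        inc["rules"].append(alert["rule"]["id"])
        inc["max_level"] = max(inc["max_level"], int(alert["rule"]["level"]))
        verdict = vt_verdict(alert)
        if verdict is not None:
            inc["vt"] = verdict
    return incidents


def triage(alerts):
    """Incidents ordered for an analyst: highest level first, then by
    VirusTotal verdict; a CDB hit plus a VT 'malicious' is the top case."""
    order = {"malicious": 3, "suspicious": 2, "unknown": 1, None: 0, "clean": 0}
    rows = [{"agent": agent, "md5": md5, **inc}
            for (agent, md5), inc in correlate(alerts).items()]
    rows.sort(key=lambda r: (r["max_level"], order[r["vt"]]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(parse_alerts(CONSTRUCTED_ALERTS)):
        print(f"{row['agent']} level={row['max_level']} vt={row['vt']} "
              f"rules={','.join(row['rules'])} {row['path']}")
```

The thresholds in vt_verdict are a starting point, not a standard: a handful of positives out of seventy engines is often a heuristic or a packer signature, while a ratio like 58/72 leaves little doubt, and an unknown hash on a freshly downloaded executable deserves a look rather than a pass.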
