{"id":149,"date":"2024-03-18T20:09:19","date_gmt":"2024-03-18T20:09:19","guid":{"rendered":"https:\/\/shaynepatelcybersecurityportfolio.online\/?p=149"},"modified":"2024-03-18T20:09:19","modified_gmt":"2024-03-18T20:09:19","slug":"malware-detection-using-virustotal-and-wazuh","status":"publish","type":"post","link":"https:\/\/shaynepatelcybersecurityportfolio.online\/?p=149","title":{"rendered":"Malware Detection using VirusTotal and Wazuh"},"content":{"rendered":"\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">In this lab, I will build on the agent from the previous lab and add VirusTotal to detect malware in real time. Detecting and removing malware is crucial to keeping systems functional and preventing unauthorized access, data breaches, and financial loss. VirusTotal checks a suspicious file against more than 70 antivirus engines. Wazuh can query it automatically for every file that its File Integrity Monitoring module sees appear or change, which is what makes the detection near real time.<\/mark><\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">My first step was learning how to integrate external APIs into Wazuh by reading the documentation. Wazuh uses an integrator daemon (wazuh-integratord) that forwards alerts matching a configured rule group, rule ID or alert level to external services such as VirusTotal, Slack and PagerDuty. For VirusTotal it does not upload the file: it sends the hash recorded in the FIM alert, receives the verdicts of the engines for that hash, and raises the result as a second alert. 
The steps went as follows:<\/mark><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Get my API key from my VirusTotal account page<\/mark><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"232\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/api-virus-total-1024x232.png\" alt=\"\" class=\"wp-image-150\" style=\"width:736px;height:auto\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/api-virus-total-1024x232.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/api-virus-total-300x68.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/api-virus-total-768x174.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/api-virus-total-1536x348.png 1536w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/api-virus-total.png 1821w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Edit the ossec.conf file on the Wazuh server and add the integration configuration block seen below, using the API key. The key is a credential tied to your VirusTotal account and its request quota, so treat it like any other secret: keep it out of screenshots and version control, and leave the file readable only by root and the wazuh group<\/mark><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"462\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-config-1024x462.png\" alt=\"\" class=\"wp-image-151\" style=\"width:740px;height:auto\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-config-1024x462.png 1024w, 
https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-config-300x135.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-config-768x347.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-config.png 1312w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Restart the Wazuh manager to apply the changes<\/mark><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Enable the File Integrity Monitoring module to watch the target directory by adding a directories entry within the &lt;syscheck> block of the agent configuration, with the realtime attribute set to yes; without real-time monitoring, a new file is only picked up on the next scheduled scan rather than the moment it is written. For this lab, I will move a malware sample into the &#8216;Documents&#8217; folder<\/mark><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"326\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/temp-folder-1-1024x326.png\" alt=\"\" class=\"wp-image-153\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/temp-folder-1-1024x326.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/temp-folder-1-300x96.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/temp-folder-1-768x245.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/temp-folder-1.png 1120w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Restart the Wazuh agent on Windows<\/mark><\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Use Case<\/h3>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">In this use case, I am testing a suspicious file using VirusTotal. I used the EICAR anti-malware test file from <a href=\"https:\/\/www.eicar.org\/download-anti-malware-testfile\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.eicar.org\/download-anti-malware-testfile\/<\/a>. It is a harmless 68-byte text file that antivirus vendors agree to flag, so it exercises the whole detection path without putting live malware on the host. <\/mark><\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Next, I moved the file into the &#8216;Documents&#8217; folder I had set to track. After that, I checked the Wazuh manager to see whether the alerts were generated.<\/mark><\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">The first alert, raised by the FIM module, reports that a new file was added.<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/file-alert-1-1024x484.png\" alt=\"\" class=\"wp-image-154\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/file-alert-1-1024x484.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/file-alert-1-300x142.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/file-alert-1-768x363.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/file-alert-1-1536x725.png 1536w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/file-alert-1.png 1897w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">The second alert, produced by the VirusTotal integration from the hash in the first one, shows how many engines detected the file.<\/mark><\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"424\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-alert-1-1024x424.png\" alt=\"\" class=\"wp-image-156\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-alert-1-1024x424.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-alert-1-300x124.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-alert-1-768x318.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-alert-1-1536x637.png 1536w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/virus-total-alert-1.png 1887w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">This lab showed that Wazuh and VirusTotal can be used together for live malware detection: FIM raises the first alert when the file appears, and the integrator&#8217;s hash lookup raises the second with the engine verdicts. Integrating VirusTotal with the Wazuh platform was very simple.<\/mark><\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Thanks for following along.<\/mark><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this lab, I will build on the agent from the previous lab and add VirusTotal to detect malware in real time. Detecting and removing malware is crucial to keeping systems functional and preventing unauthorized access, data breaches, and financial loss. VirusTotal checks a suspicious file against more than 70 antivirus engines. 
Wazuh has the capability [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=149"}],"version-history":[{"count":2,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/149\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
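The procedure from the post (integration block on the manager, syscheck directory on the agent, a FIM alert followed by a VirusTotal alert) traced end to end in Python, as an added example that is not part of the original post and is not Wazuh's own integrations/virustotal.py. It builds a constructed syscheck "file added" alert for the EICAR test file, applies the <group>syscheck</group> filter from a copy of the post's integration block (placeholder key), assembles the VirusTotal v3 file-report request without sending it, and reduces a constructed v3 reply (the engine counts are made up; real ones change daily) to the fields the Wazuh VirusTotal rules match on. The alert id, agent name, file path, and the choice to look up the SHA-256 rather than the SHA-1 are assumptions made for illustration.

```python
"""Offline model of the Wazuh + VirusTotal path in the post (added example, not
Wazuh's integrations/virustotal.py): FIM alert -> integrator filter -> VT v3
hash lookup (built, not sent) -> virustotal.* fields the ruleset matches on."""
import hashlib
import json
import xml.etree.ElementTree as ET

# <integration> block in the shape shown in the post's screenshot; the key is a placeholder.
INTEGRATION_XML = """
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>REPLACE_WITH_YOUR_VT_API_KEY</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""

# EICAR anti-malware test file, byte for byte (a public, deliberately harmless string).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def parse_integration(xml_text, name="virustotal"):
    """Return the child elements of the named <integration> block as a dict."""
    for block in ET.fromstring(xml_text.strip()).findall("integration"):
        if block.findtext("name") == name:
            return {child.tag: (child.text or "").strip() for child in block}
    raise ValueError(f"no <integration> block named {name}")


def fim_added_alert(path, content, agent="windows-agent"):
    """Constructed syscheck alert in the shape wazuh-manager writes to alerts.json
    when a new file appears in a monitored directory (rule 554, group syscheck)."""
    return {
        "id": "1710792559.1234",  # constructed alert id (epoch.offset), not a real one
        "rule": {"id": "554", "level": 5, "description": "File added to the system.",
                 "groups": ["ossec", "syscheck", "syscheck_entry_added", "syscheck_file"]},
        "agent": {"name": agent},
        "syscheck": {"path": path, "event": "added",
                     "md5_after": hashlib.md5(content).hexdigest(),
                     "sha1_after": hashlib.sha1(content).hexdigest(),
                     "sha256_after": hashlib.sha256(content).hexdigest()},
    }


def integrator_forwards(alert, integration):
    """wazuh-integratord hands an alert to the script only if it passes every
    filter present in the block; a filter that is absent matches everything."""
    group = integration.get("group")
    if group and not set(group.split(",")) & set(alert["rule"]["groups"]):
        return False
    rule_id = integration.get("rule_id")
    if rule_id and alert["rule"]["id"] not in rule_id.split(","):
        return False
    level = integration.get("level")
    return not level or alert["rule"]["level"] >= int(level)


def vt_lookup_request(alert, api_key):
    """Build, but do not send, the v3 file-report request. Only the hash goes to
    VirusTotal, never the file; the endpoint accepts an MD5, SHA-1 or SHA-256."""
    url = VT_FILES_URL + alert["syscheck"]["sha256_after"]
    return url, {"x-apikey": api_key, "accept": "application/json"}


def reduce_vt_response(alert, status, body):
    """Map HTTP status + v3 body to the fields the Wazuh VirusTotal rules match on;
    rule numbers are those of Wazuh's 0480-virustotal_rules.xml."""
    source = {"alert_id": alert["id"], "file": alert["syscheck"]["path"],
              "sha256": alert["syscheck"]["sha256_after"]}
    if status == 401:
        return {"rule": 87102, "description": "Error: Check credentials", "source": source}
    if status == 429:
        return {"rule": 87101, "description": "Error: Public API request rate limit reached", "source": source}
    if status == 404:
        return {"rule": 87103, "found": 0, "malicious": 0,
                "description": "No records in VirusTotal database", "source": source}
    stats = body["data"]["attributes"]["last_analysis_stats"]
    positives, total = stats.get("malicious", 0), sum(stats.values())
    return {"rule": 87105 if positives else 87104, "found": 1, "malicious": int(positives > 0),
            "positives": positives, "total": total, "source": source,
            "permalink": "https://www.virustotal.com/gui/file/" + body["data"]["id"]}


def run_demo():
    """Walk the EICAR drop through all four stages with a constructed VT reply."""
    integration = parse_integration(INTEGRATION_XML)
    alert = fim_added_alert(r"C:\Users\lab\Documents\eicar.com", EICAR)
    if not integrator_forwards(alert, integration):
        return None
    url, _headers = vt_lookup_request(alert, integration["api_key"])
    # Constructed v3 reply for the EICAR hash; real engine counts change daily.
    vt_body = {"data": {"id": alert["syscheck"]["sha256_after"], "attributes": {"last_analysis_stats": {
        "malicious": 62, "suspicious": 0, "undetected": 10, "harmless": 0,
        "timeout": 0, "type-unsupported": 3, "failure": 0, "confirmed-timeout": 0}}}}
    result = reduce_vt_response(alert, 200, vt_body)
    result["request"] = url
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it with python3 and it prints the VirusTotal-style record for the EICAR drop. Two caveats the lab does not mention: every forwarded FIM alert costs one API call, and a free VirusTotal key allows 4 lookups per minute and 500 per day, so keep the group filter tight or monitor only directories where untrusted files land, otherwise you get the rate-limit error (rule 87101) instead of verdicts; and a "no records" result (rule 87103) means only that nobody has submitted that hash yet, not that the file is clean.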