AdityaBhatt3010/Malware-Execution-Detection-using-Wazuh-and-Auditd

Malware Execution Detection using Wazuh and Auditd

Overview

One of the key objectives of a Security Operations Center (SOC) is monitoring process execution, especially when privileged users execute commands that could indicate privilege escalation, persistence mechanisms, malware activity, or unauthorized administrative actions.

In this Proof of Concept (PoC), we configure Auditd on a Wazuh Agent to monitor command execution performed by the root user. These events are then forwarded to Wazuh, where they can be investigated through the Threat Hunting module.


Objective

The goal of this lab is to:

  • Install and configure Auditd on the Wazuh Agent.
  • Forward Auditd logs to Wazuh.
  • Create audit rules to monitor command execution by privileged users.
  • Generate activity on the endpoint.
  • Visualize the resulting alerts and events in the Wazuh Dashboard.

Step 1: Install Auditd

Auditd is the Linux Audit Daemon responsible for recording security-relevant system events such as:

  • Process execution
  • File access
  • User activity
  • Privilege escalation attempts
  • System calls

Update the system and install Auditd:

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install auditd

By default, Auditd stores logs in:

/var/log/audit/audit.log

Verify that the log file exists and contains events:

cd /var/log/audit/
cat /var/log/audit/audit.log

The following screenshot shows the Auditd log file being accessed.


For day-to-day analysis, viewing the entire log file is often unnecessary. Instead, it is more practical to display only the most recent events.

tail -n50 audit.log

This command displays the last 50 entries generated by Auditd.



Step 2: Configure Wazuh to Ingest Auditd Logs

Although Auditd is now collecting events locally, Wazuh does not automatically process these logs. We must explicitly tell the Wazuh Agent where the Auditd log file is located.

Open the Wazuh Agent configuration file:

nano /var/ossec/etc/ossec.conf

Before the closing </ossec_config> tag, add the following configuration:

<localfile>
   <log_format>audit</log_format>
   <location>/var/log/audit/audit.log</location>
</localfile>

What does this configuration do?

  • log_format tells Wazuh that the source is Auditd.
  • location specifies the Auditd log file.
  • Wazuh Agent will continuously monitor this file and forward events to the Wazuh Manager.


After saving the configuration, restart the Wazuh Agent:

systemctl restart wazuh-agent.service

Step 3: Create Audit Rules for Privileged Command Execution

For this PoC, we want to monitor commands executed by the root user.

Open the Auditd rules file:

nano /etc/audit/audit.rules

Add the following rules:

-a exit,always -F euid=0 -F arch=b64 -S execve -k audit-wazuh-c
-a exit,always -F euid=0 -F arch=b32 -S execve -k audit-wazuh-c

Understanding the Rule

-a exit,always

Records the event whenever the monitored system call completes.

-F euid=0

Targets processes running with an effective UID of 0 (root).

-F arch=b64

Monitors 64-bit system calls. Note that auditctl expects the architecture written as b64; a bare 64 is not accepted.

-F arch=b32

Monitors 32-bit system calls, written as b32 for the same reason.

-S execve

The execve syscall is responsible for launching programs and commands. Monitoring this syscall allows us to track command execution on the system.

-k audit-wazuh-c

Assigns a custom key to help identify and search for matching events.


Reload the Auditd rules:

auditctl -R /etc/audit/audit.rules

This applies the new monitoring configuration without requiring a reboot.



Step 4: Generate Activity

To verify that monitoring is functioning correctly, execute a command as root.

For this PoC, we use:

netstat

Why Netstat?

The netstat command displays active network connections, listening ports, and routing information.

From a security perspective, attackers frequently enumerate network connections during reconnaissance and post-exploitation activities. Therefore, observing command execution events such as netstat can provide valuable visibility into endpoint activity.

netstat



Step 5: Investigate Events in Wazuh

Navigate to:

Wazuh Dashboard
 └── Target Agent
      └── Threat Hunting
           └── Events

You should now see Auditd events being forwarded from the agent.

These events contain useful information such as:

  • Executed command
  • User context
  • Process details
  • Timestamp
  • Audit key
  • Host information

This enables security analysts to investigate potentially suspicious command execution activity directly from the Wazuh interface.
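As an added example (not code from this repository or from Wazuh), the following Python script shows what the Wazuh audit decoder has to do with raw audit.log lines before an analyst can see the fields listed above: group records by their audit(timestamp:serial) event id, join the SYSCALL, EXECVE and CWD records of one execution, decode the arguments that auditd hex-encodes, and keep only events carrying the key from Step 3. The log lines, user ids and paths are constructed for illustration.

```python
import re
from collections import defaultdict

AUDIT_KEY = "audit-wazuh-c"  # the key set by the rules in Step 3
# Every auditd record starts with: type=<TYPE> msg=audit(<epoch>:<serial>):
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# The rest is key=value pairs; a value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed sample audit.log lines (not a real capture): root running netstat,
# root via sudo (auid=1000) running sh -c "ls -la /root" with the spaced
# argument hex-encoded by auditd, and an unprivileged execve without our key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a3b2a0 a1=55d0c0a3c1b0 a2=55d0c0a30f40 a3=8 items=2 ppid=1234 pid=1235 auid=0 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="netstat" exe="/usr/bin/netstat" subj=unconfined key="audit-wazuh-c"
type=EXECVE msg=audit(1700000000.101:456): argc=1 a0="netstat"
type=CWD msg=audit(1700000000.101:456): cwd="/root"
type=SYSCALL msg=audit(1700000000.202:457): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1235 pid=1240 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" subj=unconfined key="audit-wazuh-c"
type=EXECVE msg=audit(1700000000.202:457): argc=3 a0="sh" a1="-c" a2=6C73202D6C61202F726F6F74
type=CWD msg=audit(1700000000.202:457): cwd="/home/analyst"
type=SYSCALL msg=audit(1700000000.303:458): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 egid=1000 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" subj=unconfined key=(null)
type=EXECVE msg=audit(1700000000.303:458): argc=1 a0="id"
"""

def parse_fields(rtype, body):
    """Parse key=value pairs. In EXECVE records auditd hex-encodes arguments that
    contain spaces or quotes and leaves them unquoted, so decode only those."""
    fields = {}
    for m in KV_RE.finditer(body):
        key, quoted, bare = m.groups()
        if quoted is None and rtype == "EXECVE" and re.fullmatch(r"a\d+", key):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare if quoted is None else quoted
    return fields

def parse_events(lines):
    grouped = defaultdict(dict)  # (timestamp, serial) -> {record type: fields}
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if m:  # skip anything that is not an auditd record
            rtype, ts, serial, body = m.groups()
            grouped[(float(ts), int(serial))][rtype] = parse_fields(rtype, body)
    events = []
    for (ts, serial), recs in sorted(grouped.items()):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex or sc.get("key") != AUDIT_KEY:
            continue  # keep only the privileged execve events tagged by our rule
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"])) if f"a{i}" in ex]
        events.append({"timestamp": ts, "serial": serial, "auid": sc.get("auid"),
                       "uid": sc.get("uid"), "euid": sc.get("euid"), "exe": sc.get("exe"),
                       "cwd": recs.get("CWD", {}).get("cwd"), "command": " ".join(argv)})
    return events
```

Running parse_events(SAMPLE_LOG.splitlines()) yields the two root executions with their reconstructed command lines and drops the unprivileged one; the auid field is what distinguishes an interactive root login from a user who became root through sudo.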



Detection Flow

Command Executed
        │
        ▼
      Auditd
        │
        ▼
   audit.log
        │
        ▼
   Wazuh Agent
        │
        ▼
  Wazuh Manager
        │
        ▼
 Threat Hunting
        │
        ▼
 Analyst Investigation

Conclusion

In this PoC, we successfully integrated Auditd with Wazuh to monitor command execution performed by privileged users.

By creating custom Auditd rules and forwarding the resulting logs to Wazuh, we gained visibility into process execution events that could indicate privilege escalation attempts, attacker reconnaissance, malware execution, or unauthorized administrative actions.

While this demonstration uses a simple command (netstat) to generate events, the same approach can be expanded to monitor sensitive binaries, detect suspicious behavior, and enhance endpoint visibility within real-world SOC environments.

This foundational technique is widely applicable to:

  • Security Operations Centers (SOC)
  • Threat Hunting
  • Detection Engineering
  • Incident Response
  • Endpoint Monitoring
  • Linux Security Monitoring

Outro

If this walkthrough helped you, feel free to connect with me:

GitHub: https://github.com/AdityaBhatt3010
LinkedIn: https://www.linkedin.com/in/adityabhatt3010/
Medium: https://medium.com/@adityabhatt3010

More writeups soon. Cleaner, deeper and built from too many late-night labs.

If you found this useful, consider starring the repository and following my cybersecurity journey.


About

Wazuh, Auditd, Threat Hunting | Detecting privileged command execution and endpoint activity through centralized log monitoring.
