Active Response Extensions

Wazuh has active-response functionality. Its source code is open source, well tested, and is available here. The three parameters required by the scripts are action, IP, and user.

We have created an osquery extension (https://github.com/sttor/osquery-wazuh-response) that executes the active-response scripts through osquery queries. You can also create your own custom .sh, .cmd, and .py scripts and execute them via osquery queries.

The query syntax is:

select * from active_response where rule='host-deny.sh' and action='add' and ip='-' and user='-';

Below are the rules and the platforms they are compatible with. You can find more at https://documentation.wazuh.com/3.7/user-manual/capabilities/active-response/how-it-works.html

Rule                 Platform
-------------------  -----------
disable-account.sh   Linux
firewall-drop.sh     Linux, OSX
firewalld-drop.sh    Linux
host-deny.sh         Linux, OSX
ip-customblock.sh    Linux
ipfw.sh              Linux
ipfw_mac.sh          OSX
kill_process.py      Linux, OSX
netsh.cmd            Windows
npf.sh               Linux
pf.sh                Linux, OSX
route-null.cmd       Windows
route-null.sh        Linux

How to create a custom command with the osquery extension

You can create any Python script, .sh, or .cmd file: simply add it to the extension folder and include it in the active_response_extension.py file. We have added a template file in the GitHub repo.

  1. Refer to the structure of kill_process.py.

  2. Import the custom file in active_response_extension.py, for example import kill_process.

  3. Add the filename to ActiveResponse.PYTHON_RULE, ActiveResponse.WAZUH_RULE, or ActiveResponse.BASH_RULE.

  4. In the query, pass args as JSON containing the arguments the script requires.
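The following is an added example and is not code from the sttor/osquery-wazuh-response repository. It shows the dispatch step behind a query such as select * from active_response where rule='host-deny.sh' and action='add' and ip='-' and user='-': the row's rule, action, ip, user, and args values are validated against a registry (the ActiveResponse.PYTHON_RULE / WAZUH_RULE / BASH_RULE names come from the steps above; their contents here are assumed), and the script is started as an argv list with no shell. The custom-block.sh rule name, the hypothetical `check_row` helper, and the choice to hand a Python rule its args as one JSON string are assumptions of this example.

```python
"""Dispatch an osquery active_response row to a Wazuh active-response script.

Added example, not the extension's own code. The registry mirrors the
ActiveResponse.*_RULE names mentioned in the steps above; their contents
are assumed here. Scripts are started via an argv list (never a shell
string), so a value such as "203.0.113.7; id" can only ever fail validation.
"""
import ipaddress
import json
import os
import re
import subprocess
import sys
import tempfile
from typing import Dict, List


class ActiveResponse:
    # Scripts shipped with Wazuh (the compatibility table above).
    WAZUH_RULE = {
        "disable-account.sh", "firewall-drop.sh", "firewalld-drop.sh",
        "host-deny.sh", "ip-customblock.sh", "ipfw.sh", "ipfw_mac.sh",
        "npf.sh", "pf.sh", "route-null.sh", "netsh.cmd", "route-null.cmd",
    }
    # Custom shell scripts placed in the extension folder (assumed name).
    BASH_RULE = {"custom-block.sh"}
    # Python rules; here they receive the query's args as one JSON string (assumption).
    PYTHON_RULE = {"kill_process.py"}


ALLOWED_ACTIONS = {"add", "delete"}
# A user is either the "-" placeholder used in the query syntax or a plain account name.
USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_ip(ip: str) -> str:
    """Return the normalised address, or "-"; anything else raises ValueError."""
    return ip if ip == "-" else str(ipaddress.ip_address(ip))


def validate_user(user: str) -> str:
    if user == "-" or USER_RE.fullmatch(user):
        return user
    raise ValueError(f"invalid user: {user!r}")


def build_command(row: Dict[str, str], extension_dir: str) -> List[str]:
    """Turn one active_response row into the argv list to execute."""
    rule = row.get("rule", "")
    registered = ActiveResponse.WAZUH_RULE | ActiveResponse.BASH_RULE | ActiveResponse.PYTHON_RULE
    # Only a registered file name is accepted, so a path such as ../../bin/sh is rejected.
    if rule not in registered:
        raise ValueError(f"unknown rule: {rule!r}")
    action = row.get("action", "")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"invalid action: {action!r}")
    ip = validate_ip(row.get("ip", "-"))
    user = validate_user(row.get("user", "-"))
    script = os.path.join(extension_dir, rule)

    if rule in ActiveResponse.PYTHON_RULE:
        extra = json.loads(row.get("args") or "{}")
        if not isinstance(extra, dict):
            raise ValueError("args must be a JSON object")
        return [sys.executable, script, action, user, ip, json.dumps(extra, sort_keys=True)]
    if rule.endswith(".cmd"):
        return ["cmd.exe", "/c", script, action, user, ip]
    # Wazuh's shipped scripts read their positional arguments as: action, user, ip.
    return ["/bin/sh", script, action, user, ip]


def check_row(row: Dict[str, str], extension_dir: str) -> str:
    """Return "" when the row would be executed, otherwise the rejection reason."""
    try:
        build_command(row, extension_dir)
        return ""
    except ValueError as exc:
        return str(exc)


def run_active_response(row: Dict[str, str], extension_dir: str, timeout: int = 30) -> Dict[str, object]:
    """Execute the validated command (no shell=True) and report the outcome as a row."""
    argv = build_command(row, extension_dir)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return {"rule": row["rule"], "returncode": proc.returncode,
            "stdout": proc.stdout.strip(), "stderr": proc.stderr.strip()}


if __name__ == "__main__":
    # Constructed demo: a stand-in host-deny.sh that only echoes its arguments.
    with tempfile.TemporaryDirectory() as ext_dir:
        with open(os.path.join(ext_dir, "host-deny.sh"), "w") as fh:
            fh.write('#!/bin/sh\necho "action=$1 user=$2 ip=$3"\n')
        row = {"rule": "host-deny.sh", "action": "add", "ip": "203.0.113.7", "user": "-"}
        print(run_active_response(row, ext_dir))
        bad = {"rule": "host-deny.sh", "action": "add", "ip": "203.0.113.7; id", "user": "-"}
        print("rejected:", check_row(bad, ext_dir))
```

Running the module on a POSIX host executes the echo stand-in and prints the rejection reason for a malformed ip value; the same `build_command` is what a table plugin's generate() would call for each constrained row.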

Installation on Windows

The previous installation steps already included the extension installation for Linux and Mac by default. For Windows, you have to follow the additional steps below.

Python installation on Windows

  1. Install Python3

    1. Check “Install launcher for all users”

    2. Check “Add Python to PATH”

  2. Select “Install Now”

  3. Open a PowerShell instance

  4. pip install osquery

Grant permission to the extension

  1. In PowerShell, as an administrator, run:

    cd 'C:\Program Files\osquery'

    icacls .\extensions /setowner Administrators /t

    icacls .\extensions /grant Administrators:f /t

    icacls .\extensions /inheritance:r /t

    icacls .\extensions /inheritance:d /t

Edit the flags file

Open osquery.flags in Notepad as an administrator and append the line below:

--extensions_autoreload=C:\Program Files\osquery\extensions\active_response_extension.py.ext

Restart osquery

sc.exe stop osqueryd

sc.exe start osqueryd