Wazuh and Sysinternals Integration, Part II — Scanning and Analysing Executable Files by their hash + VirusTotal

SOCFortress
Mar 23, 2022


Introduction

(Part I on Persistent Footholds here)

The Sysinternals suite includes tools that, when driven through their CLI options, integrate easily with the Wazuh stack: their output can be collected as events, then ingested and evaluated in the manager.

Sysinternals — Sigcheck

Official documentation can be found here.

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

Integrated with the Wazuh agent (more info in our GitHub repo, available here), Sigcheck can be used to scan executable files located in “uncommon” locations, like the “Users” folder.

Coupled with Sigcheck’s VirusTotal capability, the hashes of all executable files found can be sent to this antimalware service for analysis.

Sigcheck’s CLI options make it possible to format the command output and append events to Wazuh’s active responses log:

Parameter     Description
-accepteula   Silently accept the Sigcheck EULA (no interactive prompt)
-c            CSV output with comma delimiter
-e            Scan executable images only (regardless of their extension)
-s            Recurse subdirectories
-u            If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.
-v[rs]        Query VirusTotal for malware based on file hash. Add ‘r’ to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the ‘s’ option is specified. Note scan results may not be available for five or more minutes.
-vt           Before using VirusTotal features, you must accept VirusTotal terms of service.

SOCFortress Integration

As part of this integration, periodic scans on the Windows “Users” folder and sub-folders are run, finding files that are executable, regardless of their extension, and submitting their file hashes to VirusTotal:

Sigcheck + VirusTotal Summary

Sigcheck’s CLI options include retrieving file signature information. Files flagged by VirusTotal will include a direct link to their scan results.

File Signature status and direct link to VirusTotal File Scan Results

Sigcheck — Full Scan Event Details

Sigcheck Scan Events
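One way to wire up the periodic scan described above, as an added PowerShell example (not SOCFortress's script or Wazuh's own code). The Sigcheck install path, the `source` tag and the normalised field names are assumptions; the log path is the default for a 64-bit Windows agent.

```powershell
# Added example. Paths are assumptions; adjust them to your installation.
$Sigcheck = 'C:\Program Files\Sysinternals\sigcheck.exe'   # assumed install location
$ScanRoot = 'C:\Users'
$ArLog    = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'

if (-not (Test-Path -LiteralPath $Sigcheck)) {
    throw "sigcheck.exe not found at $Sigcheck"
}

# -v looks files up on VirusTotal by hash only; the 's' suffix (not used here)
# would upload unknown files. -accepteula and -vt keep an unattended run from
# blocking on an interactive prompt. -nobanner keeps the banner out of the CSV.
$csv = & $Sigcheck -accepteula -nobanner -vt -c -e -s -u -v $ScanRoot 2>$null

# ConvertFrom-Csv uses the first output line as the header, so no Sigcheck
# column names are hard-coded here. A run with no findings yields zero rows.
$rows = @($csv | ConvertFrom-Csv)

# Windows PowerShell's Out-File defaults to UTF-16; write UTF-8 without a BOM
# so the agent's log collector reads each line as plain JSON.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)

foreach ($row in $rows) {
    $record = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        source    = 'sigcheck'   # hypothetical tag for manager-side rules to match on
    }
    foreach ($p in $row.PSObject.Properties) {
        # Turn header text into JSON-friendly field names (spaces become "_").
        $name = ($p.Name.Trim() -replace '\W+', '_').ToLower()
        $record[$name] = $p.Value
    }
    # One compact JSON object per line, appended to the active responses log.
    $line = ($record | ConvertTo-Json -Compress) + "`r`n"
    [System.IO.File]::AppendAllText($ArLog, $line, $utf8NoBom)
}
```

Run it on a schedule under an account that can write to the agent directory; because `-u` is combined with `-v`, only files unknown to VirusTotal or with non-zero detection produce events.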

Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html
