
License: GNU Affero General Public License v3.0 (AGPL-3.0)

wazuh-gtfobins

A rule set for Wazuh to detect live-off-the-land techniques on Linux and Unix systems.

What are GTFOBins?

From the project's webpage:

"GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems."

Source: GTFOBins

The point is that these binaries are neither malicious nor vulnerable in themselves. They are legitimate system tools that an attacker who already has a foothold can abuse, for example to spawn a shell, read or write files they should not reach, or escape a restricted environment. Because nothing has to be downloaded, this is commonly called living off the land.

This project provides Wazuh rules that detect such usage from the process information collected on the endpoint.

Similar curated lists exist for Windows binaries and for drivers, but wazuh-gtfobins only implements rules for Linux and Unix.

How to use wazuh-gtfobins?

  1. You need a running Wazuh instance (a manager with at least one agent).
  2. Copy the files from the decoders directory into the decoders directory of your Wazuh manager, usually /var/ossec/ruleset/decoders.
  3. Copy the files from the rules directory into the rules directory of your Wazuh manager, usually /var/ossec/ruleset/rules.
  4. Add the contents of the files from the endpoint directory to the corresponding files on the endpoints (e.g. the snippet in ossec.conf.gtfo is merged into ossec.conf). The files carry the suffix .gtfo so that a careless copy cannot overwrite the endpoint's existing configuration; they are meant to be merged, not copied over.
  5. Restart the manager, and every agent whose ossec.conf you changed, so that the new decoders, rules and command entries are loaded.

Note that /var/ossec/ruleset/ is replaced when Wazuh is upgraded. If the rules are to survive upgrades, place them in /var/ossec/etc/rules and the decoders in /var/ossec/etc/decoders instead; both directories are loaded by default and are intended for local additions.

The ps command-monitoring entry from ossec.conf.gtfo can also be deployed centrally from the manager through the shared agent.conf instead of editing every endpoint. This repository does not yet ship a ready-to-paste snippet for that.

How is this project structured?

It follows a simple structure.

Configuration that has to be applied on the endpoint, i.e. the agent, lives in the subfolder endpoint.

Snippets for global configuration files, e.g. ossec.conf, carry the suffix .gtfo to prevent accidental overwrites. These snippets have to be merged into the existing files; they do not replace them.

The rule files are in the subfolder rules. Their file names are prefixed with

  • a four digit number
  • a dash
  • gtfo
  • a dash.

Numbers start at 2000 and consecutive files must be 10 apart. These files have to be copied into the rules directory of the Wazuh manager. The prefix only determines the order in which the files are loaded; the rule id attributes inside them still have to be unique across the whole ruleset (Wazuh reserves the ids 100000 to 120000 for custom rules).

Example: 2000-gtfo-onerule.xml, 2010-gtfo-anotherrule.xml.

How to contribute?

  1. Clone this project
  2. Check which rules are not implemented yet, either in the issues tab (the list there may be incomplete) or by looking through the rules directory, or contact me if unsure.
  3. Look up the example command string for the binary on the GTFOBins project page.
  4. Write the rule. Please have a look at existing rules and mind the prefix number.
  5. git add, commit and open a pull request
  6. :)