Integrating Admin By Request (ABR) with Wazuh
September 3, 2025
Apos, first identified in April 2024, has drawn significant attention in the security community due to its stealthy behavior and layered infection chain. Unlike opportunistic threats that indiscriminately target systems, Apos demonstrates a calculated focus on persistence and evasion.
The malware often masquerades as legitimate software components, mimicking processes such as Chrome extension updates to blend seamlessly into routine activity. Once executed on Windows systems, it unpacks and loads malicious modules designed for credential theft, system reconnaissance, and command-and-control (C2) communications.
While frequently categorized as ransomware, Apos diverges from traditional file-encrypting ransomware. Instead, it prioritizes data exfiltration, stealing sensitive information, and using threats of exposure or sale of the data as leverage for extortion.
Apos conceals its presence through benign-looking artifacts, including DLLs with non-suspicious names, which serve both as payload delivery mechanisms and persistence enablers within Windows and browser environments. By leveraging trusted processes and disguising communications, Apos ensures long-term access and positions attackers for deeper lateral movement within compromised networks.
In this blog post, we demonstrate how organizations can detect the activities and malicious behaviors associated with Apos malware on infected Windows endpoints.
Below are some of the behaviors observed when Apos malware successfully infects a Windows endpoint:

- It creates a file named __tmp_rar_sfx_access_check_* in the same folder containing the malware executable.
- It creates the following DLLs: libffi-8.dll, libgcc_s_dw2-1.dll, libgio-2.0-0.dll, libglib-2.0-0.dll, libgmodule-2.0-0.dll, libgobject-2.0-0.dll, libiconv-2.dll, libintl-8.dll, libpcre2-8-0.dll, libwinpthread-1.dll, zlib1.dll.
- It creates an executable, Update.exe, in the working directory for further execution.
- It executes Update.exe and loads it into memory. The parent process terminates after launching this executable.
- Update.exe loads all the DLLs imported by the parent process.

Hashes of the Apos malware samples:

Hash Algorithm | Value
--- | ---
SHA256 | 33a99066776eacf39e2f36243b8fbee2e542e35a4b56531187463a266dd5b0ff
SHA256 | e90249a27ea1181ac71f789c0c563d008cf920c5847b41c7a790952139b84808
We use the following infrastructure to demonstrate the detection of Apos malware with Wazuh:
We create custom detection rules to identify the known activities associated with the Apos malware.
We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of Apos malware.
Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

Download the Sysmon configuration file. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:

```powershell
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
```

Install Sysmon with the downloaded configuration file:

```powershell
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
```

Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:

```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

Restart the Wazuh agent to apply the changes:

```powershell
> Restart-Service -Name wazuh
```
In this section, we create rules to detect the activities related to Apos malware.

Create a file apos_malware_rules.xml in the /var/ossec/etc/rules/ directory:

```
# touch /var/ossec/etc/rules/apos_malware_rules.xml
```

Add the following rules to the /var/ossec/etc/rules/apos_malware_rules.xml file:

```xml
<group name="Apos, malware,">

  <!-- Malware creates a file to check file creation access -->
  <rule id="102111" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\__tmp_rar_sfx_access_check</field>
    <description>File $(win.eventdata.targetFilename) created by $(win.eventdata.image). Activity associated with Apos malware detected.</description>
  </rule>

  <!-- Detects multiple DLLs creation by the malware -->
  <rule id="102112" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)(libffi-8\.dll|libgcc_s_dw2-1\.dll|libgio-2\.0-0\.dll|libglib-2\.0-0\.dll|libgmodule-2\.0-0\.dll|libgobject-2\.0-0\.dll|libiconv-2\.dll|libintl-8\.dll|libpcre2-8-0\.dll|libwinpthread-1\.dll|zlib1\.dll)$</field>
    <description>The DLL $(win.eventdata.targetFilename) was created by $(win.eventdata.image). Activity associated with Apos malware detected.</description>
  </rule>

  <!-- Malware creates Update.exe executable file -->
  <rule id="102113" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*\\Update.exe$</field>
    <description>An executable file $(win.eventdata.targetFilename) was created. Activity associated with Apos malware detected.</description>
  </rule>

  <!-- Malware executes Update.exe application -->
  <rule id="102114" level="12">
    <if_sid>61603</if_sid>
    <regex type="pcre2" field="win.eventdata.commandLine">(?i)C:\\.*\\Update\.exe</regex>
    <field name="win.eventdata.hashes" type="pcre2">(?i)SHA256=3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1|A0027DF5CCC2A66C8A0BCAA7D7033AA438B58A92732030E73D5A9F77A7659639</field>
    <description>A malicious executable $(win.eventdata.image) was launched. Activity associated with Apos malware detected.</description>
    <mitre>
      <id>T1036</id>
    </mitre>
  </rule>

  <!-- Malware loads Update.exe image -->
  <rule id="102115" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)[C-Z]:.*\\Update.exe</field>
    <field name="win.eventdata.hashes" type="pcre2">(?i)SHA256=3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1|A0027DF5CCC2A66C8A0BCAA7D7033AA438B58A92732030E73D5A9F77A7659639</field>
    <description>A malicious image $(win.eventdata.imageLoaded) was loaded. Activity associated with Apos malware detected.</description>
    <mitre>
      <id>T1073</id>
    </mitre>
  </rule>

  <!-- Update.exe application loads the DLLs created by parent process -->
  <rule id="102116" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\Update.exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)[C-Z]:.*\.dll</field>
    <description>DLL $(win.eventdata.imageLoaded) was loaded by a malicious executable $(win.eventdata.image). Activity associated with Apos malware detected.</description>
    <mitre>
      <id>T1073</id>
    </mitre>
  </rule>

</group>
```

Where:

- 102111 is triggered when the malware creates a file to test file creation access.
- 102112 is triggered when the malware creates multiple DLL files.
- 102113 is triggered when the malware creates the executable file Update.exe.
- 102114 is triggered when the Update.exe executable is launched.
- 102115 is triggered when the Update.exe image is loaded into memory.
- 102116 is triggered when the Update.exe executable loads the DLLs imported by the parent process.

Restart the Wazuh manager to apply the changes:

```
# systemctl restart wazuh-manager
```
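Before deploying rules like these, it is worth checking that each one fires on the event it targets and stays quiet on neighbouring benign events. The Python harness below is an added example (my code, not part of the original post and not Wazuh's rule engine) that re-implements the rule logic over constructed Sysmon events in the decoded shape Wazuh gives them. The rule ids, `<if_sid>` values, regular expressions and SHA256 constants are copied from the rules above; the mapping from Sysmon event ID to parent rule is my reading of Wazuh's Sysmon ruleset, and every path and the placeholder hash are constructed. It goes one step beyond the page by also feeding in a legitimately named Update.exe, to show which rules key on the file name alone.

```python
import re

# Parent Wazuh rules the page's rules chain from, keyed by Sysmon event ID.
# This mapping is my reading of Wazuh's Sysmon ruleset (61603 = event 1 process
# create, 61609 = event 7 image load, 61613 = event 11 file create); the page
# itself does not state it.
PARENT_RULE = {"1": 61603, "7": 61609, "11": 61613}

# Patterns copied verbatim from the page's rules.
EXE = r"(?i)[C-Z]:.*\.exe"
HASHES = (r"(?i)SHA256=3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1"
          r"|A0027DF5CCC2A66C8A0BCAA7D7033AA438B58A92732030E73D5A9F77A7659639")
DLLS = (r"(?i)(libffi-8\.dll|libgcc_s_dw2-1\.dll|libgio-2\.0-0\.dll|libglib-2\.0-0\.dll"
        r"|libgmodule-2\.0-0\.dll|libgobject-2\.0-0\.dll|libiconv-2\.dll|libintl-8\.dll"
        r"|libpcre2-8-0\.dll|libwinpthread-1\.dll|zlib1\.dll)$")

# (rule id, <if_sid>, {win.eventdata field: pcre2 pattern}). As with Wazuh <field>
# elements, every listed field has to match for the rule to fire.
RULES = [
    (102111, 61613, {"image": EXE,
                     "targetFilename": r"(?i)[C-Z]:.*\__tmp_rar_sfx_access_check"}),
    (102112, 61613, {"image": EXE, "targetFilename": DLLS}),
    (102113, 61613, {"image": EXE, "targetFilename": r"(?i)[C-Z]:.*\\Update.exe$"}),
    (102114, 61603, {"commandLine": r"(?i)C:\\.*\\Update\.exe", "hashes": HASHES}),
    (102115, 61609, {"imageLoaded": r"(?i)[C-Z]:.*\\Update.exe", "hashes": HASHES}),
    (102116, 61609, {"image": r"(?i)[C-Z]:.*\\Update.exe",
                     "imageLoaded": r"(?i)[C-Z]:.*\.dll"}),
]

# Constructed decoded Sysmon events (eventID plus the win.eventdata fields the
# rules read). Paths are made up; the hash in the fourth event is one of the
# page's constants, the one in the sixth is a placeholder for an unrelated binary.
SAMPLE_EVENTS = [
    {"eventID": "11", "image": r"C:\Users\demo\Downloads\invoice.exe",
     "targetFilename": r"C:\Users\demo\Downloads\__tmp_rar_sfx_access_check_4a2f"},
    {"eventID": "11", "image": r"C:\Users\demo\Downloads\invoice.exe",
     "targetFilename": r"C:\Users\demo\Downloads\libglib-2.0-0.dll"},
    {"eventID": "11", "image": r"C:\Users\demo\Downloads\invoice.exe",
     "targetFilename": r"C:\Users\demo\Downloads\Update.exe"},
    {"eventID": "1", "image": r"C:\Users\demo\Downloads\Update.exe",
     "commandLine": r"C:\Users\demo\Downloads\Update.exe",
     "hashes": "SHA256=3DA500D9DC1A24E1C4A55146A1DD85088C07CDE5CB684F1AD4238B78B74CD5C1"},
    {"eventID": "7", "image": r"C:\Users\demo\Downloads\Update.exe",
     "imageLoaded": r"C:\Users\demo\Downloads\libffi-8.dll"},
    # A legitimately named Update.exe with a different hash loading a system DLL.
    {"eventID": "7", "image": r"C:\Users\demo\AppData\Local\SomeApp\Update.exe",
     "imageLoaded": r"C:\Windows\System32\kernel32.dll",
     "hashes": "SHA256=PLACEHOLDER_HASH_OF_UNRELATED_BINARY"},
    # A vendor installer dropping a DLL that is not on the page's list.
    {"eventID": "11", "image": r"C:\Program Files\Vendor\setup.exe",
     "targetFilename": r"C:\Program Files\Vendor\vendor.dll"},
]


def evaluate(event):
    """Return the ids of the page's rules that fire for one decoded Sysmon event."""
    parent = PARENT_RULE.get(event.get("eventID"))
    fired = []
    for rule_id, if_sid, fields in RULES:
        if if_sid != parent:
            continue  # the rule's <if_sid> parent did not match this event
        if all(re.search(pat, event.get(name, "")) for name, pat in fields.items()):
            fired.append(rule_id)
    return fired


def evaluate_all(events):
    """Evaluate a list of events; returns one list of fired rule ids per event."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS)):
        print(f"event {event['eventID']:>2}  fired={fired or '-'}")
```

The first five events reproduce the infection chain and fire 102111 through 102116 in order. The sixth shows that 102116 (like 102113) matches on the name Update.exe alone, with no hash check, so any software that ships its own Update.exe will raise it; when tuning, pair such rules with the hash fields or the parent process as 102114 and 102115 do. The last event confirms that an installer dropping an unrelated DLL raises nothing.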
Follow the steps below to view the alerts generated on the Wazuh dashboard.

Add a filter with the field rule.groups, the operator is, and Apos in the Values field.

A strong defense against malware begins with early detection, before malicious code has the chance to run. By monitoring endpoints for suspicious file activity, security teams can identify and eliminate potential threats before they impact the system. The Wazuh File Integrity Monitoring (FIM) module plays a central role in this process by scanning designated directories at set intervals. This flags unexpected file creations or modifications that could indicate an attack in progress.
To strengthen this capability, Wazuh can be integrated with external intelligence sources and malware detection tools such as YARA and VirusTotal. These integrations provide access to continuously updated signatures and rule sets, enabling automated identification of known and emerging threats. When a suspicious file surfaces, the Wazuh Active Response module can be configured to automatically trigger a YARA scan, classify the file, and remove it if malicious. In this way, organizations can move beyond reactive cleanup and enforce a proactive security posture that stops threats before they escalate.
In this section, we illustrate how to remove malicious files by leveraging Wazuh integration with YARA.
Perform the steps below to configure the monitored endpoint for this integration.
Install Python (pip comes pre-installed). Ensure the Add Python.exe to PATH option is checked during installation.

Note
Run PowerShell as an administrator.

Download and extract the YARA release archive:

```powershell
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.4/yara-master-v4.5.4-win64.zip -OutFile v4.5.4-win64.zip
> Expand-Archive v4.5.4-win64.zip
```

Create a yara folder in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the YARA binary into it:

```powershell
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.5.4-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
```

Use the pip utility to install valhallaAPI. This API retrieves the public signature-based YARA ruleset:

```powershell
> pip install valhallaAPI
```

Create a file download_yara_rules.py, and paste the below script into it:

```python
from valhallaAPI.valhalla import ValhallaAPI

v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

with open('yara_rules.yar', 'w') as fh:
    fh.write(response)
```

Run the download_yara_rules.py script file to download YARA rules:

```powershell
> python download_yara_rules.py
```

Create the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder and copy the rules into it:

```powershell
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
```

Edit the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file and add the following Apos malware rule:

```yara
rule Apos_malware {
   meta:
      description = "Detects Apos malware"
      author = "Aishat Awujola"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2025-08-26"
   strings:
      $x1 = "srvcli.dll" fullword wide /* reversed goodware string 'lld.ilcvrs' */
      $x2 = "devrtl.dll" fullword wide /* reversed goodware string 'lld.ltrved' */
      $x3 = "dfscli.dll" fullword wide /* reversed goodware string 'lld.ilcsfd' */
      $x4 = "browcli.dll" fullword wide /* reversed goodware string 'lld.ilcworb' */
      $x5 = "linkinfo.dll" fullword wide /* reversed goodware string 'lld.ofniknil' */
      $s6 = "atl.dll" fullword wide /* reversed goodware string 'lld.lta' */
      $s7 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
      $s8 = "SSPICLI.DLL" fullword wide
      $s9 = "UXTheme.dll" fullword wide
      $s10 = "oleaccrc.dll" fullword wide
      $s11 = "dnsapi.DLL" fullword wide
      $s12 = "iphlpapi.DLL" fullword wide
      $s13 = "WINNSI.DLL" fullword wide
      $s14 = "sfxrar.exe" fullword ascii
      $s15 = "Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password." fullword wide
      $s16 = "libffi-8.dll" fullword ascii
      $s17 = "libpcre2-8-0.dll" fullword ascii
      $s18 = "D:\\Projects\\WinRAR\\sfx\\build\\sfxrar64\\Release\\sfxrar.pdb" fullword ascii
      $s19 = "233333333333333333" ascii /* hex encoded string '#33333333' */
      $s20 = "$GETPASSWORD1:IDC_PASSWORDENTER" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 8000KB and 1 of ($x*) and 4 of them
}
```

Monitor the Downloads folder of all users in real-time by adding the below configuration within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:

```xml
<directories realtime="yes">C:\Users\*\Downloads</directories>
```

Note
In this blog post, we only monitored the Downloads folder of all users. However, you can configure other directories you wish to monitor.

Create a file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the below script into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:

```batch
:: This script deletes Apos malware executable as well as other malicious files matched by the YARA Rules
@echo off
setlocal enableDelayedExpansion

reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)

set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%

for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    :: Deleting the scanned file.
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)

exit /b
```

Restart the Wazuh agent to apply the changes:

```powershell
> Restart-Service -Name wazuh
```
Perform the following steps to configure custom decoders, rules, and the Wazuh Active Response module on the Wazuh server.

Add the following rules to the /var/ossec/etc/rules/local_rules.xml file:

```xml
<group name="syscheck,">
  <rule id="102121" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>
  <rule id="102122" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

<!-- Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="102123" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <!-- YARA scan detects a positive match -->
  <rule id="102124" level="12">
    <if_sid>102123</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a malware. Yara rule: $(yara_rule)</description>
  </rule>

  <!-- Wazuh successfully deletes malware with a positive match -->
  <rule id="102125" level="12">
    <if_sid>102123</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

  <!-- Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="102126" level="12">
    <if_sid>102123</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>
```

Where:

- 102121 is triggered when a file is modified in the Downloads folder.
- 102122 is triggered when a file is added to the Downloads folder.
- 102123 is the base rule for detecting YARA-related events.
- 102124 is triggered when YARA scans and detects a malicious file.
- 102125 is triggered when the executable has been successfully removed by the Wazuh Active Response module.
- 102126 is triggered when the executable is not removed successfully by the Wazuh Active Response module.

Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the Active Response script:

```xml
<decoder name="yara_decoder">
  <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
  <parent>yara_decoder</parent>
  <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
  <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
```

Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:

```xml
<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>102121,102122</rules_id>
</active-response>
```

The Wazuh Active Response module runs the yara.bat script when a file is added or modified in the Downloads folder.

Where:

- <name> specifies that yara is the name of the command being called in the <active-response> block.
- <executable> specifies that yara.bat is the executable file to run.
- <command> specifies the command that the Active Response module will use.
- The <active-response> block calls the <command> block when rule ID 102121 or 102122 is triggered.
- <location> specifies where the Active Response script is executed.

Restart the Wazuh manager to apply the changes:

```
# systemctl restart wazuh-manager
```
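The decoders and rules above, together with the line format yara.bat writes into active-responses.log, are what turn a YARA match into a dashboard alert. The Python script below is an added example (my code, not part of the original post and not Wazuh's decoder engine) that replays the page's decoder regexes and `<match>` literals over constructed log lines of the form the yara.bat script produces. The rule ids, decoder regexes and match strings come from the page; the log lines, file paths and the matched rule name are constructed. It also covers a case the page does not mention: a user profile path containing a space.

```python
import re

# Child decoders from the page (the parent decoder's prematch is "wazuh-yara:").
DECODERS = [
    (r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)",
     ("log_type", "yara_rule", "yara_scanned_file")),
    (r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)",
     ("log_type", "yara_rule", "yara_scanned_file")),
    (r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)",
     ("log_type", "yara_rule", "yara_scanned_file")),
]

# The page's rules under base rule 102123, keyed by their <match> literal.
RULE_MATCH = [
    (102124, "wazuh-yara: INFO - Scan result: "),
    (102125, "wazuh-yara: INFO - Successfully deleted: "),
    (102126, "wazuh-yara: INFO - Error removing threat: "),
]
BASE_RULE = 102123

# Constructed active-responses.log lines in the form yara.bat writes them:
# yara64.exe prints "<rule> <file>" for every matching rule, and the script
# logs a "Scan result" line for each, then one deletion outcome line. Paths
# and the matched rule name are made up for the demo.
SAMPLE_LOG = [
    r"C:\Users\demo\Downloads\sample.exe",  # bare path yara.bat logs before scanning
    r"wazuh-yara: INFO - Scan result: Apos_malware C:\Users\demo\Downloads\sample.exe",
    r"wazuh-yara: INFO - Successfully deleted: Apos_malware C:\Users\demo\Downloads\sample.exe",
    r"C:\Users\demo\Downloads\locked.exe",
    r"wazuh-yara: INFO - Scan result: Apos_malware C:\Users\demo\Downloads\locked.exe",
    r"wazuh-yara: INFO - Error removing threat: Apos_malware C:\Users\demo\Downloads\locked.exe",
    r"C:\Users\demo\Downloads\notes.txt",   # clean file: YARA prints nothing, so no more lines
    # Profile name with a space: the page's \S+ captures stop at the first space.
    r"wazuh-yara: INFO - Scan result: Apos_malware C:\Users\Jane Doe\Downloads\sample.exe",
]


def decode(line):
    """Mimic the decoders: None if the parent prematch fails, else the fields
    extracted by the first child regex that matches ({} when none does)."""
    if "wazuh-yara:" not in line:
        return None
    for pattern, order in DECODERS:
        m = re.search(pattern, line)
        if m:
            return dict(zip(order, m.groups()))
    return {}


def classify(line):
    """Return (rule_id, fields) for one line; (None, None) when nothing decodes."""
    fields = decode(line)
    if fields is None:
        return None, None
    for rule_id, literal in RULE_MATCH:
        if literal in line:
            return rule_id, fields
    return BASE_RULE, fields  # decoded, but only the level-0 grouping rule applies


def process(lines):
    """Replay a log; return (rule id, scanned file) for every line that would alert."""
    alerts = []
    for line in lines:
        rule_id, fields = classify(line)
        if rule_id in (102124, 102125, 102126):
            alerts.append((rule_id, fields["yara_scanned_file"]))
    return alerts


if __name__ == "__main__":
    for rule_id, path in process(SAMPLE_LOG):
        print(rule_id, path)
```

Two things the replay makes visible. First, the bare path line that yara.bat appends before scanning carries no "wazuh-yara:" prefix, so it never reaches the decoders, and a clean file leaves no further trace because the for loop over YARA's output has nothing to iterate; only positive matches produce alerts. Second, the three decoders capture the file name with `\S+`, so for a profile such as C:\Users\Jane Doe the yara_scanned_file field is cut at the first space and the alert names the wrong path; if paths with spaces are expected, capturing the remainder of the line with `.+` in the last group of each decoder regex (my suggestion, not something the page does) keeps the full path.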
When the Apos malware executable is added to the Downloads folder of the monitored Windows endpoint and successfully removed by the Wazuh Active Response module, alerts are generated on the Wazuh dashboard.

To view these alerts, add a filter with the field rule.id, the operator is one of, and 102122, 102124, and 102125 in the Values field.

In this blog post, we demonstrated how organizations can detect and proactively respond to Apos malware activities in a monitored Windows environment. We enriched logs from the victim endpoint by integrating Sysmon and created Wazuh detection rules to identify malicious behavior related to Apos malware. We also showed how to remove the malicious files by leveraging Wazuh integration with YARA.
Wazuh is a free open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. Discover more about Wazuh by exploring our other blog posts and becoming a part of our growing community.