Unexpected file deletions on pfSense Plus detected by Wazuh
-
I'm reaching out seeking assistance regarding a concerning issue with my firewall setup: pfSense Plus with the latest firmware, running as a virtual machine within ESXi, on which I've set up Wazuh-Agent for endpoint protection and threat detection, connected directly to a dedicated Wazuh Server. Here's the breakdown of the problem:
The Issue: Recently, Threat Hunting in the Wazuh Dashboard has indicated that a significant number of files have been deleted from the /usr/bin folder on my pfSense Plus. These include key tools such as what, vmstat, vtfontcvt, wall, etc. Despite the firewall continuing to operate normally, this deletion is raising red flags. Also, I haven't upgraded or performed any major changes recently.
Requesting Help: I'm keen on understanding the potential causes of these deleted files and investigating whether any malicious activity is at play:
Suggestions for Investigation: What steps should I take next?
Identifying Potential Causes: Do you have expertise in identifying how such deletion events might be possible?
Any insights or suggestions would be greatly appreciated. Thanks a lot.
-
Normally, with a strong admin password, like "95g3eYXPrc2rWVT", that isn't stored in your browser for easy access, and SSH access, if enabled, protected with "Public key only".
That's about it. You're good.
Normally, you need to be aware that console access, via a serial cable, could be a possible security issue if everybody can attach a cable to it. Lock the firewall up physically?
For you, it's a VM. So everybody who has access to the hypervisor has access to the 'console' and/or the VM file system. How so:
File '/usr/bin/wall' deleted Mode : scheduled
Deletion was scheduled ?
And you're using something called "Wazuh" that is not listed here: System > Package Manager > Available Packages
Which means that you became the one and only expert for your setup, as pretty much no one here knows what it is / does etc. Edit: found some forum posts about how to install Wazuh.
Reinstall one of those (the oldest one):
pkg-static install -f /var/cache/pkg/pkg-1.18.4_4.pkg
Yeah, right, waste bin me that advice.
So, yeah, system files that get deleted by the kernel (the only one who can do so **), as it was ordered to do so by a user-land application, like 'rm', and a connected user or any other process wants to remove OS core user-land process files (programs) ... great. Something tells me it's not pfSense doing this ^^
Tell us what happened, and we'll tell you what happened ^^
** I guess the good old disk sector edit tool would still work just fine also.
-
Were those binaries replaced? What's the file timestamp compared to others? What pfSense version are you running?
Do you have the full list of deleted binaries?
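A worked example added to this thread (not code from any poster, from pfSense or from Wazuh) for the triage the replies above ask about: it pulls the deleted-file list out of Wazuh's alerts.json and, because a scheduled syscheck alert only proves the file was already missing when the scan ran, widens each deletion into the window since the previous scan (assumed to be Wazuh's default frequency of 43200 s), then checks whether every alert could stem from one single event. The alert lines are constructed samples in Wazuh's syscheck field layout.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of alerts.json lines in Wazuh's syscheck layout (not real data).
SAMPLE_ALERTS = [
    '{"timestamp":"2024-05-02T03:10:05.123+0000","rule":{"id":"553"},"agent":{"name":"pfsense"},'
    '"syscheck":{"path":"/usr/bin/wall","event":"deleted","mode":"scheduled"}}',
    '{"timestamp":"2024-05-02T03:10:05.130+0000","rule":{"id":"553"},"agent":{"name":"pfsense"},'
    '"syscheck":{"path":"/usr/bin/vmstat","event":"deleted","mode":"scheduled"}}',
    '{"timestamp":"2024-05-02T04:00:00.000+0000","rule":{"id":"553"},"agent":{"name":"pfsense"},'
    '"syscheck":{"path":"/usr/bin/vtfontcvt","event":"deleted","mode":"realtime"}}',
    '{"timestamp":"2024-05-02T04:05:00.000+0000","rule":{"id":"550"},"agent":{"name":"pfsense"},'
    '"syscheck":{"path":"/etc/hosts","event":"modified","mode":"scheduled"}}',
]

def fim_deletions(alert_lines, prefix="/usr/bin/", scan_frequency_s=43200):
    """One record per FIM 'deleted' event under `prefix`, with the window in which
    the file could really have disappeared. A scheduled-scan alert only proves the
    file was gone at scan time; it may have been removed at any point since the
    previous scan (scan_frequency_s earlier; 43200 s is Wazuh's default)."""
    records = []
    for line in alert_lines:
        alert = json.loads(line)
        sc = alert.get("syscheck") or {}
        if sc.get("event") != "deleted" or not sc.get("path", "").startswith(prefix):
            continue
        seen = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        mode = sc.get("mode")
        # realtime/whodata alerts fire as the event happens, so their window is a point
        earliest = seen - timedelta(seconds=scan_frequency_s) if mode == "scheduled" else seen
        records.append({"path": sc["path"], "mode": mode, "earliest": earliest, "latest": seen})
    return sorted(records, key=lambda r: r["latest"])

def summarize(records):
    """Test the 'one action removed them all' hypothesis: if true, the deletion time
    lies in the overlap of every record's window. An empty overlap means the alerts
    cannot be explained by a single event (e.g. an upgrade or one rm invocation)."""
    if not records:
        return {"count": 0, "paths": [], "window": None, "single_event_possible": False}
    lo = max(r["earliest"] for r in records)
    hi = min(r["latest"] for r in records)
    return {"count": len(records), "paths": sorted(r["path"] for r in records),
            "window": (lo, hi), "single_event_possible": lo <= hi}

if __name__ == "__main__":
    found = fim_deletions(SAMPLE_ALERTS)
    for r in found:
        print(f"{r['path']:22} {r['mode']:9} gone between {r['earliest']:%m-%d %H:%M} and {r['latest']:%m-%d %H:%M}")
    print(summarize(found))
```

Feed it the agent's real alerts.json (or the dashboard's exported hits) to get the full list the last reply asks for; the "single_event_possible" flag tells you whether the timestamps even permit one common cause before you start comparing file dates on the box.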