How to detect Active Directory attacks with Wazuh [Part 2 of 2]
In this blog post, we continue showing how Wazuh can detect some common Active Directory attacks using Windows security logs.
In this article we will learn how to monitor root actions on Linux using Auditd and Wazuh: analyze the events reported by Audit and generate alerts from them.
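As an added illustration of the detection logic that article describes (this is example code, not the article's or Wazuh's own), the script below assumes an auditd rule that tags every execve() running with effective uid 0, parses constructed audit.log records in auditd's native key=value format, joins each SYSCALL record with its EXECVE record by serial number, and emits one alert per root execution that can be attributed to a logged-in user. The rule text, the key name `root_actions`, the function names and the sample log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumed auditd rule (not from the article): log every execve() that runs with
# effective uid 0 and tag it with a key Wazuh can match on.
AUDIT_RULE = "-a always,exit -F arch=b64 -F euid=0 -S execve -k root_actions"

WATCH_KEY = "root_actions"
UNSET_AUID = 4294967295  # auid of processes with no login session (daemons started at boot)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")
ARGV_RE = re.compile(r"^a\d+$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Constructed sample records (not real captures) in the layout auditd writes to
# /var/log/audit/audit.log. Serial 202 is a boot-time daemon, 204 is a direct root login.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="root_actions"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="useradd" a1="svc-backup"
type=SYSCALL msg=audit(1700000000.105:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="root_actions"
type=EXECVE msg=audit(1700000000.105:202): argc=1 a0="logrotate"
type=SYSCALL msg=audit(1700000000.120:203): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2230 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="root_actions"
type=EXECVE msg=audit(1700000000.120:203): argc=3 a0="bash" a1="-c" a2=636174202f6574632f736861646f77
type=SYSCALL msg=audit(1700000000.130:204): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="passwd" exe="/usr/bin/passwd" key="root_actions"
type=EXECVE msg=audit(1700000000.130:204): argc=2 a0="passwd" a1="root"
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields; values keep their quotes."""
    fields = dict(FIELD_RE.findall(line))
    m = SERIAL_RE.search(line)
    fields["serial"] = m.group(1) if m else "-1"
    return fields


def decode_value(raw: str) -> str:
    """Unquote a field; auditd hex-encodes argv entries containing spaces or quotes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def root_action_alerts(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per successful euid=0 execve() attributable to a login session."""
    syscalls: Dict[str, Dict[str, str]] = {}
    argv: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            syscalls[rec["serial"]] = rec
        elif rec.get("type") == "EXECVE":
            # a0, a1, ... a10: sort numerically, not lexically
            args = sorted((int(k[1:]), v) for k, v in rec.items() if ARGV_RE.match(k))
            argv[rec["serial"]] = [decode_value(v) for _, v in args]

    alerts: List[Dict[str, object]] = []
    for serial, rec in sorted(syscalls.items(), key=lambda kv: int(kv[0])):
        if decode_value(rec.get("key", "")) != WATCH_KEY:
            continue
        if rec.get("success") != "yes" or int(rec.get("euid", -1)) != 0:
            continue
        auid = int(rec.get("auid", UNSET_AUID))
        if auid == UNSET_AUID:
            continue  # boot-time daemon: root by design, no user to attribute it to
        alerts.append({
            "serial": int(serial),
            "auid": auid,  # the login uid survives sudo/su, so this names the human
            "exe": decode_value(rec["exe"]),
            "cmdline": " ".join(argv.get(serial, [])) or decode_value(rec.get("comm", "")),
            "escalated": auid != 0,  # non-root login now running as root
        })
    return alerts


if __name__ == "__main__":
    for alert in root_action_alerts(SAMPLE_AUDIT_LOG):
        print(alert)
```

The attribution key is `auid`, the login uid the kernel fixes at session start and keeps across sudo and su; filtering on `euid` alone would flood the alerts with every root daemon, and filtering on `uid` would miss the escalation itself. In a Wazuh deployment the same decision would be expressed as a rule matching the `audit.key` field, with the hex decoding handled by the audit decoder.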
Introduction Attack emulation plays an important role in identifying the Tactics, Techniques, and Procedures (TTPs) used by adversaries. Projects like Atomic Red Team (ART) can help automate the emulation, while the adversarial activities can be detected using Wazuh. The MITRE ATT&CK® framework, which stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), is a […]
Introduction Adversary emulation plays an important role in identifying the Tactics, Techniques, and Procedures (TTPs) used by threat actors. CALDERA™ is a cybersecurity framework developed by MITRE that allows security teams to test their defenses. This article details how to emulate attacks on Linux and Windows endpoints with CALDERA and how to detect these […]
Introduction PsExec is a part of Sysinternals command line tools named PsTools. It facilitates system administration and can execute processes on local and remote systems. While PsExec is not malicious, several threat actors such as Turla, Fin6, and Cleaver use it for activities such as lateral movement and privilege escalation within a network; it is […]
WhisperGate is a destructive file-wiper malware used in a campaign targeting Ukrainian organizations. The malware targets Windows devices and corrupts the Master Boot Record (MBR) and files on the hard disk of the victim endpoint. It is designed to look like ransomware but offers no recovery mechanism, so the device is left inoperable. In […]
Latrodectus malware is a sophisticated malware loader that has emerged as a significant threat in recent cyberattacks targeting Windows operating systems. Latrodectus is designed to deliver payloads and execute arbitrary commands on infected systems. Its distribution has been linked to threat actors TA577 and TA578, who have employed it in various threat campaigns. It is […]
User mode and kernel mode are two operating states within a computer system that define different levels of access to and control over the hardware resources of a computer. The separation between the two is important, as it affects the security and stability of the computer. User mode is a restricted operating environment where […]
Persistence techniques refer to methods attackers or malicious software use to maintain access to a compromised endpoint even after reboots, logouts, or other interruptions. These techniques ensure that the malware or unauthorized user remains active and can continue to execute malicious activities without re-exploitation. Common Windows persistence techniques involve modifying startup scripts, abusing scheduled tasks […]
A remote code execution vulnerability affecting Microsoft Windows Support Diagnostic Tool (MSDT) was observed to be exploited as early as May 2022. The vulnerability is dubbed Follina and has the designation CVE-2022-30190 with a CVSS score of 7.3. The Follina vulnerability uses the Microsoft Office Remote template feature to retrieve an HTML file from a […]