Blog / Engineering / How to configure Rsyslog client to send events to Wazuh
Rsyslog is a high-performance, versatile log processing system commonly used in UNIX and Linux environments. It is responsible for handling log messages generated by various system components and applications. It...
Blog / Engineering / How to integrate external software using Integrator
Integrator is a tool which easily connects Wazuh with external software. This is achieved by integrating the alert system with the APIs of the software products through scripts. Examples of...
Blog / Engineering / Integrating Amazon Macie in Wazuh
Amazon offers many tools to monitor the status of its services. A good example is Amazon Macie, aimed at the surveillance of stored data. This is a resource of enormous...
Blog / Engineering / Detecting Metasploit attacks
...suspicious processes: root@DC-1:/# ps -eo user,pid,cmd | grep www-data www-data 4428 sh -c php -r 'eval(base64_decode(Lyo8P3B));' www-data 4429 php -r eval(base64_decode(Lyo8P3B)); Also, we can find an open connection for the...
Blog / Engineering / Adversary emulation on AWS with Stratus Red Team and Wazuh
...# ./stratus warmup aws.defense-evasion.cloudtrail-event-selectors # ./stratus detonate aws.defense-evasion.cloudtrail-event-selectors Cleanup the infrastructure At the end of the emulation, use the following command to destroy all the infrastructure created: $ ./stratus cleanup...
Blog / Engineering / Ensuring NIS2 compliance with Wazuh
...assessments are continuously validated. Evaluation of security measures effectiveness: Wazuh generates detailed reports on configuration compliance, allowing organizations to regularly evaluate the effectiveness of their security measures. By identifying misconfigurations,...
Blog / Engineering / Detecting Windows Screensaver persistence attack with Wazuh
...default screensaver folder as a defense evasion technique. For better defense evasion, the attacker may encode the payload so it cannot be detected by most antivirus solutions. Irrespective of the...
Blog / Engineering / Using Wazuh to detect Raspberry Robin worms
Raspberry Robin is an evasive Windows worm that spreads using removable drives. After infecting a system, it uses the Windows msiexec.exe utility to download its payload hosted on compromised QNAP...
Blog / Engineering / Detecting Lockbit 3.0 ransomware with Wazuh
...been in existence for three years, and during this period it has been upgraded twice to include new forms of infection and evasion techniques. Lockbit 3.0 is the latest version,...
Blog / Engineering / Web shell attack detection with Wazuh
...base64() and gzdeflate() functions to obfuscate commands by encoding and compressing them into unreadable formats. Then, use the eval() or assert() function to parse the data decoded with base64_decode() and...
Blog / Engineering / Hunting for suspicious Windows LNK files with Wazuh XDR
...trigger alerts when the Wazuh server detects Windows shortcuts with suspicious signatures: <group name="windows_shortcut,"> <rule id="110003" level="12"> <decoded_as>raw_json</decoded_as> <field name="lnk_data.command_line_arguments" type="pcre2">(?i)cmd|powershell|psexec|MSHTA|bitsadmin|certutil|vbc|csc|del|echo|tasklist|rundll32|regsvr32|%COMSPEC%|Assembly\.Load|\[Reflection\.Assembly\]::Load|\.dll|\.scr|\.pif|http|https|ftp|ServerXMLHTTP|\.url|cdn.|\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|\.ps1|invoke|\[Convert\]|FromBase|-exex|-nop|-noprofile|-noni|-enc|-decode|-accepteula|hidden|bypass|javascript|jscript|vbscript|wscript|cscript|\.js|\.vb|\.wsc|\.wsh|\.wsf|\.sct|\.cmd|\.hta|\.bat|ActiveXObject|eval|\.7z|\.zip|\.cab|\.iso|\.rar|\.tar|\.bz2|\.lzh|\.dat|expand|makecab|winword|exel|powerpnt|\.rtf|\.doc|\.dot|\.xls|\.xla|\.csv|\.ppt|\.pps|\.xml|\.pdf|%PDF|\.swf|\.fws|setlocal|EnableExtensions|DisableDelayedExpansion|process call</field> <description>Suspicious Windows shortcut "$(lnk_data.file_path)" with malicious artifacts. Possible...
Blog / Engineering / How to detect and mitigate Panchan botnet using Wazuh
...legitimate systemd service /lib/systemd/system/systemd-worker.service to evade suspicion. This service runs upon system restart to maintain persistence of the Panchan botnet. root@ubuntu-2204:/home/ubuntu# find /lib/ /bin/ -name systemd-worker* -type f /lib/systemd/system/systemd-worker.service /bin/systemd-worker...