How to detect Active Directory attacks with Wazuh [Part 2 of 2]
...#sekurlsa::logonpasswords We can see the NTLM hash of the user john is 812792a1f13bb10964ed1dfeac78c64b. Authentication Id : ; 4062248 (00000000:003dfc28) Session : RemoteInterActive from 5 User Name : john Domain :...
Monitoring root actions on Linux using Auditd and Wazuh
...key="audit-wazuh-c" type=EXECVE msg=audit(1574420226.095:1325): argc=2 a0="touch" a1="/tmp/malicious_file" Example If we run the following commands: [John@wazuhmanager ~]id uid=1001(John) gid=1001(John) groups=1001(John),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [John@wazuhmanager ~]sudo ls /etc [sudo] password for John: bin boot dev...
Emulation of ATT&CK techniques and detection with Wazuh
Introduction Attack emulation plays an important role in identifying the Tactics, Techniques, and Procedures (TTP) used by adversaries. Projects like Atomic Red Team (ART) can help automate the emulation while...
Adversary emulation with CALDERA and Wazuh
Introduction Adversary emulation plays an important role in identifying the Tactics, Techniques, and Procedures (TTP) used by threat actors. CALDERA™ is a cybersecurity framework developed by MITRE, which allows cyber...
Detecting PsExec usage with Wazuh
Introduction PsExec is a part of Sysinternals command line tools named PsTools. It facilitates system administration and can execute processes on local and remote systems. While PsExec is not malicious,...
Detecting and removing WhisperGate malware
WhisperGate is a destructive file-wiper malware that is being used in a campaign targeting Ukrainian organizations. The malware targets Windows devices, corrupts the Master Boot Record (MBR), and the hard...
Detecting and responding to Latrodectus malware with Wazuh
Latrodectus malware is a sophisticated malware loader that has emerged as a significant threat in recent cyberattacks targeting Windows operating systems. Latrodectus is designed to deliver payloads and execute arbitrary...
Detecting Follina (CVE-2022-30190) attack with Wazuh
...clone https://github.com/JohnHammond/msdt-follina.git cd msdt-follina We generate the corrupted file and set up the CnC server with the following command. Replace <CnC_IP_Address> with the IP address of the Ubuntu CnC server....