Wazuh Agent Remote Execution

Rule Info

Name
Wazuh Agent Remote Execution
Author
X__Junior
Description
Detects the enabling of remote commands in the Wazuh agent. Setting this value to 1 allows the agent to accept and execute remote commands from the Wazuh manager or other controlling systems. This can be used for legitimate remote administration, but it also opens up the potential for misuse if the Wazuh manager or server the agent connects to is malicious or compromised, because it grants significant control over the agent.
Date
2024-10-07 00:00:00
Modified
None
Id
efab1f46-b043-4546-a747-962b42906493
Tags
attack.t1033
Type
Nextron Sigma feed only (private)

Rule History