
Wazuh Denoising

Alert: [Rule 510]: Trojaned version of file detected (/bin/diff)

Solution:

  • Copy https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/rootkit_trojans.txt to /var/ossec/etc/shared/ on your hub server.
  • Or: upgrade from source, built from the current master branch.

Further information: https://github.com/ossec/ossec-hids/issues/2020

Alert: [Rule 92213]: Executable file dropped in folder commonly used by malware (cleanmgr.exe)

Solution:

Create or extend overwrites-custom-warnings.xml with the following content (adjust the rule ID if necessary):

  <!-- Custom override: lowers the alert to level 4 when the file was created by sdiagnhost.exe -->
  <rule id="110030" level="4">
    <!-- Child of the Sysmon file-create rule (92204), the same parent as rule 92213 -->
    <if_sid>92204</if_sid>
    <!-- Process that created the file; four backslashes match one escaped path separator -->
    <field name="win.eventdata.image" type="pcre2">C:\\\\Windows\\\\system32\\\\sdiagnhost\.exe</field>
    <options>no_full_log</options>
    <description>CleanMGR - Downlevel Info</description>
  </rule>
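Before shipping an override like the one above to the manager, it is worth checking offline that its field pattern matches exactly the events you want to downlevel and nothing else. The following is an added example, not code from the page or from Wazuh: it parses the rule XML above, resolves the dotted field name against constructed Sysmon-style events, and reports whether the override would fire. The sample events are constructed; they assume, as the Wazuh ruleset's own four-backslash Windows paths imply, that the decoded field still carries the JSON-escaped doubled backslashes. Python's re is used in place of pcre2, which is equivalent for a pattern made of literals and `\.`.

```python
import re
import xml.etree.ElementTree as ET

# The override rule from the page, wrapped in a <group> so it parses as one document.
RULE_XML = r"""<group name="custom_overrides,">
  <rule id="110030" level="4">
    <if_sid>92204</if_sid>
    <field name="win.eventdata.image" type="pcre2">C:\\\\Windows\\\\system32\\\\sdiagnhost\.exe</field>
    <options>no_full_log</options>
    <description>CleanMGR - Downlevel Info</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Parse each <rule> into a dict with its compiled field pattern.
    Only single-value <if_sid> is handled, which is all the page's rule uses."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        field = r.find("field")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(r.findtext("if_sid")),
            "field": field.get("name"),
            "pattern": re.compile(field.text),
            "description": r.findtext("description"),
        })
    return rules


def get_field(event, dotted_name):
    """Resolve a dotted name such as 'win.eventdata.image' against a nested dict."""
    node = event
    for part in dotted_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def match_override(rules, event, parent_sid):
    """Return the first rule that hangs off parent_sid and whose field pattern
    is found in the event, or None when no override applies."""
    for rule in rules:
        if rule["if_sid"] != parent_sid:
            continue
        value = get_field(event, rule["field"])
        if value is not None and rule["pattern"].search(value):
            return rule
    return None


# Constructed sample events (not real telemetry). Assumption: the field keeps the
# JSON-escaped doubled backslashes, which is what the four-backslash pattern expects.
BENIGN_DROP = {"win": {"eventdata": {"image": r"C:\\Windows\\system32\\sdiagnhost.exe"}}}
OTHER_DROP = {"win": {"eventdata": {"image": r"C:\\Windows\\system32\\notepad.exe"}}}
# Same path with single backslashes: shows the pattern will NOT match an unescaped value.
SINGLE_BACKSLASH = {"win": {"eventdata": {"image": r"C:\Windows\system32\sdiagnhost.exe"}}}

RULES = load_rules(RULE_XML)
SYSMON_FILE_CREATE_SID = 92204  # parent rule named in the page's <if_sid>

if __name__ == "__main__":
    samples = (("sdiagnhost", BENIGN_DROP), ("notepad", OTHER_DROP),
               ("single backslash", SINGLE_BACKSLASH))
    for name, ev in samples:
        hit = match_override(RULES, ev, SYSMON_FILE_CREATE_SID)
        verdict = f"override {hit['id']} (level {hit['level']})" if hit else "no override"
        print(f"{name}: {verdict}")
```

Running it shows the override firing only for the sdiagnhost.exe event in escaped form; the single-backslash variant is there to make the escaping requirement visible before a rule is deployed and silently never matches.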