Attackers installing SIEM agents to evade!
<blockquote data-quote="javier.castro" data-source="post: 1103739" data-attributes="member: 117282"><p>From Santiago Bassett:</p><p></p><p>The article, written by a Kaspersky analyst (<a href="https://www.linkedin.com/in/alexander-kryazhev-78078a252/" target="_blank">Alexander Kryazhev</a>), explains how Wazuh is misused by attackers who already had full administrative privileges over the victim's system.</p><p></p><p>This scenario is similar to how attackers might abuse other legitimate tools, like SSH, once they control a system.</p><p></p><p>According to the article, attackers installed the Wazuh agent and enabled the "remote_commands" feature, which requires manual activation and admin-level access. This feature is useful for incident responders and digital forensics, and it is common in XDR (eXtended Detection and Response) products. The attackers misused it to run commands on the already compromised system.</p><p></p><p>In summary, Wazuh is not the attack vector. The system was already fully compromised. This is a common case of attackers abusing legitimate tools for malicious purposes after gaining admin access.</p><p></p><p>Wazuh itself is a defensive tool designed to protect systems, not to attack them.</p><p></p><p>I hope it helps.</p></blockquote><p></p>
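The post says the "remote_commands" feature has to be switched on by hand with admin rights. As an added example (not from the post, not from Santiago Bassett, and not Wazuh project code), the script below audits the two places that switch lives on a Wazuh agent: the `logcollector.remote_commands` and `wazuh_command.remote_commands` keys in `local_internal_options.conf` (both default to 0), and the commands carried by `<localfile>` blocks with a `command`/`full_command` log format or by `<wodle name="command">` blocks in the centralized `agent.conf` pushed from the manager. The sample configuration texts are constructed for the demonstration; file paths, the exact commands, and the assumption that the XML shown is manager-pushed configuration rather than the agent's local `ossec.conf` are all assumptions of this example.

```python
"""Audit a Wazuh agent for remote-command execution being enabled.

Added example, not code from the forum post or from the Wazuh project.
Two things must be true for the behaviour the post describes:

  1. local_internal_options.conf has logcollector.remote_commands=1
     (gates command/full_command <localfile> blocks pushed via agent.conf)
     and/or wazuh_command.remote_commands=1 (gates the command wodle
     pushed via agent.conf); both default to 0.
  2. the manager-pushed agent.conf actually carries such command blocks.

Sample inputs below are constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

LOGCOLLECTOR_KEY = "logcollector.remote_commands"
WODLE_KEY = "wazuh_command.remote_commands"

# Constructed sample of local_internal_options.conf (assumed path on Linux:
# /var/ossec/etc/local_internal_options.conf).
SAMPLE_INTERNAL_OPTIONS = """\
# constructed sample - both switches flipped on
logcollector.remote_commands=1
wazuh_command.remote_commands=1   # trailing comment
"""

# Constructed sample of a manager-pushed agent.conf. Commands are placeholders.
SAMPLE_AGENT_CONF = """\
<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>whoami; id</command>
    <frequency>60</frequency>
  </localfile>
  <wodle name="command">
    <disabled>no</disabled>
    <tag>updater</tag>
    <command>uname -a</command>
    <interval>1d</interval>
  </wodle>
</agent_config>
"""


def parse_internal_options(text):
    """Parse key=value lines (with '#' comments) into a dict of strings."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def remote_commands_enabled(text):
    """Return the internal-option keys that are set to 1, in a fixed order."""
    opts = parse_internal_options(text)
    return [k for k in (LOGCOLLECTOR_KEY, WODLE_KEY) if opts.get(k) == "1"]


def find_pushed_commands(agent_conf_xml):
    """Return (source, command) pairs a pushed agent.conf would run.

    Wazuh config files may contain several top-level elements, which is
    not a single well-formed XML document, so wrap them in a synthetic root.
    """
    root = ET.fromstring("<root>" + agent_conf_xml + "</root>")
    found = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in ("command", "full_command"):
            found.append((fmt, (lf.findtext("command") or "").strip()))
    for wodle in root.iter("wodle"):
        if wodle.get("name") == "command":
            found.append(("wodle", (wodle.findtext("command") or "").strip()))
    return found


def audit(internal_options_text, agent_conf_xml):
    """Combine both checks: which commands would actually execute."""
    enabled = remote_commands_enabled(internal_options_text)
    commands = find_pushed_commands(agent_conf_xml)
    lc_on = LOGCOLLECTOR_KEY in enabled
    wodle_on = WODLE_KEY in enabled
    # A command only runs when the switch that gates its mechanism is on.
    live = [c for c in commands
            if (c[0] == "wodle" and wodle_on) or (c[0] != "wodle" and lc_on)]
    return {
        "remote_commands_enabled": enabled,
        "pushed_commands": commands,   # worth a look even if not live yet
        "live_commands": live,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INTERNAL_OPTIONS, SAMPLE_AGENT_CONF).items():
        print(f"{key}: {value}")
```

On a box where these switches were not set by your own team, a 1 here is itself the finding, regardless of what the pushed commands look like; the post's point is that whoever flipped it already had administrative control.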