LNK file parsing

[dmitri munteanu]

Hi all, 

I havent found any info, just want to know if Wazuh can parse LNK file to extract data from it, like "Target". 

...in my case why I need this, is to get an alert whe a user opens a file,  cause everytime when a a user do open a file it is creating or updating an LNK file of it in %APPDATA%\Roaming\Microsoft\Recent\ and the "Target" field of LNK file contains the full path of the opened file.

I've done with syscheck to that folder, but is not enough cause geting alert just the name of of the file, nor the path from where it was open that file.

[Gonzalo Membrillo Solbes]

Hello Dmitri,

In this case, you could configure Syscheck to report the changes made to the LNK file. By using this, you will be able to see all content changes performed to it. In your case, you will be able to see the changed path to the file. Keep in mind, it is imperative you only use the report_changes option to monitor singular files since Wazuh will make a copy of the selected files or directories in a private location. A great amount of files will consume a lot of disk space. You can find more information on this here: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-reporting-file-and-registry-value-changes

If you follow that link, you will see an example of the required configuration. But just in case, make sure to enable our FIM module in the manager's ossec.conf configuration file. You can do this from the Dashboard by going to Wazuh>Management>Configuration>Edit configuration. You can find the necessary steps to enable FIM here: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html.

I hope you find this helpful. Do let us know if you need anything else.

Regards,

Gonzalo

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/022b993f-0d47-4a8f-b84f-1f091092a9efn%40googlegroups.com.

[dmitri munteanu]

Hi Gonzalo,

I've done with report_changes, but geting unclear data:

syscheck.diff  < < Ü>iÁ æ× ÏçQJ»[Ù Â7‹îþZÙ < € --- > > Ü>iÁ æ× Ðvá6¼[Ù Â7‹îþZÙ > €

looks like Wazuh cannot syscheck cannot decode the content of LNK file.....

[Gonzalo Membrillo Solbes]

Hello again,

It would indeed appear that this solution can't help due to the inability to parse the LNK file. In this case, I do not think what you want is possible. Wazuh can, as you mentioned previously, notify you of a change done to the file but the change will remain unknown until you manually check the LNK file. We are currently working on making this feature work on other formats beyond text so you may be able to use this solution in a future release.

Do let us know if you need anything else.

Regards,

Gonzalo

[dmitri munteanu]

Thanks Gonzalo,

and sure, waiting for future realeses with posibility of decoding other file formats.

Cheers!