{
"_index": "wazuh-alerts-4.x-2025.03.31",
"_id": "FZu--7qG",
"_score": 1,
"_source": {
"syscheck": {
"size_before": "18",
"uname_after": "***",
"mtime_after": "2025-03-31",
"size_after": "24",
"md5_before": "8a73f8",
"diff": "---\n> oiii\n",
"win_perm_after": [
{
"allowed": [
"DELETE",
"READ_CONTROL",
"WRITE_DAC",
"WRITE_OWNER",
"SYNCHRONIZE",
"READ_DATA",
"WRITE_DATA",
"APPEND_DATA",
"READ_EA",
"WRITE_EA",
"EXECUTE",
"READ_ATTRIBUTES",
"WRITE_ATTRIBUTES",
[
"DELETE",
"READ_CONTROL",
"WRITE_DAC",
"WRITE_OWNER",
"SYNCHRONIZE",
"READ_DATA",
"WRITE_DATA",
"APPEND_DATA",
"READ_EA",
"WRITE_EA",
"EXECUTE",
"READ_ATTRIBUTES",
"WRITE_ATTRIBUTES"
],
[
"DELETE",
"READ_CONTROL",
"WRITE_DAC",
"WRITE_OWNER",
"SYNCHRONIZE",
"READ_DATA",
"WRITE_DATA",
"APPEND_DATA",
"READ_EA",
"WRITE_EA",
"EXECUTE",
"READ_ATTRIBUTES",
"WRITE_ATTRIBUTES"
]
],
"name": "SISTEMA"
},
{
"allowed": [
"DELETE",
"READ_CONTROL",
"WRITE_DAC",
"WRITE_OWNER",
"SYNCHRONIZE",
"READ_DATA",
"WRITE_DATA",
"APPEND_DATA",
"READ_EA",
"WRITE_EA",
"EXECUTE",
"READ_ATTRIBUTES",
"WRITE_ATTRIBUTES"
],
"name": "Administradores"
},
{
"allowed": [
"DELETE",
"READ_CONTROL",
"WRITE_DAC",
"WRITE_OWNER",
"SYNCHRONIZE",
"READ_DATA",
"WRITE_DATA",
"APPEND_DATA",
"READ_EA",
"WRITE_EA",
"EXECUTE",
"READ_ATTRIBUTES",
"WRITE_ATTRIBUTES"
],
"name": "***"
}
],
"sha256_before": "**",
"mtime_before": "2025-03-31",
"mode": "whodata",
"path": "c:\\users\\***\\downloads\\senha.txt",
"sha1_after": "***",
"changed_attributes": [
"size",
"mtime",
"md5",
"sha1",
"sha256"
],
"audit": {
"process": {
"name": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad",
"id": "118"
},
"user": {
"name": "***",
"id": "S-1-5-2-40654"
}
},
"attrs_after": [
"ARCHIVE"
],
"uid_after": "************",
"event": "modified",
"md5_after": "d02809",
"sha1_before": "1a0db94",
"sha256_after": "0d72e"
},
"agent": {
"ip": "**.**.**.**",
"name": "***",
"id": "006"
},
"manager": {
"name": "wazuh-hmg"
},
"rule": {
"mail": true,
"level": 7,
"pci_dss": [
"11.5"
],
"hipaa": [
"164.312.c.1",
"164.312.c.2"
],
"tsc": [
"PI1.4",
"PI1.5",
"CC6.1",
"CC6.8",
"CC7.2",
"CC7.3"
],
"description": "Integrity checksum changed.",
"groups": [
"ossec",
"syscheck",
"syscheck_entry_modified",
"syscheck_file"
],
"nist_800_53": [
"SI.7"
],
"gdpr": [
"II_5.1.f"
],
"firedtimes": 3,
"mitre": {
"technique": [
"Stored Data Manipulation"
],
"id": [
"T1565.001"
],
"tactic": [
"Impact"
]
},
"id": "550",
"gpg13": [
"4.11"
]
},
"decoder": {
"name": "syscheck_integrity_changed"
},
"full_log": "File 'c:\\users\\*8*\\downloads\\senha.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '18' to '24'\nOld modification time was: '230', now it is '14351'\nOld md5sum was: '19cef8'\nNew md5sum is : 'd85a89'\nOld sha1sum was: '10614'\nNew sha1sum is : '026bb'\nOld sha256sum was: 'a64c'\nNew sha256sum is : '0d61e'\n",
"input": {
"type": "log"
},
"@timestamp": "2025-03-31T",
"location": "syscheck",
"id": "****",
"timestamp": "2025-03-31"
},
"fields": {
"syscheck.mtime_after": [
"2025-03-31"
],
"syscheck.mtime_before": [
"2025-03-31"
],
"timestamp": [
"2025-03-31"
],
"@timestamp": [
"2025-03-31T"
]