Hi all. I tried to find an explanation for this, but unfortunately I didn't find answers.
I get a lot of Wazuh alerts about rule 550 syscheck_integrity_changed, both on Windows and Linux machines.
1. On Windows, I made a test file in the startup folder a few days ago and I didn't delete it, so I got that alert today (no one from my team touched it):
'File c:/programdata/microsoft/windows/start
menu/programs/startup/test_wazuh2.txt modified Mode: realtime Changed
attributes: permission Permissions changed. '
There is nothing in that .txt file, and I didn't find any explanation about that, not in Microsoft support\forums or anywhere else.
2. Just one example on an Ubuntu machine.
I know the type of the file and I don't have any scheduled tasks in my crontab about that, how is that a scheduled task?
'File /usr/bin/cpio modified Mode: scheduled Changed attributes:
size,mtime,inode,md5,sha1,sha256 Size changed from 165504 to 140928 Old
modification time was: 1600341378 , now it is 1629888647 Old inode was:
131663 , now it is 131927 Old md5sum was:
ae7d0cc3c8f720d21ce8721281a0a4d0 New md5sum is :
edeccdb10332fab2e0be9eb87477be0b Old sha1sum was:
9dcbffa1798e9fa1de6be7ac43bcb74b71609b8e New sha1sum is :
cf2815a51a1c7452ae145d8273371b2da3f93c9d Old sha256sum was:
fa0f282e7a32050483a44655f0ba1ac739c4e6db3495afd1115381a13ec6892b New
sha256sum is :
4b7ed2951c779b4a8151044a4c74fed424d3a4e7ebe5704eb687b2e8a4d07bcb '
Is that normal activity on both Windows & Linux machines?
Thank you!