Thanks for the answer.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:323 at rkcl_get_entry(): DEBUG: Checking entry: 'Gpcoder Trojan {PCI_DSS: 11.4}'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\System32\ntos.exe'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\Sysnative\ntos.exe'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\System32\wsnpoem'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\Sysnative\wsnpoem'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:392 at rkcl_get_entry(): DEBUG: Found file.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
WARNING:
2021/09/24 20:55:52 wazuh-agent[3764] rootcheck.c:189 at rootcheck_init(): WARNING: The check_winaudit option is deprecated in favor of the SCA module.
{
  "cluster": {
    "node": "manager",
    "name": "wazuh"
  },
  "agent": {
    "ip": "172.31.2.173",
    "name": "MS-ELC01",
    "id": "004"
  },
  "data": {
    "file": "C:\\Windows\\Sysnative\\wsnpoem",
    "title": "Windows Malware: Gpcoder Trojan"
  },
  "rule": {
    "firedtimes": 2,
    "mail": false,
    "level": 9,
    "pci_dss": [
      "11.4"
    ],
    "description": "Windows malware detected.",
    "groups": [
      "ossec",
      "rootcheck"
    ],
    "id": "513",
    "gpg13": [
      "4.2"
    ],
    "gdpr": [
      "IV_35.7.d"
    ]
  },
  "full_log": "Windows Malware: Gpcoder Trojan {PCI_DSS: 11.4}. File: C:\\Windows\\Sysnative\\wsnpoem. Reference: http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99 .",
  "id": "1632506488.27963151",
  "timestamp": "2021-09-24T18:01:28.445+0000",
  "manager": {
    "name": "wazuh-master"
  },
  "decoder": {
    "name": "rootcheck"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2021-09-24T18:01:28.445Z",
  "location": "rootcheck",
  "_id": "1c_4GHwBT_jhKGNvSg2R"
}
The following trigger is also present in the logs, but it is not present in the alerts (there is also no triggering on the file inside the folder "g2svc.exe", even in the debug):
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:323 at rkcl_get_entry(): DEBUG: Checking entry: 'Remote Access - GoToMyPC {PCI_DSS: 10.6.1}'.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Program Files\Citrix\GoToMyPC'.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:392 at rkcl_get_entry(): DEBUG: Found file.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
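Added example (my own script, not part of the post and not Wazuh code): it parses rootcheck DEBUG lines of the shape quoted above, records which rcl entries actually reached "Found file", and lists the hits for which no rootcheck alert with the same title and file path exists, which is the comparison being made for the GoToMyPC entry. The title matching rule (alert title ends with the entry name minus its {PCI_DSS: ...} tag) is an assumption derived from the Gpcoder alert above; the sample log and alert are constructed from the values in the post.

```python
import re

# Message shapes seen in the rootcheck DEBUG output quoted in the post.
ENTRY_RE = re.compile(r"DEBUG: Checking entry: '(?P<entry>[^']*)'")
FILE_RE = re.compile(r"DEBUG: Checking file: '(?P<path>[^']*)'")
FOUND_RE = re.compile(r"DEBUG: Found file\.")

def parse_rootcheck_debug(lines):
    """Map each rcl entry title to the files rootcheck reported as found."""
    hits, entry, last_file = {}, None, None
    for line in lines:
        if m := ENTRY_RE.search(line):
            entry, last_file = m.group("entry"), None
            hits.setdefault(entry, [])
        elif m := FILE_RE.search(line):
            last_file = m.group("path")          # candidate for the next "Found file."
        elif FOUND_RE.search(line) and entry and last_file:
            hits[entry].append(last_file)        # "Condition ANY." lines are ignored
    return hits

def strip_tags(title):
    """'Gpcoder Trojan {PCI_DSS: 11.4}' -> 'Gpcoder Trojan' (alert titles drop the tag)."""
    return re.sub(r"\s*\{[^}]*\}\s*$", "", title)

def unalerted_hits(hits, alerts):
    """(entry, file) pairs found by rootcheck with no matching rootcheck alert.
    Assumption: alert data.title ends with the tag-stripped entry name."""
    seen = {(a["data"]["title"], a["data"]["file"].lower())
            for a in alerts if a["decoder"]["name"] == "rootcheck"}
    return [(entry, path) for entry, files in hits.items() for path in files
            if not any(t.endswith(strip_tags(entry)) and f == path.lower()
                       for t, f in seen)]

# Constructed sample: debug lines and the one alert quoted in the post (trimmed).
SAMPLE_LOG = r"""
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:323 at rkcl_get_entry(): DEBUG: Checking entry: 'Gpcoder Trojan {PCI_DSS: 11.4}'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\System32\ntos.exe'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:505 at rkcl_get_entry(): DEBUG: Condition ANY.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Windows\Sysnative\wsnpoem'.
2021/09/24 20:58:15 rootcheck[3764] common_rcl.c:392 at rkcl_get_entry(): DEBUG: Found file.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:323 at rkcl_get_entry(): DEBUG: Checking entry: 'Remote Access - GoToMyPC {PCI_DSS: 10.6.1}'.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:390 at rkcl_get_entry(): DEBUG: Checking file: 'C:\Program Files\Citrix\GoToMyPC'.
2021/09/24 20:58:16 rootcheck[3764] common_rcl.c:392 at rkcl_get_entry(): DEBUG: Found file.
""".strip().splitlines()
SAMPLE_ALERTS = [{"decoder": {"name": "rootcheck"},
                  "data": {"file": "C:\\Windows\\Sysnative\\wsnpoem",
                           "title": "Windows Malware: Gpcoder Trojan"}}]

if __name__ == "__main__":
    for entry, path in unalerted_hits(parse_rootcheck_debug(SAMPLE_LOG), SAMPLE_ALERTS):
        print(f"found by rootcheck but no alert: {entry} -> {path}")
```

Feed it the agent's rootcheck debug output and the alerts.json entries for the same agent to get the list of entries that matched on disk without producing an alert.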