Since we upgraded, we started seeing the following message after upgrading to the most recent Chrome and Wazuh server:
"Network activity using RDP port from-to loopback address, possible exploit using reverse tunneling."
We don't believe there is any malicious activity on the network (we have no indicators), but Wazuh is reacting to something Chrome is doing. We're seeing this alert on several endpoints, but again, no signs of bad acting?
Has anyone else seen this, or have an idea of what in Chrome could trigger it? We did some research, and apparently some websites port scan in the background.
Thanks!
Peace be with us!