Record of compromise attempt using Wazuh Agent


Victor

Sep 1, 2025, 4:32:45 PM (6 days ago) Sep 1
to wa...@googlegroups.com
Sharing with you all a compromise attempt that would have succeeded if I hadn't blacklisted LoLBins using WDAC. The events below show that the adversary has exploited the Wazuh Agent to run net.exe and reg.exe, both of which are blacklisted using WDAC.
--------------------------------------------------------------------

_index: wazuh-alerts-4.x-2025.08.31
agent.id: 004
agent.ip: 192.168.4.123
agent.name: Meow
data.win.eventdata.fileNameBuffer: \\Device\\HarddiskVolume3\\Windows\\SysWOW64\\net.exe
data.win.eventdata.fileNameLength: 48
data.win.eventdata.processNameBuffer: \\Device\\HarddiskVolume3\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
data.win.eventdata.processNameLength: 71
data.win.eventdata.requestedPolicy: 2
data.win.eventdata.status: 3236495362
data.win.eventdata.validatedPolicy: 1
data.win.system.channel: Microsoft-Windows-CodeIntegrity/Operational
data.win.system.computer: Meow
data.win.system.eventID: 3033
data.win.system.eventRecordID: 76919
data.win.system.keywords: 0x8000000000000000
data.win.system.level: 2
data.win.system.message: "Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\ossec-agent\wazuh-agent.exe) attempted to load \Device\HarddiskVolume3\Windows\SysWOW64\net.exe that did not meet the Enterprise signing level requirements."
data.win.system.opcode: 111
data.win.system.processID: 3644
data.win.system.providerGuid: {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}
data.win.system.providerName: Microsoft-Windows-CodeIntegrity
data.win.system.severityValue: ERROR
data.win.system.systemTime: 2025-08-31T04:21:14.0488500Z
data.win.system.task: 1
data.win.system.threadID: 5060
data.win.system.version: 0
decoder.name: windows_eventchannel
id: 1756618297.817272
input.type: log
location: EventChannel
manager.name: fedora
rule.description: Windows error event.
rule.firedtimes: 56
rule.gdpr: IV_35.7.d
rule.gpg13: 4.3
rule.groups: windows, system_error
rule.id: 60011
rule.level: 5
rule.mail: false
timestamp: Aug 31, 2025 @ 01:31:37.064

-----------------------------------------------

_index: wazuh-alerts-4.x-2025.09.01
agent.id: 004
agent.ip: 192.168.4.123
agent.name: Meow
data.win.eventdata.fileNameBuffer: \\Device\\HarddiskVolume3\\Windows\\SysWOW64\\reg.exe
data.win.eventdata.fileNameLength: 48
data.win.eventdata.processNameBuffer: \\Device\\HarddiskVolume3\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
data.win.eventdata.processNameLength: 71
data.win.eventdata.requestedPolicy: 2
data.win.eventdata.status: 3236495362
data.win.eventdata.validatedPolicy: 1
data.win.system.channel: Microsoft-Windows-CodeIntegrity/Operational
data.win.system.computer: Meow
data.win.system.eventID: 3033
data.win.system.eventRecordID: 77436
data.win.system.keywords: 0x8000000000000000
data.win.system.level: 2
data.win.system.message: "Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\ossec-agent\wazuh-agent.exe) attempted to load \Device\HarddiskVolume3\Windows\SysWOW64\reg.exe that did not meet the Enterprise signing level requirements."
data.win.system.opcode: 111
data.win.system.processID: 3708
data.win.system.providerGuid: {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}
data.win.system.providerName: Microsoft-Windows-CodeIntegrity
data.win.system.severityValue: ERROR
data.win.system.systemTime: 2025-09-01T04:16:12.8311867Z
data.win.system.task: 1
data.win.system.threadID: 5088
data.win.system.version: 0
decoder.name: windows_eventchannel
id: 1756700228.1022889
input.type: log
location: EventChannel
manager.name: fedora
rule.description: Windows error event.
rule.firedtimes: 63
rule.gdpr: IV_35.7.d
rule.gpg13: 4.3
rule.groups: windows, system_error
rule.id: 60011
rule.level: 5
rule.mail: false
timestamp: Sep 1, 2025 @ 00:17:08.648


-----------------------------------------------------
_index: wazuh-alerts-4.x-2025.09.01
agent.id: 004
agent.ip: 192.168.4.123
agent.name: Meow
data.win.eventdata.file Name: \\Device\\HarddiskVolume3\\Windows\\SysWOW64\\reg.exe
data.win.eventdata.fileDescription: Registry Console Tool
data.win.eventdata.fileDescriptionLength: 21
data.win.eventdata.fileNameLength: 48
data.win.eventdata.fileVersion: 10.0.26100.4484
data.win.eventdata.internalName: reg.exe
data.win.eventdata.internalNameLength: 7
data.win.eventdata.originalFileName: reg.exe
data.win.eventdata.originalFileNameLength: 7
data.win.eventdata.packageFamilyNameLength: 0
data.win.eventdata.policyGUID: {0198212e-2842-7dc8-8484-b834c0142292}
data.win.eventdata.policyHash: 05CDD911F6C627EAECBB89F6C733848E879F05E16943C2A64A8E5347C6897439
data.win.eventdata.policyHashSize: 32
data.win.eventdata.policyID: 129661
data.win.eventdata.policyIDLength: 6
data.win.eventdata.policyName: Deny_mmc_regedit_reg_regedt32
data.win.eventdata.policyNameLength: 29
data.win.eventdata.process Name: \\Device\\HarddiskVolume3\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
data.win.eventdata.processNameLength: 71
data.win.eventdata.productName: Microsoft® Windows® Operating System
data.win.eventdata.productNameLength: 36
data.win.eventdata.requested Signing Level: 2
data.win.eventdata.sHA1 Flat Hash: 4D7F2F43022BB075B1CF339437B1280846786B5E
data.win.eventdata.sHA1 Flat Hash Size: 20
data.win.eventdata.sHA1 Hash: A2F4A44406B328A63DF9EE5C5DE154DC4567D6F8
data.win.eventdata.sHA1 Hash Size: 20
data.win.eventdata.sHA256 Flat Hash: 66C40433EA7D3AA175748AB795B0FA96CA10333D0092A1B6DF6CE44064CD79C6
data.win.eventdata.sHA256 Flat Hash Size: 32
data.win.eventdata.sHA256 Hash: EA6D80ECD3BF738741617D9A8CDE781E4FACE58F503B6C82C08E1651A0A01088
data.win.eventdata.sHA256 Hash Size: 32
data.win.eventdata.sI Signing Scenario: 1
data.win.eventdata.status: 0xc0e90002
data.win.eventdata.uSN: 777578304
data.win.eventdata.userWriteable: true
data.win.eventdata.validated Signing Level: 1
data.win.system.channel: Microsoft-Windows-CodeIntegrity/Operational
data.win.system.computer: Meow
data.win.system.eventID: 3077
data.win.system.eventRecordID: 77433
data.win.system.keywords: 0x8000000000000000
data.win.system.level: 2
data.win.system.message: "Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\ossec-agent\wazuh-agent.exe) attempted to load \Device\HarddiskVolume3\Windows\SysWOW64\reg.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{0198212e-2842-7dc8-8484-b834c0142292})."
data.win.system.opcode: 111
data.win.system.processID: 3708
data.win.system.providerGuid: {4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}
data.win.system.providerName: Microsoft-Windows-CodeIntegrity
data.win.system.severityValue: ERROR
data.win.system.systemTime: 2025-09-01T04:16:12.8218168Z
data.win.system.task: 18
data.win.system.threadID: 5088
data.win.system.version: 5
decoder.name: windows_eventchannel
id: 1756700228.1012259
input.type: log
location: EventChannel
manager.name: fedora
rule.description: Windows error event.
rule.firedtimes: 62
rule.gdpr: IV_35.7.d
rule.gpg13: 4.3
rule.groups: windows, system_error
rule.id: 60011
rule.level: 5
rule.mail: false
timestamp: Sep 1, 2025 @ 00:17:08.552

Victor

Sep 1, 2025, 4:53:07 PM (6 days ago) Sep 1
to wa...@googlegroups.com
The machine is an idle unused machine. 

Jorge Eduardo Silva Jackson

Sep 2, 2025, 1:15:49 AM (5 days ago) Sep 2
to Wazuh | Mailing List
Hi Victor,

Thanks for reporting this case — it can be very useful for the community to understand how these attempts work and how to protect against them.

This is not a vulnerability of the Wazuh Agent itself, but it’s important to configure rules so that such attempts are detected and reported with a critical alert level.
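As an added example (not Victor's or Jorge's configuration, and not part of the original thread), the local rules below show one way to do what Jorge suggests: re-score CodeIntegrity events so that a WDAC enforcement block (Event ID 3077) or a signing-level failure (Event ID 3033) becomes a high-severity alert instead of the generic level 5 "Windows error event" (rule 60011) that the three alerts above fired. The parent rule ID 60011, the channel name, the event IDs and the wazuh-agent.exe launcher come from the alerts in this thread; rule IDs 100900-100903, the alert levels and the group names are assumptions chosen from the 100000-120000 range Wazuh reserves for custom rules. The file belongs in /var/ossec/etc/rules/local_rules.xml on the manager, followed by a manager restart.

```xml
<group name="windows,wdac,code_integrity,">

  <!-- Parent: any Windows eventchannel error (rule 60011) whose channel is the
       CodeIntegrity operational log. Level 0, so it never alerts on its own. -->
  <rule id="100900" level="0">
    <if_sid>60011</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-CodeIntegrity/Operational$</field>
    <description>Windows Code Integrity (WDAC) error event.</description>
  </rule>

  <!-- Event 3077: an enforced WDAC policy blocked the load. The binary did not run,
       but something on the host tried to launch it, so treat it as critical. -->
  <rule id="100901" level="12">
    <if_sid>100900</if_sid>
    <field name="win.system.eventID">^3077$</field>
    <description>WDAC policy $(win.eventdata.policyName) blocked an executable on $(win.system.computer) (PID $(win.system.processID)).</description>
    <group>wdac_block,</group>
  </rule>

  <!-- Event 3033: the file did not meet the required signing level. The field names
       fileNameBuffer/processNameBuffer are the ones this event carries (see the alerts). -->
  <rule id="100902" level="10">
    <if_sid>100900</if_sid>
    <field name="win.system.eventID">^3033$</field>
    <description>Code Integrity refused to load $(win.eventdata.fileNameBuffer) for $(win.eventdata.processNameBuffer): signing level requirement not met.</description>
    <group>wdac_signing_level,</group>
  </rule>

  <!-- Either event where the launching process is the Wazuh agent itself, as in this
       thread. Matching on the message text covers both event IDs, whose process-path
       field names differ (processNameBuffer vs "process Name"). Highest level among the
       siblings, so Wazuh tries it first and it wins when both would match. -->
  <rule id="100903" level="13">
    <if_sid>100900</if_sid>
    <field name="win.system.eventID" type="pcre2">^30(33|77)$</field>
    <field name="win.system.message">wazuh-agent.exe</field>
    <description>WDAC blocked an executable launched by wazuh-agent.exe on $(win.system.computer); review agent configuration and manager-side command execution.</description>
    <group>wdac_block,agent_launcher,</group>
  </rule>

</group>
```

The `<field>` patterns use Wazuh's default OS_Regex syntax except the event-ID alternation, which needs `type="pcre2"`; the `$(...)` placeholders pull decoded fields into the alert text so the blocked path and policy name are visible without opening the raw event. Levels 12 and above also satisfy the default `<email_alert_level>`, which is the "critical alert" behaviour Jorge describes.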