Description

Exclude the legitimate location of the LNK generated by MS Office

Logs/Alerts example

Saving office file generates Sysmon event:

File created:
UtcTime: 2024-04-20 13:06:59.153
ProcessGuid: {b7834c3a-bde1-6623-3528-000000007000}
ProcessId: 24312
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
TargetFilename: C:\Users\User\AppData\Roaming\Microsoft\Office\Recent\123.docx.LNK
CreationUtcTime: 2024-04-20 13:06:59.150
User: PC\User

Tests

• Compilation without warnings in every supported platform
  • Linux
  • Windows
  • MAC OS X
• Source installation
• Package installation
• Source upgrade
• Package upgrade
• Review logs syntax and correct language
• QA templates contemplate the added capabilities

• Memory tests for Linux
  • Scan-build report
  • Coverity
  • Valgrind (memcheck and descriptor leaks check)
  • Dr. Memory
  • AddressSanitizer
• Memory tests for Windows
  • Scan-build report
  • Coverity
  • Dr. Memory
• Memory tests for macOS
  • Scan-build report
  • Leaks
  • AddressSanitizer

• Retrocompatibility with older Wazuh versions
• Working on cluster environments
• Configuration on demand reports new parameters
• The data flow works as expected (agent-manager-api-app)
• Added unit tests (for new features)
• Stress test for affected components

• Decoder/Rule tests
  • Added unit testing files ".ini"
  • runtests.py executed without errors