Detecting New Programs and Modifications to Executable Files with Windows File Access Auditing and File Integrity Monitoring


Every big data breach I've studied over the past several years required attackers, at least midway into the attack, to install executables on the victim organization's computers. Detecting and preventing that is a major way to prevent data breaches. There are a variety of advanced technologies to help you do that, such as application whitelisting on the endpoint and network.

But you can also use native Windows functionality already available throughout your network. In this technical real training for free ™ event I will show you how to use Windows File System Auditing and the Security Log to detect the creation of new executable files, DLLs and scripts as well as modifications to existing programs.

First I'll explain which audit policies need to be enabled to start catching software file modification and creation. Then I'll show you the events Windows records to the Security Log and how to interpret them. We'll spend time on understanding the biggest challenge in this area, which is dealing with all the unwanted events that File System Auditing logs. I'll show you different options for filtering this noise out before it hits your SIEM or log management solution.

Windows file system auditing allows you to track the creation and modification of software files. Windows Process Tracking, by contrast, allows you to track the actual execution of EXEs, but not of other programs like DLLs and scripts. Nevertheless, Process Tracking has an important role in this story, which I will cover.

Technical areas we will dive into include:

  • File System auditing
  • Process Tracking
  • Specific Event IDs logged and how to interpret
  • Noise filtering
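As an added example (not code from the webinar or from SolarWinds), the following PowerShell script walks the four topics above end to end: it enables the File System and Process Creation audit subcategories, places a Write/Delete SACL on a monitored directory, then reads the resulting Security Log events (4663 for file access, 4688 for process creation) and keeps only writes to executable file types that do not come from an allowlisted writer. The monitored directory, the allowlist of known-good processes and the 24-hour window are assumptions to tune for your environment; run it from an elevated prompt.

```powershell
# Added example, not the webinar's own material. Assumes an elevated session.

# 1. Audit policy: object access for the file system, plus process tracking.
auditpol /set /subcategory:"File System" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. SACL so that writes, creates and deletes under the directory produce event 4663.
$WatchDir = 'C:\Program Files'   # assumed monitored directory; repeat for others as needed
$acl  = Get-Acl -Path $WatchDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchDir -AclObject $acl

# 3. Noise filtering parameters (all assumptions; tune to your environment).
$ExecExt    = '\.(exe|dll|sys|ps1|vbs|js|bat|cmd|scr)$'        # file types we care about
$NoiseProcs = @('C:\Windows\servicing\TrustedInstaller.exe')   # assumed allowlist of known-good writers
$WriteMasks = 0x2, 0x4, 0x10000                                # WriteData/AddFile, AppendData, DELETE

# Turn an event's EventData into a name -> value hashtable.
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 4663: keep only write-type access to executable file types from non-allowlisted processes.
function Get-ExecutableWriteEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d    = ConvertTo-EventData $_
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)        # AccessMask is logged as a hex string
        $isWrite = ($WriteMasks | Where-Object { $mask -band $_ }).Count -gt 0
        if ($isWrite -and $d['ObjectName'] -match $ExecExt -and $NoiseProcs -notcontains $d['ProcessName']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Writer  = $d['ProcessName']
                File    = $d['ObjectName']
                Mask    = ('0x{0:X}' -f $mask)
            }
        }
    }
}

# 4688: process creation (Process Tracking). ParentProcessName is only present on newer Windows versions.
function Get-ProcessCreationEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $d['NewProcessName']
            Parent  = $d['ParentProcessName']
            User    = $d['SubjectUserName']
        }
    }
}

# Correlate: an executable that was written and then launched is the case worth escalating first.
$writes = Get-ExecutableWriteEvents
$execs  = Get-ProcessCreationEvents
$writes | ForEach-Object {
    $w   = $_
    $run = $execs | Where-Object { $_.Process -eq $w.File -and $_.Time -gt $w.Time } | Select-Object -First 1
    $w | Add-Member -NotePropertyName LaunchedAt -NotePropertyValue ($run.Time) -PassThru
} | Sort-Object Time | Format-Table -AutoSize
```

The SACL is the part that generates the volume the page warns about: auditing Write/Delete for Everyone on a directory tree will log every installer, updater and temp-file write, which is why the script filters by file extension, access mask and a writer allowlist before the events reach a SIEM. Moving that filtering into the collector or SIEM, rather than reading the log after the fact, is the approach the session describes.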

But beyond Windows native auditing we will also take the conversation into File Integrity Monitoring. Third-party FIM is an important alternative to consider because its purpose-built technology can provide a more targeted and efficient solution to catching software modification than native file auditing. The good news is that our sponsor, SolarWinds Log and Event Manager (LEM), empowers you to leverage all three technologies discussed in my training session. LEM is first and foremost an easy-to-use SIEM that can efficiently collect and alert on the File System Auditing and Process Tracking events discussed above. But LEM's agent also comes with built-in FIM technology that allows you to do powerful monitoring not possible with native auditing.

Don't miss this real training for free ™, technical, Security Log Secrets event! Please register now.

 - Featuring LEM's FIM vs. Windows native auditing

Click here to download a Free Trial of SolarWinds LEM.