Using File Integrity Monitoring to Catch Imposter EXE/DLL Replacements and Tampering – Without the Noise

Webinar Registration

Getting arbitrary code to run on a target system is a crucial part of any attack. A time-proven method used on any operating system is to replace trusted executables with imposters – usually ones that still perform the replaced program’s functionality, but with additional nefarious logic added. They do this by either completely replacing the file in situ, or adding an eponymous file in a folder that appears earlier in the system’s PATH environment variable, so that the impostor is found first and is loaded instead of the legitimate file. Other times, the file isn’t replaced but is just patched.

How do you catch changes like this? If you try using Windows native file auditing, here’s what it looks like (I’ll go into more detail in the webinar):

  1. Enable file auditing at the system level
  2. Enable auditing of file creation and changes on:
    1. Operating system folders
    2. Application folders
    3. Other folders in the PATH variable
  3. Monitor event IDs in the 4600 range but mostly 4663

But, there are some real gotchas with native file auditing that you need to be aware of… you need to understand how Windows audits file creation, file changes, file moves and file renames, because bad guys can use all of these methods to get their malicious code where they want it.

Two of the biggest issues to deal with are:

  1. How to filter out false positives from the constant updates of Windows Update, .NET native compilation and other trusted updaters like Windows Defender?
  2. How to filter out false positives of updates and creations of non-executables? (You have to be careful on this one so you don’t allow bad guys to take advantage of your filtering by initially creating the file with a non-executable file extension.)

I’ll take you through all of these details so that you understand what’s possible and the best way to go about things. However, often times File Integrity Monitoring (FIM) technology is more effective, and Jamie Hynds from our sponsor, SolarWinds, will show you SolarWinds® Log & Event Manager’s FIM technology, and how it goes beyond native file auditing for both executable tampering, as well as change auditing of documents and more.

Please join us for this real training for free event.

First Name:   
Last Name:   
Work Email:  
Zip/Postal Code:  

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources