Using File Integrity Monitoring to Catch Imposter EXE/DLL Replacements and Tampering – Without the Noise

Webinar Registration

Getting arbitrary code to run on a target system is a crucial part of any attack. A time-proven method used on any operating system is to replace trusted executables with imposters – usually ones that still perform the replaced program’s functionality, but with additional nefarious logic added. They do this by either completely replacing the file in situ, or adding an eponymous file in a folder that appears earlier in the system’s PATH environment variable, so that the impostor is found first and is loaded instead of the legitimate file. Other times, the file isn’t replaced but is just patched.

How do you catch changes like this? If you try using Windows native file auditing, here’s what it looks like (I’ll go into more detail in the webinar):

Enable file auditing at the system level
Enable auditing of file creation and changes on:
1. Operating system folders
2. Application folders
3. Other folders in the PATH variable
Monitor event IDs in the 4600 range but mostly 4663

But, there are some real gotchas with native file auditing that you need to be aware of… you need to understand how Windows audits file creation, file changes, file moves and file renames, because bad guys can use all of these methods to get their malicious code where they want it.

Two of the biggest issues to deal with are:

How to filter out false positives from the constant updates of Windows Update, .NET native compilation and other trusted updaters like Windows Defender?
How to filter out false positives of updates and creations of non-executables? (You have to be careful on this one so you don’t allow bad guys to take advantage of your filtering by initially creating the file with a non-executable file extension.)

I’ll take you through all of these details so that you understand what’s possible and the best way to go about things. However, often times File Integrity Monitoring (FIM) technology is more effective, and Jamie Hynds from our sponsor, SolarWinds, will show you SolarWinds® Log & Event Manager’s FIM technology, and how it goes beyond native file auditing for both executable tampering, as well as change auditing of documents and more.

Please join us for this real training for free event.

Required

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Organization:	Required
Country:	Required
Zip/Postal Code:	Required
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.