Ultimately everything is a file regardless of your platform or operating system. So, it naturally follows that monitoring file system changes is crucial to multiple defense scenarios and security requirements. In terms of compliance, PCI-DSS (which I find the most prescriptive in terms of specific security techniques) specifically calls out file integrity monitoring but all the frameworks call for detecting unauthorized changes and no one disputes FIM is an integral part of that.
Don’t think of FIM as just a tool for catching configuration drift or trojan file replacement. As important as those are, monitoring file system changes is just as valuable for watching things that are particular to your environment and business.
Here are 2 examples from our own operations. We have file auditing set up on the static file folders of our website and are instantly notified whenever files are added, deleted or modified. In our case we chose to get the notification whether it was a planned change or not, because the innocuous notifications provide positive confirmation that our monitoring and notification pipeline is working end-to-end. Another side of our company maintains a commercial software product. Monitoring changes to the source code repo and other key folders on the build server is part of a comprehensive defense-in-depth strategy to prevent us from becoming the medium for a supply-chain compromise against our customers. So look for locations and systems specific to your environment where high-value files are subject to well-defined modification patterns – these are great candidates for FIM above and beyond the generic OS locations.
In Windows, file auditing is covered by the aptly named “File System” category. In this real training for free webinar, I’ll explain the 2-level file system audit policy in Windows, where it’s necessary to turn auditing on at the system level and then on specific folders. I’ll show you how folder audit policy is based on specifying which permissions to audit. We’ll look at some of the more complex issues in Windows file auditing, such as detecting file creations, duplicate events, and the limits of file auditing in terms of detecting what changed about a given file. In particular we will cover Event IDs:
- 4656 - A handle to an object was requested
- 4658 - The handle to an object was closed
- 4659 - A handle to an object was requested with intent to delete
- 4660 - An object was deleted
- 4663 - An attempt was made to access an object
- 4670 - Permissions on an object were changed
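The two-level setup described above, as an added example that is not part of the webinar: the system-level subcategory is switched on with auditpol, a SACL entry naming only the permissions worth auditing is placed on the folder, and a reader function collapses the duplicate 4663 events a single edit produces and recovers the file name for 4660 deletions, which carry none. The elevated session and the folder path are assumptions.

```powershell
# Added example (not from the webinar): the two-level file audit setup in PowerShell.
# Assumes an elevated session; the folder path is a constructed stand-in for your
# own high-value location.
$Folder = 'C:\inetpub\wwwroot\static'

# Level 1: the system-wide "File System" subcategory must be on or no SACL matters.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Level 2: an audit ACE (SACL entry) on the folder. Only the rights listed here
# produce events, which keeps ordinary reads out of the Security log.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Read back the events. Two quirks handled here: one edit emits several 4663 events
# for the same handle, and 4660 (object deleted) names no file, so the name is
# recovered from the 4663 event that reported the same HandleId.
function Get-FolderChangeEvents {
    param([string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = $_.Id; Handle = $data.HandleId
            User = $data.SubjectUserName; Process = $data.ProcessName
            Object = $data.ObjectName; Access = $data.AccessMask
        }
    }
    $nameByHandle = @{}
    foreach ($e in $events) {
        if ($e.Id -eq 4663 -and $e.Object -like "$Path*") { $nameByHandle[$e.Handle] = $e.Object }
    }
    foreach ($e in $events) {
        if ($e.Id -eq 4660 -and $nameByHandle.ContainsKey($e.Handle)) { $e.Object = $nameByHandle[$e.Handle] }
    }
    # Collapse repeats of the same (event, handle, object, access, process), then order by time.
    $events | Where-Object { $_.Object -like "$Path*" } |
        Sort-Object Id, Handle, Object, Access, Process -Unique | Sort-Object Time
}

Get-FolderChangeEvents -Path $Folder | Format-Table -AutoSize
```

Handle IDs are reused once a handle closes, so the 4660-to-4663 correlation is only reliable within a short window; narrow the Hours parameter when reconstructing a specific deletion.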
In Windows though, you also need to audit the registry because so much of the operating system security and application configuration is stored there. Ultimately the registry is just a few monolithic “hive” files, but file auditing isn’t effective for the registry since each hive file holds thousands of settings. Thankfully there’s another audit category, “Registry”, which allows us to monitor registry keys and the values within them – even including the before and after data value. Registry auditing uses the same events as above, with the addition of 4657, which explicitly reports registry value changes. I’ll demonstrate how Registry auditing works in this session as well.
Windows auditing is a powerful tool that I rely on in our security efforts, but I have to acknowledge that along with that raw power comes some challenges. My sponsor for this real training for free session is Netwrix and Dirk Schrader, VP of Security Research at Netwrix, will briefly show you how Netwrix Change Tracker solves those challenges and brings true integrity monitoring discipline to Windows environments. Netwrix Change Tracker continuously records all changes to files, folders, and registry keys — planned or unplanned — and correlates each change with its originating user, process, and configuration state. It eliminates the noise and ambiguity of raw event logs by providing clear, authoritative change intelligence: what changed, when, by whom, whether it was authorized, and whether it introduced risk.
Change Tracker also baselines system and application configurations, highlights drift from your approved golden state and automatically reconciles planned changes so your teams can focus on real unauthorized activity instead of combing through duplicate or low-value audit events. Its ability to track and validate change trails across Windows servers, workstations, and hybrid infrastructure makes it an ideal complement to native file and registry auditing — giving you full PCI-aligned file integrity monitoring, simplified compliance reporting, and immediate insight into any unexpected modifications across your environment.
Every bad guy wants to gain execution persistence (MITRE ATT&CK TA0003) and Windows offers an embarrassing plethora of places to do just that in the Registry (MITRE ATT&CK T1547.001). To combat this the first step is to simply know all those places that have accreted over the decades by various teams at Microsoft. In this week’s real training for free session, I’ll show you a Sysinternals tool and other community efforts to fill that initial need.
But then you need to detect (MITRE ATT&CK DET0365) when any of those locations is changed and determine whether the change is legitimate or malicious. Periodically scanning all the different registry autorun locations is not the way to go, because by the time a scan finds the change the proverbial horse is already out of the barn.
The good news is that Windows has built-in support for auditing registry changes and reporting them to the Security log. Of course you don’t want to audit every change to every key in the registry, so I will show you how to enable that auditing over specific autorun keys using group policy or Intune. Then we’ll perform some changes and look at the events provided by the security log.
Then I’ll compare and contrast those native Windows audit events to the registry monitoring capabilities of Sysinternals Sysmon, a free tool from Microsoft. Sysmon does provide a lot of functionality you don’t get with native auditing. I wish Microsoft would actually build that into Windows auditing itself instead of forcing us to install and maintain an extra tool that increases care and feeding costs. So it’s important to count the costs before committing to Sysmon, and this compare/contrast portion of the webinar will help you do that.
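Covering both the “Registry” audit category described earlier and the autorun keys in this session, here is an added example (not from the webinar) that sets the SACLs directly from PowerShell rather than through group policy or Intune, and then reads back the 4657 events with their before and after values. The elevated session and the three-key starting list are assumptions; the session itself covers a much longer inventory of autorun locations.

```powershell
# Added example (not from the webinar): direct SACL setup on a few autorun keys and a
# reader for the resulting 4657 events. Assumes an elevated session; the key list is a
# constructed starting set, not the full inventory covered in the session.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Level 1: the "Registry" subcategory, the registry counterpart of "File System".
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Level 2: audit ACEs on each key. Registry keys take ContainerInherit only; the
# rights chosen are the ones a persistence change needs, so plain reads stay silent.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
foreach ($key in $AutorunKeys) {
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# 4657 is the registry-only event: it names the value and carries both the old and
# the new data. ObjectName arrives in kernel form (\REGISTRY\MACHINE\... or
# \REGISTRY\USER\<SID>\...), so the filter matches on the tail of the key path.
function Get-AutorunValueChanges {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; User = $data.SubjectUserName; Process = $data.ProcessName
            Key = $data.ObjectName; ValueName = $data.ObjectValueName; Operation = $data.OperationType
            OldValue = $data.OldValue; NewValue = $data.NewValue
        }
    } | Where-Object { $_.Key -match '\\CurrentVersion\\Run(Once)?$' }
}

Get-AutorunValueChanges | Format-List
```

For the Sysmon side of the comparison, Sysmon's registry value-set event (Event ID 13) reports the new data in its Details field but not the previous value, which is the gap that 4657's OldValue closes.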
This will be a technical deep dive into the heart of Windows security – don’t miss it.