What to watch with your FIM?

A few days ago, one of our readers posted a message in the general discussion forum about FIM (“File Integrity Management”) and, more precisely, which files/directories to monitor. Just a brief introduction for those who are not aware of File Integrity Monitoring: It's a security control that helps to validate the integrity of files present on a file system using a baseline of this system. The comparison with the baseline relies on file hashes but not only. Other file attributes can be monitored: the owner, access rights or the last modification time are good examples.

This control is implemented via processes and enforced with tools. Like most of information security tools, it's just… a dumb tool! The challenge is to configure it in the right way to increase your chances to detect a malicious activity. Available tools are delivered with baselines for standard environments but must be fine tuned to match your own requirements. I think that it’s a good idea to share and discuss some ideas on this topic: What do you monitor with your FIM?

Basically, they are two types of data that you can watch:

“System” files - They will help you to detect if a server is compromised, if its configuration has been changed or if users are performing dangerous activities (like copying files or installing applications).
“Data” files - Those are the files used by your “business".

In the second case, it’s impossible to build a list of interesting files. They depend on your business. Here are some examples where a FIM might be helpful:

Logging changes on source repository (to track the developers tasks)
Logging changes on sensitive department shares (HR, accounting, …)
Logging changes on public resources (like web servers, FTP servers)

The implementation of a FIM has also side effects. A classic issue is patching systems. By replacing system files, patches can generate a huge amount of false positives. From a system perspective, here is a non-exhaustive list of files/directories to monitoring on UNIX/Windows systems:

For UNIX systems:

/etc

/boot

/bin

/sbin

/usr/bin

/usr/sbin

/usr/local/etc

/usr/local/bin

/usr/local/sbin

/usr/local/etc

/opt

/var/opt

/lib

/usr/lib

/var/lib

/usr/local/lib

/lib64

Specific files can be monitored:

Executables in /tmp ,/usr/local/tmp, /var/tmp
Plain files in /dev

Others must be ignored (changing too often):

/etc/mtab

/etc/hosts.deny

/etc/mail/statistics

/etc/random-seed

/etc/adjtime

For Windows systems:

%WINDIR%/win.ini

%WINDIR%/system.ini

C:\autoexec.ba

C:\boot.ini

%WINDIR%/System32

%WINDIR%/regedit.exe

C:\Documents and Settings/All Users/Start Menu/Programs/Startup

C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup

On Windows, the registry contains many useful locations that can also be monitored by most FIM:

HKEY_LOCAL_MACHINE\Software\Classes\cmdfile

HKEY_LOCAL_MACHINE\Software\Classes\comfile

HKEY_LOCAL_MACHINE\Software\Classes\exefile

HKEY_LOCAL_MACHINE\Software\Classes\piffile

HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects

HKEY_LOCAL_MACHINE\Software\Classes\Directory

HKEY_LOCAL_MACHINE\Software\Classes\Folder

HKEY_LOCAL_MACHINE\Software\Classes\Protocols

HKEY_LOCAL_MACHINE\Software\Policies

HKEY_LOCAL_MACHINE\Security

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\Security\Policy\Secrets

HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$

The following one can be ignored (changing too often):

C:\WINDOWS/System32/LogFiles

C:\WINDOWS/Debug

C:\WINDOWS/WindowsUpdate.log

C:\WINDOWS/iis6.log

C:\WINDOWS/system32/wbem/Logs

C:\WINDOWS/system32/wbem/Repository

C:\WINDOWS/Prefetch

C:\WINDOWS/PCHEALTH/HELPCTR/DataColl

C:\WINDOWS/SoftwareDistribution

C:\WINDOWS/Temp

C:\WINDOWS/system32/config

C:\WINDOWS/system32/spool

C:\WINDOWS/system32/CatRoot

And you? What are you monitoring? Please share your configurations and tips!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Paris March 2021

Xme

579 Posts
ISC Handler

Mar 31st 2016

I think monitoring the list of trusted root certificates beneath <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates> would be valuable for detecting the import of potentially malicious root certificates that could be used to intercept encrypted traffic. Microsoft provides an overview of these Registry keys here: https://technet.microsoft.com/en-us/library/cc783813(v=ws.10).aspx#w2k3tr_cacrt_tools_tsno

Anonymous

I get a ton of alerts for files under C:\Windows\winsxs\ and C:\Windows\servicing\ and I generally have to ignore them because there are so many. When I came here, they said that the exclusions don't work. I can't wait to get a different product!

Anonymous

Had a semi-long comment that looks to have gone poof, so here is my short and to the point FIM Tips based on my experience.

For FIM, before anything else, you need to determine if your chosen FIM solution can integrate with your change management solution for the purpose of reconciling detected changes against whether of not there is a valid change ticket for the server, time window and rule being examined.

If it doesn't have this, and if you don't make having this a priority from day one during your design and implementation plan, unless you are a very small shop, you will get buried under changes, and that malicious action you are hoping to detect will be forever lost in a sea of valid normal changes.

Trust me, I've seen it from both sides, and you want integration with your change management solution from day one.

Best of luck!

StephenLange

1 Posts

Starting in 2008R2, the public user startup folder was moved to:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

So I added that to my include list.

StephenLange
2 Posts