SANS ISC: InfoSec Handlers Diary Blog - What to watch with your FIM?
What to watch with your FIM?

Published: 2016-03-30
Last Updated: 2016-03-31 07:34:39 UTC
by Xavier Mertens (Version: 1)

A few days ago, one of our readers posted a message in the general discussion forum about FIM (“File Integrity Management”) and, more precisely, which files/directories to monitor. Just a brief introduction for those who are not aware of File Integrity Monitoring: it's a security control that validates the integrity of the files present on a file system against a baseline of that system. The comparison with the baseline relies mainly on file hashes, but not only on them: other file attributes can be monitored too, such as the owner, the access rights or the last modification time.
 
This control is implemented via processes and enforced with tools. Like most information security tools, it's just… a dumb tool! The challenge is to configure it in the right way to increase your chances of detecting malicious activity. Available tools are delivered with baselines for standard environments but must be fine-tuned to match your own requirements. I think it's a good idea to share and discuss some ideas on this topic: what do you monitor with your FIM?
 
Basically, there are two types of data that you can watch:
  • “System” files - They will help you detect whether a server is compromised, whether its configuration has been changed or whether users are performing dangerous activities (like copying files or installing applications).
  • “Data” files - Those are the files used by your “business”.
In the second case, it’s impossible to build a list of interesting files. They depend on your business. Here are some examples where a FIM might be helpful:
  • Logging changes on source repositories (to track the developers' tasks)
  • Logging changes on sensitive department shares (HR, accounting, …)
  • Logging changes on public resources (like web servers, FTP servers)
Implementing a FIM also has side effects. A classic issue is patching: by replacing system files, patches can generate a huge amount of false positives. From a system perspective, here is a non-exhaustive list of files/directories to monitor on UNIX/Windows systems:
 
For UNIX systems:
 
/etc
/boot
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/etc
/usr/local/bin
/usr/local/sbin
/opt
/var/opt
/lib
/usr/lib
/var/lib
/usr/local/lib
/lib64

Specific files can be monitored:

  • Executables in /tmp, /usr/local/tmp, /var/tmp
  • Plain files in /dev
Others must be ignored (changing too often):
 
/etc/mtab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
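To make the UNIX guidance above concrete, here is a minimal baseline-and-compare FIM written for this diary as an added example (it is not the diary's own tool nor any product's code). It records the attributes the diary names (hash, owner, access rights, mtime), applies an ignore list taken from the diary's "changing too often" files, and flags executables in the temporary directories the diary singles out; the monitored roots and ignore entries are placeholders you would replace with your own.

```python
"""Minimal file-integrity baseline and comparison (added example, not the diary's own tool)."""
import hashlib
import os
import stat

# Files the diary lists as changing too often: exclude them from the baseline.
IGNORE = {"/etc/mtab", "/etc/hosts.deny", "/etc/random-seed", "/etc/adjtime"}
# Temporary directories where the diary says executables deserve attention.
TMP_DIRS = ("/tmp", "/usr/local/tmp", "/var/tmp")
TMP_PREFIXES = tuple(d + "/" for d in TMP_DIRS)   # "/tmp/" so "/tmpfoo" does not match

def file_record(path):
    """Attributes compared against the baseline: SHA-256, owner, group, mode and mtime."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}

def build_baseline(roots, ignore=IGNORE):
    """Walk the monitored roots (e.g. /etc, /bin) and record every regular file not ignored."""
    baseline = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if path in ignore or os.path.islink(path) or not os.path.isfile(path):
                    continue
                baseline[path] = file_record(path)
    return baseline

def compare(baseline, current):
    """Return (path, event) pairs: 'added', 'removed', or 'changed:<attributes>'."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append((path, "added"))
        elif path not in current:
            events.append((path, "removed"))
        else:
            diff = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
            if diff:
                events.append((path, "changed:" + ",".join(diff)))
    return events

def suspicious_tmp_executables(records):
    """Diary rule: any file with an execute bit under a temp directory is worth an alert."""
    return sorted(p for p, r in records.items()
                  if p.startswith(TMP_PREFIXES) and r["mode"] & 0o111)
```

Run `build_baseline(["/etc", "/bin"])` once, store the result, and later pass a fresh baseline as `current` to `compare()`; a patch run will legitimately light up many "changed:sha256,mtime" events, which is the false-positive burden the diary warns about.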

For Windows systems:

%WINDIR%/win.ini
%WINDIR%/system.ini
C:\autoexec.ba
C:\boot.ini
%WINDIR%/System32
%WINDIR%/regedit.exe
C:\Documents and Settings/All Users/Start Menu/Programs/Startup
C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup
 
On Windows, the registry contains many useful locations that can also be monitored by most FIM:
 
HKEY_LOCAL_MACHINE\Software\Classes\cmdfile
HKEY_LOCAL_MACHINE\Software\Classes\comfile
HKEY_LOCAL_MACHINE\Software\Classes\exefile
HKEY_LOCAL_MACHINE\Software\Classes\piffile
HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects
HKEY_LOCAL_MACHINE\Software\Classes\Directory
HKEY_LOCAL_MACHINE\Software\Classes\Folder
HKEY_LOCAL_MACHINE\Software\Classes\Protocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$
 
The following ones can be ignored (changing too often):
 
C:\WINDOWS/System32/LogFiles
C:\WINDOWS/Debug
C:\WINDOWS/WindowsUpdate.log
C:\WINDOWS/iis6.log
C:\WINDOWS/system32/wbem/Logs
C:\WINDOWS/system32/wbem/Repository
C:\WINDOWS/Prefetch
C:\WINDOWS/PCHEALTH/HELPCTR/DataColl
C:\WINDOWS/SoftwareDistribution
C:\WINDOWS/Temp
C:\WINDOWS/system32/config
C:\WINDOWS/system32/spool
C:\WINDOWS/system32/CatRoot

And you? What are you monitoring? Please share your configurations and tips!

Xavier Mertens
ISC Handler - Freelance Security Consultant
