Adversaries frequently exploit public and temporary directories, such as C:\Users\Public and C:\Users\UserName\AppData\Local\Temp, as common drop zones to upload malicious tools and payloads. These directories are often targeted due to their accessibility and low visibility in standard security monitoring.
This project aims to monitor public and temporary directories for unauthorized file uploads and changes, detecting early signs of malware, privilege escalation, and insider threats.
First, we need to configure the ossec.conf file, which is located in the C:\Program Files (x86)\ossec-agent directory.
(Best practice: make a backup copy of ossec.conf before changing the configuration file.)
Open the ossec.conf file with Notepad and go to the File Integrity Monitoring section.
In this file, I added FIM configuration to monitor the directories C:\Users\Public, C:\Users\*\AppData\Local\Temp and C:\Users\*\Documents every 1 min.
For the detailed configuration manual, please refer to:
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/creating-custom-fim-rules.html#custom-fim-rules-examples
Restart the Wazuh service after modifying the ossec.conf file.
Verify that our directories are being monitored by creating, modifying and deleting some test files under them. After creating or modifying your test files, go to the Wazuh dashboard and you will see the events generated by these tests.
The who-data functionality allows the FIM module to obtain information about who made modifications to a monitored file. This information includes the user who made the change to the monitored file and the program name or process that was used.
Perform the following steps to configure the FIM module so that it records the user and the process that modified the monitored files.
- Edit the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and add the Documents directory for FIM monitoring. The configuration ensures that the FIM module records who-data information and also reports the exact changes made to text files.
- Restart the Wazuh agent using PowerShell with administrator privileges to apply the changes:
Restart-Service -Name wazuh
After enabling who-data, we can view more detailed information about the event, such as the process ID, the username and the differences made to the file.
We can also detect persistence activity by monitoring the registry Run keys that are used to establish persistence.
For more information, please refer to MITRE “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder”
https://attack.mitre.org/techniques/T1547/001/
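The following is an added example of the syscheck block that implements what the steps above describe (the three directories scanned every 1 min, who-data and report_changes for the Documents directory, and the Run keys for persistence detection). It is not the original write-up's configuration file; it is a fragment to merge into the existing <syscheck> section of C:\Program Files (x86)\ossec-agent\ossec.conf, not a second <syscheck> block. The registry paths and the arch="both" attribute are taken from the Wazuh FIM documentation linked above; the default Windows agent configuration already lists the HKLM Run keys, so do not duplicate entries that are already present.

```xml
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Scheduled scan interval in seconds (the write-up uses 1 min).
         Changes under who-data directories are reported in real time regardless. -->
    <frequency>60</frequency>

    <!-- Common drop zones: who-data records the user and process behind each change -->
    <directories whodata="yes">C:\Users\Public</directories>
    <directories whodata="yes">C:\Users\*\AppData\Local\Temp</directories>

    <!-- Documents: who-data plus a diff of the exact changes made to text files -->
    <directories whodata="yes" report_changes="yes">C:\Users\*\Documents</directories>

    <!-- Registry Run keys used for persistence (MITRE T1547.001).
         arch="both" covers the 32-bit and 64-bit views of the registry. -->
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</ossec_config>
```

Two points to check after restarting the agent with Restart-Service -Name wazuh: who-data on Windows works by having the agent set audit policies (SACLs) on the monitored folders, so the agent must run with its default SYSTEM privileges, and report_changes stores a copy of each monitored text file under the agent's queue directory, which is why it is limited here to Documents rather than applied to every path.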
Run the following example command from PowerShell to test persistence detection:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v updates /t REG_SZ /d "C:\Path\To\Malware.exe" /f
A new Registry Run key has been created on the system.
We can see this event on the Wazuh FIM dashboard.
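The default FIM rules report the test above at a low alert level. As an added example that is not part of the original write-up, the custom rules below (for local_rules.xml on the Wazuh manager, following the custom FIM rules page linked earlier) raise the level when an executable or script lands in a public or temp directory, or when a Run key value is added or changed. The parent rule IDs 554 (file added) and 750/751 (registry value added/modified) are taken from the default Wazuh ruleset and should be confirmed against ruleset/rules/0015-ossec_rules.xml on your manager version; the IDs 100200 and 100201 are in the reserved custom range and are an assumption you can renumber.

```xml
<group name="syscheck,drop_zone,">

  <!-- Executable or script created in a common drop zone.
       554 is the default "File added to the system" FIM rule. -->
  <rule id="100200" level="10">
    <if_sid>554</if_sid>
    <!-- pcre2 keeps backslash handling predictable; (?i) makes the match case-insensitive -->
    <field name="file" type="pcre2">(?i)^C:\\Users\\(Public|[^\\]+\\AppData\\Local\\Temp)\\.*\.(exe|dll|ps1|bat|cmd|vbs|js|hta|scr)$</field>
    <description>Executable or script dropped in a public/temp directory: $(file)</description>
    <group>fim_drop_zone,</group>
  </rule>

  <!-- Run key value added or modified, e.g. the reg add test in this write-up.
       750 / 751 are the default "Registry value added" / "Registry value modified" FIM rules. -->
  <rule id="100201" level="12">
    <if_sid>750,751</if_sid>
    <field name="file" type="pcre2">(?i)\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$</field>
    <description>Registry Run key modified, possible persistence: $(file)</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
    <group>fim_persistence,</group>
  </rule>

</group>
```

Restart the manager (systemctl restart wazuh-manager) after saving the rules, then repeat the reg add test and the file-drop test: the dashboard should now show these events under the higher levels, which makes them easy to route to e-mail or integration alerts without tuning the default rules themselves.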