File Integrity Monitoring (FIM) in Wazuh: A Step-by-Step Guide

Riya Jain
Jan 29, 2024


Why File Integrity Monitoring?

File Integrity Monitoring (FIM) watches for and identifies unauthorized changes to files, which makes it essential for ensuring the security and integrity of a system. Here are some important reasons to use it:

  • Unauthorized Changes Detection: FIM detects when important system files are altered without authorization and notifies users, helping to stop security breaches.
  • Compliance Requirement: Regulatory standards such as PCI DSS, HIPAA, and GDPR require FIM deployment.
  • Insider Threat Mitigation: By monitoring changes made by internal users, FIM helps find and deal with possible insider threats.

Wazuh GUI Login

Step2: Go to Agents and click on Deploy new agent, as shown below.

Deploy Agent

Next, select an Operating system, enter your Wazuh Server address, and set your agent’s name as shown below.

At the end, you will get a PowerShell script and a command to start the Wazuh service on your agent, as shown below.

Next, go to your Windows 10 machine and run the script in your PowerShell command prompt.

Next, start the Wazuh service.

Start Wazuh service

Finally, come back to your Wazuh platform and go to Agents; you should see your newly onboarded Windows agent here.

Wazuh Agents

Step3: Enable File Integrity Module on Windows Machine

The good news is that the File Integrity Monitoring (FIM) module is enabled by default on agents.

You can verify this by checking the configuration file (ossec.conf) located at C:\Program Files (x86)\ossec-agent.

You can also open the Wazuh agent GUI (the win32ui file) located in the same folder; this is also called the Wazuh Agent Manager. Click View > View Config.

Wazuh OSSEC Config file

Now scroll down a little and look for <syscheck>, under the comment File Integrity Monitoring. You should see the <disabled> tag set to no, meaning FIM is enabled.

FIM is enabled

Windows FIM Use Cases

There can be tons of use cases when it comes to File Integrity Monitoring; however, in this newsletter we will cover two important ones.

Use Case: Monitoring the System32 folder to track malicious executables

The System32 area holds important system files, dynamic link libraries (DLLs), and executables that the Windows operating system needs to work properly.

Path: C:\Windows\System32

Why the System32 folder?

  • When malware gets into a system, it tries to set up persistence so that it can stay active without being found. Malware can stay active for a long time by changing or removing files in System32, and users usually don’t notice these changes.
  • Malware authors try to make their programs look like part of the system. By living in the System32 area, malware can hide among real system files, making it harder for regular security measures to find.

Let’s have our Wazuh agent keep track of System32 files.

Step1: Add the System32 folder to the <directories> tag

Go to the Wazuh Agent Manager, click View > View Config, and edit the <syscheck> block as shown below.

Step2: Restart the agent

Under the Manager tab of the Wazuh Agent Manager, click the Restart option.

Step3: Visualize the alert

Add any random file to the folder C:\Windows\System32. Next, go to Wazuh > Security Alerts; you should see the alert as shown below.

Alert Visualization
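The edited <syscheck> block that Step 1 above refers to, written out as an added example rather than the author's own ossec.conf or screenshot; the attribute choices, the ignore entries and the SysNative note are assumptions made for this walkthrough, not settings taken from the page:

```xml
<!-- Added example: the FIM section of
     C:\Program Files (x86)\ossec-agent\ossec.conf after Step 1.
     Attribute values and ignore paths below are assumptions for this
     walkthrough; keep the agent's existing default entries above them. -->
<ossec_config>
  <syscheck>
    <!-- File Integrity Monitoring: "no" here means FIM is enabled -->
    <disabled>no</disabled>

    <!-- Interval in seconds between full scheduled scans (43200 = 12 h) -->
    <frequency>43200</frequency>

    <!-- The folder from the use case.
         realtime="yes"       raise the alert when the change happens,
                              not at the next scheduled scan
         check_all="yes"      record hash, size, permissions, owner and times
         report_changes="yes" include a diff of modified text files in the alert -->
    <directories realtime="yes" check_all="yes" report_changes="yes">C:\Windows\System32</directories>

    <!-- Caveat (assumption to verify on your build): the agent runs as a
         32-bit process (note the Program Files (x86) install path), so on
         64-bit Windows the path C:\Windows\System32 can be redirected by
         WoW64 to SysWOW64. %WINDIR%\SysNative reaches the real 64-bit
         System32 from a 32-bit process; monitor it too if your alerts for
         System32 changes never appear. -->
    <directories realtime="yes" check_all="yes">%WINDIR%\SysNative</directories>

    <!-- System32 is busy: Windows Update, driver installs and event-log
         rotation all write here. Carve out known-noisy subfolders so that
         a new, unexpected executable stays visible in Security Alerts. -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore>C:\Windows\System32\winevt\Logs</ignore>
  </syscheck>
</ossec_config>
```

After saving, Step 2's restart is what makes the agent pick up the new <directories> entry; the Step 3 test file then produces an alert with syscheck.event "added" and the path under syscheck.path.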

Riya Jain

Security Analyst | Penetration Tester | Red Team | Blue Team | eJPT|CAP | CND | Purple Team