zbalkan / IntegrityService

FIM service for Windows
GNU Affero General Public License v3.0

IntegrityService


Overview

Integrity Service is a file integrity monitoring (FIM) service for Windows. It addresses the security requirement of watching critical directories and Registry keys for changes.

Yes, we need a better name.

Usage

  1. Install the service using IntegrityService.msi.
  2. The installer writes the default values to the Registry.
  3. Filesystem monitoring is always started.
  4. If the database is not disabled and no filesystem discovery has completed yet, a filesystem discovery is started.
  5. For domain installations, use the ADMX file to manage the configuration through Group Policy.
  6. On its own the service does not give enough context to investigate a security incident; it is a supporting data source to be correlated with others. Run Sysmon alongside it and correlate the two event streams. Related Sysmon event IDs are 2, 9, 11, 12, 13, 14, 15, 23 and 26.

Internals

It is designed as a Windows Service. On first use it starts a scan based on the settings it reads from the Windows Registry under HKLM\SOFTWARE\FIM.

If no path to monitor is defined in the Registry, the service takes no action (no default value is hard-coded).

On first use it runs a full discovery: it enumerates all files, calculates a SHA256 checksum for each and stores the results in a local database as the baseline. Enumeration reads the NTFS MFT (Master File Table) directly, so listing the volume takes up to about 10 seconds. However, a fresh Windows 10 installation typically yields at least 500,000 files and folders, and calculating the hashes, obtaining and parsing the ACLs and writing everything to the database takes around 30 to 90 minutes depending on the number of files and the system specifications. This scan can be disabled via Group Policy or the Registry. If you have disabled the local database, skip to the next paragraph.

The service subscribes to file system events; when a change occurs it writes an event log entry and updates the database. The event shows the SHA256 hash of the current version and, if one exists, of the previous version.

Windows has many quirks around low-level callbacks, especially for NTFS. Most use cases are handled, but edge cases still need fine-tuning.

For ease of use an ADMX file is provided, so the monitored paths, excluded paths (such as log folders) and excluded file extensions (such as .log, .evtx, .etl) can be set via Group Policy. Suggested values for the Group Policy settings are listed below.
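The discovery, baseline and diff behaviour described above, as an added PowerShell example that is not IntegrityService's own code: it hashes every file under a monitored root with SHA256, records the ACL as an SDDL string, skips excluded paths and extensions, and then diffs a second pass against the baseline to report creations, modifications (with previous and current hash) and deletions. The monitored root, the exclusion lists and the files it creates under %TEMP% are constructed for the demo; the real service reads its configuration from HKLM\SOFTWARE\FIM and enumerates through the MFT rather than Get-ChildItem.

```powershell
# Added example, not part of IntegrityService. Demonstrates a SHA256 + ACL baseline
# with path/extension exclusions and a diff that reports created/modified/deleted files.
# All paths and exclusion values below are constructed for the demo.

$Monitored          = @("$env:TEMP\fim-demo")                 # constructed monitored path
$ExcludedPaths      = @("$env:TEMP\fim-demo\logs")            # constructed excluded path
$ExcludedExtensions = @('.log', '.evtx', '.etl')              # extensions suggested by the README

function Test-Excluded {
    param([string]$Path)
    foreach ($p in $ExcludedPaths) {
        if ($Path.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    $ext = [System.IO.Path]::GetExtension($Path)
    return ($ExcludedExtensions -contains $ext)   # -contains is case-insensitive in PowerShell
}

function Get-Baseline {
    # Returns a hashtable keyed by full path: SHA256 hash, SDDL of the ACL and file size.
    param([string[]]$Roots)
    $baseline = @{}
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { -not (Test-Excluded $_.FullName) } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $sddl = (Get-Acl -LiteralPath $_.FullName).Sddl
                $baseline[$_.FullName] = [pscustomobject]@{ Hash = $hash; Sddl = $sddl; Size = $_.Length }
            }
    }
    return $baseline
}

function Compare-Baseline {
    # Emits one record per change, carrying the previous and current hash like the service's events.
    param([hashtable]$Old, [hashtable]$New)
    $events = @()
    foreach ($path in $New.Keys) {
        if (-not $Old.ContainsKey($path)) {
            $events += [pscustomobject]@{ Event = 'Created';  Path = $path; Previous = $null; Current = $New[$path].Hash }
        } elseif ($Old[$path].Hash -ne $New[$path].Hash -or $Old[$path].Sddl -ne $New[$path].Sddl) {
            # A content change or an ACL change both count as a modification.
            $events += [pscustomobject]@{ Event = 'Modified'; Path = $path; Previous = $Old[$path].Hash; Current = $New[$path].Hash }
        }
    }
    foreach ($path in $Old.Keys) {
        if (-not $New.ContainsKey($path)) {
            $events += [pscustomobject]@{ Event = 'Deleted';  Path = $path; Previous = $Old[$path].Hash; Current = $null }
        }
    }
    return $events
}

# Demo run on a constructed tree: take the baseline, change things, diff.
New-Item -ItemType Directory -Force -Path "$env:TEMP\fim-demo\logs" | Out-Null
Set-Content -LiteralPath "$env:TEMP\fim-demo\app.exe"    -Value 'v1'
Set-Content -LiteralPath "$env:TEMP\fim-demo\trace.log"  -Value 'noise'   # excluded by extension
Set-Content -LiteralPath "$env:TEMP\fim-demo\logs\x.txt" -Value 'noise'   # excluded by path
$before = Get-Baseline $Monitored

Set-Content -LiteralPath "$env:TEMP\fim-demo\app.exe"    -Value 'v2'      # modification
Set-Content -LiteralPath "$env:TEMP\fim-demo\new.dll"    -Value 'dropped' # creation
Set-Content -LiteralPath "$env:TEMP\fim-demo\trace.log"  -Value 'more'    # still excluded, must not appear
$after = Get-Baseline $Monitored

Compare-Baseline -Old $before -New $after | Format-Table -AutoSize
```

Get-ChildItem walks the tree through the Win32 directory API, which is why the MFT-based enumeration the README describes is so much faster on a full system drive; the hashing and ACL parsing dominate either way. A file that is deleted or locked between enumeration and hashing makes Get-FileHash or Get-Acl raise an error, so a production scan should wrap those two calls in try/catch and record the failure instead of dropping the file silently.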

Suggested values

Each entry below is a Registry value name followed by its suggested value data.

Monitored Paths
  • C:\Windows\System32
  • C:\Windows\SysWOW64
  • C:\Program Files
  • C:\Program Files (x86)
Excluded Paths
  • C:\Windows\System32\winevt
  • C:\Windows\System32\sru
  • C:\Windows\System32\config
  • C:\Windows\System32\catroot2
  • C:\Windows\System32\LogFiles
  • C:\Windows\System32\wbem
  • C:\Windows\System32\WDI\LogFiles
  • C:\Windows\System32\Microsoft\Protect\Recovery
  • C:\Windows\SysWOW64\winevt
  • C:\Windows\SysWOW64\sru
  • C:\Windows\SysWOW64\config
  • C:\Windows\SysWOW64\catroot2
  • C:\Windows\SysWOW64\LogFiles
  • C:\Windows\SysWOW64\wbem
  • C:\Windows\SysWOW64\WDI\LogFiles
  • C:\Windows\SysWOW64\Microsoft\Protect\Recovery
  • C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration
  • C:\Program Files\Microsoft OneDrive\StandaloneUpdater\logs
Excluded Extensions
  • .log
  • .evtx
  • .etl
Enable Registry Monitoring
  • 0 (false)
Monitored Keys
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\FIM
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Excluded Keys
  • (none suggested)
Heartbeat Interval
  • 60 (seconds)

Event Logs

The event log IDs are taken from WINFIM.NET. Thanks to redblueteam for the inspiration.

Event ID Description
7770 An exception occurred
7776 File / Directory creation
7777 File modification
7778 File / Directory deletion
7786 Registry key creation
7787 Registry key/value modification
7788 Registry key deletion
7780 Other events (heartbeat check every 60 seconds, service start and stop, etc.)
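Step 6 of the Usage section says the service's events are meant to be correlated with Sysmon, and the table above gives the IDs to key on. The following added PowerShell example (not IntegrityService's own code) does that correlation: for each file or Registry change the service logged, it looks for Sysmon events on the same path within a short time window and reports the process and user Sysmon recorded. Two things are assumptions because the README does not state them: that the service writes to the Application log under the provider name IntegrityService, and that each message contains the full path of the file or key that changed. Sysmon's own log name and field names (TargetFilename, TargetObject, Image, User) are real.

```powershell
# Added example, not part of IntegrityService. Correlates the service's change events
# with Sysmon events for the same path to recover the process and user behind a change.
# ASSUMPTIONS (not stated by the README): the service logs to the Application log under the
# provider 'IntegrityService', and each message contains the full file or Registry path.

$FimLogName      = 'Application'       # assumption
$FimProviderName = 'IntegrityService'  # assumption
$SysmonLog       = 'Microsoft-Windows-Sysmon/Operational'
$Window          = [timespan]::FromSeconds(10)   # tolerance between the NTFS callback and Sysmon's event

# IntegrityService event ID -> Sysmon IDs that carry a comparable path, and the field holding it.
# Sysmon 9 (RawAccessRead) is deliberately omitted: it names a device, not a file.
$Map = @{
    7776 = @{ Ids = 11, 15;    Field = 'TargetFilename' }   # file/dir created
    7777 = @{ Ids = 2, 11, 15; Field = 'TargetFilename' }   # file modified
    7778 = @{ Ids = 23, 26;    Field = 'TargetFilename' }   # file/dir deleted
    7786 = @{ Ids = 12;        Field = 'TargetObject'   }   # registry key created
    7787 = @{ Ids = 13, 14;    Field = 'TargetObject'   }   # key/value modified or renamed
    7788 = @{ Ids = 12;        Field = 'TargetObject'   }   # registry key deleted
}

function Get-EventDataValue {
    # Pulls one <Data Name="..."> value out of an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.GetAttribute('Name') -eq $Name }).'#text'
}

function ConvertTo-SysmonPath {
    # Sysmon writes Registry paths as HKLM\... / HKU\..., while the README's examples use
    # Computer\HKEY_LOCAL_MACHINE\...; normalise so the two compare equal.
    param([string]$Path)
    $p = $Path.Trim()
    $p = $p -replace '^Computer\\', ''
    $p = $p -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
    $p = $p -replace '^HKEY_USERS', 'HKU'
    return $p
}

function Get-FimChanges {
    # Reads the service's change events since $Since and extracts the path from each message.
    param([datetime]$Since)
    $filter = @{ LogName = $FimLogName; ProviderName = $FimProviderName; Id = [int[]]$Map.Keys; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if (-not $_.Message) { return }
        # Assumption: the message carries one full path (drive letter or Registry hive prefix).
        $m = [regex]::Match($_.Message, '(?:[A-Za-z]:|Computer|HKEY_[A-Z_]+|HK[A-Z]{1,2})\\[^\r\n"]+')
        if ($m.Success) {
            [pscustomobject]@{ Time = $_.TimeCreated; FimId = $_.Id; Path = (ConvertTo-SysmonPath $m.Value) }
        }
    }
}

function Find-SysmonActor {
    # For one change, returns the Sysmon events on the same path within +/- $Window.
    param([pscustomobject]$Change)
    $rule   = $Map[[int]$Change.FimId]
    $filter = @{ LogName = $SysmonLog; Id = $rule.Ids; StartTime = $Change.Time - $Window; EndTime = $Change.Time + $Window }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataValue $_ $rule.Field) -eq $Change.Path } |   # -eq is case-insensitive
        ForEach-Object {
            [pscustomobject]@{
                FimId     = $Change.FimId
                SysmonId  = $_.Id
                Path      = $Change.Path
                Image     = Get-EventDataValue $_ 'Image'
                ProcessId = Get-EventDataValue $_ 'ProcessId'
                User      = Get-EventDataValue $_ 'User'
                Time      = $_.TimeCreated
            }
        }
}

# Usage: everything the service reported in the last hour, joined to the Sysmon actor.
Get-FimChanges -Since (Get-Date).AddHours(-1) | ForEach-Object { Find-SysmonActor $_ } | Format-Table -AutoSize
```

The ten second window is a constructed choice to absorb the lag between the NTFS callback and Sysmon's own event; widen it if the service hashes large files before writing its event. Sysmon 11 fires on both file creation and overwrite, which is why it appears under both 7776 and 7777, and Sysmon 12 covers both key creation and deletion, so a 7786 and a 7788 can map to the same Sysmon ID. Events without a matching Sysmon record are the interesting residue: either the change came from a path Sysmon's configuration does not cover, or the clocks drifted further than the window.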

Installation

MSI package installation

Use the IntegrityService.Installer.msi file to install. The package exists for ease of deployment: it installs the service with the startup type set to Automatic but does not start it immediately. Administrators can start it right away or let it start on the next boot.

Details

The second project, IntegrityService.Installer, is a WiX project that builds the MSI installer. Currently it looks for a single-file executable in ".\publish\", which is the publish path in my profile. You just need to change it to match yours.

Suggested PublishProfile.pubxml setup

<?xml version="1.0" encoding="utf-8"?>
<!--
https://go.microsoft.com/fwlink/?LinkID=208121.
-->
<Project>
  <PropertyGroup>
    <Configuration>Release</Configuration>
    <Platform>Any CPU</Platform>
    <PublishDir>..\publish\</PublishDir>
    <PublishProtocol>FileSystem</PublishProtocol>
    <TargetFramework>net6.0-windows</TargetFramework>
    <RuntimeIdentifier>win-x64</RuntimeIdentifier>
    <SelfContained>true</SelfContained>
    <PublishSingleFile>true</PublishSingleFile>
    <PublishReadyToRun>true</PublishReadyToRun>
  </PropertyGroup>
</Project>

Development

You need .NET 8 for the service. The installer project requires the WiX Toolset, which in turn requires enabling .NET Framework 3.5 on the development machine.

Roadmap

Special thanks to:

Icons8

The Film Noir icon by Icons8 is used for the executable.

Mariano S. Cosentino

Thanks to Mariano S. Cosentino's REG_2_ADMX script, with which the initial draft of the ADMX files was created.