LIDS and FIM Policy Templates

LIDS and FIM Templates for Security Vigilance and Integrity

Daniel Wolczenkow / 11.05.19

CloudPassage recently released new templates for Windows 2019 Log-based Intrusion Detection System (LIDS) and File Integrity Monitoring (FIM). In this article, I will go over some use cases and how organizations can use the templates to protect and secure their infrastructure.

While a lot of host protection solutions have functionality for behavioral or heuristic threat detection, sometimes threat actors defeat all of them using completely new attack vectors. And in such cases, when advanced threat detection doesn’t help, low-level and fundamental methods can help in the detection of malicious behavior. LIDS vigilance and FIM are two such tools that can come to the rescue.

We created the most recent Windows 2019 templates while keeping in mind that continuous monitoring and integrity checking are two really easy and effective methods for the detection of unusual system behavior. Frequently malware makes some changes to the system where it resides, and these changes or attempts to make them can be detected while looking at the actions on hosts or changes to files. CIA triad (states for confidentiality, integrity, and availability), names integrity as one of the crucial elements of hardening the system, while NIST (US National Institute of Standards and Technology) publishes a guideline, which describes the importance of continuous Information Security Monitoring in their SP 800-137 publication.

Log-based Intrusion Detection System (LIDS)

Our recently released LIDS policy for Windows Server 2019 consists of more than 250 security-related events. Some log events are brand new for Windows 2019 while others are similar to earlier Windows Server releases. Since Windows keeps its event codes and their meaning persistent between releases, the new policy can be used against other Windows Server systems starting from Windows Server 2008. In this case, only the policy events that are relevant for the monitored OS version will be logged and detected.

Also, we pre-analyzed the severity of each event in this policy and marked some events as “critical” for which special attention is needed. This policy is suitable both for Domain Controller and Member servers and it combines events specific for all types of installations.

LIDS Policy attempt

Example of LIDS Policy Applied to Windows Server

Above is an example of how the LIDS policy applied to a Windows Server machine identifies an unsuccessful login attempt. The CloudPassage agent polls event logs on the Windows Server machine, extracts security-related events, and makes them accessible to view in the Halo portal or any other SIEM system of your choice, to which Halo can be integrated via our REST API. 

New Windows 2019 Events Integrated into this Template

  • 5379 Credential Manager credentials were read
  • 5380 Vault Find Credential
  • 5381 Vault credentials were read
  • 5382 Vault credentials were read
  • 6423 The installation of this device is forbidden by system policy
  • 6424 The installation of this device was allowed, after having previously been forbidden by policy
  • 6422 A device was enabled
  • 6421 A request was made to enable a device
  • 6420 A device was disabled
  • 6419 A request was made to disable a device
  • 6418 The FIPS mode crypto self-tests failed
  • 6416 A new external device was recognized by the system
  • 6410 Code integrity determined that a file does not meet the security requirements to load into a process, which could be due to the use of shared sections or other issues

File Integrity Monitoring (FIM)

File Integrity Monitoring sets you up to comply with the fundamental integrity principle. For instance, looking at the most recent Windows Server 2019 release, it consists of two separate FIM policies—one for core system files, and another for the core registry paths.

FIM creates a server (or groups of servers) baseline for policy-specified files or registry keys, creating a state snapshot, and in subsequent scans, compares them with the baseline. This enables identification of 0-day malware or malware for which there are no signatures in the virus or malware database. 

The Windows Server 2019 FIM policy for registry integrity monitoring detects the tampering of registry keys that might be used by threat actors for installing and masquerading their actions. It ensures the integrity of more than 250 core registry paths which have been collected from different information security agencies that analyze malware behavior. The second Windows Server 2019 FIM core ‘files’ policy consists of more than 300 paths in which malware could reside and tamper with files.

For demonstration, let’s go back to May 2017, when no-one knew about the WannaCry virus, which resulted in over 300,000 computers infected all over the globe. Let’s take a look at how the FIM policy helps detect previously unknown threats when they break registry integrity.

Clean System

A Clean System

To begin, on a clean machine, as shown above, we can see that scan results are good for the Core Registry Keys and Core System Files policies, which implies that crucial machine files are untouched.

FIM Monitoring

Server Infected with Ransomware

Then, let’s infect this server with WannaCry ransomware, keeping in mind that we’re in 2017 and our server antivirus does not have signatures to detect that malware.  

FIM Alert

Halo Notification of Registry Key Change

The security operator will receive a notification from Halo (top line red bullet “Critical”) due to the registry key change: HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run key.

Registry Key fix

Randomly Named Evil Value

The security operator will then view the new randomly named ‘evil’ value, go to the C:\Users\Administrator\Desktop\tasksche.exe path and find that the server is infected. Thus uncovering the infection and taking countermeasures to stop the attack.

To conclude, continuous monitoring and integrity checking are two really easy and effective methods for the detection of unusual system behavior and can be accomplished using CloudPassage LIDS and FIM. Try out our new Windows 2019 LIDS and FIM templates and let us know your feedback.

New to CloudPassage Halo?