  • Mystery Incorporated
    1 year ago
    I know we can monitor when files are created, can we monitor if a certain file is altered in anyway?
  • theopolis
    1 year ago
    You should be able to monitor when a file's contents are modified. The relative events table for the OS you are using will let you know a modification happened, but not exactly what was modified. https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ If you wanted more granular details about what was modified you could try to use the yara_events table: https://osquery.readthedocs.io/en/latest/deployment/yara/
    Is this what you had in mind?
  • Mystery Incorporated
    1 year ago
    @theopolis Thanks!!! yes just knowing it was modified is enough, I don't need to know what was changed.
  • CptOfEvilMinions
    1 year ago
    Tad bit late to this thread but you could have canary files deployed with known sha256 hashes. Then create a query using the hash table to check the hash of the canary file.
    SELECT path, sha256 FROM hash WHERE path = '<file>' AND sha256 != '<sha256 of canary file>';
    This might be more practical for envs where you can’t enable file monitoring.
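An osquery configuration that wires up both approaches from this thread (file_events for modification notifications, plus the canary hash check scheduled as a query), added here as an example and not taken from the original posts. The canary path, the query names and intervals are assumptions, and the sha256 placeholder must be replaced with the real digest of the deployed canary file.

```json
{
  "options": {
    "enable_file_events": "true"
  },
  "file_paths": {
    "canary": [
      "/opt/canary/do-not-touch.txt"
    ]
  },
  "schedule": {
    "file_modifications": {
      "description": "Assumed example: emit one row per create/modify/delete on the watched paths; only a change is reported, not its content.",
      "query": "SELECT target_path, category, action, time, sha256 FROM file_events WHERE action != 'ACCESSED';",
      "interval": 300,
      "removed": false
    },
    "canary_file_tamper": {
      "description": "Assumed example: a row only appears when the canary's current hash differs from the known-good value, so any row is an alert. Replace the placeholder with the real digest.",
      "query": "SELECT path, sha256 FROM hash WHERE path = '/opt/canary/do-not-touch.txt' AND sha256 != '<sha256 of canary file>';",
      "interval": 300,
      "snapshot": true
    }
  }
}
```

The hash-based query also covers the case where a canary file is deleted: the hash table returns no row for a missing path, so pair it with a query on the file table (or the file_events DELETED action) if absence should alert as well.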