Example 3: Email alert when .EXE file changed
Scenario: You want to receive an email (or any other type of notification) if an .EXE file is changed in a certain folder, for example the c:\windows folder.
Goal: To be immediately notified when a critical system file is changed, or when a change is attempted.
Prerequisites
Approach
1. Enable Object Auditing
On domain controllers, open either "Active Directory Users and Computers" or, if installed, the "Group Policy Management" application. On member servers or workstations, open the "Local Security Policy" instead.
In the Group Policy Object Editor, navigate to "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Audit Policy", shown in the screenshot below. There, change the "Audit Object Access" policy to include both success and failure events:
Figure 1
2. Configure auditing on one or more folders
Once object auditing is enabled on the domain, OU or computer, you can start auditing the folders of interest. In our example we will be auditing the SYSTEM32 folder c:\windows of a Windows Server 2003 installation. Open Explorer, right-click the folder to be monitored and select Properties. Click the Security tab, click the Advanced button and then click the Auditing tab. You will see a list of auditing entries already present on this folder; in most cases this list will be empty. Click the Add button to add a new user or group that is to be audited. Since we want to audit every user, we enter the built-in Everyone group:
We need to audit the following Successful + Failed access methods on this folder:
You should see a dialog similar to the one shown in figure 3 after you click the OK button in figure 2. Now click OK twice to save the audit settings. From now on, the OS will record all successful and unsuccessful write attempts to files in the c:\windows folder and all subfolders.
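Steps 1 and 2 above can also be applied from the command line, which is useful when the same audit settings have to be rolled out to many servers. The script below is an added example written for this page; it is not EventSentry's own code and not part of the original article. It assumes an elevated PowerShell session (setting a SACL requires the SeSecurityPrivilege, which an administrator gets by running PowerShell as administrator) on Windows Server 2008 or later, where auditpol exposes the "File System" subcategory; on Windows Server 2003 the policy is set through the GPO dialog shown in figure 1 instead. The function name and the default folder are choices made for this example.

```powershell
# Added example: enable object-access auditing and put an audit entry (SACL)
# on a folder that mirrors the manual steps above.
# Assumes an elevated session on Windows Server 2008+ (auditpol subcategories).

function Enable-ExeChangeAuditing {
    param(
        [string]$Folder = 'C:\Windows'   # folder from the example above
    )

    # Step 1: "Audit Object Access" for success and failure.
    # The "File System" subcategory is the part of Object Access that covers
    # file and folder opens; enabling only this keeps the Security log quieter
    # than enabling the whole category.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Step 2: audit Everyone (well-known SID S-1-1-0) for Delete + WriteData,
    # success and failure, on the folder and everything below it.
    $acl = Get-Acl -Path $Folder -Audit

    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData'
    $inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop     = [System.Security.AccessControl.PropagationFlags]::None
    $flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone, $rights, $inherit, $prop, $flags)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Folder -AclObject $acl

    # Verification: return the audit rules now present on the folder so the
    # caller can confirm the Everyone / Delete, WriteData / Success, Failure entry.
    (Get-Acl -Path $Folder -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

# Usage: apply to the folder from the example and list the resulting SACL.
Enable-ExeChangeAuditing -Folder 'C:\Windows' | Format-Table -AutoSize
```

Run it once per machine, or wrap it in a configuration script for your deployment tooling. Because the rule is added with ContainerInherit and ObjectInherit, every file and subfolder under the target inherits it, which is the same effect as the "This folder, subfolders and files" option in the dialog from figure 2.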
3. Creating a filter in EventSentry
Now add an include filter to EventSentry that matches all "Audit Success" or "Audit Failure" events in the Security event log with event id 560. Specify the filter text as follows:
Object Open:*Object Name:*.exe*Handle ID*Accesses:*DELETE*WriteData*Privileges:*-*Restricted*
You can remove the *.exe part of the pattern if you want to monitor all files, or specify a different extension if you want to monitor a different file type. The complete filter should look like the dialog shown in figure 4 below:
Figure 4
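Because the filter text above is a wildcard pattern, it helps to see which event messages it does and does not match before relying on it for alerting. The following is an added example written for this page, not EventSentry's own code: it evaluates the filter string against a few constructed event 560 messages with PowerShell's -like operator. It assumes that EventSentry treats "*" as a match-anything wildcard in the same way -like does; the sample messages are constructed in the layout of a Windows Server 2003 event 560 and are not real log entries.

```powershell
# Added example: check the step-3 filter text against sample event messages.
# Assumption: '*' in EventSentry filter text behaves like '*' in -like.

$ExeChangeFilter = 'Object Open:*Object Name:*.exe*Handle ID*Accesses:*DELETE*WriteData*Privileges:*-*Restricted*'

function Test-ExeChangeFilter {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$Pattern = $ExeChangeFilter
    )
    # Collapse line breaks and tabs so the match does not depend on how the
    # message is wrapped. -like is case-insensitive, so ".EXE" and ".exe" both match.
    $flat = $Message -replace '\s+', ' '
    return $flat -like $Pattern
}

# Constructed sample messages (not real log data).
$samples = [ordered]@{
    'exe, DELETE + WriteData'   = @"
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\notepad.exe
 Handle ID: 1234
 Accesses: DELETE
   WriteData (or AddFile)
 Privileges: -
 Restricted Sid Count: 0
"@
    'exe, ReadData only'        = @"
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\notepad.exe
 Handle ID: 1235
 Accesses: ReadData (or ListDirectory)
 Privileges: -
 Restricted Sid Count: 0
"@
    'dll, DELETE + WriteData'   = @"
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\system32\kernel32.dll
 Handle ID: 1236
 Accesses: DELETE
   WriteData (or AddFile)
 Privileges: -
 Restricted Sid Count: 0
"@
    'exe, WriteData without DELETE' = @"
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\notepad.exe
 Handle ID: 1237
 Accesses: WriteData (or AddFile)
 Privileges: -
 Restricted Sid Count: 0
"@
}

foreach ($name in $samples.Keys) {
    '{0,-32} matches: {1}' -f $name, (Test-ExeChangeFilter -Message $samples[$name])
}
```

With these samples, only the first message matches: the .dll open fails on the "*.exe*" term, the read-only open fails on "Accesses:*DELETE*WriteData*", and so does the last message, because the pattern requires DELETE to appear before WriteData in the access list. If you also want to be alerted on opens that request WriteData without DELETE, you would need a second filter text without the DELETE term.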
After performing these steps, you will be notified via email every time a new .exe file is added to the c:\windows folder, or whenever an existing .exe file is modified.