Introduction
In my recent hands-on work, I implemented File Integrity Monitoring (FIM) on Windows to detect and prevent unauthorized changes to critical files and system configurations. Through this practical experience, I explored different approaches, including native Windows auditing, Sysinternals Sysmon, and advanced integration with Wazuh SIEM. Each method offered unique strengths, from granular event visibility to centralized monitoring and alerting, helping me build a layered defense against file tampering and insider threats.
The Prerequisites
- Windows Server or Windows 10/11.
- Administrator rights.
- Access to the Local Security Policy and Event Viewer.
- The Wazuh agent installed and connected to a Wazuh manager (needed for Step 3).
Step 1: Set Up Native Windows Audit Policies
Enable Object Access Auditing
Press Win + R, type secpol.msc, and press Enter.
Navigate to:
Security Settings → Local Policies → Audit Policy → Audit Object Access.
Enable Success and Failure.
Apply Auditing to Particular Folders or Files
Right-click a folder → Properties
Click Security → Advanced
Verify in Event Viewer
Open Event Viewer → Windows Logs → Security.
Look for Event ID 4663 (Object Access).
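The same three steps (enable object-access auditing, put an audit entry on a folder, read back 4663 events) done from an elevated PowerShell instead of the GUI. This is an added example, not part of the original post; the folder C:\Critical is an assumption, substitute the path you actually want to watch.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumption: the folder to audit is C:\Critical; change $Target as needed.
$Target = 'C:\Critical'

# 1. Enable the "File System" subcategory of Object Access (success + failure).
#    Subcategory settings take precedence over the legacy secpol.msc entry.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit Everyone for write/append/delete, inherited by
#    every subfolder and file under $Target.
if (-not (Test-Path $Target)) { New-Item -ItemType Directory -Path $Target | Out-Null }
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write,Delete,DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Pull 4663 ("An attempt was made to access an object") from the last hour
#    and keep only the events whose object lives under $Target, showing who
#    touched what and from which process.
$xpath = "*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= 3600000]]]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$Target*") {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = $d.AccessMask
        Process = $d.ProcessName
      }
    }
  } | Format-Table -AutoSize
```

Without step 2, step 1 alone produces no 4663 events: the audit policy only says that object access may be audited, while the SACL on the folder decides which objects actually are.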
Step 2: Using Sysinternals Sysmon
Steps to Install Sysmon on Windows
- Download Sysmon from the official Microsoft Sysinternals page.
Extract the .zip file into a directory. Inside that folder, you'll see:
- Sysmon.exe (for 32-bit systems)
- Sysmon64.exe (for 64-bit systems)
Open PowerShell (Admin Mode)
- Press Win + X → Windows PowerShell (Admin).
- Navigate to the folder where you extracted Sysmon:
C:\Users\Administrator\Downloads\Sysmon
Basic Install Command
To install with default settings (no config file), I installed it with this command:
.\Sysmon64.exe -accepteula -i
To Verify the Installation
Open Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational.
You should see Event IDs like 1 (Process Create), 11 (File Create), etc.
To Monitor File Events
Sysmon logs events in:
Applications and Services Logs → Microsoft → Windows → Sysmon → Operational.
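The default install above logs every file creation on the host. The following added example (not code from the post or from Sysinternals) installs Sysmon with a minimal config that records FileCreate (Event ID 11) only under the folders a Windows FIM cares about, drops the Temp noise, and then reads the resulting events back from the Operational channel. It assumes Sysmon64.exe is in the current directory.

```powershell
# Added example (not from the original post). Run from the extracted Sysmon
# folder in an elevated PowerShell. Schema 4.22 is accepted by current Sysmon
# builds; raise it if your binary rejects it.
$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="fim-include" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
        <TargetFilename condition="begin with">C:\Program Files\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="fim-exclude" groupRelation="or">
      <!-- exclude rules win over include rules, so Temp churn is dropped -->
      <FileCreate onmatch="exclude">
        <TargetFilename condition="contains">\Temp\</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\sysmon-fim.xml -Value $config -Encoding ASCII

# -i installs the driver and service with this config. If Sysmon is already
# installed (as after the default install in the post), use -c instead:
#   .\Sysmon64.exe -c .\sysmon-fim.xml
.\Sysmon64.exe -accepteula -i .\sysmon-fim.xml

# Read the 20 most recent FileCreate events and flatten the EventData fields.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 } -MaxEvents 20 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
      Time  = $_.TimeCreated
      User  = $d.User
      File  = $d.TargetFilename
      Image = $d.Image
    }
  } | Format-Table -AutoSize
```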
Step 3: Integrating with Wazuh for Centralized FIM
Although Sysmon and Windows auditing can identify changes, manual log analysis is ineffective. Wazuh's File Integrity Monitoring (syscheck) module makes this automated.
Comprehensive Scan
In this sense, you can use Wazuh to monitor a file. Whenever someone makes changes to the file, Wazuh is notified immediately, showing both the original content and the changes made.
To put it another way, whenever someone modifies a file, Wazuh will record who made the modifications, what was changed, when it was modified, and other precise details.
The Wazuh agent and its impact on an operating system
Logs from endpoints (operating systems) must be collected by the Wazuh Agent and reported to Wazuh. When an agent is deployed on an operating system, the Wazuh agent logs all activities that occur in that endpoint and reports them to the Wazuh dashboard.
How to Install the Wazuh Agent on Windows
Download the Windows agent from the Wazuh site.
Installation
File integrity monitoring
Some of the most critical locations to monitor with Wazuh are:
- Public Folder
- User Folder
- The whole Local Disk
The agent's configuration file on an endpoint
When an agent is deployed on a Linux or Windows operating system, a configuration file named ossec.conf is installed along with it. On Windows it lives in the ossec-agent folder, and it holds the settings that control which activity logs the agent reports from this endpoint to the Wazuh dashboard.
Configuring ossec.conf
This file has a large number of configuration options. In this case, we want to set up file integrity monitoring in it. The ideal approach is to copy the file before making any configuration changes, so that if the edited file becomes corrupted, the saved copy can be restored.
How to access the ossec.conf file
There are two methods for opening the ossec.conf file: using the agent's GUI interface, or opening the file directly.
The ossec.conf file
Add FIM rules inside
Enter the path of the directory you want to monitor in the File Integrity Monitoring (syscheck) section of ossec.conf. After entering the path, click Save.
How to get the Wazuh agent to restart
To restart the agent, open the agent's GUI interface, then select "OK."
Another way to restart the Wazuh agent
Type "services" into the Windows search box and open the Services console, which lists all services on the machine. From there you can locate the Wazuh agent service, restart it, and confirm that it is running.
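The backup, the syscheck edit and the restart described above, done as one script. This is an added example, not code from the post or from Wazuh; the ossec.conf path, the C:\Users\Public and C:\Critical directories, and the WazuhSvc service name are assumptions to adjust to your install.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumptions: default Windows agent path, service name WazuhSvc, and two
# directories to watch. Adjust all three to match your environment.
$conf   = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$backup = "$conf.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

# 1. Keep an untouched copy before editing, as the post recommends.
Copy-Item -Path $conf -Destination $backup

# 2. FIM rules to insert into <syscheck>.
#    whodata="yes"        : record which user and process made the change
#                           (uses Windows object auditing, and implies realtime)
#    report_changes="yes" : include a diff of the changed content in the alert
#    check_all="yes"      : compare hashes, size, owner, permissions, timestamps
#    The sregex ignore is a plain substring match, so it also skips any path
#    that merely contains "Temp" or "Cache"; tighten it if that is too coarse.
$fim = @'
    <directories whodata="yes" report_changes="yes" check_all="yes">C:\Users\Public</directories>
    <directories whodata="yes" report_changes="yes" check_all="yes">C:\Critical</directories>
    <ignore type="sregex">Temp|Cache</ignore>
'@

$text = Get-Content -Path $conf -Raw
if ($text -notmatch '<syscheck>') { throw "no <syscheck> block found in $conf" }

# 3. Insert the rules right after the first <syscheck> opening tag only
#    (Regex.Replace with a count of 1; PowerShell's -replace would hit all).
$text = [regex]::new('<syscheck>').Replace($text, "<syscheck>`r`n$fim", 1)
Set-Content -Path $conf -Value $text -Encoding UTF8

# 4. Restart the agent so the new configuration is loaded, then verify.
Restart-Service -Name WazuhSvc
Start-Sleep -Seconds 5
Get-Service -Name WazuhSvc | Select-Object Name, Status

# 5. Confirm syscheck picked up the directories by checking the agent log.
Get-Content 'C:\Program Files (x86)\ossec-agent\ossec.log' -Tail 50 |
  Select-String -Pattern 'syscheck' -SimpleMatch
```

If anything goes wrong, copying $backup back over ossec.conf and restarting the service returns the agent to its previous state.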
Validate in Wazuh Dashboard
After selecting "monitored" under "file integrity monitoring," you will notice that two directory paths have been added to the monitored environment.
An overview of the section on file integrity monitoring
Windows native auditing records the access in the Security log, Sysmon records file creation/modification, and the Wazuh dashboard displays alerts for file changes.
The Best Ways to Use Windows FIM
- Keep an eye on essential directories: Registry keys, C:\Windows\System32, and C:\Program Files.
- To cut down on noise, exclude high-churn folders like Temp and Cache.
- To prevent false positives, set the right alerting thresholds.
- Review FIM alerts regularly as part of your SOC procedure.
- To find suspicious activity chains, integrate SIEM correlation rules (e.g., unauthorized user → changed system DLL).
In conclusion
By identifying file and configuration manipulation, File Integrity Monitoring on Windows improves endpoint security. Administrators can employ a tiered strategy for file integrity monitoring by utilizing native auditing, Sysmon, and sophisticated tools like Wazuh.
In addition to offering insight into unauthorized modifications, an adequately designed FIM system facilitates adherence to regulations such as PCI DSS, HIPAA, and ISO 27001 requirements.
Top comments (2)
Great walkthrough—clear steps from 4663 auditing to Sysmon and Wazuh make FIM on Windows very approachable. Loved the tips on excluding high-churn folders. With this setup, tamperers don't stand a checksum of getting by!
great guide love it ❤️