Attackers modify system binaries, web shells appear in upload directories, and ransomware changes file extensions. Without file integrity monitoring (FIM), these changes go unnoticed for months. This lesson covers deploying and managing FIM across platforms with AIDE, Tripwire, and Windows SFC/File Integrity Monitoring—so you'll catch tampering before it becomes a headline.
FIM tools create a cryptographic baseline of file attributes (checksums, permissions, timestamps) for a set of monitored paths. On a schedule or on-demand, they re-scan and compare against the baseline, reporting any additions, deletions, or modifications. To avoid false positives, FIM databases must be updated after planned changes. The key is to store the baseline database and configuration on read-only media or offline to prevent tampering.
```bash
# Install and initialize AIDE on Linux
sudo apt install aide
sudo aideinit
# The database is created at /var/lib/aide/aide.db.new
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run a check
sudo aide -c /etc/aide/aide.conf --check
```
The initial aideinit builds the baseline. Moving the new database into place is crucial; otherwise, the next check will report everything as changed. Run the check periodically via cron and pipe its output to a SIEM.
Windows includes SFC (System File Checker) to verify integrity of protected system files. For broader FIM, use the built-in file auditing (SACL) and event logs (Event ID 4663 for object access), or deploy Microsoft Defender for Endpoint's custom file integrity monitoring. SFC /scannow repairs corrupted files from the component store, but it won't detect a custom backdoor named notepad.exe placed in a user's profile. For that, you need a SACL that audits writes.
💡 SFC only checks files protected by Windows Resource Protection. To monitor user-writable areas, configure SACLs and collect Event 4663 in your SIEM.
| Tool | Platform | Key Feature |
|---|---|---|
| AIDE | Linux/macOS | Advanced rule sets, database can be offloaded |
| Tripwire | Linux/Windows | Enterprise-grade, policy-based, commercial |
| Windows SACL + Event 4663 | Windows | Native auditing, integrates with SIEM |
| Microsoft Defender FIM | Windows | Cloud-managed, part of MDE suite |
Raw FIM logs are noisy. Tuning means excluding directories where legitimate changes happen frequently (log files, temp folders) and focusing on critical binaries, config files, and web roots. Define a response playbook: when a critical file change is detected, isolate the host, capture a forensic snapshot, and investigate the process that made the change. Without a playbook, alerts become ignored noise.
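To make the baseline-and-compare cycle and the tuning step concrete, here is a small added example (not part of this lesson, AIDE, or Tripwire) that hashes a directory tree into a baseline, re-scans it with exclusion globs for noisy paths, and reports what changed. The paths and the tampering scenario are constructed for the demo.

```python
import fnmatch, hashlib, os, stat, tempfile

def file_record(path):
    """Attributes an AIDE-style baseline keeps per file: hash, mode, owner, size."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size}

def build_baseline(root, exclude=()):
    """Record every regular file under root, skipping paths matching an exclude glob."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Tuning: skip noisy paths (logs, temp); lstat so symlinks are not followed
            noisy = any(fnmatch.fnmatch(rel, p) for p in exclude)
            if not noisy and stat.S_ISREG(os.lstat(full).st_mode):
                baseline[rel] = file_record(full)
    return baseline

def compare(old, new):
    """Return additions, deletions and, per modified file, which attributes differ."""
    changed = {r: [k for k in old[r] if old[r][k] != new[r][k]] for r in set(old) & set(new)}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": {r: d for r, d in changed.items() if d}}

def write(root, rel, text, append=False):
    """Helper for the constructed scenario below."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a fake web root, then change it and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php echo 'hello'; ?>\n")
        write(root, "logs/access.log", "GET / 200\n")
        before = build_baseline(root, exclude=("logs/*",))
        # Simulated changes: an edit to a tracked file, a new file in an
        # upload directory, and routine log growth that tuning should ignore.
        write(root, "index.php", "// unexpected edit\n", append=True)
        write(root, "uploads/unexpected.php", "x\n")
        write(root, "logs/access.log", "GET /x 404\n", append=True)
        return compare(before, build_baseline(root, exclude=("logs/*",)))
```

The report from demo() names the new file under uploads/ and flags index.php as modified by hash and size, while the log growth produces no alert because logs/* is excluded; the same alert would feed the playbook step of capturing a snapshot and investigating the writing process.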
⚠️ If an attacker gains root, they can modify the FIM database itself. Use an agent that ships events off-box in real-time and store the database on immutable storage.