In this project, I implemented File Integrity Monitoring (FIM) using Wazuh to detect file system and Windows Registry changes in a lab environment. Custom FIM rules was configured to monitor user directories and registry Run keys, then validated the setup by manually creating, modifying, and deleting files and folders, and by running a benign malware simulation that triggered Windows processes leading to registry updates. This demonstrated how FIM detects not only direct malicious modifications but also related system-level activity that occurs during suspicious endpoint behavior, supporting incident investigation and root-cause analysis.
File Integrity Monitoring (FIM) is a security control used to track changes made to files and system configurations. It helps detect when files are created, modified, or deleted, and when critical system areas like the Windows Registry are altered. Since many attacks rely on changing files or registry keys to maintain persistence or evade detection, FIM provides an important layer of visibility into what’s happening on an endpoint. For this project, i used Windows endpoint.
Press enter or click to view image in full size
You can read more about File Integrity Monitoring in official Wazuh Documentation here
C:\Program Files (x86)\ossec-agent\ossec.confand edit the ossec.conf file using notepad (open as an administrator).
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Public</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Public\Downloads</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Lily\Desktop</directories>Press enter or click to view image in full size
Restart-Service wazuh-agent2. Test the Configuration
I created a file on Desktop named “Malware Docs”
Alert Visualization
Join Medium for free to get updates from this writer.
Navigate to Endpoint security > File Integrity Monitoring > Events on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the monitored file. The created file was logged as ‘file added’
To demonstrate file modification detection, I edited the contents of a file in the Downloads folder named “Malicious.txt”
Alert Visualization
This action was detected by Wazuh File Integrity Monitoring and logged as a “file modification” event in the dashboard.
Several files were deleted, and this activity was detected by Wazuh File Integrity Monitoring and logged as “File deleted” events.
To demonstrate registry monitoring, I ran a benign malware simulation that attempted to establish persistence. This action triggered legitimate Windows system processes, which in turn updated related registry keys in the background. Wazuh detected these changes and logged them as registry modification events, demonstrating how File Integrity Monitoring can capture both direct malware activity and the secondary system behaviors it provokes.
Press enter or click to view image in full size
Press enter or click to view image in full size
Press enter or click to view image in full size
This project demonstrated the practical value of File Integrity Monitoring through hands-on configuration, testing, and analysis using Wazuh. I successfully monitored file systems and Windows Registry keys, validated detection with manual changes and a malware simulation, and used the Wazuh dashboard to turn raw alerts into actionable insights.
FIM proved to be a critical visibility tool not just for compliance, but for real-time detection, rapid investigation, and understanding attack behaviors through change analysis. By capturing both legitimate and malicious modifications, it serves as a foundational layer in a proactive security posture.
Many thanks to
for inspiring me to take on this project.