Wazuh File Integrity Monitoring: Tracking Endpoint Modifications in Real Time
OverviewIn this project, I implemented File Integrity Monitoring (FIM) using Wazuh to detect file sy 2026-7-6 06:34:23 Author: infosecwriteups.com(查看原文) 阅读量:8 收藏

Overview

In this project, I implemented File Integrity Monitoring (FIM) using Wazuh to detect file system and Windows Registry changes in a lab environment. Custom FIM rules was configured to monitor user directories and registry Run keys, then validated the setup by manually creating, modifying, and deleting files and folders, and by running a benign malware simulation that triggered Windows processes leading to registry updates. This demonstrated how FIM detects not only direct malicious modifications but also related system-level activity that occurs during suspicious endpoint behavior, supporting incident investigation and root-cause analysis.

File Integrity Monitoring (FIM) is a security control used to track changes made to files and system configurations. It helps detect when files are created, modified, or deleted, and when critical system areas like the Windows Registry are altered. Since many attacks rely on changing files or registry keys to maintain persistence or evade detection, FIM provides an important layer of visibility into what’s happening on an endpoint. For this project, i used Windows endpoint.

Press enter or click to view image in full size

You can read more about File Integrity Monitoring in official Wazuh Documentation here

Configuration & Detection

  1. Edit the agent’s ossec.conf file
  • On the Windows endpoint, the Wazuh agent configuration file is located at
C:\Program Files (x86)\ossec-agent\ossec.conf

and edit the ossec.conf file using notepad (open as an administrator).

  • Add the directories you want to monitor within the <syscheck> block
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Public</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Public\Downloads</directories>
<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Lily\Desktop</directories>

Press enter or click to view image in full size

ossec.conf
  • Restart the Wazuh agent to apply changes
Restart-Service wazuh-agent

2. Test the Configuration

  • Create files

I created a file on Desktop named “Malware Docs”

Alert Visualization

Get Aishat Olayinka Yusuf’s stories in your inbox

Join Medium for free to get updates from this writer.

Remember me for faster sign in

Navigate to Endpoint security > File Integrity Monitoring > Events on the Wazuh dashboard to view the alert generated when the FIM module detects changes in the monitored file. The created file was logged as ‘file added’

  • Modify Files

To demonstrate file modification detection, I edited the contents of a file in the Downloads folder named “Malicious.txt”

Alert Visualization

This action was detected by Wazuh File Integrity Monitoring and logged as a “file modification” event in the dashboard.

  • Delete Files

Several files were deleted, and this activity was detected by Wazuh File Integrity Monitoring and logged as “File deleted” events.

  • Registry Modification

To demonstrate registry monitoring, I ran a benign malware simulation that attempted to establish persistence. This action triggered legitimate Windows system processes, which in turn updated related registry keys in the background. Wazuh detected these changes and logged them as registry modification events, demonstrating how File Integrity Monitoring can capture both direct malware activity and the secondary system behaviors it provokes.

Press enter or click to view image in full size

Press enter or click to view image in full size

Dashboard Insights & Key Takeaways

Press enter or click to view image in full size

FIM Dashboard

This project demonstrated the practical value of File Integrity Monitoring through hands-on configuration, testing, and analysis using Wazuh. I successfully monitored file systems and Windows Registry keys, validated detection with manual changes and a malware simulation, and used the Wazuh dashboard to turn raw alerts into actionable insights.

FIM proved to be a critical visibility tool not just for compliance, but for real-time detection, rapid investigation, and understanding attack behaviors through change analysis. By capturing both legitimate and malicious modifications, it serves as a foundational layer in a proactive security posture.

Many thanks to

for inspiring me to take on this project.


文章来源: https://infosecwriteups.com/wazuh-file-integrity-monitoring-tracking-endpoint-modifications-in-real-time-269e384f3fa7?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh