Windows 2012 - FIM - list of files that need to be supervised


iisinfra...@gmail.com

May 10, 2016, 8:19:49 PM
to ossec-list
Hi,

I have been searching the Web quite a lot and, maybe I am not looking at the right place, but I can't find any answer.

I have to make a list of all the main files that need to be supervised by a FIM solution on Windows 2012 (basic ones like hosts and the main DLLs, for example).
It's not that hard on Linux and I have been able to find what I was looking for.

Is there any kind of reference for Windows? I can't even find one on Microsoft TechNet. All I got is "what you're supposed to do".

It seems like every FIM product on the market keeps that information secret. All I have found so far is this link: https://secludit.com/blog/windows-linux-vulnerable-files/ but it's already quite old.

Any place I can look? I'll happily provide some kind of database when I am done cataloguing what needs to be supervised.

Thanks,

lostinthetubez

May 16, 2016, 3:48:46 PM
to ossec...@googlegroups.com

Your best bet here might be to search for Windows-based digital forensics articles. SANS puts out a classic poster with some key system processes to keep tabs on: https://digital-forensics.sans.org/blog/2014/03/26/finding-evil-on-windows-systems-sans-dfir-poster-release
Pretty much anything that loads up by default from beneath C:\windows is worthy of watching. You might even just open Task Manager, add the column named “Image path name” and look at each process that’s running out of C:\Windows\*.
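The reply above suggests reading the "Image path name" column in Task Manager to see which binaries run out of C:\Windows. The script below is an added example, not code from either poster or from the OSSEC project: it automates that survey with Get-Process and Win32_Service, adds the hosts file the original question mentions, writes a review list, and emits an OSSEC syscheck fragment for the paths found. The output file names under $env:TEMP are assumptions; run it from an elevated prompt, because the image path of protected system processes is not readable otherwise.

```powershell
# Added example (not from the thread or from OSSEC): build a candidate FIM list
# from what is actually running under C:\Windows, then emit a syscheck fragment.
$winDir = $env:WINDIR   # normally C:\Windows

# Running processes: .Path is the Task Manager "Image path name"; it is $null for
# processes we are not allowed to open, hence the elevated-prompt requirement.
$imagePaths = Get-Process |
    Where-Object { $_.Path -and $_.Path -like "$winDir\*" } |
    Select-Object -ExpandProperty Path -Unique

# Services usually appear only as svchost.exe in Task Manager; their real binaries
# are in the service configuration. Strip quotes and arguments from PathName.
$servicePaths = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }   # "C:\...\foo.exe" -args
        else { ($_.PathName -split ' ')[0] }                    # C:\...\foo.exe -args
    } |
    Where-Object { $_ -like "$winDir\*" }

# Static files the question asks about (hosts) that no process "runs out of".
$staticPaths = @("$winDir\System32\drivers\etc\hosts")

$allPaths = @($imagePaths) + @($servicePaths) + $staticPaths | Sort-Object -Unique

# Plain list for human review before anything goes into ossec.conf.
$listFile = Join-Path $env:TEMP 'fim-candidates.txt'        # assumed location
$allPaths | Set-Content -Path $listFile

# OSSEC syscheck accepts individual file paths in <directories>; realtime="yes"
# is supported on Windows agents. Each entry is escaped in case of odd characters.
$entries = foreach ($p in $allPaths) {
    $escaped = [System.Security.SecurityElement]::Escape($p)
    "    <directories check_all=`"yes`" realtime=`"yes`">$escaped</directories>"
}
$fragment = "<syscheck>`n$($entries -join "`n")`n</syscheck>"
$xmlFile = Join-Path $env:TEMP 'syscheck-fragment.xml'       # assumed location
$fragment | Set-Content -Path $xmlFile

Write-Host "Found $($allPaths.Count) paths; list in $listFile, syscheck fragment in $xmlFile"
```

The list is a snapshot of one machine at one moment, so review it rather than pasting it straight into ossec.conf: anything that only runs at boot or on a schedule will be missing, and an unquoted service PathName with a space in the directory name will be cut short by the simple split. Watching whole directories such as $winDir\System32 in addition to the individual binaries catches the files the survey did not see.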
