FIM configuration for Windows #105

@Calebasah

Description:

This ticket implements a comprehensive File Integrity Monitoring (FIM) configuration for all managed Windows endpoints. The purpose is to enhance our security posture by proactively detecting and alerting on unauthorized changes to critical system files, directories, and registry keys, which are common targets for malware and threat actors.

Key Objectives:

  • Detect Malware & Persistence: Monitor key persistence locations (e.g., Registry Run keys, Services, Scheduled Tasks, Startup folders) for unauthorized modifications indicative of malware installation or attacker footholds.
  • Ensure System Integrity: Safeguard critical system binaries (C:\Windows\System32, C:\Windows\SysWOW64), PowerShell environments, and other security-critical directories from tampering.
  • Protect Application Security: Monitor configuration and executable paths for key applications like web browsers, Microsoft Office, and other widely targeted software.
  • Protect Sensitive Data: Implement nodiff rules to prevent the exposure of cryptographic keys, passwords, and other secrets in alert logs, ensuring compliance with data protection standards.
  • Maintain System Performance: Utilize extensive ignore patterns for volatile files (logs, Pagefile, temporary directories) and highly frequented, low-risk system paths to minimize noise and resource overhead.
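As an added example, not configuration from this ticket, the five objectives above expressed as one syscheck block; it assumes the endpoint agent is Wazuh (or OSSEC, whose syscheck syntax the ticket's nodiff/ignore terms match; the ticket does not name the agent), and every path, registry key and pattern is an illustrative assumption to tune for the estate.

```xml
<!-- Constructed example: Wazuh/OSSEC syscheck fragment for a Windows agent (agent.conf or ossec.conf).
     Paths, keys and patterns are assumptions for illustration, not the ticket's final policy. -->
<syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>            <!-- full scheduled scan every 12 h; realtime covers the gaps -->
  <scan_on_start>yes</scan_on_start>

  <!-- Objective 1: persistence locations. Startup folder is watched in real time with content diffs. -->
  <directories check_all="yes" realtime="yes" report_changes="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

  <!-- Objective 2: system integrity. Scheduled Tasks (System32\Tasks) and PowerShell
       (System32\WindowsPowerShell) are covered by this entry; realtime on System32 is
       noisy on patch day, so drop it and rely on the scheduled scan if load is a concern. -->
  <directories check_all="yes" realtime="yes">C:\Windows\System32,C:\Windows\SysWOW64</directories>

  <!-- Objective 3: application paths, limited to executables and libraries a few levels deep -->
  <directories check_all="yes" restrict=".exe$|.dll$" recursion_level="3">C:\Program Files,C:\Program Files (x86)</directories>

  <!-- Objective 1 (registry): Run/RunOnce keys in both 32- and 64-bit views, plus Services -->
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

  <!-- Objective 4: report that these changed, but never put their contents in the alert's diff field -->
  <nodiff>C:\ProgramData\ssh\ssh_host_ed25519_key</nodiff>
  <nodiff type="sregex">\.pfx$|\.pem$|\.key$|unattend\.xml$</nodiff>

  <!-- Objective 5: volatile and low-risk paths that would otherwise dominate alert volume -->
  <ignore>C:\pagefile.sys</ignore>
  <ignore>C:\Windows\Temp</ignore>
  <ignore>C:\Windows\SoftwareDistribution</ignore>
  <ignore type="sregex">\.log$|\.tmp$|\.etl$</ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>
</syscheck>
```

The nodiff entries still raise an alert on change; they only withhold file contents, which is what keeps key material out of the SIEM.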
