Example 3: Email alert when .EXE file changed

Scenario

You want to receive an email (or any other type of notification) when an .EXE file is changed in a certain folder, for example the c:\windows folder.

Goal

To be notified immediately when a critical system file is changed, or when a change is attempted.

Prerequisites

Object auditing needs to be enabled in order for the OS to generate object access audit events (success and failure). Depending on your domain setup, you will have to enable this type of auditing either at the domain / OU level or on the individual server.

The folder(s) you would like to monitor need to have auditing enabled as well.

Approach

1. Enable object auditing.
2. Configure auditing on one or more folders.
3. Create a filter to catch object access events and forward them to an SMTP notification.

1. Enable Object Auditing

On domain controllers, open either "Active Directory Users and Computers" or, if installed, the "Group Policy Management" application. On member servers or workstations, open "Local Security Policy".

In the Group Policy Object Editor, navigate to "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Audit Policy", shown in the screenshot below. There, change the "Audit Object Access" policy to include both success and failure events:

Figure 1 (screenshot clip0546): the "Audit Object Access" policy set to audit success and failure

2. Configure auditing on one or more folders

Once object auditing is enabled on the domain, OU or computer, you can start auditing the folders of interest. In our example we will audit the Windows system folder c:\windows on a Windows Server 2003 installation. Open Windows Explorer, right-click the folder to be monitored and select Properties. Click the Security tab, click the Advanced button and then click the Auditing tab. You will see a list of auditing entries already present on this folder; in most cases this list is empty. Click the Add button to add a new user or group to be audited. Since we want to audit every user, we enter the built-in Everyone group:

Figure 2 (screenshot clip0548): the auditing entry dialog with Everyone selected

Figure 3 (screenshot clip0547): the access types selected for auditing

We need to audit the following access types, for both Successful and Failed attempts, on this folder:

Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes

You should see a dialog similar to the one shown in Figure 3 after you click the OK button in Figure 2. Now click OK twice to save the audit settings. From now on, the OS will record all successful and unsuccessful write attempts to files in the c:\windows folder and all of its subfolders.

3. Creating a filter in EventSentry

Now add an include filter in EventSentry that matches all "Audit Success" or "Audit Failure" events in the Security event log with event ID 560. Specify the filter text as follows:

Object Open:*Object Name:*.exe*Handle ID*Accesses:*DELETE*WriteData*Privileges:*-*Restricted*

You can remove the *.exe part of the filter text above if you want to monitor all files, or specify a different extension if you want to monitor a different file type. The complete filter should look like the dialog shown in Figure 4 below:

Figure 4 (screenshot clip0236): the complete include filter

After performing these steps, you will be notified via email every time a new .exe file is added to the c:\windows folder or an existing .exe file is modified.
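To see exactly what the step 3 filter text matches, here is an added Python example (not EventSentry's own code and not from the original page) that translates the "*" wildcard filter into a regular expression and runs it over constructed event 560 messages. The message layout and case-insensitive matching are assumptions; the example also goes a step beyond the page by showing that "*.exe*" matches any object name that merely contains ".exe", such as foo.exe.bak.

```python
import re

# The include-filter text from step 3 of this page ('*' matches any run of text).
FILTER_TEXT = ("Object Open:*Object Name:*.exe*Handle ID*Accesses:*DELETE*"
               "WriteData*Privileges:*-*Restricted*")


def wildcard_to_regex(pattern):
    """Turn a '*'-wildcard filter into a compiled regex.

    Literal segments are escaped (so the '.' in '.exe' is a real dot) and each
    '*' becomes '.*' under DOTALL so it can span the line breaks of a multi-line
    event 560 message. Case-insensitive matching is an assumption of this example.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts), re.DOTALL | re.IGNORECASE)


def matches_filter(message, pattern=FILTER_TEXT):
    """True if the whole event message matches the wildcard filter."""
    return wildcard_to_regex(pattern).fullmatch(message) is not None


def build_event_560(object_name, accesses):
    """Constructed stand-in for a Windows Server 2003 Security event 560 body.

    Only the fields the filter inspects matter; every value here is sample data.
    """
    access_block = "\n\t\t\t".join(accesses)
    return (
        "Object Open:\n"
        "\tObject Server:\tSecurity\n"
        "\tObject Type:\tFile\n"
        f"\tObject Name:\t{object_name}\n"
        "\tHandle ID:\t1234\n"
        "\tProcess ID:\t567\n"
        "\tImage File Name:\tC:\\WINDOWS\\explorer.exe\n"
        "\tPrimary User Name:\tAdministrator\n"
        f"\tAccesses:\t{access_block}\n"
        "\tPrivileges:\t-\n"
        "\tRestricted Sid Count:\t0\n"
    )


if __name__ == "__main__":
    write_access = ["DELETE", "WriteData (or AddFile)"]
    print(matches_filter(build_event_560(r"C:\WINDOWS\notepad.exe", write_access)))  # True
    print(matches_filter(build_event_560(r"C:\WINDOWS\foo.dll", write_access)))      # False
    print(matches_filter(build_event_560(r"C:\WINDOWS\foo.exe.bak", write_access)))  # True
```

Because the filter lists DELETE before WriteData, an open that requests only WriteData does not match; widen the filter text if those writes should alert as well.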