Monitoring File Changes

I need a solution

I have a requirement to try and monitor changes to a file.  The file in this instance is the “HOSTS” file for any machine on the network (this is `c:\windows\system32\drivers\etc\hosts`).  This is to simulate a bad actor modifying a HOSTS file to redirect traffic elsewhere.  Symantec A&DC has a pre-built rule that works fine if the file is done from the local machine.  As I discovered today, if a bad actor modified a file from a remote location (for example accessing the UNC path of a device on the network) this doesn’t work.  Is there a way to detect this?  It seems a little short-sighted to monitor a file but not be able to monitor the file if the change was done remotely.  To illustrate this point a bit more clearly:

Workstation 1 has a monitored file (HOSTS) ==> Local Admin logged into (or running administratively) on Workstation 1 and modifies HOSTS file ==> SEP A&DC will detect and log this event

Workstation 1 has a monitored file (HOSTS) ==> Administrator on Workstation X or Server X (using administrator privileges) accesses the UNC path of Workstation 1 and modifies the HOSTS file ==> SEP A&DC does not detect or log this event.

Is this something that is able to be worked around or should this be configured through something like File Integrity?
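One way to close the gap described above, added here as an example and not taken from the post or from Symantec: put an audit entry (SACL) on the hosts file itself and read the resulting Security events. Because the audit is evaluated on the machine that owns the file, a write that arrives over an administrative share is logged the same way as a local one. It assumes the script runs elevated on the monitored workstation; `Get-HostsFileWriteEvents` is a hypothetical helper name.

```powershell
# Path of the file to monitor (the standard hosts file location).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Turn on the Object Access > File System audit subcategory; without it
#    SACL entries never generate events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry that audits successful write/append/delete by anyone.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, WriteAttributes'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
            'Everyone', $rights, 'None', 'None', 'Success'
$acl = Get-Acl -Path $hostsPath -Audit       # -Audit needs SeSecurityPrivilege (elevated)
$acl.AddAuditRule($rule)
Set-Acl -Path $hostsPath -AclObject $acl

# 3. Pull Event ID 4663 (an access was attempted on an object) for that file.
function Get-HostsFileWriteEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Parse the event XML so we can filter on ObjectName instead of free text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d.ObjectName -eq $hostsPath) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                # A write that came in over SMB is attributed to the System process
                # (PID 0x4) rather than to an editor such as notepad.exe.
                Process = $d.ProcessName
                Access  = $d.AccessMask
            }
        }
      }
}

Get-HostsFileWriteEvents | Format-Table -AutoSize
```

To also capture the remote client's IP address for share-based writes, enable the "Detailed File Share" subcategory and correlate with Event ID 5145, which names the share, relative path and source address.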
