I have a requirement to try and monitor changes to a file. The file in this instance is the “HOSTS” file for any machine on the network (this is C:\Windows\System32\drivers\etc\hosts). This is to simulate a bad actor modifying a HOSTS file to redirect traffic elsewhere. Symantec A&DC has a pre-built rule that works fine if the file is modified from the local machine. As I discovered today, if a bad actor modifies the file from a remote location (for example by accessing the UNC path of a device on the network) this doesn’t work. Is there a way to detect this? It seems a little short-sighted to monitor a file but not be able to monitor the file if the change was done remotely. To illustrate this point a bit more clearly:
Workstation 1 has a monitored file (HOSTS) ==> Local Admin logged into (or running administratively) on Workstation 1 and modifies HOSTS file ==> SEP A&DC will detect and log this event
Workstation 1 has a monitored file (HOSTS) ==> Administrator on Workstation X or Server X (using administrator privileges) accesses the UNC path of Workstation 1 and modifies the HOSTS file ==> SEP A&DC does not detect or log this event.
Is this something that is able to be worked around or should this be configured through something like File Integrity?
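One way to cover the remote case on the monitored workstation, added here as an example and not part of the original post or of any Symantec feature: put a Windows audit (SACL) entry on the hosts file so that every write is logged as Security event 4663 no matter which path it arrives by, and keep a hash baseline as a second check. It assumes the script runs as Administrator on Workstation 1 with the "File System" audit subcategory enabled, and the baseline file path is an assumption.

```powershell
# Added example (not from the original post or Symantec): audit hosts-file writes
# whether they come from a local process or over an admin share (\\host\C$\...).
# Assumes an elevated session and that file-system auditing is switched on:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable

$HostsPath    = "$env:SystemRoot\System32\drivers\etc\hosts"
$BaselineFile = "$env:ProgramData\hosts-baseline.sha256"   # assumed location

# 1. Add an audit (SACL) entry: log successful Write/Delete by anyone.
#    The SMB server impersonates the remote caller, so a write through the
#    UNC path is logged under that caller's own account, not as 'System'.
$acl  = Get-Acl -Path $HostsPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $HostsPath -AclObject $acl

# 2. Hash baseline: create it on first run, compare on later runs. This still
#    catches a change if the audit log was cleared or auditing was disabled.
$current = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
if (-not (Test-Path $BaselineFile)) {
    Set-Content -Path $BaselineFile -Value $current
} elseif ((Get-Content $BaselineFile) -ne $current) {
    Write-Warning "hosts file content differs from recorded baseline"
}

# 3. List the last hour of 4663 (object access) events that touched the file.
#    A write that arrived over SMB is performed by the System process (PID 4)
#    on behalf of the caller, which is how to tell remote edits from local ones.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
            -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like '*drivers\etc\hosts*' }

foreach ($e in $events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Account      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process      = $d.ProcessName
        AccessMask   = $d.AccessMask
        LikelyRemote = ($d.ProcessId -eq '0x4')   # System PID => came via SMB
    }
}
```

For the remote case, the matching 5145 (detailed file share) event in the same time window carries the client IP address and the share-relative path, which gives the source workstation.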