File Integrity Monitoring Release 4.6

The following profile names in the library are now renamed to help you identify the associated compliance:

Imported profiles now include an appropriate name for the associated rules to better reflect their intended purpose.

This applies to the new imported profiles only.

See the following image, which shows the rule names.

We have added new rules to the below monitoring profiles, which help FIM detect any modifications to time synchronization files, such as NTP and Chrony, and ensure compliance with the PCI DSS 4.0 requirement 10.6.3:

• Linux Monitoring Profile for PCI DSS 4.0
  
• AIX Monitoring Profile for PCI DSS 4.0

See the following table for more details on new rules:

The queries are updated with new names, descriptions, and QQL to better meet your organization's needs for compliance and monitoring. You can view the new queries under Configuration > Library > Queries.
To view the list of new queries, refer to the FIM Online Help.

Linux patches and hotfixes are released periodically to address bugs and vulnerabilities. To strengthen overall security and compliance, such activities can be monitored with Qualys FIM alerting and correlation feature to detect changes to systems outside of authorized change control windows.

Query: "actor.process:'python' or actor.process:'dpkg' or actor.process:'update-alternatives'"

This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor.

Query: "actor.process:'SolarWinds.Credentials.Orion.WebApi.exe` or actor.process:'SolarWinds.Orion.Topology.Calculator.exe' or actor.process:'Solarwinds-Orion-NPM.exe' or actor.process:'WerFault.exe' or actor.process:'Database-Maint.exe' or actor.process:'APMServiceControl.exe' or actor.process:'Solarwinds-Orion-NPM.exe' or actor.process:'ExportToPDFCmd.Exe'"

Compromised DLLs can lead to massive attacks. The compromised file in the SolarWinds supply chain attack was SolarWinds.Orion.Core.BusinessLayer.dll. The SolarWinds DLL file is a backdoor which then installs a Windows service to execute malicious code.

Query: "file.name:`netsetupsvc.dll` or file.name:`SolarWinds.Orion.Core.BusinessLayer.dll` or file.name:`app_web_logoimagehandler.ashx.b6031896.dll`"

The commands used to install, update, remove or search software packages on various Linux distributions and the Microsoft Windows installer process that performs software installations can be monitored with the help of alerting & correlation feature of Qualys FIM.

Query: "(platform:'Linux' and (actor.process:'dpkg' or actor.process:'python' or actor.process:'prelink' or actor.process:'update-alternatives')) or (platform: Windows and actor.process:'msiexec.exe')"

Files containing user accounts information, groups and password hashes are critical and should be monitored for any unauthorized modification. You can configure an alert in such a way that, in case of a user action wherein a critical authentication file is modified by an unauthorized user, Qualys FIM sends an immediate alert, so that necessary action can be taken.

Query: "(platform:'Linux' and (file.name:`passwd` or file.name:`shadow` or file.name:`password-auth` or file.name:`system-auth` and (action:Delete or action:Security or action:Content)) and not actor.userName:`root`)"

When the operating system or an application program is first loaded into memory, a part of the program performs initialization. With the help of Qualys FIM, a correlation rule can be created to monitor the modifications in any of the critical initialization files, which must be notified and acted upon immediately.

Query: "(platform:'Windows' and (file.name:`boot.ini` or file.name:`system.ini`) and not actor.userName:'NT AUTHORITY\\SYSTEM') or (platform:'Linux' and (file.name:`lilo.conf` or file.name:`grub` or file.name:`grub.conf` or file.name:`grub.cfg`) and not actor.userName:`root`)"

All program files (executable) that enter a system go through the antivirus scan.Trend Micro OfficeScan is a security suite that protects enterprise networks from malicious software. The services run by OfficeScan client could be monitored with Qualys FIM to detect any unauthorized modifications.

Query: "actor.process:TmListen.exe or actor.process:NTRtScan.exe or actor.process:TmProxy.exe or actor.process: TmPfw.exe or actor.process: TMBMSRV.exe or actor.process: DSAgent.exe"

Creation of abnormal content by UMWorkerProcess.exe in Exchange is an IOC (Indicator of Compromise). We should continuously monitor for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, suggesting exploitation of CVE-2021-26858 vulnerability.

Query: "file.fullPath:\"aspx\" and (actor.process:UMWorkerProcess.exe or actor.process:w3wp.exe)"

With Trusted Source Status, user can easily identify the good changes due to patches and security updates, and whitelist them.

Query: "reputationStatus:KNOWN and trustStatus:TRUSTED"

This rule helps to detect creation of executable files by the SolarWinds client.

Query: "actor.process:'solarwinds.businesslayerhost.exe' and (file.name:`netsetupsvc.dll` or file.name:`SolarWinds.Orion.Core.BusinessLayer.dll` or file.name:`app_web_logoimagehandler.ashx.b6031896.dll` or file.name:`gracious_truth.jpg` or file.name:`SolarWinds-Core-v2019.4.5220-Hotfix5.msp` or file.name:'SolarWinds.Credentials.Orion.WebApi.exe' or file.name:'SolarWinds.Orion.Topology.Calculator.exe' or file.name:'Solarwinds-Orion-NPM.exe' or file.name:'WerFault.exe' or file.name:'Database-Maint.exe' or file.name:'APMServiceControl.exe' or file.name:'Solarwinds-Orion-NPM.exe' or file.name:'ExportToPDFCmd.Exe')"

This query will capture all the deletions performed by privileged users.

Query: "action:Delete and (actor.userName:`root` or actor.userName:'System' or actor.userName:'Administrator')"

Configuration files contain information required to control the operation of a program. Qualys FIM helps you create alerts for any unauthorized modifications in configuration files that are of utmost importance for system startup and are also read by various applications to customize the environment.

Query: "(platform:'Linux' and (file.name:`login.defs` or file.name:`resolv.conf` or file.name:`audit.rules` and (action:Delete or action:Security or action:Content)) and not actor.userName:`root`)"

The SolarWinds DLL file is a backdoor which then installs a Windows service to execute malicious code. Evidence of this can be detected by looking for the SolarWinds.BusinessLayerHost.exe process being ran.

Query: "actor.process:`SolarWinds.BusinessLayerHost.exe` or actor.process:`SolarWinds.BusinessLayerHostx64.exe`"

Windows Update is often whitelisted or ignored as it generates a lot of events that may be expected as well as valid. Attackers usually take advantage of this fact and introduce malware masked as a valid-looking process such as windowsupdate.exe. This might look like another Windows Update executable similar to various other valid ones such as TiWorker, Windows-KB, wuauclt.exe, sihclient and so on. However, in reality, WindowsUpdate.exe is a malicious program that has been designed to steal sensitive information from a computer.

Query: "platform: Windows and actor.process: WindowsUpdate.exe and not (actor.process: TiWorker or actor.process:wuauclt.exe or actor.process:cleanmgr or actor.process:sihclient or actor.process:'wuauserv.exe')"

Microsoft issues periodic updates to fix known flaws in Microsoft products and operating systems which help improve performance, reliability, and security. To strengthen overall security and streamline compliance, the patch management process should be monitored to detect changes to systems outside of authorized change control windows. You can leverage the Qualys FIM's event correlation and alerting feature to keep a check on such events.

Query: "actor.process: TiWorker or actor.process:wuauclt.exe or actor.process:cleanmgr or actor.process:sihclient or actor.process:'wuauserv.exe'"

Exchange log files might contain the potential IOCs (Indicator of Compromise) for the exploit. Monitoring critical log files for any unauthorized modifications is a mandate for compliance regulations such as PCI DSS, HIPAA, SOX and others. Qualys FIM's alerting capabilities can be utilized to create a custom alert whenever a critical log file is deleted.

Query: "(file.fullPath:\"Exchange Server\" and file.fullPath:\"logging\") and (action: delete or action:Security)"

Configuration files contain information required to control the operation of a program. Qualys FIM helps you create alerts for any unauthorized modifications in configuration files that are of utmost importance for system startup and are also read by various applications to customize the environment.

Query: "(platform: Windows and (file.name: explorer.exe or file.name: bootstat.dat or file.name: config.sys or file.name: autoexec.bat and (action:Delete or action: Security or action: Content)))"

Monitoring critical log files for any unauthorized modifications is a mandate for compliance regulations such as PCI DSS Requirement 10.5.5, HIPAA, SOX and others. Qualys FIM's alerting capabilities can be utilized to create a custom alert whenever a critical log file is deleted. This rule can be used to create automated incidents or alerts for unauthorized deletion of log files to enhance the overall security posture.

Query: "file.name:'*.log' and action:Delete"

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Deletions in large quantities can be alarming.

Query: "action:Delete and not (actor.userName:`root` or actor.userName:`NT AUTHORITY\\SYSTEM` or actor.userName:'Administrator')"

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the Security Accounts Manager database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Query: "file.name:SAM and (action:Security or action:Content or action:Attributes)"

Google products use a process called Google Update to periodically check for updates. Google Update Setup runs in the background of Windows and automatically starts up when your PC boots. It checks for software updates and automatically downloads and installs them if found. As the update process happens in the background and doesn't require any action on end user's part, you can monitor such events unauthorized changes with Qualys FIM.

Query: "actor.process: GoogleUpdate.exe"

A highly skilled manual supply chain attack on the SolarWinds Orion IT network monitoring product allowed hackers to compromise the networks of public and private organizations.

Query: "(file.name:`netsetupsvc.dll` or file.name:`SolarWinds.Orion.Core.BusinessLayer.dll` or file.name:`app_web_logoimagehandler.ashx.b6031896.dll` or file.name:`SolarWinds-Core-v2019.4.5220-Hotfix5.msp` or file.name:`OrionImprovementBusinessLayer.2.cs` or file.name:`gracious_truth.jpg`) or (actor.process:`SolarWinds.BusinessLayerHost.exe` or actor.process:`SolarWinds.BusinessLayerHostx64.exe` or actor.process:`Solarwinds-Orion-NPM.exe`)"

With File Reputation Status, user can identify if the change on the system is malicious or suspicious, and take necessary action to restrain the attack.

Query: "(reputationStatus:MALICIOUS or reputationStatus:SUSPICIOUS) and trustStatus:UNAVAILABLE"

With Windows registries storing a large number of programs and OS security settings and a large amount of raw data, threat actors have begun to use those registries as a data store for their malicious activity. It is therefore imperative for organizations to monitor changes in Windows registries as part of their file integrity monitoring program.

Query: "platform:Windows and (type:Key or type:Value) and (action:`Content` or action:`Security`) and not actor.process:`svchost.exe`"