Logging Windows file tampering attempts

John Jonusauskas 30/10/2024

Imagine you’re working in a company, and an insider threat tampers with a critical file, like a financial document or a system configuration file. If you don’t know who, when, or what was modified, you may not even realize something is wrong until it’s too late. This can lead to data loss, operational issues, or worse, a security breach.

Tracking file access and modification attempts allows you to:

  • Track suspicious behavior and respond quickly.
  • Audit changes for compliance or internal policy.
  • Preserve file integrity, ensuring that only authorized users make changes.

In this post we explore the built-in Windows capability to monitor and log activity on files and folders. It is enabled through the Audit File System setting in the audit policy. The generated events can be reviewed in Windows Event Viewer or in any other log monitoring tool to detect suspicious activity.

Let’s start configuring our Windows system to monitor file tampering attempts in the following three steps.

STEP 1: Set up Audit Policy

The first step is to enable the file system auditing feature, which is managed through the Local Security Policy.

  1. Open the Run dialog (Windows + R), type secpol.msc and press Enter. This opens the Local Security Policy console.

    Figure 1: Windows Run console

  2. In the left pane, go to Advanced Audit Policy Configuration > Object Access.

    Figure 2: Local Security Policy console

  3. In the right pane, locate Audit File System. Double-click it and select both Success and Failure, so that Windows logs both successful and failed attempts to modify audited files.

    Figure 3: Configure audit events

  4. Click OK and close the Local Security Policy window.

Your system is now able to log changes to files, but enabling the policy alone produces no events: Windows only audits files and folders that carry an audit entry (a SACL), so the next step is to configure the specific files or folders to be monitored.

STEP 2: Modify Advanced Permissions

The second step is to select the file or folder we want to monitor. In this post we set up monitoring on the C:\Windows\system.ini file.

  1. Open File Explorer and navigate to the C:\Windows directory.
  2. Locate system.ini, right-click it and choose Properties.

    Figure 4: system.ini file properties

  3. In the Properties window, click the Security tab, then click Advanced.
  4. In the Advanced Security Settings window, go to the Auditing tab and click Add.

    Figure 5: Enabling auditing

  5. Click Select a principal and type Everyone (or specific users or groups if you only want to monitor certain accounts). Then click OK.

    Figure 6: Selecting users for monitoring

  6. In the Auditing Entry window, under Type, select All to monitor both successful and failed attempts, then click Show advanced permissions.

    Figure 7: Displaying advanced permissions

  7. Enable only the following permissions:
    - Create files / write data
    - Create folders / append data
    - Delete

    Figure 8: Applying permissions

  8. Lastly, click OK to apply the auditing settings.

Your system now logs every attempt by any user to write to, append to or delete the system.ini file.
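Steps 1 and 2 can also be applied from an elevated PowerShell prompt. The script below is an added example and is not part of the original post: it enables the File System audit subcategory with auditpol.exe (the command-line equivalent of the secpol.msc setting) and then attaches the same three audit rights to the file through its SACL. The target path and the Everyone principal are the ones the post uses; change them for your own file. Note that a domain Group Policy that configures audit settings will override the local setting.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell prompt.
$Target    = 'C:\Windows\system.ini'   # file from the post; change as needed
$Principal = 'Everyone'                # principal chosen in Step 2

# Step 1: enable Success and Failure auditing for Object Access > File System.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"File System"   # prints the current setting

# Step 2: build a SACL audit rule. These rights correspond to the three
# advanced permissions ticked in the post: Create files / write data,
# Create folders / append data, and Delete.
$rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete
$flags  = [System.Security.AccessControl.AuditFlags]::Success -bor
          [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $rights, $flags)

# Get-Acl -Audit reads the SACL as well as the DACL (requires SeSecurityPrivilege,
# which is why the prompt must be elevated). Add the rule and write it back.
$acl = Get-Acl -Path $Target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Verify: list the audit entries now attached to the file.
(Get-Acl -Path $Target -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags
```

The final Get-Acl call is the check to keep: if the Audit list is empty after Set-Acl, no 4663 events will ever be produced for the file, regardless of the policy setting.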

STEP 3: Monitor File Tampering Attempts

The third and last step is to monitor Windows event ID 4663 in Event Viewer to track tampering attempts.

  1. Press Windows + R, type eventvwr.msc and press Enter. This opens the Event Viewer console.

    Figure 9: Windows Run console

  2. In the left pane, go to Windows Logs > Security.
  3. Filter the events by clicking Filter Current Log in the right pane and entering event ID 4663 (an attempt was made to access an object, in our case a file modification).
  4. Open events with event ID 4663 and examine the details: who accessed the file, when, from which process, and which action the adversary attempted.

    Figure 10: Analysing a file tampering attempt using Windows Event Viewer

Here we can clearly see that the user John modified this file on 12/09/2024 at 20:05:45 using the Notepad application.
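The same information can be pulled out of the Security log with PowerShell instead of clicking through Event Viewer. The script below is an added example, not code from the original post: it reads 4663 events with Get-WinEvent, parses the event XML, keeps only events whose ObjectName is the audited file, and decodes the AccessMask bits for the three rights configured in Step 2. The access mask values are the documented ones for event 4663; the function and variable names are my own.

```powershell
# Added example, not the post's own code. Run from an elevated prompt
# (reading the Security log requires administrative rights).
$Target = 'C:\Windows\system.ini'   # file audited in Step 2

# AccessMask bits as documented for event 4663; only the three rights the
# post audits are decoded here.
$AccessNames = [ordered]@{
    0x2     = 'WriteData / CreateFiles'
    0x4     = 'AppendData / CreateDirectories'
    0x10000 = 'Delete'
}

function Get-FileTamperEvents {
    param(
        [string]$Path,
        [int]$MaxEvents = 1000   # newest N 4663 events to scan
    )
    $filter = @{ LogName = 'Security'; Id = 4663 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each EventData field is a <Data Name="..."> element in the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

            # Keep only events for the file we audit (ObjectName holds the full path).
            if ($data['ObjectName'] -ne $Path) { return }

            # AccessMask arrives as a hex string such as 0x2; report each set bit.
            $mask     = [int]$data['AccessMask']
            $accesses = foreach ($bit in $AccessNames.Keys) {
                if ($mask -band $bit) { $AccessNames[$bit] }
            }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']                    # e.g. notepad.exe
                Access  = ($accesses -join ', ')
                Outcome = ($_.KeywordsDisplayNames -join ',')     # Audit Success / Audit Failure
            }
        }
}

Get-FileTamperEvents -Path $Target | Format-Table -AutoSize
```

Each row is one 4663 event: the time, the account that opened the file, the process that did it and whether the access succeeded or was denied, which is exactly what Figure 10 shows for the Notepad edit. Because the filter on ObjectName is applied after retrieval, raise MaxEvents on a busy system where many other objects are audited.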

Best Practices for File Modification Logging

Monitor Critical Files:

Do not audit an entire drive such as C:\. Focus only on important folders or files, such as system configuration files, executables, device drivers, financial records, or other sensitive data; auditing everything floods the Security log and buries the events that matter.

Use Alerts:

Set up automated alerts to notify you when critical files are modified. You can use third-party tools like Splunk or Windows-native solutions like Task Scheduler to trigger alerts based on Event Viewer logs.

Regularly Review Logs:

Logs can pile up quickly, so make it a habit to review them regularly for any unusual activity.

Limit File Access:

Ensure only authorized personnel have access to sensitive files. The fewer people who can modify files, the less likely an unauthorized change will occur.

Test Your Audit Configuration:

Test your setup periodically to ensure logs are being captured as expected and that file modifications are properly logged. 
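Two of these practices, alerting through Task Scheduler and testing the configuration, can be scripted. The block below is an added example and is not part of the original post. The first part registers a scheduled task with schtasks.exe that fires on every Security event with ID 4663 and runs an alert handler; the handler path is a placeholder for your own script. The second part appends an empty line to an audited file and confirms that a 4663 event followed, which is the periodic test the last practice calls for. It assumes the file already carries the SACL from Step 2 and must run from an elevated prompt.

```powershell
# Added example, not the post's own code. Run from an elevated prompt.
$AlertHandler = 'C:\Tools\Alert-FileTamper.ps1'   # placeholder for your own handler script

# (1) Event-triggered task: runs the handler whenever a 4663 event is written
#     to the Security log. /MO takes an XPath filter, the same syntax Event
#     Viewer uses for custom views. The trigger is per event ID, so the
#     handler itself must filter on ObjectName for the files it cares about.
$query = '*[System[EventID=4663]]'
schtasks.exe /Create /F /TN 'FileTamperAlert' /SC ONEVENT /EC Security /MO $query `
    /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$AlertHandler`""

# (2) Self-test: make a benign, audited modification and look for the event.
function Test-FileAudit {
    param(
        [string]$Path,
        [int]$WaitSeconds = 5   # time allowed for the event to reach the log
    )
    $start = (Get-Date).AddSeconds(-1)

    # Appending an empty line exercises the "append data" right audited in Step 2.
    Add-Content -Path $Path -Value '' -ErrorAction Stop

    Start-Sleep -Seconds $WaitSeconds
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } -ErrorAction SilentlyContinue |
        Where-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'ObjectName' -and $_.'#text' -eq $Path }
        }

    if ($hits) { "OK: $($hits.Count) event(s) 4663 logged for $Path" }
    else       { "FAIL: no 4663 event for $Path; re-check Steps 1 and 2" }
}

Test-FileAudit -Path 'C:\Windows\system.ini'
```

Run the self-test after any change to audit policy or Group Policy, since either can silently remove the setting; a FAIL result means the alerting task will never fire for that file either.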


Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries. 

About John Jonusauskas


With over ten years of cybersecurity experience, John has worked in both offensive and defensive teams. In recent years, he has specialized in cybersecurity education, and he now heads up our live training department.