Research Files and Folders to be monitored by Yara in the FIM #16

Open
ArmandMeppa opened this issue Feb 4, 2025 · 8 comments

@ArmandMeppa
Contributor

No description provided.

@ArmandMeppa ArmandMeppa self-assigned this Feb 4, 2025
@ArmandMeppa
Contributor Author

@ArmandMeppa will do some research in parallel, while waiting for the meeting with Khaled

@ArmandMeppa
Contributor Author

Essential Files and Directories for Security Monitoring in Linux and macOS

1. System Boot & Kernel Configuration

| Category | Common Files (Linux & macOS) | Linux-Specific | macOS-Specific |
|---|---|---|---|
| Boot Loader | - | /boot/grub/grub.cfg | /System/Library/CoreServices/boot.efi |
| Init Scripts | /etc/rc.common, /etc/rc.boot | /etc/init.d/, /etc/systemd/system/ | - |
| Kernel Parameters | /etc/sysctl.conf | /proc/cmdline | /System/Library/Extensions/ |

2. User & Authentication

| Category | Common Files (Linux & macOS) | Linux-Specific | macOS-Specific |
|---|---|---|---|
| User Accounts | /etc/passwd, /etc/group | /etc/shadow, /etc/gshadow | /etc/master.passwd, /var/db/dslocal/nodes/Default/users/ |
| Authentication (PAM) | /etc/pam.d/ | - | - |
| SSH Access | /etc/ssh/sshd_config, ~/.ssh/authorized_keys | - | - |

3. Network & Firewall Configuration

| Category | Common Files (Linux & macOS) | Linux-Specific | macOS-Specific |
|---|---|---|---|
| Network Config | /etc/hosts, /etc/resolv.conf | /etc/network/interfaces | /Library/Preferences/SystemConfiguration/ |
| Firewall Rules | - | /etc/iptables/, /etc/firewalld/ | /Library/Preferences/com.apple.alf.plist |

4. System & Security Logs

| Category | Common Files (Linux & macOS) | Linux-Specific | macOS-Specific |
|---|---|---|---|
| Authentication Logs | /var/log/secure.log | /var/log/auth.log | /var/log/asl/ |
| System Logs | /var/log/system.log | /var/log/syslog, /var/log/messages, /var/log/dmesg | /private/var/log/install.log |
| Application Logs | /var/log/apache2/ | /var/log/nginx/, /var/log/httpd/, /var/log/mysql/ | /Library/Logs/ |

5. Executables & Scheduled Tasks

| Category | Common Files (Linux & macOS) | Linux-Specific | macOS-Specific |
|---|---|---|---|
| System Binaries | /bin, /sbin, /usr/bin, /usr/local/bin | - | - |
| Cron Jobs | /etc/crontab | /var/spool/cron/ | /var/at/jobs/, ~/Library/LaunchAgents/ |
| Launch Daemons & Agents | /Library/LaunchDaemons/, /Library/LaunchAgents/ | /etc/init.d/, /etc/systemd/system/ | - |

6. Temporary Files & Directories

| Category | Common Files (Linux & macOS) |
|---|---|
| Temporary Storage | /tmp, /var/tmp |

@ArmandMeppa
Contributor Author

Essential Files and Directories for Security Monitoring in Windows

1. System Boot & Configuration

| Category | Windows File/Directory |
|---|---|
| Boot Loader | C:\boot.ini, C:\BCD |
| System Files | C:\Windows\System32\config\SAM |
| Registry Hives | C:\Windows\System32\config\SYSTEM, C:\Windows\System32\config\SOFTWARE, C:\Windows\System32\config\SECURITY |

2. User & Authentication

| Category | Windows File/Directory |
|---|---|
| User Profiles | C:\Users\ |
| Authentication | C:\Windows\System32\config\SAM |
| Local Security Policy | C:\Windows\System32\secpol.msc |

3. Network & Firewall Configuration

| Category | Windows File/Directory |
|---|---|
| Hosts File | C:\Windows\System32\drivers\etc\hosts |
| Firewall Rules | C:\Windows\System32\LogFiles\Firewall\ |
| Network Config | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\NetCfg |

4. System & Security Logs

| Category | Windows File/Directory |
|---|---|
| Event Logs | C:\Windows\System32\Winevt\Logs\ |
| Security Logs | C:\Windows\System32\config\SecEvent.Evt |
| Application Logs | C:\ProgramData\Microsoft\Windows Defender\Support\ |

5. Executables & Scheduled Tasks

| Category | Windows File/Directory |
|---|---|
| System Binaries | C:\Windows\System32\, C:\Windows\SysWOW64\ |
| Scheduled Tasks | C:\Windows\System32\Tasks\ |
| Startup Programs | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ |

6. Temporary & Sensitive Files

| Category | Windows File/Directory |
|---|---|
| Temporary Files | C:\Windows\Temp\, %TEMP% |
| Crash Dumps | C:\Windows\Minidump\ |

Reference
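The two watchlist comments above say which paths to monitor but not how a FIM consumes such a list. The following is an added example, not code from this project: it records a SHA-256 and permission bits for every file under a watchlist (the `WATCHLIST` subset of the tabulated paths is an assumption chosen here), reports absent entries instead of failing, records symlinks by target, and diffs two baselines; `demo()` runs it on a constructed temporary tree rather than the real system paths.

```python
"""Added example (not the project's code): hash+mode FIM baseline over a watchlist
drawn from the tables in this issue; demo() runs on a constructed temp tree."""
import hashlib, os, tempfile
from pathlib import Path

# Assumed subset of the per-OS paths tabulated above; absent entries are reported, not fatal.
WATCHLIST = {
    "Linux": ["/etc/passwd", "/etc/shadow", "/etc/ssh/sshd_config", "/etc/crontab", "/etc/systemd/system/"],
    "Darwin": ["/etc/master.passwd", "/etc/ssh/sshd_config", "/Library/LaunchDaemons/", "/Library/LaunchAgents/"],
    "Windows": [r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\System32\Tasks"],
}

def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Map each file under the watchlist to (sha256, permission bits); symlinks map to their target."""
    baseline, missing = {}, []
    for entry in paths:
        p = Path(entry)
        if not p.exists() and not p.is_symlink():
            missing.append(entry); continue
        for f in (p.rglob("*") if p.is_dir() else [p]):
            if f.is_symlink():  # record the link target so a retargeted link shows up as modified
                baseline[str(f)] = ("symlink->" + os.readlink(f), None)
            elif f.is_file():
                baseline[str(f)] = (sha256_of(f), f.stat().st_mode & 0o7777)
    return baseline, missing

def compare(old, new):
    """Added, removed and modified (content or mode changed) paths between two baselines."""
    added, removed = sorted(set(new) - set(old)), sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return added, removed, modified

def demo():
    """Constructed scenario: edit one file, delete one, add one, chmod one, then diff the baselines."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"; etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "crontab").write_text("# m h dom mon dow user command\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n"); (etc / "sshd_config").chmod(0o600)
        before, _ = build_baseline([str(etc), str(Path(tmp) / "absent")])
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        (etc / "crontab").unlink(); (etc / "rc.local").write_text("#!/bin/sh\n")
        (etc / "sshd_config").chmod(0o644)  # permission-only change; content untouched
        after, missing = build_baseline([str(etc), str(Path(tmp) / "absent")])
        added, removed, modified = compare(before, after)
        return tuple([Path(x).name for x in g] for g in (added, removed, modified)) + (len(missing),)
```

Running `demo()` yields the added, removed and modified file names plus the count of watchlist entries that did not exist; pointing `build_baseline` at `WATCHLIST[platform.system()]` applies the same logic to the real paths.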

@ArmandMeppa
Contributor Author

WIP

@MarantosGeorge
Contributor

Waiting for Review @Calebasah

@Calebasah
Contributor

WIP.
Expecting a review from Khaled (Consultant).

@ArmandMeppa
Contributor Author

WIP.
Expecting a review from Khaled (Consultant).

@ArmandMeppa
Contributor Author

WIP
