Ismail Hakim, November 2025

Defending Against Threat Actor’s Persistence Through File Integrity Monitoring (FIM) in Wazuh

Attackers often tamper with critical files to gain long-term access to systems. These changes can remain hidden without proper detection. File Integrity Monitoring (FIM) addresses this risk by checking for unauthorized file modifications. Wazuh FIM helps to detect threats early and supports compliance efforts.

Hi, I’m Ismail — Wazuh Ambassador from Indonesia. If you have ideas, feedback, or Wazuh features you’d like to explore together, you can contact me through this blog comment or LinkedIn post below. I’d love to hear from you and collaborate on making the most of Wazuh’s capabilities.

Ismail Hakim (ID) — https://wazuh.com/ambassadors/ismail-hakim/
LinkedIn Post — here

Purpose of File Integrity Monitoring

The primary purposes of FIM in Wazuh include:

● Detecting unauthorized file modifications that may indicate a security breach, such as changes to configuration files, binaries, or scripts.

● Ensuring compliance with standards like PCI DSS, HIPAA, and ISO 27001 that mandate regular monitoring of system integrity.

● Monitoring system-critical files, including boot scripts, user profiles, and application binaries to prevent unauthorized tampering.

MITRE ATT&CK — TA0003 Persistence

Persistence refers to post-exploitation tactics that adversaries use to maintain their foothold in a system across reboots, credential changes, or other interruptions. Under the MITRE ATT&CK framework, persistence tactics include modifying autorun configurations, scheduled tasks, or implanting malicious binaries that relaunch malware upon system startup.

Image: MITRE ATT&CK (https://attack.mitre.org/)

FIM in Wazuh is a powerful tool to detect such persistence tactics by:

● Monitoring files commonly abused for persistence, such as .bashrc, rc.local, systemd unit files, crontabs, and Windows registry hives.

● Generating alerts when persistence mechanisms are created or altered, helping SOC analysts swiftly investigate and remediate threats.

● Correlating file changes with user activity and system logs to build a complete picture of the intrusion path.

Configuring FIM in Wazuh Server

In this segment, we add a syscheck block to ossec.conf to enable Wazuh FIM on the server. The file is located at /var/ossec/etc/ossec.conf.

sudo su
nano /var/ossec/etc/ossec.conf

As an example, this is the configuration I added to the Wazuh server in /var/ossec/etc/ossec.conf.

<ossec_config>
...

<syscheck>
...

<disabled>no</disabled>

<!-- Interval (in seconds) between scheduled syscheck scans: every 15 minutes -->
<frequency>900</frequency>

<scan_on_start>yes</scan_on_start>

<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>

<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>

<!-- FIM on SSH Authorized Keys -->
<directories check_all="yes" realtime="yes">/home/*/.ssh/authorized_keys,/root/.ssh/authorized_keys</directories>

<!-- FIM on Users Configurations -->
<directories check_sha256sum="yes" realtime="yes">/etc/shadow,/etc/passwd,/etc/hosts,/etc/hostname,/etc/resolv.conf</directories>

<!-- FIM on critical user-defined script -->
<directories check_sha256sum="yes" check_perm="yes" check_owner="yes">/home/ubuntu/autobackup.sh</directories>

...
</syscheck>

...
</ossec_config>

This Wazuh ossec.conf configuration implements a File Integrity Monitoring (FIM) policy that balances periodic scanning and real-time monitoring across critical areas of the system. Syscheck is enabled with a scan frequency of every 15 minutes, and it performs an immediate scan upon agent startup. New file creation is explicitly monitored, and auto-ignore is disabled to ensure frequent changes aren’t silently overlooked. Core system directories such as /etc, /usr/bin, /usr/sbin, /bin, /sbin, and /boot are monitored to detect unauthorized modifications.

Real-time monitoring is applied to sensitive SSH key files (authorized_keys in both user and root .ssh directories), allowing for immediate alerting on persistence attempts. Additionally, key user and system configuration files like /etc/shadow, /etc/passwd, /etc/hosts, /etc/hostname, and /etc/resolv.conf are monitored using SHA256 checksums for strong integrity assurance. The configuration also includes targeted monitoring of a custom backup script (autobackup.sh), verifying its content, permissions, and ownership to detect unauthorized changes.

Before we fully implement that configuration, it is recommended to test the configuration and rule files with wazuh-logtest. This helps catch mistakes and typos, such as duplicate rule IDs and unclosed tags.

/var/ossec/bin/wazuh-logtest
Image: Troubleshooting using the wazuh-logtest binary. The error here is intentional; the output shows errors in the directories tag of ossec.conf.

Finally, to fully operate the FIM, wazuh-manager must be restarted.

sudo systemctl restart wazuh-manager
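As an added example (not code from the original post or from the Wazuh project), the check below parses the syscheck block of an ossec.conf and reports the kind of mistake wazuh-logtest would flag: an unclosed or mistyped tag, a disabled syscheck, or a path listed twice. The sample configuration is constructed from the block above, with the closing </syscheck> tag deliberately mistyped, and the function name and error messages are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the syscheck block from this post, with the closing
# </syscheck> tag mistyped as <syscheck> to reproduce the kind of error
# wazuh-logtest reports for ossec.conf.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>900</frequency>
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/home/*/.ssh/authorized_keys,/root/.ssh/authorized_keys</directories>
    <directories check_sha256sum="yes" check_perm="yes" check_owner="yes">/home/ubuntu/autobackup.sh</directories>
  <syscheck>
</ossec_config>
"""


def parse_syscheck(conf_text):
    """Return (errors, entries) for every <syscheck> block in conf_text.

    ossec.conf may contain several top-level <ossec_config> elements, so the
    text is wrapped in a synthetic root before parsing. An unclosed tag shows
    up as a parse error rather than as a silently dropped entry.
    """
    try:
        root = ET.fromstring("<root>" + conf_text + "</root>")
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"], []
    errors, entries, seen = [], [], set()
    for block in root.iter("syscheck"):
        if block.findtext("disabled", "no").strip() == "yes":
            errors.append("syscheck is disabled")
        for tag in block.findall("directories"):
            checks = sorted(k for k, v in tag.attrib.items()
                            if k.startswith("check_") and v == "yes")
            for path in (p.strip() for p in (tag.text or "").split(",")):
                if not path:
                    continue
                if path in seen:  # the same path listed twice is a typo worth flagging
                    errors.append(f"path listed twice: {path}")
                seen.add(path)
                entries.append({"path": path, "checks": checks,
                                "realtime": tag.get("realtime") == "yes"})
    if not entries:
        errors.append("no <directories> entries found")
    return errors, entries


if __name__ == "__main__":
    for err in parse_syscheck(SAMPLE_OSSEC_CONF)[0]:
        print("ERROR:", err)
```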

Configuring FIM for Wazuh Agent

Even though FIM runs on the Wazuh agent, it can be configured centrally through the Wazuh Dashboard. This is the beauty of Wazuh's centralized architecture. To enable and configure FIM through the dashboard, follow these steps.

Go to https://<wazuh-ip>/app/endpoint-groups#/manager/?tab=groups, change <wazuh-ip> to your server IP or URL and choose the corresponding group to be configured.

Choose the Files tab to show all configuration files for the selected group.

Image: Editing Wazuh configuration for agents (based on group)

Enter the configuration below. Remember that all FIM settings must be placed inside the <syscheck> tag.

<agent_config>

...
<syscheck>
<disabled>no</disabled>

<!-- Common FIM paths -->
<directories check_all="yes" realtime="yes">/etc</directories>
<directories check_all="yes" realtime="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>

<!-- FIM on Wazuh Agent -->
<directories check_all="yes" realtime="yes">/var/ossec/etc</directories>

<!-- FIM on SSH Authorized Keys -->
<directories check_all="yes" realtime="yes">/home/*/.ssh/authorized_keys,/root/.ssh/authorized_keys</directories>

<!-- FIM on Users Configurations -->
<directories check_sha256sum="yes" realtime="yes">/etc/shadow,/etc/passwd,/etc/hosts,/etc/hostname,/etc/resolv.conf</directories>

<!-- FIM on critical user-defined script -->
<directories check_sha256sum="yes" check_perm="yes" check_owner="yes">/home/ubuntu/autobackup.sh</directories>
</syscheck>

...
</agent_config>

This agent_config enables File Integrity Monitoring (FIM) on Wazuh agents with real-time monitoring for common system directories such as /etc, /bin, /sbin, and their subdirectories. It also includes monitoring of the Wazuh agent’s configuration directory at /var/ossec/etc. SSH authorized_keys files for both regular users and root are monitored in real time, while sensitive system configuration files like /etc/shadow, /etc/passwd, and DNS or hostname settings are verified using SHA256 checksums. Additionally, a specific user-defined script (/home/ubuntu/autobackup.sh) is monitored for changes in content, permissions, and ownership.

The Attacker's Perspective

This segment demonstrates an attacker who already has an initial foothold on the server. His goal is to gain permanent access, so that he does not need to re-exploit the vulnerability later on. Persistence tactics are dangerous for the server because the attacker retains access even after the vulnerability has been patched.

One simple persistence method is to add an attacker-owned public key to .ssh/authorized_keys. Once the key is in place, the attacker can log in to the server over SSH with the matching private key.

Image: The attacker adds his public key to /root/.ssh/authorized_keys

Because we have already configured File Integrity Monitoring, this change generates an alert for the SOC analysts. Rule ID 550 (syscheck.modified) was triggered during the attack.

Image: Real-time detection of the attack

If we want to know more details about the attack, Wazuh provides us with complete information.

Image: Full log of alert generated by modifying authorized_keys.
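As an added example (not code from the original post or from the Wazuh project), the triage below runs over alerts.json lines in the shape Wazuh emits, keeps only syscheck alerts (rule IDs 550 modified, 553 deleted, 554 added) on the persistence paths named earlier in this post, and extracts the lines a modification added. The alert lines are constructed, the path patterns and field names are my own assumptions, and note that the diff field is only present when the directories entry sets report_changes="yes", which the configuration above does not.

```python
import json
import re

# Syscheck rule IDs in Wazuh's default ruleset: 550 modified, 553 deleted, 554 added.
SYSCHECK_RULES = {"550": "modified", "553": "deleted", "554": "added"}

# Paths this post names as common persistence targets (patterns are assumptions).
PERSISTENCE_PATHS = {
    "ssh_authorized_keys": re.compile(r"/\.ssh/authorized_keys$"),
    "shell_startup": re.compile(r"/\.bashrc$"),
    "rc_local": re.compile(r"^/etc/rc\.local$"),
    "cron": re.compile(r"^/etc/cron|^/var/spool/cron/"),
    "systemd_unit": re.compile(r"^/etc/systemd/system/.*\.service$"),
}

# Constructed alerts.json lines in the shape Wazuh writes (fields trimmed).
# Line 1 mirrors the rule 550 alert from this post; the diff field only exists
# when the <directories> entry sets report_changes="yes". Key material is fake.
SAMPLE_ALERTS = r'''
{"rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"web-01"},"syscheck":{"path":"/root/.ssh/authorized_keys","event":"modified","mode":"realtime","changed_attributes":["size","md5","sha1","sha256"],"diff":"1a2\n> ssh-ed25519 AAAAEXAMPLEKEYNOTREAL attacker@example\n"}}
{"rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"001","name":"web-01"},"syscheck":{"path":"/etc/resolv.conf","event":"modified","mode":"scheduled","changed_attributes":["sha256"]}}
{"rule":{"id":"5715","level":3,"description":"sshd: authentication success."},"agent":{"id":"001","name":"web-01"},"data":{"srcuser":"root"}}
{"rule":{"id":"554","level":5,"description":"File added to the system."},"agent":{"id":"002","name":"db-01"},"syscheck":{"path":"/etc/cron.d/backup","event":"added","mode":"realtime"}}
'''


def triage(alert_lines):
    """Keep syscheck alerts on persistence paths; pull added lines out of diff."""
    findings = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        sc = alert.get("syscheck")
        if not sc or alert["rule"]["id"] not in SYSCHECK_RULES:
            continue  # not a FIM alert
        path = sc.get("path", "")
        category = next((n for n, rx in PERSISTENCE_PATHS.items() if rx.search(path)), None)
        if category is None:
            continue  # FIM alert on a path that is not a known persistence location
        # Wazuh stores diff output in normal diff format: added lines start with "> ".
        added = [l[2:] for l in sc.get("diff", "").splitlines() if l.startswith("> ")]
        findings.append({"agent": alert["agent"]["name"], "path": path,
                         "event": SYSCHECK_RULES[alert["rule"]["id"]],
                         "mode": sc.get("mode", "unknown"), "category": category,
                         "added_lines": added})
    return findings
```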

Closing

While prevention mechanisms such as firewalls, antivirus, and hardening measures are essential, they are not infallible. Attackers often find ways to bypass defenses and maintain undetected access to critical systems. This is where defense-in-depth becomes vital — layering detection and monitoring alongside preventive controls. Wazuh’s File Integrity Monitoring (FIM) adds a crucial layer of visibility, enabling early detection of tampering and persistence attempts. By continuously tracking sensitive file changes and correlating them with system behavior, organizations gain the ability to detect what prevention might miss. In a modern threat landscape, where compromise is a matter of when — not if — FIM ensures that you are not blind to the warning signs hiding in plain sight.


Defending Against Threat Actor’s Persistence Through File Integrity Monitoring (FIM) in Wazuh was originally published in Cyberkarta on Medium, where people are continuing the conversation by highlighting and responding to this story.

PT Cyberkarta Tugu Teknologi

A platform for learning cyber security together with the cyber community

Copyright © 2025 Cyberkarta