uberAgent 7.1 Preview: File System Activity Monitoring for Windows & macOS
While we’re working on version 7.1 of our digital employee experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at an exciting new ESA feature: file system activity monitoring for Windows and macOS.
File system activity monitoring is uberAgent ESA’s capability to detect changes to objects in the file system. The monitored object types include files, of course, but also named pipes. uberAgent ESA can identify and react to the following types of file system events:
- File create
- File write
- File delete
- Creation time change
- Alternate data stream (ADS) create
- Raw read access
- Named pipe create
- Named pipe connect
There are numerous use cases for file system activity monitoring. The following examples provide but a brief glimpse into the many possibilities.
On Windows, when a file is downloaded from the internet, the downloading application adds a “Mark of the Web” (MOTW) to the file. Under the hood, the MOTW is an alternate data stream (ADS) named
Zone.Identifier whose contents mainly consist of the text
By monitoring the creation of alternate data streams whose name and contents match the MOTW, uberAgent can detect file downloads.
There are many places in the file system where attackers can create or modify files to achieve persistence. Examples include any user profile’s
Startup directory or the location where Windows stores scheduled task definitions,
By monitoring these and other locations, uberAgent can detect attempts to achieve persistence. Whenever such an attempt occurs, uberAgent creates an event with rich metadata in its backend SIEM (typically Splunk).
Operating systems and applications record user activity in a variety of logs. Such logs are a treasure trove for DFIR investigators, who can use them as forensic evidence to piece together a threat actor’s methodology. Attackers naturally like to cover their tracks by deleting such compromising information.
An excellent example of a log file that can be very revealing is the PowerShell command history, which is stored in
%AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default.
By monitoring the file delete activity of this history file and similar logs, uberAgent can detect attempts to destroy forensic evidence. As with all other Threat Detection events, uberAgent collects rich metadata, such as the executing process, its parent, and the user account, to name but a few.
Initially, uberAgent exposes file system activity in its Threat Detection Engine. Future versions of uberAgent will probably use file system activity events in other parts of the uberAgent products, too.
On Windows, uberAgent uses a minifilter driver to monitor the file system. This new driver complements the existing drivers for network, registry, and process monitoring,
On macOS, uberAgent subscribes to events from the Endpoint Security Framework to monitor the file system.
The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.