NOTE: This project is no longer maintained and has been published, for reference, from an archive of older projects. It is available to anyone interested in developing file analysis software. Because it is unmaintained, the third-party parsing libraries it depends on (listed at the end of this page) will not receive updates through this project; review and pin their versions yourself before building on it.
FWT is a security analysis and file monitoring tool that consumes Sysmon events. It tracks files reported by Sysmon event log sources (for example Event ID 11, FileCreate, as in the sample reports below), performs in-depth security analysis of each file, and generates a report in either XML or JSON format. These reports can be written to a log file, posted to an external API, or emitted as Windows Events.
The motivation behind this project is to gather additional information about newly created or modified files on a system, giving security analysts deeper insight and reducing analysis time. The information FWT produces (hashes, entropy, Authenticode signature status, Mark-of-the-Web origin and similar fields) also enables a wide range of new SIEM detection rules.
NOTE: Be sure to run Visual Studio as Administrator when building or debugging the project; reading the Sysmon operational event log and registering a Windows Event Log source (needed for the WriteToWinEventLogs option in the configuration below) typically require an elevated account. Treat this as a development-time requirement: when deploying, run the tool under the least-privileged account that still has those rights.
<FileWatchTower schemaversion="1.0">
<!-- FWT configuration. The values below are the ones shipped with the project; review each before deployment. -->
<!-- Comma-separated list of hashes computed for every analysed file. The sample output also carries
     Sha1 and TypeRefHash fields (null when not configured), so those are presumably accepted here
     as well - confirm against the configuration parser. -->
<HashAlgorithms>md5,sha256,imphash,ssdeep</HashAlgorithms>
<!-- Check the signing certificate for revocation (presumably the Authenticode chain reflected in
     IsTrustedAuthenticodeSignature / HasValidAuthenticodeCertChain). NOTE(review): this most likely
     needs outbound CRL/OCSP access; on an isolated host expect delays or a failed check - confirm
     how a timeout is reported. -->
<CheckRevocation>true</CheckRevocation>
<!-- Parse ISO disc images and .lnk shortcuts (presumably via the DiscUtils and securifybv.ShellLink
     libraries listed with the project). These parsers run on attacker-controlled content taken
     straight from the file system, so keep those libraries current. -->
<AnalyzeDiscImages>true</AnalyzeDiscImages>
<AnalyzeLnkFiles>true</AnalyzeLnkFiles>
<!-- Read the Zone.Identifier alternate data stream (Mark-of-the-Web) so reports carry the
     download origin (ZoneId, ReferrerUrl, HostUrl). -->
<ExtractFileNtfsZoneIdentifierInformation>true</ExtractFileNtfsZoneIdentifierInformation>
<!-- Upper bound on the size of files that are analysed; presumably bytes, 33554432 = 32 MiB.
     Larger files are presumably skipped rather than partially hashed - confirm. -->
<MaxTargetFileSize>33554432</MaxTargetFileSize>
<!-- Write events to Windows Event logs. Registering the event source typically requires an
     elevated account. -->
<WriteToWinEventLogs>true</WriteToWinEventLogs>
<!-- accepted values: 'json', 'xml' -->
<WinEventLogOutputFormat>xml</WinEventLogOutputFormat>
<!-- Write events to a file. Leave empty to disable the file reporter.
     Reports are evidence: restrict the directory ACL so that only the account running FWT can
     write to it, otherwise a local user could tamper with or delete them. -->
<LogDirectoryPath>C:\logs</LogDirectoryPath>
<!-- accepted values: 'xml', 'json'. -->
<LogFileOutputFormat>json</LogFileOutputFormat>
<!-- accepted values: 'json' -->
<ApiLogOutputFormat>json</ApiLogOutputFormat>
<!-- Leave empty to disable the API reporter. Use an https:// URL: reports contain host names, user
     names, file paths and the headers below (including any Authorization token) and would otherwise
     travel in clear text. -->
<ApiLogEndpointUrl></ApiLogEndpointUrl>
<!-- Extra HTTP headers sent with every API report, one 'Name: value' per element.
     'xxx' is a placeholder: never commit a real token to source control, and restrict read access
     to this file once a real value is set. -->
<ApiExtraHeaders>
<ApiExtraHeader>Authorization: OAuth xxx</ApiExtraHeader>
<ApiExtraHeader>User-agent: curl</ApiExtraHeader>
</ApiExtraHeaders>
</FileWatchTower>
{
"EventId": 11,
"RuleName": "Downloads",
"UtcTime": "2024-07-09T06:58:53.102",
"CreationUtcTime": "2024-07-09T06:58:52.653",
"EventName": "FileCreate",
"ProcessId": "10768",
"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"TargetFilename": "C:\\Users\\user\\Downloads\\good.exe:Zone.Identifier",
"User": "example\\user",
"ComputerName": "WKSTN-A.example.local",
"Md5": "a673313aa0a8885e4b7b5ed36bc90cb0",
"Sha256": "59a3dc89b1e629fe2c423d34c00a56771eeae794bffb7cee7e1f62d042e283e9",
"Entropy": 4.83,
"HasExportTable": false,
"HasImportTable": false,
"IsExecutableImage": false,
"IsDotNet": false,
"IsSigned": false,
"IsTrustedAuthenticodeSignature": false,
"HasValidAuthenticodeCertChain": false,
"CertificateNotValidBefore": "0001-01-01T00:00:00",
"CertificateNotValidAfter": "0001-01-01T00:00:00",
"InterestingStrings": "Go Compiler"
}
{
"EventId": 11,
"RuleName": "Downloads",
"UtcTime": "2024-07-11T03:52:58.919",
"CreationUtcTime": "2024-07-11T03:52:58.919",
"EventName": "FileCreate",
"ProcessId": "7128",
"Image": "C:\\Windows\\Explorer.EXE",
"TargetFilename": "C:\\Users\\user\\Downloads\\pageant(2) - Copy.exe",
"User": "example\\user",
"ComputerName": "WKSTN-2.example.local",
"FileTimeDateStamp": "2024-04-06T12:49:38+03:00",
"Md5": "5ea699678f3f6d822276f84e16160a3d",
"Sha1": null,
"Sha256": "7addf7a1de108be44d4de20f7f6c35760087486eba44655d2e6b3b0dccffd519",
"ImpHash": "b8b6b1c2144f4f51c01ec39e077201b4",
"SsDeep": "24576:iGHy3QhuG8vaKIe0MStS/o6ui2O9iMMSJ:CAhn8SKIeVSc/zuiJiM9",
"TypeRefHash": null,
"Entropy": 7.41,
"ZoneIdentifier": "[ZoneTransfer] ZoneId=3; ReferrerUrl=https://www.chiark.greenend.org.uk/; HostUrl=https://the.earth.li/~sgtatham/putty/0.81/w32/pageant.exe[/ZoneTransfer]",
"PdbFileName": null,
"Machine": "I386",
"SubSystem": "WindowsGui",
"MetaDataHeaderSignature": null,
"HasExportTable": false,
"HasImportTable": true,
"Architecture": "32Bit",
"IsExecutableImage": true,
"IsDotNet": false,
"IsSigned": true,
"IsTrustedAuthenticodeSignature": false,
"HasValidAuthenticodeCertChain": false,
"SigningAuthenticodeCertificateIssuer": "CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB",
"CertificateSubject": "CN=Simon Tatham, O=Simon Tatham, S=Cambridgeshire, C=GB",
"InterestingStrings": "",
"CertificateNotValidBefore": "2021-11-06T03:00:00+03:00",
"CertificateNotValidAfter": "2024-11-06T02:59:59+03:00",
"IsoDisc": null,
"LnkFile": null
}
- PeNet
- DiscUtils.Core
- DiscUtils.Iso9660
- DiscUtils.Streams
- securifybv.PropertyStore
- securifybv.ShellLink
- Trinet.Core.IO.Ntfs
This project was developed for testing and research purposes and is provided "as is", without warranty. Note that it parses files (executables, disc images, shortcuts) that are untrusted by design, so evaluate it and its third-party parsing dependencies accordingly before deploying it on production hosts.