*WHAT* are you monitoring in your file shares?
Posted by HardyTHG@reddit | sysadmin | 15 comments
Regarding the monitoring of file shares
First, I'm not looking for bottled solutions, I have plenty of those, nor am I looking for *HOW* you are monitoring your file shares... rather, what I'm looking for is examples / ideas of *WHAT* you are monitoring in your file shares.
For example, aside from different monitoring solutions I have in place, I also have scheduled PowerShell scripts that provide reports on things like:
- List all new files created previous day + Sum/count per 1st-level folder within share
- List all file/folder auditing events per user/computer from previous day
- Show % of files modified previous day per 1st-level folder within each file share root
- Show size and free space of file share volumes
I have reasons why I have each of these daily reports, and what I'm interested in is additional ideas for what you monitor on your file shares, and why you monitor each.
Thank you in advance, no wrong answers... go>>
TheGraycat@reddit
Absolutely nothing like that. We provide the bucket and the service owners are responsible for the content.
InfoSec have some triggers built in of course.
Project__5@reddit
If we're talking Windows file servers, my go-to trick has been to:
1.) On a share, create a directory called ".CryptoCanary" intended to be the first directory listed when sorted by name.
2.) Find a bunch of small (<1KB) log files in a folder, make many copies in many subfolders, and then again, and then again, so you have this .CryptoCanary folder containing >1 million files, but overall very small in size.
3.) Use File Server Resource Manager (FSRM) on Windows Server to report on any add/mods/dels to the .CryptoCanary directory contents and if that happens send alert emails to IT, and send a scary email to the user instructing them to power down their computer.
This might be a little dated, but when cryptolocker/ransomware viruses were common, generally if a user's machine gets compromised and the ransomware starts looping through drive letters encrypting things, when it works on this mapped drive it will work on the .CryptoCanary directory first. That alerts IT and the user, and slows down the encryption, since there are millions of files needing to be encrypted one at a time before it has a chance to make it to the actual company data.
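One way to implement steps 1.) to 3.) above, as an added example in PowerShell that is not Project__5's script: it builds the canary tree and, instead of FSRM, uses a .NET FileSystemWatcher to raise the alert. The share path, recipient address and SMTP server are placeholders; run it on the file server itself against the local path of the share.

```powershell
# Added example, not from the original post. Placeholders: $ShareRoot, $AlertTo, $SmtpServer.
param(
    [string]$ShareRoot  = 'D:\Shares\Company',      # placeholder: local path of the share
    [string]$AlertTo    = 'it-alerts@example.invalid', # placeholder
    [string]$SmtpServer = 'smtp.example.invalid',      # placeholder
    [int]$Depth  = 3,    # 3 levels x fan-out 20 = 8,420 files; raise both for the >1M of the post
    [int]$Fanout = 20
)

$canary = Join-Path $ShareRoot '.CryptoCanary'   # leading dot sorts it first by name

function New-CanaryTree {
    param([string]$Path, [int]$Depth, [int]$Fanout)
    # Each file is a few dozen bytes of log-like text: cheap to store, but still one
    # file an encryptor has to open, rewrite and rename before reaching real data.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    for ($i = 0; $i -lt $Fanout; $i++) {
        $file = Join-Path $Path ('aaa_{0:D4}.log' -f $i)
        Set-Content -Path $file -Value ("canary {0} - do not modify" -f $i) -Encoding ASCII
        if ($Depth -gt 1) {
            New-CanaryTree -Path (Join-Path $Path ('sub_{0:D4}' -f $i)) -Depth ($Depth - 1) -Fanout $Fanout
        }
    }
}

function Start-CanaryWatch {
    param([string]$Path, [string]$AlertTo, [string]$SmtpServer)
    $watcher = New-Object System.IO.FileSystemWatcher $Path
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
    $action = {
        $e   = $Event.SourceEventArgs
        $msg = "CryptoCanary touched: $($e.ChangeType) $($e.FullPath) at $(Get-Date -Format o)"
        Write-Warning $msg
        # Any create/modify/delete/rename under the canary is a legitimate-use-free signal.
        Send-MailMessage -To $Event.MessageData.To -From 'canary@example.invalid' `
            -Subject 'CryptoCanary alert' -Body $msg -SmtpServer $Event.MessageData.Smtp
    }
    $data = @{ To = $AlertTo; Smtp = $SmtpServer }
    foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
        Register-ObjectEvent -InputObject $watcher -EventName $name -Action $action -MessageData $data | Out-Null
    }
    $watcher.EnableRaisingEvents = $true
    return $watcher
}

if (-not (Test-Path $canary)) { New-CanaryTree -Path $canary -Depth $Depth -Fanout $Fanout }
$watcher = Start-CanaryWatch -Path $canary -AlertTo $AlertTo -SmtpServer $SmtpServer
```

When an encryptor hits the tree the watcher fires thousands of events, so in production rate-limit the mail action (one alert per minute is plenty) and pair it with the user-side response the post describes.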
malikto44@reddit
I did that as well, where I had a ZFS subdirectory whose main purpose was to be hit by that. Combined with the backup program, it would alert me to a ransomware takeover, as well as keep backups from expiring until the event is over.
Project__5@reddit
That's cool. So many things you could automate these days as a response. I don't think we followed through on this, but we were also considering auto-disabling the network port or wifi the user's machine was connected to at the time.
OkEmployment4437@reddit
Project__5's canary folder trick is clever, but you're still waiting for ransomware to start encrypting before you get the alert. If you've got MDE on your file servers, it picks up anomalous SMB patterns and mass file operations natively, no custom scripts needed. We feed that into Sentinel and run KQL hunts for stuff like one account touching 500+ files across shares in under an hour, or accounts accessing shares they've literally never mounted before. Catches both exfil and lateral movement way earlier than FSRM will.
rejectionhotlin3@reddit
ZFS snapshots + replication. ZFS diff if I have questions on what changed in a particular folder/snapshot and zfs status to see the health of the pool.
RestartRebootRetire@reddit
I have auditing turned on for certain shares and then a script that emails me a nightly report of who deleted what. We have one particular folder with tons of multi-user company files that sometimes gets bashed around and people want to know who deleted what.
External_Weekend_120@reddit
Can you paste the PowerShell script here
HardyTHG@reddit (OP)
They are environment specific right now but I'll try and get them generalized and post - may take a day or so :-)
1cec0ld@reddit
Honestly you monitor better than I do. Got a copy of those to share?
HardyTHG@reddit (OP)
They are environment specific right now but I'll try and get them generalized and post - may take a day or so :-)
External_Weekend_120@reddit
can you paste the script here
ThatBCHGuy@reddit
I've used the tool Varonis for this specific need in the past. This covered the who did what and when, and capacity planning. Not cheap, but it worked great for our regulatory compliance needs.
Unable-Entrance3110@reddit
I monitor open file count, read queue depth and write queue depth (as well as up/down, obviously).
Valdaraak@reddit
I monitor two things:
- If exe files are being created in the shares.
- Mass file changes/deletions.
Both are big indicators of ransomware/viruses. Fair amount of false positives as well, but they're good monitoring/alerts to have.