Operating System Monitoring
Definition
The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute Operating System Monitoring.
Technique Overview
"An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs." [1]
Operating System Monitoring Techniques have varied implementations including built-in kernel modules, third-party privileged system daemons, or even standard systems administration tools included with an operating system.
Technique Subclasses
There are 10 techniques in this category, Operating System Monitoring.
| Name | ID | Definition | Synonyms |
|---|---|---|---|
| Operating System Monitoring | D3-OSM | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**. | |
| - Memory Boundary Tracking | D3-MBT | Analyzing a call stack for return addresses which point to unexpected memory locations. | |
| - Scheduled Job Analysis | D3-SJA | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. | Scheduled Job Execution |
| - System Daemon Monitoring | D3-SDM | Tracking changes to the state or configuration of critical system level processes. | |
| - System File Analysis | D3-SFA | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. | |
| - System Init Config Analysis | D3-SICA | Analysis of any system process startup configuration. | Autorun Analysis , and Startup Analysis |
| - User Session Init Config Analysis | D3-USICA | Analyzing modifications to user session config files such as .bashrc or .bash_profile. | User Startup Config Analysis |
| - Endpoint Health Beacon | D3-EHB | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised. | Endpoint Health Telemetry |
| - Input Device Analysis | D3-IDA | Operating system level mechanisms to prevent abusive input device exploitation. | |
| - Service Binary Verification | D3-SBV | Analyzing changes in service binary files by comparing to a source of truth. |
References
The following references were used to develop the Operating System Monitoring knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Host intrusion prevention system using software and user behavior analysis
MITRE Comments
The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:
- clicking on a link
- scrolling down a page
- opening or closing a window
- downloading a file
- saving a file
- running a file
- typing a keyword
Code behavior monitored includes code:
- copying itself to a system folder
- setting a run key to itself in the registry
- setting a second runkey to itself in the registry in a different location
- disabling OS tools in the registry
- opening a hidden file
The user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session. The predetermined collection of malicious behaviors are created based on analysis of families of malware in run time in a threat research facility. If a match is made an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.