Monitoring platform components such as operating systems software, hardware devices, or firmware.
Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.
Monitored platform components include system files and embedded devices such as:
- Kernel software modules
- Boot process code and load logic
- Operating system components and device files
- System libraries and dynamically loaded files
- Hardware device drivers
- Embedded firmware devices
There are 14 countermeasure techniques in this category, Platform Monitoring.
| Technique | ID | Definition | Synonyms |
|---|---|---|---|
| Platform Monitoring | D3-PM | Monitoring platform components such as operating systems software, hardware devices, or firmware. | |
| - Firmware Verification | D3-FV | Using embedded trust identification markers to identify legitimate firmware and hardware configurations. | |
| - Firmware Behavior Analysis | D3-FBA | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. | Firmware Timing Analysis |
| - Firmware Embedded Monitoring Code | D3-FEMC | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. | |
| - Scheduled Job Analysis | D3-SJA | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. | Scheduled Job Execution |
| - Service Binary Verification | D3-SBV | Analyzing changes in service binary files by comparing to a source of truth. | |
| - System Daemon Monitoring | D3-SDM | Tracking changes to the state or configuration of critical system level processes. | |
| - System File Analysis | D3-SFA | Monitoring system files such as authentication databases, registry keys, system logs, and system executables, for modification or tampering. | |
| - User Session Init Config Analysis | D3-USICA | Analyzing modifications to user session config files such as .bashrc or .bash_profile. | User Startup Config Analysis |
| - Endpoint Health Beacon | D3-EHB | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised. | Endpoint Health Telemetry |
| - Input Device Analysis | D3-IDA | Operating system level mechanisms to prevent abusive input device exploitation. | |
| - Local Account Monitoring | D3-LAM | Analyzing local user accounts to detect unauthorized activity. | |
| - Memory Boundary Tracking | D3-MBT | Analyzing a call stack for return addresses which point to unexpected memory locations. | |
| - Operating System Monitoring | D3-OSM | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**. | |
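Several of the techniques above (Service Binary Verification, System File Analysis, User Session Init Config Analysis) reduce to the same mechanism: record a trusted baseline of the files that matter, then periodically re-read them and compare against that source of truth. The following is an added example written for this page; it is not D3FEND's code or part of any product D3FEND describes. It hashes every regular file under a root, also records the permission bits (a setuid bit appearing on an unchanged binary is tampering too), and reports added, removed and modified paths. The `demo()` function, the temporary directory, and the file names in it (`sbin/sshd`, `sbin/evil`, `passwd`) are constructed stand-ins for real system paths.

```python
"""Source-of-truth integrity check over a directory tree (added example).

Build a baseline of SHA-256 digests and mode bits for every regular file
under a root, then re-walk the tree and report added, removed and modified
paths. The demo uses a temporary directory with constructed files in place
of /usr/sbin or /etc.
"""
import hashlib
import os
import stat
import tempfile


def _digest(path: str) -> str:
    # Hash in chunks so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Return {relative_path: (sha256, mode_bits, size)} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and device nodes are out of scope here
            rel = os.path.relpath(full, root)
            baseline[rel] = (_digest(full), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the tree under root with a previously built baseline.

    Returns {"added": [...], "removed": [...], "modified": {path: reason}}.
    Content changes are reported first; a file with identical content but
    different permission bits is reported with the old and new mode.
    """
    current = build_baseline(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": {},
    }
    for rel in sorted(set(current) & set(baseline)):
        old_hash, old_mode, _ = baseline[rel]
        new_hash, new_mode, _ = current[rel]
        if old_hash != new_hash:
            report["modified"][rel] = "content"
        elif old_mode != new_mode:
            report["modified"][rel] = "mode %o -> %o" % (old_mode, new_mode)
    return report


def demo() -> dict:
    """Constructed scenario (hypothetical files): baseline, then tamper, then verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        files = {
            "sbin/sshd": (b"ELF sshd", 0o755),
            "sbin/cron": (b"ELF cron", 0o755),
            "sbin/login": (b"ELF login", 0o755),
            "passwd": (b"root:x:0:0::/root:/bin/sh\n", 0o644),
        }
        for rel, (body, mode) in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
            os.chmod(os.path.join(root, rel), mode)
        baseline = build_baseline(root)

        # Tampering: trojaned binary, new setuid bit, deleted binary, dropped file.
        with open(os.path.join(root, "sbin/sshd"), "ab") as f:
            f.write(b" + backdoor")
        os.chmod(os.path.join(root, "sbin/login"), 0o4755)
        os.remove(os.path.join(root, "sbin/cron"))
        with open(os.path.join(root, "sbin/evil"), "wb") as f:
            f.write(b"ELF dropper")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The baseline is only a source of truth if an attacker who can rewrite the monitored files cannot also rewrite it: keep it off the host, or sign it and verify the signature before use. For the same reason the comparison is run from a known-good copy of the checker, not from a binary that lives in the tree it is checking.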