Monitoring platform components such as operating systems software, hardware devices, or firmware.
Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.
Monitored platform components include system files and embedded devices such as:
- Kernel software modules
- Boot process code and load logic
- Operating system components and device files
- System libraries and dynamically loaded files
- Hardware device drivers
- Embedded firmware devices
There are 17 techniques in this category, Platform Monitoring.
| Technique | Definition | Synonyms |
|---|---|---|
| File Integrity Monitoring | Detecting any suspicious changes to files in a computer system. | |
| Scheduled Job Analysis | Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling. | Scheduled Job Execution |
| System Daemon Monitoring | Tracking changes to the state or configuration of critical system level processes. | |
| System File Analysis | Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering. | |
| System Firmware Verification | Cryptographically verifying installed system firmware integrity. | |
| System Init Config Analysis | Analysis of any system process startup configuration. | Autorun Analysis, Startup Analysis |
| User Session Init Config Analysis | Analyzing modifications to user session config files such as .bashrc or .bash_profile. | User Startup Config Analysis |
| Service Binary Verification | Analyzing changes in service binary files by comparing to a source of truth. | |
| Firmware Behavior Analysis | Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity. | Firmware Timing Analysis |
| Firmware Embedded Monitoring Code | Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data. | |
| Firmware Verification | Cryptographically verifying firmware integrity. | |
| Endpoint Health Beacon | Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised. | Endpoint Health Telemetry |
| Input Device Analysis | Operating system level mechanisms to prevent abusive input device exploitation. | |
| Memory Boundary Tracking | Analyzing a call stack for return addresses which point to unexpected memory locations. | |
| Operating System Monitoring | The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic, and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**. | |
| Peripheral Firmware Verification | Cryptographically verifying peripheral firmware integrity. | |