Esc

System Daemon Monitoring

D3-SDM
D3-SDM (System Daemon Monitoring)

Definition

Tracking changes to the state or configuration of critical system level processes.

How it works

Attackers may manipulate system settings or services to disable system logging or monitoring of security tools and events. Firewall and antivirus services are popular targets for attackers. Disabling system logs will also allow an attacker's actions to go unnoticed. Analysis of logs, registries, and process monitoring help defenders locate signs of tampering. Two possible approaches are to monitor hardened system services or to monitor registry updates for modifications to security settings.

loading...
json
loading...

References

All
Patent
External Knowledge Base

The following references were used to develop the System Daemon Monitoring knowledge-base article.

(Note: the consideration of references does not imply specific functionality exists in an offering.)

Host intrusion prevention system using software and user behavior analysis

MITRE Comments

The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:

  • clicking on a link
  • scrolling down a page
  • opening or closing a window
  • downloading a file
  • saving a file
  • running a file
  • typing a keyword

Code behavior monitored includes code:

  • copying itself to a system folder
  • setting a run key to itself in the registry
  • setting a second runkey to itself in the registry in a different location
  • disabling OS tools in the registry
  • opening a hidden file

The user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session. The predetermined collection of malicious behaviors are created based on analysis of families of malware in run time in a threat research facility. If a match is made an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.

Reference Type: Patent Organization: Sophos Ltd Author: Clifford C. Wright
Source: https://patents.google.com/patent/US20110023115A1

Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system

MITRE Comments

This patent describes detecting registry changes using a prohibited change heuristic or a database of prohibited functions/function parameters.

Reference Type: Patent Organization: Symantec Corporation Author: Adam Glick, Patrick Gardner, Pieter Viljoen
Source: https://patents.google.com/patent/US8239947B1

CAR-2016-04-003: User Activity from Stopping Windows Defensive Services

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source: https://car.mitre.org/analytics/CAR-2016-04-003/

A knowledge graph of cybersecurity countermeasures