System Daemon Monitoring
Tracking changes to the state or configuration of critical system level processes.
How it works
Attackers may manipulate system settings or services to disable system logging or monitoring of security tools and events. Firewall and antivirus services are popular targets for attackers. Disabling system logs will also allow an attacker's actions to go unnoticed. Analysis of logs, registries, and process monitoring help defenders locate signs of tampering. Two possible approaches are to monitor hardened system services or to monitor registry updates for modifications to security settings.
CAR-2016-04-003: User Activity from Stopping Windows Defensive Services
Host intrusion prevention system using software and user behavior analysis
The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:
- clicking on a link
- scrolling down a page
- opening or closing a window
- downloading a file
- saving a file
- running a file
- typing a keyword
Code behavior monitored includes code:
- copying itself to a system folder
- setting a run key to itself in the registry
- setting a second runkey to itself in the registry in a different location
- disabling OS tools in the registry
- opening a hidden file
The user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session. The predetermined collection of malicious behaviors are created based on analysis of families of malware in run time in a threat research facility. If a match is made an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.
Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system
This patent describes detecting registry changes using a prohibited change heuristic or a database of prohibited functions/function parameters.