Esc

System File Analysis

D3-SFA
D3-SFA (System File Analysis)

Definition

Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.

How it works

This technique ensures the integrity of system owned file resources. System files can impact the behavior below the user level.

Considerations

  • Need to manage the size of log file analysis.
  • False positives are a concern with this technique and filtering will need to be given additional thought.
  • A baseline or snapshot of file checksums should be established for future comparison.
loading...
json

Technique Subclasses

There are 2 techniques in this category, System File Analysis.

Name ID Definition Synonyms
System File Analysis D3-SFA Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.
- Service Binary Verification D3-SBV Analyzing changes in service binary files by comparing to a source of truth.
loading...

References

All
External Knowledge Base

The following references were used to develop the System File Analysis knowledge-base article.

(Note: the consideration of references does not imply specific functionality exists in an offering.)

CAR-2019-07-001: Access Permission Modification

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source: https://car.mitre.org/analytics/CAR-2019-07-001/

CAR-2013-01-002: Autorun Differences

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source: https://car.mitre.org/analytics/CAR-2013-01-002/

CAR-2016-04-002: User Activity from Clearing Event Logs

Reference Type: External Knowledge Base Organization: MITRE Author: MITRE
Source: https://car.mitre.org/analytics/CAR-2016-04-002/

A knowledge graph of cybersecurity countermeasures