Monitors for unexpected modifications of system or application binaries, particularly signed executables. Correlates file write events with subsequent unsigned or anomalously signed process execution, and checks for tampered binaries outside normal patch cycles.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| MonitoredPaths | Define critical directories (e.g., C:\Windows\System32, Program Files) for binary integrity checks |
| SignatureValidation | Adjust enforcement level of digital signature verification based on enterprise risk appetite |
| TimeWindow | Correlate file modification with subsequent process execution within a defined time window |
Detects modification of system or application binaries by monitoring /usr/bin, /bin, and other privileged directories. Correlates file integrity monitoring (FIM) events with unexpected process executions or service restarts.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| Process Creation (DC0032) | auditd:EXECVE | execve |

| Field | Description |
|---|---|
| WatchedDirectories | Customize monitored directories (e.g., /usr/bin, /usr/sbin, /opt/apps) for binary tampering |
| BaselineHashes | Maintain golden file hashes for integrity validation |
Monitors binary modification in /Applications and system library paths. Detects unsigned or improperly signed binaries executed after modification. Tracks Gatekeeper or notarization bypass attempts tied to modified binaries.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | binary modified or replaced |
| Process Creation (DC0032) | macos:unifiedlog | execution of modified binary without valid signature |

| Field | Description |
|---|---|
| ApplicationPaths | Tune which application and library directories are monitored for tampering |
| SignatureVerificationDepth | Define strictness of code-signing validation checks |
Detects unauthorized modification of host binaries, modules, or services within ESXi. Correlates tampered files with subsequent unexpected service behavior or malicious module load attempts.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | esxi:hostd | binary or module replacement event |
| Module Load (DC0016) | esxi:vmkernel | unexpected module load |

| Field | Description |
|---|---|
| MonitoredModules | Define critical ESXi binaries and kernel modules requiring integrity validation |
| CorrelationWindow | Adjust timing correlation between binary modification and module/service anomalies |
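The correlation that all four analytics above describe (a write to a monitored binary followed, within a time window, by execution of that binary without a valid signature) as an added example, not code from the original page. It uses the Windows tunables MonitoredPaths, TimeWindow and SignatureValidation; the event records, paths and timestamps are constructed in a Sysmon-like shape, and the same loop applies to the Linux, macOS and ESXi variants once their own file-modification and execution events are mapped onto it.

```python
from datetime import datetime

# MonitoredPaths for this example (constructed, modelled on the table above).
MONITORED_PATHS = [r"C:\Windows\System32", r"C:\Program Files"]

# Constructed sample events in a Sysmon-like shape (not real telemetry):
# Sysmon EventCode 11/2 -> "file_mod", Security EventCode 4688 -> "proc_start".
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "file_mod", "path": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2024-05-01T10:00:30", "type": "proc_start", "path": r"C:\Windows\System32\svchost.exe", "signed": False},
    {"ts": "2024-05-01T11:00:00", "type": "file_mod", "path": r"C:\Users\alice\notes.exe"},
    {"ts": "2024-05-01T11:00:05", "type": "proc_start", "path": r"C:\Users\alice\notes.exe", "signed": False},
    {"ts": "2024-05-01T12:00:00", "type": "file_mod", "path": r"C:\Program Files\App\app.exe"},
    {"ts": "2024-05-01T13:00:00", "type": "proc_start", "path": r"C:\Program Files\App\app.exe", "signed": False},
    {"ts": "2024-05-01T15:00:00", "type": "file_mod", "path": r"C:\Program Files\App\tool.exe"},
    {"ts": "2024-05-01T15:00:10", "type": "proc_start", "path": r"C:\Program Files\App\tool.exe", "signed": True},
]

def in_monitored_paths(path, monitored_paths):
    """Windows paths are case-insensitive; match on a directory prefix."""
    p = path.lower()
    return any(p.startswith(m.lower().rstrip("\\") + "\\") for m in monitored_paths)

def detect_tampered_execution(events, monitored_paths, window_seconds=600, alert_only_unsigned=True):
    """Return (path, seconds_since_modification, signed) for each process start of a
    monitored binary within window_seconds of its last write. alert_only_unsigned models
    a strict SignatureValidation setting; False alerts on any post-modification execution."""
    last_modified = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not in_monitored_paths(ev["path"], monitored_paths):
            continue
        t = datetime.fromisoformat(ev["ts"])
        key = ev["path"].lower()
        if ev["type"] == "file_mod":
            last_modified[key] = t  # remember the most recent write to this binary
        elif ev["type"] == "proc_start" and key in last_modified:
            delta = (t - last_modified[key]).total_seconds()
            if delta > window_seconds:
                continue  # outside TimeWindow: likely a normal patch cycle
            if alert_only_unsigned and ev.get("signed", False):
                continue  # validly signed execution is tolerated under this setting
            alerts.append((ev["path"], delta, ev.get("signed", False)))
    return alerts

if __name__ == "__main__":
    for path, delta, signed in detect_tampered_execution(EVENTS, MONITORED_PATHS):
        print(f"ALERT {path}: executed {delta:.0f}s after modification (signed={signed})")
```

With the defaults only svchost.exe alerts: notes.exe is outside MonitoredPaths, app.exe runs after TimeWindow has expired, and tool.exe is validly signed; relaxing SignatureValidation or widening TimeWindow surfaces the latter two.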