Monitor for runtime data manipulation by detecting suspicious modification of application binaries, API hooking, or unexpected behavior from the processes responsible for rendering or displaying data. Correlate registry edits, process creation, and unexpected binary hash mismatches, ideally within a short time window and tied back to the same originating process, since any one of these signals alone is common in normal software updates.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Field | Description |
|---|---|
| MonitoredPaths | Directory paths of business-critical applications where runtime manipulations are most impactful. |
| HashBaseline | Expected cryptographic hashes of application binaries used for runtime data display. |
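The correlation this analytic describes, as an added example that is not part of the page: it takes Sysmon EventCode 11 and Security EventCode 4657 records (already parsed into flat dicts, the way a SIEM presents them) plus digests from a separate integrity job, and scores each file written under MonitoredPaths by how many of the three signals coincide. The application directory, the HashBaseline digests and the event records are constructed; field names follow the Sysmon and Windows Security event schemas.

```python
"""Correlate Sysmon file creation (EventCode 11), Security registry value
modification (EventCode 4657) and hash-baseline mismatches for binaries
under MonitoredPaths. Added example; not ATT&CK's code. All paths, digests
and records below are constructed.
"""
from datetime import datetime, timedelta

# Hypothetical mutable elements for one business-critical application.
MONITORED_PATHS = [r"C:\Program Files\AcmeBilling"]
HASH_BASELINE = {  # SHA-256 hex digests recorded at deployment (placeholders)
    r"C:\Program Files\AcmeBilling\render.dll": "0" * 64,
    r"C:\Program Files\AcmeBilling\billing.exe": "1" * 64,
}
WINDOW = timedelta(minutes=10)  # max gap between the file write and a registry edit


def in_monitored_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(m.lower().rstrip("\\") + "\\") for m in MONITORED_PATHS)


def hash_mismatches(observed: dict) -> dict:
    """{path: (expected, observed)} for baselined binaries whose current hash differs."""
    return {p: (HASH_BASELINE[p], h) for p, h in observed.items()
            if p in HASH_BASELINE and HASH_BASELINE[p].lower() != h.lower()}


def correlate(events: list, observed: dict) -> list:
    """Score each file creation under a monitored path by its corroborating signals:
    a baseline mismatch for that file, and a registry value modified by the same
    process within WINDOW. Score 1 is a bare write; 3 is all signals present."""
    mismatches = hash_mismatches(observed)
    file_creates = [e for e in events if e["Channel"] == "Sysmon" and e["EventCode"] == 11]
    reg_mods = [e for e in events if e["Channel"] == "Security" and e["EventCode"] == 4657]
    alerts = []
    for fe in file_creates:
        target = fe["TargetFilename"]
        if not in_monitored_path(target):
            continue
        reasons = [f"file written under monitored path by {fe['Image']}"]
        if target in mismatches:
            reasons.append("hash differs from baseline")
        related = [r for r in reg_mods
                   if abs(r["time"] - fe["time"]) <= WINDOW
                   and r["ProcessName"].lower() == fe["Image"].lower()]
        for r in related:
            reasons.append(f"same process modified {r['ObjectName']}\\{r['ObjectValueName']}")
        alerts.append({"target": target, "image": fe["Image"],
                       "score": len(reasons), "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


T0 = datetime(2024, 5, 1, 9, 0, 0)
# Constructed records: an updater drops a new render.dll, then edits the app's
# registry key; an unrelated temp file write from svchost.exe is noise.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventCode": 11, "time": T0,
     "Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\Program Files\AcmeBilling\render.dll"},
    {"Channel": "Security", "EventCode": 4657, "time": T0 + timedelta(minutes=2),
     "ProcessName": r"C:\Users\Public\update.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\AcmeBilling",
     "ObjectValueName": "DisplayModule"},
    {"Channel": "Sysmon", "EventCode": 11, "time": T0 + timedelta(minutes=5),
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\tmp123.tmp"},
]
# Digests computed by a scheduled integrity job after the events above (constructed).
SAMPLE_HASHES = {
    r"C:\Program Files\AcmeBilling\render.dll": "f" * 64,   # changed
    r"C:\Program Files\AcmeBilling\billing.exe": "1" * 64,  # unchanged
}


def run_sample() -> list:
    return correlate(SAMPLE_EVENTS, SAMPLE_HASHES)


if __name__ == "__main__":
    for a in run_sample():
        print(a["score"], a["target"], "|", "; ".join(a["reasons"]))
```

Two operational caveats: EventCode 4657 is only generated when a SACL with Set Value auditing is applied to the key and Audit Registry is enabled under Object Access, so without that configuration the registry leg of the correlation is silently empty. Sysmon EventCode 11 carries no hash (EventCode 15 does, but only for alternate data streams), so the baseline comparison has to come from a separate hashing job rather than from the creation event itself.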
Detect runtime manipulation by monitoring system calls for modifications to shared libraries, ELF binaries, or environment variables (for example LD_PRELOAD) that change how data is displayed. Look for suspicious writes to application directories and for mismatches against binary integrity baselines.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write: File writes to application binaries or libraries at runtime |
| OS API Execution (DC0021) | linux:syslog | Execution of modified binaries or abnormal library load sequences |
| Field | Description |
|---|---|
| WatchedBinaries | Specific critical application binaries or libraries to monitor for unauthorized changes. |
| IntegrityCheckFrequency | Interval for verifying hashes of executables and libraries. |
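The two halves of this analytic, as an added example that is not part of the page: a parser for raw auditd SYSCALL/PATH records that flags successful write-intent opens or write(2) calls against WatchedBinaries, and the hash check that runs on IntegrityCheckFrequency. The paths, the audit key and the audit records are constructed; the syscall numbers are x86_64 (arch=c000003e), and the records assume a watch rule of the form `auditctl -w /opt/acme -p wa -k app_integrity`.

```python
"""Flag write-intent syscalls against WatchedBinaries in raw auditd output and
verify binaries against a hash baseline. Added example; not ATT&CK's code.
Paths, audit key and records are constructed; syscall numbers are x86_64.
"""
import hashlib
import os
import re
import tempfile

WATCHED_BINARIES = {"/opt/acme/bin/acme-ui", "/opt/acme/lib/libdisplay.so"}  # hypothetical
O_WRONLY, O_RDWR, O_TRUNC = 0x1, 0x2, 0x200
SYSCALL_NAMES = {1: "write", 2: "open", 257: "openat"}
FLAGS_ARG = {2: "a1", 257: "a2"}  # open(path, flags) vs openat(dirfd, path, flags)
HEADER_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}


def group_by_serial(lines):
    """auditd emits one SYSCALL record plus PATH records per event, joined by serial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def write_intent(sc):
    """True for write(2), or open/openat whose flags include write or truncate."""
    nr = int(sc["syscall"])
    if nr == 1:
        return True
    if nr not in FLAGS_ARG:
        return False
    return bool(int(sc[FLAGS_ARG[nr]], 16) & (O_WRONLY | O_RDWR | O_TRUNC))


def detect_binary_writes(lines):
    hits = []
    for serial, recs in sorted(group_by_serial(lines).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sc or sc.get("success") != "yes" or not write_intent(sc):
            continue
        for p in recs:
            if p["type"] == "PATH" and p.get("name") in WATCHED_BINARIES:
                hits.append({"serial": serial, "path": p["name"], "exe": sc.get("exe"),
                             "uid": sc.get("uid"), "syscall": SYSCALL_NAMES[int(sc["syscall"])]})
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def integrity_drift(baseline):
    """Run on IntegrityCheckFrequency. Returns {path: (expected, current)};
    a deleted binary is reported with current=None."""
    drift = {}
    for path, expected in baseline.items():
        current = sha256_file(path) if os.path.exists(path) else None
        if current != expected:
            drift[path] = (expected, current)
    return drift


# Constructed records: cp(1) truncating the library (flags 0x241 =
# O_WRONLY|O_CREAT|O_TRUNC), then the app loading it read-only (0x80000 = O_CLOEXEC).
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1714554000.101:9001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1234 a2=241 a3=1b6 items=1 ppid=4100 pid=4123 auid=1000 uid=0 gid=0 euid=0 comm="cp" exe="/usr/bin/cp" key="app_integrity"',
    'type=PATH msg=audit(1714554000.101:9001): item=0 name="/opt/acme/lib/libdisplay.so" inode=1311 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1714554000.202:9002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd5678 a2=80000 a3=0 items=1 ppid=1 pid=4200 auid=4294967295 uid=1000 gid=1000 euid=1000 comm="acme-ui" exe="/opt/acme/bin/acme-ui" key="app_integrity"',
    'type=PATH msg=audit(1714554000.202:9002): item=0 name="/opt/acme/lib/libdisplay.so" inode=1311 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]


def demo_integrity_drift():
    """Baseline a throwaway 'library', then patch it; returns (drift before, names drifted after)."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libdisplay.so")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF original")
        baseline = {lib: sha256_file(lib)}
        before = integrity_drift(baseline)
        with open(lib, "ab") as f:
            f.write(b" patched")
        after = integrity_drift(baseline)
    return before, sorted(os.path.basename(p) for p in after)
```

Only the open/openat/write path is parsed here; a `-p wa` watch also records rename and attribute changes, and syscall numbers differ on other architectures, so extend SYSCALL_NAMES and write_intent for rename(2) and for each arch value you ingest. The reason the hash check must run independently on its own interval is that an attacker who writes a replacement to a temp file and renames it over the original never opens the watched path for writing at all.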
Monitor for runtime manipulation by observing changes to application bundles, unexpected code-signing modifications, and runtime API calls that inject into or alter how data is displayed. Also detect alterations to the system frameworks an application loads, such as CoreFoundation or CFNetwork, since a tampered shared framework changes what the application displays or transmits without touching the application's own binary.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | Unexpected application binary modifications or altered signing status |
| File Modification (DC0061) | macos:osquery | CALCULATE: Mismatch in file integrity of critical macOS applications |
| Field | Description |
|---|---|
| AllowedApps | Allowlisted applications expected to handle sensitive runtime data. |
| SignatureEnforcement | Policy enforcement for validating application code signing integrity. |
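The AllowedApps and SignatureEnforcement checks of this analytic, as an added example that is not part of the page or of osquery: it builds the queries against osquery's `signature` and `hash` tables and evaluates their results against a policy that requires each allowlisted binary to be signed by a specific Team ID and to match its SHA-256 baseline. The application paths, Team IDs, digests and result rows are constructed (in the all-strings shape that `osqueryi --json` prints); the column names are the real ones.

```python
"""Evaluate osquery signature/hash results against an AllowedApps policy.
Added example; not ATT&CK's or osquery's code. Apps, Team IDs, digests and
result rows are constructed; column names match osquery's tables.
"""
import json

# Hypothetical policy: main executable -> Apple Developer Team ID expected to sign it.
ALLOWED_APPS = {
    "/Applications/AcmeBilling.app/Contents/MacOS/AcmeBilling": "ABCDE12345",
    "/Applications/AcmeViewer.app/Contents/MacOS/AcmeViewer": "ABCDE12345",
}
HASH_BASELINE = {  # SHA-256 recorded at deployment (placeholders)
    "/Applications/AcmeBilling.app/Contents/MacOS/AcmeBilling": "a" * 64,
    "/Applications/AcmeViewer.app/Contents/MacOS/AcmeViewer": "b" * 64,
}


def _quoted(paths):
    return ", ".join("'" + p + "'" for p in paths)


def signature_query(paths=ALLOWED_APPS):
    return ("SELECT path, signed, identifier, team_identifier, authority, cdhash "
            f"FROM signature WHERE path IN ({_quoted(paths)});")


def hash_query(paths=ALLOWED_APPS):
    return f"SELECT path, sha256 FROM hash WHERE path IN ({_quoted(paths)});"


def evaluate(signature_json: str, hash_json: str) -> list:
    """Return (path, kind, detail) findings. Being signed is not enough: a
    modified binary re-signed with another Developer ID or an ad hoc signature
    (empty team_identifier) still fails the Team ID comparison."""
    sigs = {r["path"]: r for r in json.loads(signature_json)}
    hashes = {r["path"]: r for r in json.loads(hash_json)}
    findings = []
    for path, team in ALLOWED_APPS.items():
        sig = sigs.get(path)
        if sig is None:
            findings.append((path, "missing", "no signature row: file absent or query failed"))
        elif sig["signed"] != "1":
            findings.append((path, "unsigned", "binary is not code signed"))
        elif sig["team_identifier"] != team:
            findings.append((path, "resigned",
                             f"signed by '{sig['team_identifier']}' ({sig['authority']}), expected {team}"))
        current = hashes.get(path, {}).get("sha256")
        expected = HASH_BASELINE.get(path)
        if expected and current != expected:
            findings.append((path, "hash_mismatch", f"sha256 {current} != baseline {expected}"))
    return findings


# Constructed rows: AcmeBilling has been modified and re-signed under a different
# Team ID; AcmeViewer is untouched.
SAMPLE_SIGNATURE_JSON = json.dumps([
    {"path": "/Applications/AcmeBilling.app/Contents/MacOS/AcmeBilling", "signed": "1",
     "identifier": "com.acme.billing", "team_identifier": "ZZZZZ99999",
     "authority": "Developer ID Application: Not Acme (ZZZZZ99999)", "cdhash": "11" * 20},
    {"path": "/Applications/AcmeViewer.app/Contents/MacOS/AcmeViewer", "signed": "1",
     "identifier": "com.acme.viewer", "team_identifier": "ABCDE12345",
     "authority": "Developer ID Application: Acme Corp (ABCDE12345)", "cdhash": "22" * 20},
])
SAMPLE_HASH_JSON = json.dumps([
    {"path": "/Applications/AcmeBilling.app/Contents/MacOS/AcmeBilling", "sha256": "c" * 64},
    {"path": "/Applications/AcmeViewer.app/Contents/MacOS/AcmeViewer", "sha256": "b" * 64},
])


def run_sample() -> list:
    return evaluate(SAMPLE_SIGNATURE_JSON, SAMPLE_HASH_JSON)


if __name__ == "__main__":
    print(signature_query())
    for path, kind, detail in run_sample():
        print(kind, path, "|", detail)
```

Schedule both queries in an osquery pack rather than running them ad hoc, and keep the hash comparison even when the signature check passes: the two catch different things, since the hash detects a modified-but-unsigned-again binary and the Team ID check detects a binary that was modified and validly re-signed. `codesign --verify --deep --strict` on the bundle is the command-line equivalent of the signature leg.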