D3-SBV

Detect
Service Binary Verification

Definition

Analyzing changes in service binary files by comparing to a source of truth.

How it works

System service applications may originate from the operating system installation or third-party applications installed with administrative privileges. These services have an entry point of some executable file-- a binary or a script. Attackers sometimes modify these executables to launch their own code. Analyzing changes in these files may uncover unauthorized activity.

Considerations

These files change for legitimate reasons when the system or software updates.

The source of truth must not be corrupted in order for this method to work.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

analyzes
verifies
Service Binary Verification
Operating System File
Service Application

References

Reference - CAR-2014-02-001: Service Binary Modifications - MITRE