T1554: Compromise Host Software Binary

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Adversaries may establish persistence through modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.

An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_persistence: PT-CR-1665: Unix_Lib_Modify: A system library file was changed
unix_mitre_attck_persistence: PT-CR-438: Unix_Bin_Modify: A likely attempt to add malicious code to system files
hacking_tools: PT-CR-842: Suspicious_BYOVKD_Driver_Loaded: A driver from the list of vulnerable BYOVKD drivers is loaded

Detection

ID: DS0022
Data source and component: File: File Deletion
Description: Monitor for unexpected deletion of client software binaries, which adversaries may perform to establish persistent access to systems.

ID: DS0022
Data source and component: File: File Modification
Description: Monitor changes to client software that do not correlate with known software or patch cycles.

ID: DS0022
Data source and component: File: File Metadata
Description: Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment.

ID: DS0022
Data source and component: File: File Creation
Description: Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems.
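As an added example (not part of the ATT&CK text and not one of the MaxPatrol rules above), the following Python script implements the File Creation, File Modification and File Deletion detections as a baseline-and-diff integrity check: it hashes the binaries under watched directories once, re-hashes them later, and reports what was added, removed or modified so that changes outside a known patch cycle can be triaged. The script name and the directories passed on the command line are assumptions.

```python
"""Hypothetical baseline-and-diff integrity check for host software binaries
(added example, not Positive Technologies or ATT&CK code): hash every regular
file under the watched roots once, re-hash later, and report what was added,
removed or modified so changes outside a known patch cycle can be triaged."""
import hashlib
import json
import os
import sys
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(roots) -> dict:
    """Map every regular file under the roots to its digest and size.
    Symlinks are skipped, so a link repointed elsewhere shows as 'removed'."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                baseline[str(p)] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline

def diff_baseline(old: dict, new: dict) -> dict:
    """Classify paths as added, removed or modified (content hash changed)."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"]),
    }

if __name__ == "__main__":
    # Usage: integrity_check.py <baseline.json> <dir>...  (first run writes the baseline)
    store, current = Path(sys.argv[1]), build_baseline(sys.argv[2:])
    if store.exists():
        print(json.dumps(diff_baseline(json.loads(store.read_text()), current), indent=1))
    else:
        store.write_text(json.dumps(current, indent=1, sort_keys=True))
```

Run it once right after a known-good install or patch cycle to write the baseline, then on a schedule; any "modified" entry for a binary that no package manager or patch job touched is the signal this technique's detections describe.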

Mitigation

ID: M1045
Name: Code Signing
Description: Ensure all application component binaries are signed by the correct application developers.