EXPLORE
Sign In
← Back to Explore
T1554

Compromise Host Software Binary

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binar...

LinuxmacOSWindowsESXi
18
Detections
3
Sources
2
Threat Actors

BY SOURCE

9elastic5sigma4splunk_escu

PROCEDURES (12)

Service3 detections

Auto-extracted: 3 detections for service

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Inject2 detections

Auto-extracted: 2 detections for inject

Privilege2 detections

Auto-extracted: 2 detections for privilege

Bypass2 detections

Auto-extracted: 2 detections for bypass

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Inject1 detections

Auto-extracted: 1 detections for inject

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Credential1 detections

Auto-extracted: 1 detections for credential

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (2)

APT5UNC3886

DETECTIONS (18)

Circle CI Disable Security Job
splunk_escu
Circle CI Disable Security Step
splunk_escu
Deprecated - Adobe Hijack Persistence
elasticlow
DNS HybridConnectionManager Service Bus
sigmahigh
GitHub Workflow File Creation or Modification
splunk_escu
HybridConnectionManager Service Installation
sigmahigh
HybridConnectionManager Service Running
sigmahigh
Linux Setgid Capability Set on a Binary via Setcap Utility
sigmalow
Linux Setuid Capability Set on a Binary via Setcap Utility
sigmalow
Potential Masquerading as Communication Apps
elasticmedium
Potential OpenSSH Backdoor Logging Activity
elasticlow
Potential SSH Password Grabbing via strace
elasticmedium
Renaming of OpenSSH Binaries
elasticlow
Shai-Hulud Workflow File Creation or Modification
splunk_escu
Sublime Plugin or Application Script Modification
elasticlow
Suspicious Communication App Child Process
elasticmedium
Unusual Exim4 Child Process
elasticlow
Unusual Process Modifying GenAI Configuration File
elasticmedium