EXPLORE
Sign In
← Back to Explore
T1554

Compromise Host Software Binary

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binar...

ESXiLinuxmacOSWindows
18
Detections
3
Sources
2
Threat Actors

BY SOURCE

9elastic5sigma4splunk_escu

PROCEDURES (12)

Service3 detections

Auto-extracted: 3 detections for service

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Credential2 detections

Auto-extracted: 2 detections for credential

Privilege2 detections

Auto-extracted: 2 detections for privilege

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

Credential1 detections

Auto-extracted: 1 detections for credential

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (2)

APT5UNC3886

DETECTIONS (18)

Circle CI Disable Security Job
splunk_escu
Circle CI Disable Security Step
splunk_escu
Deprecated - Adobe Hijack Persistence
elasticlow
DNS HybridConnectionManager Service Bus
sigmahigh
GitHub Workflow File Creation or Modification
splunk_escu
HybridConnectionManager Service Installation
sigmahigh
HybridConnectionManager Service Running
sigmahigh
Linux Setgid Capability Set on a Binary via Setcap Utility
sigmalow
Linux Setuid Capability Set on a Binary via Setcap Utility
sigmalow
Potential Masquerading as Communication Apps
elasticmedium
Potential OpenSSH Backdoor Logging Activity
elasticlow
Potential SSH Password Grabbing via strace
elasticmedium
Renaming of OpenSSH Binaries
elasticlow
Shai-Hulud Workflow File Creation or Modification
splunk_escu
Sublime Plugin or Application Script Modification
elasticlow
Suspicious Communication App Child Process
elasticmedium
Unusual Exim4 Child Process
elasticlow
Unusual Process Modifying GenAI Configuration File
elasticmedium