Common Information
Type Value
Value Compromise Host Software Binary - T1554
Category Attack-Pattern
Type Mitre-Attack-Pattern
Misp Type Cluster
Description Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications. Adversaries may establish persistence through modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or its support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT hooking or entry point patching) (Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary's legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary, which then resumes normal execution flow. (Citation: ESET FontOnLake Analysis 2021)
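The entry point patching variant above changes two things on disk that a defender can check: the file's hash no longer matches the installed package, and the ELF header's e_entry field no longer points where the baseline says it should. The following Python is an added illustration for this page, not MITRE's or any vendor's code. It constructs a minimal ELF64 image inline (well-formed header, not loadable), models the adversary step by appending a stub and redirecting e_entry to it, and then runs a baseline check that flags both the hash and the entry-point change. The binary name "sshd", the addresses, the stub bytes and the baseline dictionary are all constructed for the example; on a real host the baseline would come from the package manager (for instance rpm -V or debsums) or an AIDE/Tripwire database.

```python
"""Detect binary replacement / entry point patching (T1554) against a baseline.
Added illustration; the ELF bytes, names and baseline are constructed inline."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
E_ENTRY_OFFSET = 24  # e_entry occupies bytes 24..31 of an ELF64 header


def parse_elf64_header(data: bytes) -> dict:
    """Return the ELF64 header fields relevant to a persistence check."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("example handles ELF64 little-endian only")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff start at offset 16
    e_type, e_machine, _ver, e_entry, e_phoff, e_shoff = struct.unpack_from(
        "<HHIQQQ", data, 16)
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "phoff": e_phoff, "shoff": e_shoff}


def build_sample_elf(entry: int, code: bytes) -> bytes:
    """Construct a minimal ELF64 x86-64 image (64-byte header + code bytes).
    It only needs a well-formed header for the demo; it is not loadable."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1, SYSV
    hdr = struct.pack("<HHIQQQIHHHHHH",
                      2, 0x3E, 1, entry,  # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
                      64, 0, 0,           # e_phoff, e_shoff, e_flags
                      64, 56, 0, 64, 0, 0)  # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return ident + hdr + code


def patch_entry_point(data: bytes, stub: bytes, stub_vaddr: int) -> bytes:
    """Model the adversary step: append a stub and point e_entry at it.
    A real implant's stub would run its payload, then jump to the original entry."""
    patched = bytearray(data) + stub
    struct.pack_into("<Q", patched, E_ENTRY_OFFSET, stub_vaddr)
    return bytes(patched)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_binary(name: str, data: bytes, baseline: dict) -> list:
    """Compare a binary to its recorded hash and entry point.
    Returns a list of findings; an empty list means it matches the baseline."""
    expected = baseline.get(name)
    if expected is None:
        return [f"{name}: no baseline entry (unexpected binary?)"]
    findings = []
    if sha256(data) != expected["sha256"]:
        findings.append(f"{name}: sha256 mismatch (possible replacement or patch)")
    hdr = parse_elf64_header(data)
    if hdr["entry"] != expected["entry"]:
        findings.append(f"{name}: e_entry {hdr['entry']:#x} != baseline "
                        f"{expected['entry']:#x} (entry point patching)")
    return findings


# Constructed clean image and the baseline a defender would record at install time.
CLEAN = build_sample_elf(0x401000, b"\x55\x48\x89\xe5\xc3")  # push rbp; mov rbp,rsp; ret
BASELINE = {"sshd": {"sha256": sha256(CLEAN), "entry": 0x401000}}
# Constructed backdoored copy: stub appended, entry redirected to a hypothetical address.
BACKDOORED = patch_entry_point(CLEAN, b"\x90\x90\xe9\x00\x00\x00\x00", 0x402000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("backdoored", BACKDOORED)):
        print(label, check_binary("sshd", image, BASELINE) or ["OK"])
```

The hash check alone already catches on-disk replacement; the e_entry comparison adds a reason to the alert, which helps triage. The caveat is that IAT hooking done in memory after the legitimate binary has loaded leaves the file untouched, so file-integrity checks like this one do not see it; that case needs process-memory inspection rather than a baseline of files.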
Details Published Attributes CTI Title
Details Website 2024-08-30 18 Linux Detection Engineering - A Sequel on Persistence Mechanisms — Elastic Security Labs
Details Website 2021-04-21 36 Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)
Details Website 2021-04-20 102 Authentication Bypass Techniques and Pulse Secure Zero-Day
Details Website 2021-02-03 34 MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server