T1554 Compromise Host Software Binary

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Adversaries may establish persistence through modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or its support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., Modify Authentication Process).(Citation: Google Cloud Mandiant UNC3886 2024)

An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)

After modifying a binary, an adversary may attempt to Impair Defenses by preventing it from updating (e.g., via the yum-versionlock command or versionlock.list file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
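A defender-side check for the two behaviours described above, a host binary drifting from its known-good hash and a versionlock pin that keeps the tampered package from being replaced by an update, as an added example that is not part of the ATT&CK page or any mapped vendor's code; the sample binaries, the path-to-package mapping and the versionlock entry forms it parses are assumptions:

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# Added example (not ATT&CK's or a vendor's code). Capture the baseline from a
# trusted source, never from the host under suspicion; versionlock forms are assumed.
VERSIONLOCK_RE = re.compile(r"^(?:\d+:)?(?P<name>.+?)-(?:\d+:)?[^-]+-[^-]+$")

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_modified(baseline: Dict[str, str]) -> List[str]:
    """Baseline paths (path -> sha256) whose hash changed or which are missing."""
    return [p for p, h in baseline.items() if not os.path.exists(p) or sha256_of(p) != h]

def locked_packages(versionlock_text: str) -> List[str]:
    """Package names pinned in yum/dnf versionlock.list ('name-epoch:ver-rel.arch' or 'epoch:name-ver-rel.arch')."""
    names = []
    for line in versionlock_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = VERSIONLOCK_RE.match(line)
            if m:
                names.append(m.group("name"))
    return names

def assess(baseline: Dict[str, str], path_to_pkg: Dict[str, str],
           versionlock_text: str) -> Dict[str, str]:
    """Severity per modified binary: 'modified+locked' if its package is also pinned from updating."""
    locked = set(locked_packages(versionlock_text))
    return {p: "modified+locked" if path_to_pkg.get(p) in locked else "modified"
            for p in find_modified(baseline)}

def demo() -> Dict[str, str]:
    """Constructed scenario: two fake binaries, one tampered after baselining."""
    d = tempfile.mkdtemp()
    ssh, curl = os.path.join(d, "ssh"), os.path.join(d, "curl")
    for p in (ssh, curl):
        with open(p, "wb") as f:
            f.write(b"\x7fELF original bytes")  # placeholder file content
    baseline = {p: sha256_of(p) for p in (ssh, curl)}
    with open(ssh, "ab") as f:
        f.write(b"patched")  # simulate a backdoored binary
    lock = "# constructed versionlock.list\nopenssh-clients-0:8.7p1-38.el9.*\n"
    return assess(baseline, {ssh: "openssh-clients", curl: "curl"}, lock)
```

A production baseline would come from package-manager metadata or a golden image rather than a dict built on the host, and a locked package with a modified binary is the condition worth alerting on.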


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1554 | Compromise Host Software Binary | This diagnostic statement protects against Compromise Host Software Binary by verifying the integrity of software and firmware, loading only trusted software, ensuring the integrity of privileged processes, and checking software signatures.
PR.PS-06.05 | Testing and validation strategy | Mitigates | T1554 | Compromise Host Software Binary | This diagnostic statement highlights the use of software security testing, code integrity verification, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
PR.PS-01.03 | Configuration deviation | Mitigates | T1554 | Compromise Host Software Binary | This diagnostic statement protects against Compromise Host Software Binary through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking help protect against adversaries attempting to compromise and modify software and its configuration.
EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1554 | Compromise Host Software Binary | This diagnostic statement describes the organization's formal process for evaluating externally sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment helps mitigate software supply chain attacks.
EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1554 | Compromise Host Software Binary | This diagnostic statement provides for the implementation of procedures for managing third-party products, such as ensuring the authenticity and integrity of software.

VERIS Mappings

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1554 | Compromise Host Software Binary | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modification of binaries in Kubernetes containers, thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.
azure_update_manager | Azure Update Manager | technique_scores | T1554 | Compromise Host Software Binary | This control provides partial protection against compromised client software binaries, since it can provide a baseline against which potentially compromised or modified software binaries can be compared.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
binary_authorization | Binary Authorization | technique_scores | T1554 | Compromise Host Software Binary | Each image is digitally signed by a signer using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.