Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., Modify Authentication Process).(Citation: Google Cloud Mandiant UNC3886 2024)
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
After modifying a binary, an adversary may attempt to Impair Defenses by preventing it from updating (e.g., via the yum-versionlock
command or versionlock.list
file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1554 | Compromise Host Software Binary | |
CM-05 | Access Restrictions for Change | mitigates | T1554 | Compromise Host Software Binary | |
IA-09 | Service Identification and Authentication | mitigates | T1554 | Compromise Host Software Binary | |
SR-11 | Component Authenticity | mitigates | T1554 | Compromise Host Software Binary | |
SR-04 | Provenance | mitigates | T1554 | Compromise Host Software Binary | |
SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1554 | Compromise Host Software Binary | |
SI-03 | Malicious Code Protection | mitigates | T1554 | Compromise Host Software Binary | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1554 | Compromise Host Software Binary | |
CM-02 | Baseline Configuration | mitigates | T1554 | Compromise Host Software Binary | |
CM-02 | Baseline Configuration | mitigates | T1554 | Compromise Host Software Binary |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
binary_authorization | Binary Authorization | technique_scores | T1554 | Compromise Host Software Binary |
Comments
Each image has a signer digitally sign using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.
References
|