Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.
Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.
View in MITRE ATT&CK®

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-8 | Penetration Testing | Protects | T1554 | Compromise Client Software Binary | |
CM-2 | Baseline Configuration | Protects | T1554 | Compromise Client Software Binary | |
CM-6 | Configuration Settings | Protects | T1554 | Compromise Client Software Binary | |
IA-9 | Service Identification and Authentication | Protects | T1554 | Compromise Client Software Binary | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1554 | Compromise Client Software Binary | |
SR-11 | Component Authenticity | Protects | T1554 | Compromise Client Software Binary | |
SR-4 | Provenance | Protects | T1554 | Compromise Client Software Binary | |
SR-5 | Acquisition Strategies, Tools, and Methods | Protects | T1554 | Compromise Client Software Binary | |
SR-6 | Supplier Assessments and Reviews | Protects | T1554 | Compromise Client Software Binary | |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1554 | Compromise Client Software Binary | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modification of binaries in Kubernetes containers, thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial. |
adaptive_application_controls | Adaptive Application Controls | technique_scores | T1554 | Compromise Client Software Binary | Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Name- and publisher-based allow lists may fail to detect malicious modifications to client binaries, since a backdoored build keeps the same name, but hash-based rules will still flag the modified executable as untrusted. Events are calculated once every twelve hours, so its temporal score is Partial. |
azure_automation_update_management | Azure Automation Update Management | technique_scores | T1554 | Compromise Client Software Binary | This control provides partial protection against compromised client software binaries, since it provides a known-good baseline against which potentially compromised or modified binaries can be compared. |
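The technique description above (replace a legitimate client binary with a same-named backdoored build) and the baseline and allow-list notes in the mapping table both come down to one check: compare the content of each client binary against a hash recorded from a known-good system. The following is an added example, not code from the mapping project or from Azure; the monitored names, the stand-in file contents and the "backdoor" bytes are constructed for the demonstration. It builds a CM-2 style baseline, tampers with one file and deletes another, then shows why an SI-7 style hash comparison catches the replaced binary while a name-based allow list does not.

```python
"""Baseline-and-verify check for client binaries (constructed example)."""
import hashlib
import os
import tempfile

# Assumption: the set of client binaries an operator wants to track.
MONITORED = ["ssh", "ftp", "curl"]


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """CM-2 style baseline: file name -> digest, recorded on a known-good system."""
    return {n: sha256_file(os.path.join(root, n)) for n in names}


def verify_baseline(root, baseline):
    """SI-7 style integrity check: classify every monitored file against the baseline."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


def allowed_by_name(path, allowed_names):
    """Name-based allow list: decides on the file name only."""
    return os.path.basename(path) in allowed_names


def allowed_by_hash(path, allowed_digests):
    """Hash-based allow list: decides on the file content."""
    return sha256_file(path) in allowed_digests


def simulate():
    """Constructed scenario: baseline three files, backdoor 'ssh', delete 'ftp', then verify."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for real binaries; the bytes are placeholders, not executables.
        for name in MONITORED:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"LEGIT-" + name.encode())
        baseline = build_baseline(root, MONITORED)
        allowed_digests = set(baseline.values())

        # Adversary replaces ssh with a same-named build carrying extra code.
        ssh = os.path.join(root, "ssh")
        with open(ssh, "wb") as f:
            f.write(b"LEGIT-ssh" + b"\n#constructed-backdoor")
        # A missing binary is also an integrity finding worth reporting.
        os.remove(os.path.join(root, "ftp"))

        return {
            "report": verify_baseline(root, baseline),
            # Same name as before, so a name-based rule still admits it.
            "name_allowlist_passes_backdoor": allowed_by_name(ssh, set(MONITORED)),
            # Different content, so a hash-based rule rejects it.
            "hash_allowlist_passes_backdoor": allowed_by_hash(ssh, allowed_digests),
        }


if __name__ == "__main__":
    print(simulate())
```

The baseline only has value if the adversary cannot rewrite it along with the binary, so store the manifest off-host or sign it; on Linux hosts the package manager already ships a vendor-signed baseline that `rpm -V` or `dpkg --verify` checks the same way.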