Ctrl+K

T1554 - Compromise Client Software Binary

T1554 - Compromise Client Software Binary#

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)

Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles.

Consider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.

Shield Active Defense#

Behavioral Analytics#

Deploy tools that detect unusual system or user behavior.

Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system.

Opportunity#

There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.

Use Case#

A defender could monitor for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.

Procedures#

Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file. Use behavioral analytics to identify a system running development tools, but is not used by someone who does development. Use behavioral analytics to identify abnormal system processes being used to launch a different process.

Contents