detection.wiki

Compromise Host Software Binary T1554

Tactic: Persistence

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Events covered

13 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 7Image loaded
SysmonEvent ID 11FileCreate
SysmonEvent ID 22DNSEvent (DNS query)
SysmonEvent ID 23FileDelete (File Delete archived)
SysmonEvent ID 26FileDeleteDetected (File Delete logged)
Security-AuditingEvent ID 4663An attempt was made to access an object.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4697A service was installed in the system.
Defender-DeviceEventsanyDefender event (any)
Defender-DeviceProcessEventsanyProcess activity (any)
ESFwriteFile Write (NOTIFY)
Sysmon-for-LinuxEvent ID 1Process Create

Authoring guide

Patterns shared across the 32 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (42 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
event.type10eq 10start, creation, change, end
EventType7eq 6, in 1exec, load, modification, FileCreated, FileModified
TargetFilename7wildcard 4, in 3, contains 1, ends_with 1*/.github/workflows/*.yaml, */.github/workflows/*.yml, */.github/workflows/discussion.yaml, */.github/workflows/discussion.yml, */.github/workflows/formatter_*.yaml
process_name6eq 4, in 1, is_not_null 1, wildcard 1sshd, agentactivationruntimestarter.exe, agentservice.exe, aggregatorhost.exe, brave.exe
host.os.type5eq 5
Image4ends_with 2, contains 1, ne 1/setcap, c:\program files (x86)\teams installer\teams.exe, c:\program files\rocketchat\rocket.chat.exe, hybridconnectionmanager
DAVISRiskLevel3eq 2, ne 1CRITICAL
Hashes3is_not_null 2, ne 1ddc7a6c3a4b50d23daffe8e364c575fd7df9af9711b14d153b09553ddd3670a0
Muted3eq 3false
parent_process_name3eq 3CiscoCollabHost.exe, Discord.exe, Teams.exe, exim4, outlook.exe
BuildProcessTime2le 2FileEditTime
CommandLine2contains 2cap_setgid, cap_setuid
VulnerabilityType2eq 1, ne 1CODE_LEVEL
dll.name2eq 2aadauthhelper.dll, aadcloudap.dll, aadjcsp.dll, axvlc.dll, libvlc.dll
event.category2eq 2file

Top indicator values (3488 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
7606
event.typeeq
creation
245
Mutedeq
false
33
BuildProcessTimele
FileEditTime
22
DAVISRiskLeveleq
CRITICAL
22
EventTypeeq
exec
2171
EventTypeeq
load
29
EventTypeeq
FileCreated
18
EventTypeeq
FileModified
1
EventTypeeq
modification
115
Imageends_with
/setcap
22
event.categoryeq
file
231
sourcetypeeq
circleci
22
AccessMaskeq
0X100
1
AccessMaskeq
0x4
1
AccessMaskeq
0x6
13
CommandLinecontains
cap_setgid
1
CommandLinecontains
cap_setuid
1
DAVISRiskLevelne
CRITICAL
1
EventDatacontains
.cpp
1
EventDatacontains
.cs
1
EventDatacontains
0x100
1
EventDatacontains
0x4
1
EventDatacontains
0x6
1
EventDatacontains
dotnet.exe
1
EventDatacontains
msbuild.exe
1
EventDatacontains
vbcscompiler.exe
1
EventIDeq
4663
134
EventIDeq
4688
1313
EventMessagecontains
os_updated
1

Exclusions (194 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
process.code_signature.trustedeq
true
3
Imagewildcard
?:\users\*\appdata\local\google\chrome\application\chrome.exe
2
Imagewildcard
?:\users\*\appdata\local\island\island\application\island.exe
2
Imagewildcard
?:\users\*\appdata\local\mozilla firefox\firefox.exe
2
Imagewildcard
?:\windows\system32\werfault.exe
2
Imagewildcard
?:\windows\syswow64\werfault.exe
2
Imagewildcard
/applications/sublime text*.app/contents/*
1
dll.code_signature.trustedeq
true
2
Imageeq
/home/sa-ansible
1
Imageeq
/usr/bin/dnf5
1
Imageeq
/usr/bin/microdnf
1
Imageeq
/usr/libexec/packagekitd
1
Imageeq
/usr/libexec/zypp/zypp-rpm
1
Imageeq
/usr/sbin/gdm
1
Imagestarts_with
/usr/share/elasticsearch/
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 5 rules

Elastic 14 rules

Splunk 4 rules

Kusto 9 rules