T1554

Compromise Host Software Binary

Adversaries may modify host software binaries to establish persistent access to systems. Common targets include SSH clients/servers, FTP clients, web browsers, VPN daemons, and other frequently-executed system utilities. Attackers may replace a legitimate binary entirely with a trojanized version containing credential harvesting or backdoor functionality, or patch an existing binary at its entry point to redirect execution to malicious code before resuming normal operation. After modification, adversaries may use version-lock mechanisms (e.g., yum-versionlock, apt-mark hold) to prevent legitimate updates from overwriting the trojanized binary.

Microsoft Sentinel / Defender

kusto

let SystemBinaryPaths = dynamic([
  "C:\\Windows\\System32\\",
  "C:\\Windows\\SysWOW64\\",
  "C:\\Program Files\\OpenSSH\\",
  "C:\\Program Files (x86)\\"
]);
let CriticalBinaries = dynamic([
  "ssh.exe", "sshd.exe", "sftp.exe", "curl.exe", "wget.exe",
  "putty.exe", "winscp.exe", "filezilla.exe",
  "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
  "notepad.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
  "taskmgr.exe", "regedit.exe", "mstsc.exe", "lsass.exe"
]);
let LegitUpdaters = dynamic([
  "msiexec.exe", "trustedinstaller.exe", "wusa.exe",
  "setup.exe", "install.exe", "update.exe", "windowsupdate.exe"
]);
let VersionLockPatterns = dynamic([
  "versionlock", "yum-versionlock", "apt-mark hold",
  "dpkg --set-selections", "apt-mark unhold"
]);
// Arm 1: File writes to critical system binary locations from non-updater processes
let BinaryModifications = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileCreated", "FileRenamed")
| where FolderPath has_any (SystemBinaryPaths)
| where FileName has_any (CriticalBinaries)
| where InitiatingProcessFileName !in~ (LegitUpdaters)
| extend AlertReason = "SystemBinaryModification"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         AlertReason, SHA256, MD5;
// Arm 2: Package manager version-lock commands (UNC3886 TTPs)
let VersionLockActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (VersionLockPatterns)
| extend AlertReason = "VersionLockDetected"
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AlertReason,
         SHA256 = "", MD5 = "";
union BinaryModifications, VersionLockActivity
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Modification File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate software updates and patching via Windows Update (TrustedInstaller) or third-party application updaters that overwrite their own executables during upgrades
OpenSSH for Windows installation or upgrade via official installer (msiexec) replacing ssh.exe and sshd.exe in Program Files\OpenSSH
System administrators using apt-mark hold or yum-versionlock for legitimate dependency pinning during application deployments, with corresponding change tickets
AV/EDR product self-protection mechanisms that write modified copies of monitored binaries to staging locations as part of their own update pipeline

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval EventCode=coalesce(EventCode, event_id)
| where EventCode IN ("2", "11")
| eval isBinaryPath=if(
    match(lower(TargetFilename), "(c:\\\\windows\\\\system32\\\\|c:\\\\windows\\\\syswow64\\\\|c:\\\\program files\\\\openssh\\\\|c:\\\\program files.*\\\\bin\\\\)"),
    1, 0)
| eval isCriticalBinary=if(
    match(lower(TargetFilename), "(ssh\.exe|sshd\.exe|sftp\.exe|curl\.exe|wget\.exe|putty\.exe|winscp\.exe|chrome\.exe|firefox\.exe|msedge\.exe|notepad\.exe|cmd\.exe|powershell\.exe|pwsh\.exe|taskmgr\.exe|mstsc\.exe|lsass\.exe)"),
    1, 0)
| eval isLegitUpdater=if(
    match(lower(Image), "(msiexec\.exe|trustedinstaller\.exe|wusa\.exe|setup\.exe|install\.exe|windowsupdate|svchost\.exe)"),
    1, 0)
| where isBinaryPath=1 AND isCriticalBinary=1 AND isLegitUpdater=0
| eval ModificationType=case(
    EventCode="2", "FileCreationTimeChanged",
    EventCode="11", "FileCreated",
    true(), "Unknown")
| eval SuspicionNote=case(
    EventCode="2", "File creation time changed - common indicator of binary replacement to hide modification",
    EventCode="11", "New file created in critical binary directory from unexpected process",
    true(), "Binary path modification")
| table _time, host, User, TargetFilename, Image, CommandLine,
        ParentImage, ParentCommandLine, ModificationType, SuspicionNote, Hashes
| sort - _time

high severity medium confidence

Data Sources

File: File Modification File: File Creation Sysmon Event ID 2 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software updates via Windows Update or third-party application updaters that reset file timestamps during install
OpenSSH for Windows installation or reinstallation creating new executables in Program Files\OpenSSH
Antivirus/EDR products that write modified or instrumented copies of monitored binaries as part of their monitoring infrastructure
Build and deployment tools (Jenkins agents, Ansible) that deploy updated application binaries to managed paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  "File Path" AS target_file_path,
  "Process Name" AS initiating_process,
  "Command" AS process_commandline,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CATEGORYNAME(category) AS event_category
FROM events
WHERE
  LOGSOURCETYPEID IN (13, 14, 233, 352)
  AND (
    (
      -- Arm 1: Critical binary path file write events (Sysmon EventID 11 / 2)
      (qidname(qid) ILIKE '%FileCreate%' OR qidname(qid) ILIKE '%File Created%'
        OR qidname(qid) ILIKE '%FileCreationTimeChanged%'
        OR "Event ID" IN ('2', '11'))
      AND (
        LOWER("File Path") LIKE '%windows\\system32\\%'
        OR LOWER("File Path") LIKE '%windows\\syswow64\\%'
        OR LOWER("File Path") LIKE '%program files\\openssh\\%'
        OR LOWER("File Path") LIKE '%/usr/bin/%'
        OR LOWER("File Path") LIKE '%/usr/sbin/%'
        OR LOWER("File Path") LIKE '%/bin/%'
        OR LOWER("File Path") LIKE '%/sbin/%'
      )
      AND (
        LOWER("File Path") LIKE '%ssh.exe' OR LOWER("File Path") LIKE '%sshd.exe'
        OR LOWER("File Path") LIKE '%sftp.exe' OR LOWER("File Path") LIKE '%curl.exe'
        OR LOWER("File Path") LIKE '%wget.exe' OR LOWER("File Path") LIKE '%putty.exe'
        OR LOWER("File Path") LIKE '%winscp.exe' OR LOWER("File Path") LIKE '%chrome.exe'
        OR LOWER("File Path") LIKE '%firefox.exe' OR LOWER("File Path") LIKE '%msedge.exe'
        OR LOWER("File Path") LIKE '%notepad.exe' OR LOWER("File Path") LIKE '%cmd.exe'
        OR LOWER("File Path") LIKE '%powershell.exe' OR LOWER("File Path") LIKE '%pwsh.exe'
        OR LOWER("File Path") LIKE '%taskmgr.exe' OR LOWER("File Path") LIKE '%mstsc.exe'
        OR LOWER("File Path") LIKE '%lsass.exe'
        OR LOWER("File Path") LIKE '%/ssh' OR LOWER("File Path") LIKE '%/sshd'
        OR LOWER("File Path") LIKE '%/curl' OR LOWER("File Path") LIKE '%/wget'
        OR LOWER("File Path") LIKE '%/sudo' OR LOWER("File Path") LIKE '%/su'
      )
      AND NOT (
        LOWER("Process Name") LIKE '%msiexec.exe' OR LOWER("Process Name") LIKE '%trustedinstaller.exe'
        OR LOWER("Process Name") LIKE '%wusa.exe' OR LOWER("Process Name") LIKE '%windowsupdate%'
        OR LOWER("Process Name") LIKE '%dpkg' OR LOWER("Process Name") LIKE '%rpm'
        OR LOWER("Process Name") LIKE '%apt%' OR LOWER("Process Name") LIKE '%yum'
        OR LOWER("Process Name") LIKE '%packagekitd'
      )
    )
    OR
    (
      -- Arm 2: Version-lock commands (UNC3886 TTP)
      ("Command" ILIKE '%versionlock%' OR "Command" ILIKE '%yum-versionlock%'
        OR "Command" ILIKE '%apt-mark hold%' OR "Command" ILIKE '%dpkg --set-selections%'
        OR "Command" ILIKE '%apt-mark unhold%')
    )
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

critical severity medium confidence

Data Sources

QRadar DSM: Microsoft Windows Security Event Log QRadar DSM: Sysmon QRadar DSM: Linux OS QRadar DSM: Microsoft Windows Security Event Log (via WinCollect)

Required Tables

events

False Positives

Legitimate software deployments using automated tooling (Ansible, Puppet, Chef, SCCM) that write directly to system binary paths as part of sanctioned change management
Security tools or antivirus products that replace or patch system binaries as part of hooking or monitoring functionality
System administrators manually upgrading software (e.g., OpenSSH from source) without using the standard package manager, triggering the non-updater heuristic

Sumo Logic CSE

sql

// Arm 1: Critical Binary Modification (Windows via Sysmon)
(_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*" OR _sourceCategory="*wineventlog*")
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "TargetFilename" as target_filename nodrop
| json field=_raw "Image" as initiating_image nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "Computer" as hostname nodrop
| json field=_raw "User" as username nodrop
| json field=_raw "Hashes" as hashes nodrop
| where event_id in ("2", "11")
| where (
    matches(toLowerCase(target_filename), "*windows\\system32\\*") OR
    matches(toLowerCase(target_filename), "*windows\\syswow64\\*") OR
    matches(toLowerCase(target_filename), "*program files\\openssh\\*") OR
    matches(toLowerCase(target_filename), "*program files*\\bin\\*")
  )
| where (
    matches(toLowerCase(target_filename), "*ssh.exe") OR
    matches(toLowerCase(target_filename), "*sshd.exe") OR
    matches(toLowerCase(target_filename), "*sftp.exe") OR
    matches(toLowerCase(target_filename), "*curl.exe") OR
    matches(toLowerCase(target_filename), "*wget.exe") OR
    matches(toLowerCase(target_filename), "*putty.exe") OR
    matches(toLowerCase(target_filename), "*winscp.exe") OR
    matches(toLowerCase(target_filename), "*chrome.exe") OR
    matches(toLowerCase(target_filename), "*firefox.exe") OR
    matches(toLowerCase(target_filename), "*msedge.exe") OR
    matches(toLowerCase(target_filename), "*notepad.exe") OR
    matches(toLowerCase(target_filename), "*cmd.exe") OR
    matches(toLowerCase(target_filename), "*powershell.exe") OR
    matches(toLowerCase(target_filename), "*pwsh.exe") OR
    matches(toLowerCase(target_filename), "*taskmgr.exe") OR
    matches(toLowerCase(target_filename), "*mstsc.exe") OR
    matches(toLowerCase(target_filename), "*lsass.exe")
  )
| where NOT (
    matches(toLowerCase(initiating_image), "*msiexec.exe") OR
    matches(toLowerCase(initiating_image), "*trustedinstaller.exe") OR
    matches(toLowerCase(initiating_image), "*wusa.exe") OR
    matches(toLowerCase(initiating_image), "*windowsupdate*") OR
    matches(toLowerCase(initiating_image), "*svchost.exe")
  )
| eval alert_reason = "CriticalBinaryModification"
| eval modification_type = if(event_id == "2", "FileCreationTimeChanged - possible binary replacement", "FileCreated in critical path from unexpected process")
// Union with Arm 2 — run as separate query and correlate in dashboard
// Arm 2: Version Lock Activity (Linux)
// (_sourceCategory="linux*" OR _sourceCategory="*syslog*")
// | where matches(_raw, "versionlock") OR matches(_raw, "apt-mark hold") OR matches(_raw, "dpkg --set-selections") OR matches(_raw, "apt-mark unhold")
// | eval alert_reason = "VersionLockDetected"
| fields _time, hostname, username, target_filename, initiating_image, command_line, hashes, alert_reason, modification_type
| sort by _time desc

critical severity high confidence

Data Sources

Sumo Logic Sysmon Source (Windows) Sumo Logic Linux Syslog Source Sumo Logic Cloud SIEM Enterprise (CSE) normalized records

Required Tables

Sysmon Windows Event Logs (_sourceCategory=windows/sysmon) Linux syslog (_sourceCategory=linux*)

False Positives

Patch management systems (WSUS, SCCM, Intune) that deploy binary updates through non-TrustedInstaller processes during maintenance windows
Security vendors (CrowdStrike, Carbon Black, SentinelOne) that patch or replace system binary hooks as part of kernel-level endpoint protection
Application deployment pipelines in developer environments where engineers compile and replace system utilities for testing (e.g., custom SSH builds)

Google Chronicle / SecOps

yaral

rule t1554_compromise_host_software_binary {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modification of critical host software binaries by non-legitimate processes (T1554). Covers Windows system binary directories and Linux utility paths. Also detects version-lock commands used to persist trojanized binaries."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1554"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1554/"

  events:
    // Arm 1: File creation or modification in critical binary paths
    (
      $e.metadata.event_type = "FILE_CREATION" OR
      $e.metadata.event_type = "FILE_MODIFICATION" OR
      $e.metadata.event_type = "FILE_MOVE"
    ) and
    (
      re.regex($e.target.file.full_path, `(?i)(c:\\windows\\system32\\|c:\\windows\\syswow64\\|c:\\program files\\openssh\\|c:\\program files.*\\bin\\|/usr/bin/|/usr/sbin/|/bin/|/sbin/)`) OR
      re.regex($e.target.file.full_path, `(?i)(/usr/local/bin/|/usr/local/sbin/)`) 
    ) and
    re.regex($e.target.file.full_path, `(?i)(ssh\.exe|sshd\.exe|sftp\.exe|curl\.exe|wget\.exe|putty\.exe|winscp\.exe|filezilla\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|notepad\.exe|cmd\.exe|powershell\.exe|pwsh\.exe|taskmgr\.exe|regedit\.exe|mstsc\.exe|lsass\.exe|/ssh$|/sshd$|/sftp$|/curl$|/wget$|/sudo$|/su$)`) and
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec\.exe|trustedinstaller\.exe|wusa\.exe|setup\.exe|install\.exe|windowsupdate|packagekitd|/dpkg$|/rpm$|/apt-get$|/apt$|/yum$|/dnf$|/zypper$)`) and
    $e.principal.hostname = $hostname

  OR

    // Arm 2: Version-lock commands
    $e.metadata.event_type = "PROCESS_LAUNCH" and
    (
      re.regex($e.target.process.command_line, `(?i)(versionlock|yum-versionlock|apt-mark\s+hold|dpkg\s+--set-selections|apt-mark\s+unhold)`) OR
      re.regex($e.principal.process.command_line, `(?i)(versionlock|yum-versionlock|apt-mark\s+hold|dpkg\s+--set-selections|apt-mark\s+unhold)`)
    ) and
    $e.principal.hostname = $hostname

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM: Sysmon (via Forwarder) Chronicle UDM: Windows Event Logs Chronicle UDM: Linux Auditd / Syslog Chronicle UDM: CrowdStrike Falcon Chronicle UDM: Carbon Black

Required Tables

UDM Events (FILE_CREATION, FILE_MODIFICATION, FILE_MOVE, PROCESS_LAUNCH)

False Positives

Enterprise software deployment tools (SCCM, Intune, Jamf) that write binaries to system paths using service accounts that don't match the TrustedInstaller exclusion pattern
Automated CI/CD pipelines on developer workstations that compile and install custom builds of open-source tools (OpenSSH, curl) directly into /usr/bin or Windows system directories
IT operations teams running scripts that invoke apt-mark hold to pin a specific working version of a system tool after a bad update — a legitimate operational practice

CrowdStrike LogScale (CQL)

cql

// Arm 1: Critical Binary File Write Events from Non-Updater Processes
#event_simpleName = "FileOpenInfo" OR #event_simpleName = "PeFileWritten"
| TargetFileName = /(?i)(\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\Program Files\\OpenSSH\\|\\Program Files.*\\bin\\)/
| TargetFileName = /(?i)(ssh\.exe|sshd\.exe|sftp\.exe|curl\.exe|wget\.exe|putty\.exe|winscp\.exe|filezilla\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|notepad\.exe|cmd\.exe|powershell\.exe|pwsh\.exe|taskmgr\.exe|regedit\.exe|mstsc\.exe|lsass\.exe)/
| ImageFileName != /(?i)(msiexec\.exe|TrustedInstaller\.exe|wusa\.exe|setup\.exe|install\.exe|WindowsUpdate|svchost\.exe)/
| case {
    TargetFileName = /\.exe$/i => AlertReason := "WindowsSystemBinaryModification";
    * => AlertReason := "SystemBinaryModification"
  }
| table([_time, ComputerName, UserName, TargetFileName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, AlertReason, SHA256HashData, MD5HashData])
| sort(field=_time, order=desc)

// Arm 2: Version-Lock Commands (run as separate hunt query)
// #event_simpleName = "ProcessRollup2"
// | CommandLine = /(?i)(versionlock|yum-versionlock|apt-mark\s+hold|dpkg\s+--set-selections|apt-mark\s+unhold)/
// | eval AlertReason := "VersionLockDetected"
// | table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, AlertReason])
// | sort(field=_time, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) CrowdStrike Falcon for Linux CrowdStrike Falcon Data Replicator (FDR)

Required Tables

PeFileWritten FileOpenInfo ProcessRollup2

False Positives

CrowdStrike Falcon sensor updates that write sensor components to system paths — the sensor process itself may appear as a non-standard updater triggering this detection
Software vendors that bundle their own copies of curl.exe, wget.exe, or ssh.exe in Program Files subdirectories and update them via proprietary installer processes not matching the exclusion list
System administrators using Chocolatey, Scoop, or winget package managers which may write binaries to system directories under PowerShell or cmd.exe parent processes rather than TrustedInstaller

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1554 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Compromise Host Software Binary

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections