T1554 Google Chronicle · YARA-L

Detect Compromise Host Software Binary in Google Chronicle

Adversaries may modify host software binaries to establish persistent access to systems. Common targets include SSH clients/servers, FTP clients, web browsers, VPN daemons, and other frequently-executed system utilities. Attackers may replace a legitimate binary entirely with a trojanized version containing credential harvesting or backdoor functionality, or patch an existing binary at its entry point to redirect execution to malicious code before resuming normal operation. After modification, adversaries may use version-lock mechanisms (e.g., yum-versionlock, apt-mark hold) to prevent legitimate updates from overwriting the trojanized binary.

MITRE ATT&CK

Tactic
Persistence
Technique
T1554 Compromise Host Software Binary
Canonical reference
https://attack.mitre.org/techniques/T1554/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1554_compromise_host_software_binary {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modification of critical host software binaries by non-legitimate processes (T1554). Covers Windows system binary directories and Linux utility paths. Also detects version-lock commands used to persist trojanized binaries."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1554"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1554/"

  events:
    // Arm 1: File creation or modification in critical binary paths
    (
      $e.metadata.event_type = "FILE_CREATION" OR
      $e.metadata.event_type = "FILE_MODIFICATION" OR
      $e.metadata.event_type = "FILE_MOVE"
    ) and
    (
      re.regex($e.target.file.full_path, `(?i)(c:\\windows\\system32\\|c:\\windows\\syswow64\\|c:\\program files\\openssh\\|c:\\program files.*\\bin\\|/usr/bin/|/usr/sbin/|/bin/|/sbin/)`) OR
      re.regex($e.target.file.full_path, `(?i)(/usr/local/bin/|/usr/local/sbin/)`) 
    ) and
    re.regex($e.target.file.full_path, `(?i)(ssh\.exe|sshd\.exe|sftp\.exe|curl\.exe|wget\.exe|putty\.exe|winscp\.exe|filezilla\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|notepad\.exe|cmd\.exe|powershell\.exe|pwsh\.exe|taskmgr\.exe|regedit\.exe|mstsc\.exe|lsass\.exe|/ssh$|/sshd$|/sftp$|/curl$|/wget$|/sudo$|/su$)`) and
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec\.exe|trustedinstaller\.exe|wusa\.exe|setup\.exe|install\.exe|windowsupdate|packagekitd|/dpkg$|/rpm$|/apt-get$|/apt$|/yum$|/dnf$|/zypper$)`) and
    $e.principal.hostname = $hostname

  OR

    // Arm 2: Version-lock commands
    $e.metadata.event_type = "PROCESS_LAUNCH" and
    (
      re.regex($e.target.process.command_line, `(?i)(versionlock|yum-versionlock|apt-mark\s+hold|dpkg\s+--set-selections|apt-mark\s+unhold)`) OR
      re.regex($e.principal.process.command_line, `(?i)(versionlock|yum-versionlock|apt-mark\s+hold|dpkg\s+--set-selections|apt-mark\s+unhold)`)
    ) and
    $e.principal.hostname = $hostname

  condition:
    $e
}
critical severity high confidence

Chronicle YARA-L 2.0 rule detecting host software binary compromise via file creation/modification events in critical system binary directories from non-trusted processes, and version-lock commands used to prevent updates from restoring legitimate binaries (UNC3886 TTP).

Data Sources

Chronicle UDM: Sysmon (via Forwarder)Chronicle UDM: Windows Event LogsChronicle UDM: Linux Auditd / SyslogChronicle UDM: CrowdStrike FalconChronicle UDM: Carbon Black

Required Tables

UDM Events (FILE_CREATION, FILE_MODIFICATION, FILE_MOVE, PROCESS_LAUNCH)

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune, Jamf) that write binaries to system paths using service accounts that don't match the TrustedInstaller exclusion pattern
  • Automated CI/CD pipelines on developer workstations that compile and install custom builds of open-source tools (OpenSSH, curl) directly into /usr/bin or Windows system directories
  • IT operations teams running scripts that invoke apt-mark hold to pin a specific working version of a system tool after a bad update — a legitimate operational practice
Download portable Sigma rule (.yml)

Other platforms for T1554

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Replace System Binary with Modified Copy (Windows)

    Expected signal: Sysmon Event ID 11: FileCreate targeting C:\Windows\System32\notepad.exe with Image=powershell.exe. Sysmon Event ID 2: FileCreateTime change for notepad.exe if timestamps diverge. DeviceFileEvents ActionType=FileModified with FileName=notepad.exe in SystemBinaryPaths, InitiatingProcessFileName=powershell.exe. SHA256 will not match Microsoft-published hash.

  2. Test 2Hash Verification and Signature Check Workflow (Windows)

    Expected signal: DeviceProcessEvents: powershell.exe executing Get-FileHash and Get-AuthenticodeSignature. No file modification events — this is read-only. Output provides hashes for comparison against Microsoft Security Response Center published values or NSRL hash database.

  3. Test 3Trojanize SSH Client Binary (Linux)

    Expected signal: auditd: SYSCALL record for open(O_WRONLY) on /usr/bin/ssh by root/sudo, comm=cp. Linux syslog: sudo invocation logs showing binary replacement. 'rpm -V openssh-clients' reports 'S.5......' (size and hash mismatch). If MDE Linux agent deployed: DeviceFileEvents ActionType=FileModified for /usr/bin/ssh. After execution, /tmp/.t1554_harvest.log created (Sysmon Event ID 11 equivalent on Linux).

  4. Test 4Version Lock Compromised Package (Linux — UNC3886 TTP)

    Expected signal: Linux syslog/secure: sudo execution of 'yum versionlock openssh-clients' or 'apt-mark hold openssh-client' with effective UID=0. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'versionlock' or 'apt-mark hold', AccountName=root or sudo-invoked user. Auditd: EXECVE record for yum/apt-mark with full argument list.

  5. Test 5Browser Binary Replacement Simulation (macOS — XCSSET TTP)

    Expected signal: macOS Unified Log: ES_EVENT_TYPE_NOTIFY_WRITE for /Applications/Firefox.app/Contents/MacOS/firefox from sudo/bash. macOS Gatekeeper: 'codesign --verify /Applications/Firefox.app' reports code signature invalid. If MDE macOS agent deployed: DeviceFileEvents ActionType=FileModified for browser binary path with initiating process=bash/sudo. macOS LaunchServices quarantine: application launch may trigger Gatekeeper alert when modified app is opened.

Last updated: 2026-04-20 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1554 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1556Modify Authentication ProcessT1556.003Pluggable Authentication ModulesT1562.001Disable or Modify ToolsT1070.006TimestompT1027Obfuscated Files or InformationT1195.002Compromise Software Supply ChainT1040Network SniffingT1003OS Credential DumpingT1543Create or Modify System ProcessT1574.001DLL

Same Tactic: Persistence

Popular Detections