T1554 Sumo Logic CSE · Sumo

Detect Compromise Host Software Binary in Sumo Logic CSE

Adversaries may modify host software binaries to establish persistent access to systems. Common targets include SSH clients/servers, FTP clients, web browsers, VPN daemons, and other frequently executed system utilities. Attackers may replace a legitimate binary entirely with a trojanized version containing credential harvesting or backdoor functionality, or patch an existing binary at its entry point to redirect execution to malicious code before resuming normal operation. After modification, adversaries may use version-lock mechanisms (e.g., yum-versionlock, apt-mark hold) to prevent legitimate updates from overwriting the trojanized binary.

MITRE ATT&CK

Tactic: Persistence
Technique: T1554 Compromise Host Software Binary
Canonical reference: https://attack.mitre.org/techniques/T1554/

Sumo Detection Query

// Arm 1: Critical Binary Modification (Windows via Sysmon)
(_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*" OR _sourceCategory="*wineventlog*")
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "TargetFilename" as target_filename nodrop
| json field=_raw "Image" as initiating_image nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "Computer" as hostname nodrop
| json field=_raw "User" as username nodrop
| json field=_raw "Hashes" as hashes nodrop
// Event ID 2 = FileCreateTime changed (timestomping after a swap), 11 = FileCreate
| where event_id in ("2", "11")
// Only writes into directories that hold system or administrative binaries
| where (
    matches(toLowerCase(target_filename), "*windows\\system32\\*") OR
    matches(toLowerCase(target_filename), "*windows\\syswow64\\*") OR
    matches(toLowerCase(target_filename), "*program files\\openssh\\*") OR
    matches(toLowerCase(target_filename), "*program files*\\bin\\*")
  )
// Only the binaries an adversary is likely to trojanize for credentials or a backdoor
| where (
    matches(toLowerCase(target_filename), "*ssh.exe") OR
    matches(toLowerCase(target_filename), "*sshd.exe") OR
    matches(toLowerCase(target_filename), "*sftp.exe") OR
    matches(toLowerCase(target_filename), "*curl.exe") OR
    matches(toLowerCase(target_filename), "*wget.exe") OR
    matches(toLowerCase(target_filename), "*putty.exe") OR
    matches(toLowerCase(target_filename), "*winscp.exe") OR
    matches(toLowerCase(target_filename), "*chrome.exe") OR
    matches(toLowerCase(target_filename), "*firefox.exe") OR
    matches(toLowerCase(target_filename), "*msedge.exe") OR
    matches(toLowerCase(target_filename), "*notepad.exe") OR
    matches(toLowerCase(target_filename), "*cmd.exe") OR
    matches(toLowerCase(target_filename), "*powershell.exe") OR
    matches(toLowerCase(target_filename), "*pwsh.exe") OR
    matches(toLowerCase(target_filename), "*taskmgr.exe") OR
    matches(toLowerCase(target_filename), "*mstsc.exe") OR
    matches(toLowerCase(target_filename), "*lsass.exe")
  )
// Exclude the processes that legitimately service these paths
| where NOT (
    matches(toLowerCase(initiating_image), "*msiexec.exe") OR
    matches(toLowerCase(initiating_image), "*trustedinstaller.exe") OR
    matches(toLowerCase(initiating_image), "*wusa.exe") OR
    matches(toLowerCase(initiating_image), "*windowsupdate*") OR
    matches(toLowerCase(initiating_image), "*svchost.exe")
  )
| "CriticalBinaryModification" as alert_reason
| if(event_id = "2", "FileCreationTimeChanged - possible binary replacement", "FileCreated in critical path from unexpected process") as modification_type
| fields _time, hostname, username, target_filename, initiating_image, command_line, hashes, alert_reason, modification_type
| sort by _time desc

// Arm 2: Version Lock Activity (Linux). Run as a separate query and correlate with Arm 1 in a dashboard;
// matches() needs the surrounding wildcards, otherwise it only matches a message that is exactly the keyword.
(_sourceCategory="linux*" OR _sourceCategory="*syslog*")
| where matches(_raw, "*versionlock*") OR matches(_raw, "*apt-mark hold*") OR matches(_raw, "*apt-mark unhold*") OR matches(_raw, "*dpkg --set-selections*")
| "VersionLockDetected" as alert_reason
| fields _time, _sourceHost, _raw, alert_reason
| sort by _time desc

Severity: critical. Confidence: high.

Sumo Logic CSE query detecting trojanized system binary installation via Sysmon file creation events (EventID 2/11) in critical Windows binary directories. Identifies writes from non-legitimate update processes and flags version-lock commands used to persist trojanized binaries across patch cycles.
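The same two-arm logic in Python, added here as an example (it is not the page's query or Sumo Logic tooling) and run over constructed samples: Arm 1 applies the query's path, binary-name and trusted-writer globs to one Sysmon event, Arm 2 flags a version-lock command in one syslog line. Field names follow the query; the sample event, host, user, hash and syslog line are constructed.

```python
import fnmatch
import json

# Globs copied from the query; fnmatchcase on lowercased input mirrors Sumo's
# matches(toLowerCase(x), "*pattern*") (a backslash is a literal character in fnmatch).
CRITICAL_PATHS = ["*windows\\system32\\*", "*windows\\syswow64\\*",
                  "*program files\\openssh\\*", "*program files*\\bin\\*"]
TARGET_BINARIES = ["*" + n for n in (
    "ssh.exe sshd.exe sftp.exe curl.exe wget.exe putty.exe winscp.exe chrome.exe "
    "firefox.exe msedge.exe notepad.exe cmd.exe powershell.exe pwsh.exe "
    "taskmgr.exe mstsc.exe lsass.exe").split()]
TRUSTED_WRITERS = ["*msiexec.exe", "*trustedinstaller.exe", "*wusa.exe",
                   "*windowsupdate*", "*svchost.exe"]
MOD_TYPE = {"2": "FileCreationTimeChanged - possible binary replacement",
            "11": "FileCreated in critical path from unexpected process"}
VERSION_LOCK_MARKERS = ["versionlock", "apt-mark hold", "apt-mark unhold",
                        "dpkg --set-selections"]

def glob_any(value, patterns):
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def arm1_binary_modification(raw_json):
    """Arm 1: alert dict for a Sysmon event (JSON string) that passes every query filter, else None."""
    ev = json.loads(raw_json)
    event_id, target, image = str(ev.get("EventID", "")), ev.get("TargetFilename", ""), ev.get("Image", "")
    if event_id not in MOD_TYPE:                 # only FileCreateTime (2) / FileCreate (11)
        return None
    if not (glob_any(target, CRITICAL_PATHS) and glob_any(target, TARGET_BINARIES)):
        return None                              # not a watched directory and binary name
    if glob_any(image, TRUSTED_WRITERS):         # legitimate servicing/update process
        return None
    return {"hostname": ev.get("Computer"), "username": ev.get("User"),
            "target_filename": target, "initiating_image": image,
            "hashes": ev.get("Hashes"), "alert_reason": "CriticalBinaryModification",
            "modification_type": MOD_TYPE[event_id]}

def arm2_version_lock(syslog_line):
    """Arm 2: 'VersionLockDetected' for a Linux syslog/secure line carrying a package hold/lock command."""
    low = syslog_line.lower()
    return "VersionLockDetected" if any(m in low for m in VERSION_LOCK_MARKERS) else None

# Constructed samples (not real telemetry): notepad.exe written by powershell.exe,
# and a sudo log line holding openssh-client after a replacement.
SAMPLE_SYSMON = json.dumps({"EventID": "11", "Computer": "WS01", "User": "CORP\\alice",
    "TargetFilename": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=<constructed>",
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"})
SAMPLE_SYSLOG = ("Jan 10 10:00:01 srv1 sudo: bob : TTY=pts/0 ; PWD=/root ; USER=root ; "
                 "COMMAND=/usr/bin/apt-mark hold openssh-client")
```

Because `glob_any` lowercases the value and `fnmatchcase` is case-sensitive, the patterns must be written in lower case exactly as the query does.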

Data Sources

  • Sumo Logic Sysmon Source (Windows)
  • Sumo Logic Linux Syslog Source
  • Sumo Logic Cloud SIEM Enterprise (CSE) normalized records

Required Tables

  • Sysmon Windows Event Logs (_sourceCategory=windows/sysmon)
  • Linux syslog (_sourceCategory=linux*)

False Positives & Tuning

  • Patch management systems (WSUS, SCCM, Intune) that deploy binary updates through non-TrustedInstaller processes during maintenance windows
  • Security vendors (CrowdStrike, Carbon Black, SentinelOne) that patch or replace system binary hooks as part of kernel-level endpoint protection
  • Application deployment pipelines in developer environments where engineers compile and replace system utilities for testing (e.g., custom SSH builds)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace System Binary with Modified Copy (Windows)

    Expected signal: Sysmon Event ID 11: FileCreate targeting C:\Windows\System32\notepad.exe with Image=powershell.exe. Sysmon Event ID 2: FileCreateTime change for notepad.exe if timestamps diverge. DeviceFileEvents ActionType=FileModified with FileName=notepad.exe in SystemBinaryPaths, InitiatingProcessFileName=powershell.exe. SHA256 will not match Microsoft-published hash.

  2. Test 2: Hash Verification and Signature Check Workflow (Windows)

    Expected signal: DeviceProcessEvents: powershell.exe executing Get-FileHash and Get-AuthenticodeSignature. No file modification events — this is read-only. Output provides hashes for comparison against Microsoft Security Response Center published values or NSRL hash database.

  3. Test 3: Trojanize SSH Client Binary (Linux)

    Expected signal: auditd: SYSCALL record for open(O_WRONLY) on /usr/bin/ssh by root/sudo, comm=cp. Linux syslog: sudo invocation logs showing binary replacement. 'rpm -V openssh-clients' reports 'S.5......' (size and hash mismatch). If MDE Linux agent deployed: DeviceFileEvents ActionType=FileModified for /usr/bin/ssh. After execution, /tmp/.t1554_harvest.log created (Sysmon Event ID 11 equivalent on Linux).

  4. Test 4: Version Lock Compromised Package (Linux, UNC3886 TTP)

    Expected signal: Linux syslog/secure: sudo execution of 'yum versionlock openssh-clients' or 'apt-mark hold openssh-client' with effective UID=0. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'versionlock' or 'apt-mark hold', AccountName=root or sudo-invoked user. Auditd: EXECVE record for yum/apt-mark with full argument list.

  5. Test 5: Browser Binary Replacement Simulation (macOS, XCSSET TTP)

    Expected signal: macOS Unified Log: ES_EVENT_TYPE_NOTIFY_WRITE for /Applications/Firefox.app/Contents/MacOS/firefox from sudo/bash. macOS Gatekeeper: 'codesign --verify /Applications/Firefox.app' reports code signature invalid. If MDE macOS agent deployed: DeviceFileEvents ActionType=FileModified for browser binary path with initiating process=bash/sudo. macOS LaunchServices quarantine: application launch may trigger Gatekeeper alert when modified app is opened.
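A small parser for the 'rpm -V' signal listed under Test 3, added here as an example (it is not from the page or from Atomic Red Team): it reads rpm's verification output, ignores config files (type 'c') that are expected to drift, and returns executables whose size or digest no longer matches the package database, which is the state a replaced /usr/bin/ssh leaves behind. The sample output is constructed.

```python
import re

# One letter per rpm -V check; '.' means the check passed, '?' means it could not be run.
RPM_V_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
               "U": "user", "G": "group", "T": "mtime", "P": "capabilities", "?": "unreadable"}
BINARY_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/")

def parse_rpm_verify(output):
    """Parse 'rpm -V <pkg>' output into (path, set of failed checks, file type) tuples."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else ""   # c=config, d=doc, g=ghost, l=license, r=readme
        if flags == "missing":
            rows.append((path, {"missing"}, ftype))
        elif re.fullmatch(r"[SM5DLUGTP.?]{9}", flags):
            rows.append((path, {RPM_V_FLAGS[c] for c in flags if c != "."}, ftype))
    return rows

def suspicious_binaries(output):
    """Executables under BINARY_DIRS whose content changed (size/digest) or that vanished.
    An mtime-only difference is not enough: touching a file does not alter its bytes."""
    hits = []
    for path, failed, ftype in parse_rpm_verify(output):
        if ftype == "c" or not path.startswith(BINARY_DIRS):
            continue
        if failed & {"digest", "size", "missing"}:
            hits.append((path, sorted(failed)))
    return hits

# Constructed 'rpm -V openssh-clients' output: ssh replaced, ssh-keygen only touched,
# a drifted config file, and a missing doc file.
SAMPLE_RPM_V = """\
S.5....T.    /usr/bin/ssh
.......T.    /usr/bin/ssh-keygen
S.5....T.  c /etc/ssh/ssh_config
missing     /usr/share/doc/openssh-clients/README
"""
```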
