title: Compromise Host Software Binary (T1554)
id: df00tech-t1554
status: experimental
description: "Adversaries may modify host software binaries to establish persistent access to systems. Common targets include SSH clients/servers, FTP clients, web browsers, VPN daemons, and other frequently-executed system utilities. Attackers may replace a legitimate binary entirely with a trojanized version containing credential harvesting or backdoor functionality, or patch an existing binary at its entry point to redirect execution to malicious code before resuming normal operation. After modification, adversaries may use version-lock mechanisms (e.g., yum-versionlock, apt-mark hold) to prevent legitimate updates from overwriting the trojanized binary."
references:
  - https://attack.mitre.org/techniques/T1554/
  - https://df00tech.com/detections/T1554
author: df00tech
date: 2026/04/20
tags:
  - attack.t1554
# NOTE: logsource was auto-derived as Windows process_creation; the description also covers Linux hosts (apt-mark hold, yum-versionlock), so adjust product/category to match your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; the selection below (EventID: '*') is a placeholder that matches every process_creation event and must be replaced with the KQL/SPL logic published on df00tech before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software updates and patching via Windows Update (TrustedInstaller) or third-party application updaters that overwrite their own executables during upgrades
  - "OpenSSH for Windows installation or upgrade via official installer (msiexec) replacing ssh.exe and sshd.exe in Program Files\\OpenSSH"
  - "System administrators using apt-mark hold or yum-versionlock for legitimate dependency pinning during application deployments, with corresponding change tickets"
  - AV/EDR product self-protection mechanisms that write modified copies of monitored binaries to staging locations as part of their own update pipeline
level: high
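The description names two modification patterns (whole-binary replacement and an entry-point patch that redirects execution) and a follow-up step (version-locking the package so updates do not overwrite the change). The following added example, which is not the df00tech rule's own logic and not code from MITRE, shows a host-side baseline check a defender could run: it hashes watched binaries, records the ELF entry point, reports differences against an earlier snapshot, and cross-references the owning package with `apt-mark showhold` output. The watched paths, the path-to-package map, the `apt-mark showhold` text and the ELF file are all constructed for the demonstration; on a real host the map would come from `dpkg -S` and the hold list from the package manager itself.

```python
"""Integrity baseline check for frequently targeted host binaries (T1554).

Added illustration of detecting the two modification patterns the rule
description names (whole-binary replacement and an entry-point patch) and
correlating them with package version locks. Not the df00tech rule's logic;
paths, package names, apt-mark output and the ELF file are constructed.
"""
import hashlib
import os
import struct
import tempfile

# Binaries the description lists as common targets (assumed install paths);
# pass this list to snapshot() on a real host.
WATCHED = ["/usr/bin/ssh", "/usr/sbin/sshd", "/usr/bin/ftp", "/usr/sbin/openvpn"]


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def elf_entry(path):
    """Return e_entry of a 64-bit little-endian ELF file, or None for anything else."""
    with open(path, "rb") as f:
        hdr = f.read(64)
    if len(hdr) < 64 or hdr[:4] != b"\x7fELF" or hdr[4] != 2:  # EI_CLASS 2 = ELFCLASS64
        return None
    return struct.unpack_from("<Q", hdr, 0x18)[0]  # e_entry is at offset 0x18 in the ELF64 header


def snapshot(paths):
    """Record hash and entry point of every watched path that exists."""
    return {p: {"sha256": sha256_of(p), "entry": elf_entry(p)}
            for p in paths if os.path.isfile(p)}


def compare(baseline, current):
    """Return (path, reason) for every baselined binary that is missing or differs."""
    fmt = lambda e: "none" if e is None else "%#x" % e
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
            continue
        if cur["sha256"] == base["sha256"]:
            continue
        reason = "content changed"
        if cur["entry"] != base["entry"]:
            reason += " and entry point changed (%s -> %s)" % (fmt(base["entry"]), fmt(cur["entry"]))
        findings.append((path, reason))
    return findings


def held_packages(apt_mark_showhold_output):
    """Parse `apt-mark showhold` output (one package name per line) into a set."""
    return {line.strip() for line in apt_mark_showhold_output.splitlines() if line.strip()}


def write_fake_elf(path, entry, extra=b""):
    """Write a minimal ELF64 header (constructed, not a runnable program) with the given e_entry."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9                # 16-byte e_ident
    header = ident + struct.pack("<HHIQ", 2, 0x3E, 1, entry)   # e_type, e_machine, e_version, e_entry
    header += b"\x00" * (64 - len(header))
    with open(path, "wb") as f:
        f.write(header + b"\xcc" * 32 + extra)


def demo():
    """Baseline a constructed 'ssh' file, then simulate an entry-point patch plus an apt-mark hold."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssh")
        write_fake_elf(path, entry=0x401000)
        baseline = snapshot([path])
        # Simulated modification: e_entry now points at bytes appended to the file.
        write_fake_elf(path, entry=0x405000, extra=b"\x90" * 16)
        findings = compare(baseline, snapshot([path]))
        # Constructed `apt-mark showhold` output and a constructed path->package map
        # (a real host would use `dpkg -S <path>` for the map).
        held = held_packages("openssh-client\nopenssh-server\n")
        owner = {path: "openssh-client"}
        return [(p, reason, owner.get(p) in held) for p, reason in findings]


if __name__ == "__main__":
    for path, reason, locked in demo():
        print("%s: %s%s" % (path, reason, " (owning package is version-locked)" if locked else ""))
```

A modified binary whose owning package is also held is the combination the description warns about, so that pairing is what the output flags; a changed hash with no hold is still worth reviewing against the false positives listed in the rule (vendor updates, installer upgrades, EDR self-protection).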
