Skip to content

DET0336 Detect Compromise of Host Software Binaries

Item Value
ID DET0336
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1554 (Compromise Host Software Binary)

Analytics

Windows

AN0949

Monitors for unexpected modifications of system or application binaries, particularly signed executables. Correlates file write events with subsequent unsigned or anomalously signed process execution, and checks for tampered binaries outside normal patch cycles.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Modification (DC0061) WinEventLog:Sysmon EventCode=2
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Mutable Elements
Field Description
MonitoredPaths Define critical directories (e.g., C:\Windows\System32, Program Files) for binary integrity checks
SignatureValidation Adjust enforcement level of digital signature verification based on enterprise risk appetite
TimeWindow Correlate file modification with subsequent process execution within a defined time window

Linux

AN0950

Detects modification of system or application binaries by monitoring /usr/bin, /bin, and other privileged directories. Correlates file integrity monitoring (FIM) events with unexpected process executions or service restarts.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open, write
Process Creation (DC0032) auditd:EXECVE execve
Mutable Elements
Field Description
WatchedDirectories Customize monitored directories (e.g., /usr/bin, /usr/sbin, /opt/apps) for binary tampering
BaselineHashes Maintain golden file hashes for integrity validation

macOS

AN0951

Monitors binary modification in /Applications and system library paths. Detects unsigned or improperly signed binaries executed after modification. Tracks Gatekeeper or notarization bypass attempts tied to modified binaries.

Log Sources
Data Component Name Channel
File Modification (DC0061) macos:unifiedlog binary modified or replaced
Process Creation (DC0032) macos:unifiedlog execution of modified binary without valid signature
Mutable Elements
Field Description
ApplicationPaths Tune which application and library directories are monitored for tampering
SignatureVerificationDepth Define strictness of code-signing validation checks

ESXi

AN0952

Detects unauthorized modification of host binaries, modules, or services within ESXi. Correlates tampered files with subsequent unexpected service behavior or malicious module load attempts.

Log Sources
Data Component Name Channel
File Modification (DC0061) esxi:hostd binary or module replacement event
Module Load (DC0016) esxi:vmkernel unexpected module load
Mutable Elements
Field Description
MonitoredModules Define critical ESXi binaries and kernel modules requiring integrity validation
CorrelationWindow Adjust timing correlation between binary modification and module/service anomalies