Clankerusecase
MITRE ATT&CK detection coverage

T1554 Compromise Host Software Binary

T1554 — Compromise Host Software Binary is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 23 detection use cases covering it and 14 threat-intel articles citing it.

23 use cases · 14 articles · 0 sub-techniques · 1 tactic (Persistence)

Use cases covering this technique (23)

- Kubernetes admission webhook configuration modified (Internal install · alerting)
- Circle CI Disable Security Job (ESCU actions · hunting)
- Circle CI Disable Security Step (ESCU actions · hunting)
- GitHub Workflow File Creation or Modification (ESCU actions · hunting)
- Shai-Hulud Workflow File Creation or Modification (ESCU actions · alerting)
- [LLM] Velvet Ant PAM backdoor — unauthorized pam_unix.so / PAM module modification on Linux (Bespoke install · alerting)
- [LLM] Velvet Ant trojanized OpenSSH — unauthorized sshd/ssh/scp binary replacement (Bespoke install · alerting)
- [LLM] Unauthorized write to Linux PAM authentication module (pam_unix.so swap) (Bespoke install · alerting)
- [LLM] Unauthorized modification of OpenSSH sshd or ssh client binary (Bespoke install · alerting)
- [LLM] First-seen pam_unix.so / sshd / ssh binary hash in Linux fleet (Bespoke install · hunting)
- [LLM] Malicious _hooks.py / _runtime.bin files created in Pythagora gpt-pilot checkout (Bespoke delivery · alerting)
- [LLM] runC binary modified outside package manager (CVE-2019-5736 / CVE-2024-21626) (Bespoke install · alerting)
- [LLM] Megalodon backdoor workflow file (SysDiag.yml / Optimize-Build.yml) written to .github/workflows/ (Bespoke install · alerting)
- [LLM] Mini Shai-Hulud persistence hooks written into .vscode/ and .claude/ configs (Bespoke install · hunting)
- [LLM] Shai-Hulud AI coding-agent persistence: .claude/settings.json + .vscode/tasks.json drops (Bespoke install · alerting)
- [LLM] Mini Shai-Hulud post-compromise persistence artifacts in .claude/, .vscode/, .github/workflows/ (Bespoke actions · alerting)
- [LLM] GitHub Actions workflow file referencing compromised xygeni/xygeni-action@v5 or backdoored commit 4bf1d4e (Bespoke delivery · alerting)
- [LLM] npm postinstall: @kilocode/cli platform-binary directory (cli-{platform}-{arch}) write (Bespoke install · hunting)
- [LLM] tj-actions/changed-files compromise: malicious commit SHA 0e58ed86... referenced on host (CVE-2025-30066) (Bespoke install · hunting)
- [LLM] Sha1-Hulud self-hosted GitHub Actions runner deployed under ~/.dev-env (SHA1HULUD) (Bespoke install · alerting)
- [LLM] Tag deletion/repointing on critical GitHub Action repositories (configure-aws-credentials v4.3.0 pattern) (Bespoke weapon · alerting)
- [LLM] Vulnerable xz / liblzma 5.6.0 or 5.6.1 in software inventory (CVE-2024-3094) (Bespoke delivery · alerting)
- [LLM] sshd loads compromised liblzma.so.5.6.0 / 5.6.1 (CVE-2024-3094 runtime trigger) (Bespoke install · alerting)
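As an added worked example (not one of the Clankerusecase use cases, and not code from any project named above), the Python below runs the core T1554 checks that several of the Linux use cases describe over constructed file-write events: a watched binary or module (sshd, ssh, scp, pam_unix.so, runc, liblzma) written by anything other than the package manager, a binary hash never seen before anywhere in the fleet, and the backdoored xz 5.6.0/5.6.1 releases from CVE-2024-3094. The watch list, the trusted-writer set, the event schema, the hosts and the hashes are all assumptions constructed for the example.

```python
"""Toy T1554 host-binary tamper detector (added example, not site code).

Rules, each drawn from a use case listed above:
  1. unauthorized_write  - watched path written by a non-package-manager  -> alert
  2. first_seen_hash     - hash of a watched file never seen in the fleet -> hunt
  3. backdoored_xz       - liblzma 5.6.0 / 5.6.1 present at all          -> alert
"""
import fnmatch
import os
import re
from dataclasses import dataclass

# Paths a T1554 actor on Linux commonly replaces. Assumed watch list;
# extend it for your distro layout and golden images.
WATCHED = (
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/scp",
    "/usr/lib/*/security/pam_unix.so", "/lib/*/security/pam_unix.so",
    "/usr/bin/runc", "/usr/sbin/runc",
    "/usr/lib/*/liblzma.so.*", "/lib/*/liblzma.so.*",
)

# Processes allowed to rewrite those paths (assumed; image-build tooling
# that legitimately writes them has to be added here or it will page).
PACKAGE_MANAGERS = frozenset({"dpkg", "rpm", "apt", "apt-get", "dnf", "yum", "zypper"})

# The two xz releases carrying the CVE-2024-3094 backdoor.
BACKDOORED_XZ = re.compile(r"^liblzma\.so\.5\.6\.[01]$")


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    rule: str       # unauthorized_write | first_seen_hash | backdoored_xz
    severity: str   # alert | hunt
    detail: str


def is_watched(path):
    """True if the path matches any watch-list glob."""
    return any(fnmatch.fnmatch(path, pat) for pat in WATCHED)


def analyze(events, fleet_hashes):
    """Evaluate file-write events against the three rules.

    events:       dicts {host, path, sha256, writer}; writer is the basename
                  of the process that wrote the file (from auditd/eBPF/EDR).
    fleet_hashes: dict basename -> set of sha256 already seen fleet-wide.
                  Mutated in place so each new hash is reported once.
    """
    findings = []
    for ev in events:
        path = ev["path"]
        if not is_watched(path):
            continue
        host, name = ev["host"], os.path.basename(path)

        # Rule 1: cp, curl, python, a dropper... none of them should be
        # writing sshd or a PAM module; only the package manager does.
        if ev["writer"] not in PACKAGE_MANAGERS:
            findings.append(Finding(host, path, "unauthorized_write", "alert",
                                    f"written by {ev['writer']}"))

        # Rule 2: a hash nobody in the fleet has. Package upgrades trigger
        # this too, so it is a hunting lead to correlate with rule 1.
        seen = fleet_hashes.setdefault(name, set())
        if ev["sha256"] not in seen:
            seen.add(ev["sha256"])
            findings.append(Finding(host, path, "first_seen_hash", "hunt",
                                    f"new hash {ev['sha256'][:12]}"))

        # Rule 3: the backdoored xz builds are bad however they got there.
        if BACKDOORED_XZ.match(name):
            findings.append(Finding(host, path, "backdoored_xz", "alert",
                                    "liblzma 5.6.0/5.6.1, CVE-2024-3094"))
    return findings


# Constructed sample telemetry; hosts, writers and hashes are made up.
SAMPLE_EVENTS = [
    {"host": "web-01", "path": "/usr/sbin/sshd", "sha256": "aa11" * 16, "writer": "dpkg"},
    {"host": "web-02", "path": "/usr/sbin/sshd", "sha256": "bb22" * 16, "writer": "cp"},
    {"host": "db-01", "path": "/usr/lib/x86_64-linux-gnu/security/pam_unix.so",
     "sha256": "cc33" * 16, "writer": "dpkg"},
    {"host": "k8s-node-03", "path": "/usr/bin/runc", "sha256": "dd44" * 16, "writer": "python3"},
    {"host": "build-07", "path": "/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1",
     "sha256": "ee55" * 16, "writer": "dpkg"},
    {"host": "web-03", "path": "/tmp/sshd", "sha256": "ff66" * 16, "writer": "cp"},
]


def baseline():
    """Constructed fleet baseline: hashes from the golden image."""
    return {"sshd": {"aa11" * 16}, "pam_unix.so": {"0000" * 16},
            "runc": {"1111" * 16}, "liblzma.so.5.6.1": {"ee55" * 16}}


def run_sample():
    return analyze(SAMPLE_EVENTS, baseline())


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.host} {f.path} {f.rule}: {f.detail}")
```

Rule 2 fires on every legitimate package upgrade as well, which is why it is a hunting lead rather than an alert; the useful signal is a first-seen hash on a host where rule 1 also fired, or a hash that appears on one host while the rest of the fleet keeps the known one. Rule 3 deliberately ignores the writer, matching the page's inventory-style xz use case: on the sample input build-07 is flagged even though dpkg installed the library and its hash was already in the baseline.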

Articles citing this technique (14)