Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0336: Detect Compromise of Host Software Binaries

DET0336 is a detection strategy for finding compromise of legitimate host software binaries, tied to ATT&CK technique T1554. The business issue is persiste...

EnterpriseDET0336Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0336 is a detection strategy for finding compromise of legitimate host software binaries, tied to ATT&CK technique T1554. The business issue is persistence: if a trusted executable, service binary, client, browser, library, or other application component is altered, normal operations may continue while the attacker retains access. This makes the behavior important for incident response scoping, system integrity assurance, and evidence that critical endpoints and servers can detect unauthorized binary changes.

Executive priority

Treat this as a control-validation priority for environments where Windows, Linux, macOS, or ESXi systems support important business services. Leaders should ask whether security teams can prove integrity of critical host binaries, identify unauthorized replacement or modification, and respond quickly enough to preserve business continuity. Because the ATT&CK object provides no official detection logic, priority should be based on local asset criticality, persistence risk, and whether audit/compliance programs require evidence of file integrity monitoring or change control.

Technical view

The supplied detection strategy has no official detection text, but it detects T1554: Compromise Host Software Binary, a persistence technique affecting ESXi, Linux, macOS, and Windows. SOC and IR teams should validate whether they can observe unexpected changes to trusted executables, libraries, and application binaries, especially for software that provides system commands, remote access, user applications, or server services. Detection engineering should focus on comparing observed binary changes against authorized patching, deployment, and maintenance activity rather than relying on a single alert type.

Likely telemetry

  • File creation, modification, replacement, and deletion events for executable and library paths
  • File integrity monitoring or cryptographic hash baselines for critical binaries
  • Endpoint detection and response telemetry showing process execution from modified or unusual binary locations
  • Operating system audit logs relevant to privileged file changes
  • Software deployment, patch management, and change-management records for allowlisting expected updates

Detection direction

  • Confirm which critical host software binaries are baselined and which are not; unbaselined systems are a major blind spot for this technique.
  • Correlate binary modification events with approved software updates, administrative maintenance, and deployment tooling to reduce false positives.
  • Prioritize alerting on changes to widely trusted binaries, remote access clients, server applications, and libraries supporting business-critical systems.
  • Validate coverage separately across Windows, Linux, macOS, and ESXi because telemetry sources and file integrity controls differ by platform.
  • During incidents, compare suspected binaries against known-good versions and review surrounding process, user, and privilege activity to determine whether persistence may have been established.

Mitigation priorities

  • Establish and maintain approved baselines for critical host software binaries on important systems.
  • Enforce formal change control for software updates and administrative replacement of binaries.
  • Use least privilege and administrative access governance to limit who or what can modify protected executable paths.
  • Deploy file integrity monitoring or equivalent host integrity controls where business risk justifies it.
  • Ensure incident response playbooks include binary validation, restoration from trusted media or packages, and review for persistence after suspected compromise.
Analyst notes and limits

This take is based on the DET0336 detection strategy metadata and its relationship to T1554, Compromise Host Software Binary. The ATT&CK record supplies no official description, no official detection content, and no direct platforms or tactics for DET0336; platform and tactic context comes from the related technique only.

Local implementation details are required to make this actionable: protected paths, approved software inventory, patch processes, endpoint telemetry, and integrity baselines vary by environment. This summary does not assert active exploitation, attribution, guaranteed detection, or customer exposure.

Official MITRE ATT&CK definition

Detect Compromise of Host Software Binaries

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1554 Compromise Host Software Binary This object detects Compromise Host Software Binary.
Relationship explorer

All related ATT&CK context

detects · Technique T1554: Compromise Host Software Binary Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
eaed574a72affb3b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle eaed574a72af…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0336
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use