# T1554: Compromise Client Software Binary

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this persistent access to the host.

Examples:

This technique is fairly self-explanatory: we take a legitimate binary from the workstation, usually something widely used in the company or industry, and inject our malicious code into it without breaking its normal functionality. There is a great tool out there for this, although it is a little outdated (as of writing, a new one is being developed for July 2021).

Let us use this tool to create a backdoored binary. In this example I will use the CCleaner application, well known for tidying up Windows machines for speed and removing unnecessary or leftover files.

I will focus on the 64-bit version, as this is what the shortcuts are currently running:

![](/files/-MRhJ1fqqDwdMQOEuCka)

Let us grab this binary and take it to our Attacking machine.

Here is the command-line example used to backdoor the application:

![](/files/-MRhJ2dBvxq2YacAsdgW)

Once the tool is running, it will try to locate free space available in the binary to inject our shellcode; if it finds some, it will ask us to choose from a variety of options for where to place the code.

![](/files/-MRhJ3HDSS4kInwRtwr9)

Once it is done, it will place the newly created backdoored binary in a "backdoored" folder.

![](/files/-MRhJ4648hcWOD9py0Ec)

This new binary, which retains its original functionality, will now give us persistence at the user level. We can replace the original with our backdoored one: we gain a shell, while the binary's original execution remains the same.
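From the defender's side, the result described above is a legitimate executable whose hash no longer matches the known-good copy and whose code may have been patched in place. The script below is an added example, not code from the original notes or from the tool they mention: it compares a binary's SHA-256 against a baseline and walks the PE section table to flag sections that are both writable and executable, a trace that in-place patching commonly leaves and that legitimately built clients rarely need. The stub PE builder and the sample section flags are constructed for the demo.

```python
"""Added example (not from the notes): baseline-hash + PE section-flag audit."""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pe_sections(data: bytes) -> list:
    """Return (name, Characteristics) per PE section-table entry (PE/COFF layout)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table after optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", data, off + 36)[0]))
    return sections

def audit(data: bytes, baseline_hash: str) -> list:
    """Flag a replaced file (hash drift from baseline) and any section that is
    both writable and executable, a common trace of in-place patching."""
    findings = []
    if sha256_hex(data) != baseline_hash:
        findings.append("hash mismatch vs baseline")
    for name, chars in pe_sections(data):
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
    return findings

def build_stub_pe(section_flags: list) -> bytes:
    """Constructed header-only PE skeleton (not executable), used as sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_flags), 0, 0, 0, 0, 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, f)
                     for n, f in section_flags)
    return bytes(dos) + b"PE\0\0" + coff + table
```

In practice the baseline hash comes from the vendor's download or a golden image, and the check is run over the installed client binaries on a schedule; a hash mismatch alone warrants comparing against the vendor copy even when no RWX section is present.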
