Tactic: Privilege Escalation
Technique: Modify Control Logic
Adversaries may modify or create control logic or system-level services so that a malicious payload is executed repeatedly, usually as part of their persistence. The same mechanism can also be used to escalate privileges.
Services are typically installed with administrator privileges but are executed at startup under root/SYSTEM privileges. An adversary who can create a service, or change the logic or executable that an existing service runs at startup, therefore gets their payload executed at that higher privilege level. On a robot, this includes the services that run the control software itself, so a writable service definition or control binary is both a persistence and a privilege escalation vector.
Technique in practice
Exaramel for Linux is a backdoor written in the Go programming language for Linux-based systems.
Exaramel for Windows is the version of this backdoor that targets Windows-based systems.
Mitigations
There are several ways to make sure your code cannot be edited by third parties. First, software should only be installed from trusted repositories, so that only people with write access to those repositories can change what ends up on the robot.
Secondly, file and directory permissions should be restricted. Service definitions, control logic and the executables they launch should be writable only by the few trusted accounts that have a legitimate need to change them; a binary that is started as root but writable by an unprivileged user is exactly the condition this technique exploits.
Lastly, code signing could be implemented. Registration and execution of code should be limited to legitimately signed software where possible, so that a replaced or modified binary is refused rather than run.
Detections
Monitor for changes to service definitions, control logic and the executables they launch, for example with file integrity monitoring against a known-good baseline.
Monitor for newly created services that do not correlate with known software installations or scheduled maintenance.
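The permission check from the Mitigations section and the new-service check from the Detections section can be combined into one audit. The following is an added example, not code from the original page or from any tool the page describes. It assumes a systemd-based Linux host (the unit file format and Exec* directives are systemd's); the unit texts, file modes and service baseline are constructed for illustration. On a live host, the unit texts would be read from /etc/systemd/system and the modes taken from os.stat; here both are passed in so the audit runs offline.

```python
"""Audit service units for executables a non-root user could replace, and
report units that were not in the recorded baseline.

Added example; not code from the original page. Assumes systemd unit files.
All sample units, modes and the baseline below are constructed.
"""
import os
import stat
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    unit: str
    path: str
    reason: str


def exec_paths(unit_text: str) -> List[str]:
    """Executables named by Exec* directives (ExecStart, ExecReload, ...)."""
    paths = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("Exec"):
            continue
        value = line.partition("=")[2]
        # systemd allows prefixes (-, @, :, +, !) in front of the command.
        value = value.lstrip("-@:+! ")
        try:
            argv = shlex.split(value)
        except ValueError:  # unbalanced quotes: malformed line, skip it
            continue
        if argv:
            paths.append(argv[0])
    return paths


def runs_as_root(unit_text: str) -> bool:
    """A unit without User= (or with User=root) runs its commands as root."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("User="):
            return line.partition("=")[2].strip() in ("", "root", "0")
    return True


def writable_by_others(mode: int) -> bool:
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(units: Dict[str, str], modes: Dict[str, int]) -> List[Finding]:
    """Flag root-level units whose executable a non-root user could replace.

    units: unit name -> file contents.  modes: filesystem path -> st_mode.
    Modes are injected so this runs over constructed data; on a live host use
    {p: os.stat(p).st_mode for p in paths}.
    """
    findings = []
    for name, text in units.items():
        if not runs_as_root(text):
            continue  # a writable binary here is bad, but not an escalation
        for path in exec_paths(text):
            mode = modes.get(path)
            if mode is None:
                findings.append(Finding(name, path, "executable does not exist"))
            elif writable_by_others(mode):
                findings.append(Finding(name, path, "executable writable by group/other"))
            parent = modes.get(os.path.dirname(path))
            # A writable parent directory lets anyone rename/replace the file,
            # unless the sticky bit (as on /tmp) limits deletion to the owner.
            if parent is not None and writable_by_others(parent) and not parent & stat.S_ISVTX:
                findings.append(Finding(name, path, "parent directory writable by group/other"))
    return findings


def new_services(baseline: Iterable[str], current: Iterable[str]) -> List[str]:
    """Units present now that were not in the recorded baseline."""
    return sorted(set(current) - set(baseline))


# Constructed sample data for a hypothetical robot host.
SAMPLE_UNITS = {
    "robot-telemetry.service": "[Service]\nExecStart=/opt/robot/bin/telemetry --upload\n",
    "motor-ctl.service": "[Service]\nUser=motorctl\nExecStart=/opt/robot/bin/motorctl\n",
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\nExecReload=/bin/kill -HUP $MAINPID\n",
    "updater.service": "[Service]\nExecStart=/srv/updates/apply.sh\n",
    "plugin-hook.service": "[Service]\nExecStart=-/opt/plugins/hook\n",
}
SAMPLE_MODES = {
    "/opt/robot/bin": 0o040755,
    "/opt/robot/bin/telemetry": 0o100777,  # world-writable and run as root: escalation
    "/opt/robot/bin/motorctl": 0o100777,   # world-writable, but the unit is unprivileged
    "/usr/sbin": 0o040755, "/usr/sbin/sshd": 0o100755,
    "/bin": 0o040755, "/bin/kill": 0o100755,
    "/srv/updates": 0o040777,              # anyone can swap apply.sh
    "/srv/updates/apply.sh": 0o100755,
    "/opt/plugins": 0o041777,              # sticky, like /tmp; hook itself is missing
}
BASELINE = ["motor-ctl.service", "robot-telemetry.service", "sshd.service"]

if __name__ == "__main__":
    for f in audit(SAMPLE_UNITS, SAMPLE_MODES):
        print(f"{f.unit}: {f.path}: {f.reason}")
    print("new services:", new_services(BASELINE, SAMPLE_UNITS))
```

Run against the sample data it reports the world-writable telemetry binary, the updater script in a world-writable directory and the missing plugin hook, and lists updater.service and plugin-hook.service as not in the baseline. The unprivileged motor-ctl unit is deliberately not reported even though its binary is writable: it is a weakness, but not the root/SYSTEM escalation this technique describes.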
Documented incidents with autonomous robots
No incidents known at the time of writing.
Documented incidents in other domains
No incidents known at the time of writing.