Binary Planting & Execution Hijacking

Detects techniques for replacing or shadowing legitimate system binaries with malicious versions

7 rules in binary_planting.yml

CRITICAL: 2 | HIGH: 5

Rule ID	Severity	Title	Description	Refs
`binary_replace_system_path`	CRITICAL	System Binary Replacement	Copies or writes a file to system binary directories, potentially replacing a legitimate binary	CWE-506 T1036.005 V5.3.1 AC-3 CIS-2.3
`path_trojan_binary`	CRITICAL	Trojan Binary in Early PATH Directory	Places a binary in a directory that appears before system paths, shadowing legitimate commands	CWE-426 T1036.005 A08:2021 SI-3 CIS-2.3
`alias_command_hijack`	HIGH	Shell Alias Command Hijacking	Creates shell aliases that override system commands, potentially intercepting sensitive input	CWE-506 T1546.004 CM-6 CIS-4.1
`function_command_hijack`	HIGH	Shell Function Command Hijacking	Defines a shell function that shadows a system binary (sudo/su/ssh/docker/kubectl/aws/gcloud/az). A planted function intercepts privileged commands and is a classic persistence trick on shared shells.	CWE-506 T1546.004 CM-6 CIS-4.1
`git_hook_injection`	HIGH	Git Hook Injection	Writes to git hook directories, which auto-execute on git operations	CWE-506 T1546 A08:2021 CM-11 CIS-16.1
`npm_global_install_untrusted`	HIGH	Global npm Install from Untrusted Source	Installs npm packages globally from URLs or local paths instead of the registry	CWE-494 T1059.007 A08:2021 V15.2.4 CM-5 CIS-Supply-Chain
`pip_install_editable_path`	HIGH	pip Install from Local Editable Path	Installs a Python package in editable mode from a suspicious local path	CWE-494 T1059.006 A08:2021 V15.2.4 CM-5 CIS-Supply-Chain