name: AN-DET-01 End-user application binary integrity
details: |
  Detects tampering of end-user satellite-control applications (AST:SW:Software:08) and the mission-product
  display path (SVC:DP:Data Plane:02). Watches file-integrity-monitoring streams for unexpected hash changes
  to signed application binaries and for execution of unsigned binaries in user-application paths.
  Implements AN-DET:01.
author: ethicallyHackingSpace
severity: high
type: query
class: tampering
status: stable
date: 2026-06-07
mitre-attack:
  - T1565
  - T1574
references:
  - https://attack.mitre.org/techniques/T1565/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
  - https://github.com/MISP/misp-taxonomies/tree/main/meteorstorm
tags:
  - meteorstorm.an-det.01
  - meteorstorm.tdm.ast-sw-software-08
  - meteorstorm.tdm.svc-dp-data-plane-02
  - attack.defense-evasion
logsource:
  product: file_integrity_monitoring
  category: file_event
detection:
  selection_target_path:
    file_path|contains:
      - "/opt/satcontrol/"
      - "C:\\Program Files\\SatControl\\"
  selection_hash_change:
    event_name: "hash_changed"
  selection_unsigned_exec:
    event_name: "process_start"
    signature_status: "unsigned"
  condition: selection_target_path and (selection_hash_change or selection_unsigned_exec)
falsepositives:
  - Approved vendor patch outside change-control window (requires CAB ticket cross-check)
