Which SIEM platforms have a T1195 detection rule?

df00tech provides T1195 (Supply Chain Compromise) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Supply Chain Compromise (T1195)?

Detecting Supply Chain Compromise requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1195 detection?

The T1195 detection is rated critical severity with medium confidence.

What are common false positives for T1195?

Common false positives for T1195 include: Legitimate software installers (especially older or enterprise software) that invoke cmd.exe or PowerShell as part of post-install configuration scripts or service registration; Software deployment platforms (SCCM, Intune, PDQ Deploy) that use msiexec.exe or setup.exe as wrappers that legitimately spawn PowerShell for configuration; Electron-based applications (VSCode, Slack, Teams) whose squirrel.exe updater spawns cmd.exe for delta patching operations.

T1195

Supply Chain Compromise

Initial Access Last updated: April 18, 2026

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can occur at any stage — from manipulation of development tools, source code repositories, open-source dependencies, software update/distribution mechanisms, system images, or physical hardware. Because the attack abuses trusted software distribution channels, defenders must focus on post-delivery behavioral indicators: trusted installer processes spawning shells, legitimate software making unexpected network connections, newly installed applications loading unsigned modules, and integrity failures in software binaries. High-profile incidents include SolarWinds Orion (Sunburst backdoor in update packages), CCleaner (backdoor distributed via official update), 3CX (second-order compromise via trojanized Electron app), and NotPetya (distributed via M.E.Doc accounting software update).

What is T1195 Supply Chain Compromise?

Supply Chain Compromise (T1195) maps to the Initial Access tactic — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Supply Chain Compromise, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1195 Supply Chain Compromise
Canonical reference: https://attack.mitre.org/techniques/T1195/

Microsoft Sentinel / Defender

kusto

let TrustedInstallerProcesses = dynamic([
    "msiexec.exe", "setup.exe", "install.exe", "installer.exe",
    "update.exe", "updater.exe", "autoupdate.exe", "squirrel.exe",
    "appinstaller.exe", "packageinstaller.exe", "softwareupdate.exe",
    "uninst.exe", "uninstall.exe", "patchinstaller.exe"
]);
let LOLBins = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "wmic.exe", "msbuild.exe", "csc.exe", "odbcconf.exe", "xwizard.exe",
    "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe"
]);
// Part 1: Installer/updater processes spawning suspicious child processes
let InstallerSpawnsLOLBin = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (TrustedInstallerProcesses)
| where FileName in~ (LOLBins)
| extend DetectionSource = "InstallerSpawnedLOLBin"
| project Timestamp, DeviceName, AccountName,
         DetectionSource,
         ParentProcess = InitiatingProcessFileName,
         ParentCommandLine = InitiatingProcessCommandLine,
         ParentSHA1 = InitiatingProcessSHA1,
         ChildProcess = FileName,
         ChildCommandLine = ProcessCommandLine,
         ChildFolderPath = FolderPath;
// Part 2: Legitimate signed software spawning shells after a recent file write to its install directory
let SignedSoftwareSpawnsShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where InitiatingProcessFolderPath has_any ("Program Files", "Program Files (x86)", "ProgramData")
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe")
| where InitiatingProcessVersionInfoCompanyName != ""
// Exclude common known-good parent patterns
| where not (InitiatingProcessFileName in~ ("explorer.exe", "svchost.exe", "services.exe", "taskhostw.exe"))
| extend DetectionSource = "TrustedSoftwareSpawnedShell"
| project Timestamp, DeviceName, AccountName,
         DetectionSource,
         ParentProcess = InitiatingProcessFileName,
         ParentCommandLine = InitiatingProcessCommandLine,
         ParentSHA1 = InitiatingProcessSHA1,
         ParentFolderPath = InitiatingProcessFolderPath,
         ParentCompany = InitiatingProcessVersionInfoCompanyName,
         ChildProcess = FileName,
         ChildCommandLine = ProcessCommandLine,
         ChildFolderPath = FolderPath;
// Combine both detection paths
InstallerSpawnsLOLBin
| project Timestamp, DeviceName, AccountName, DetectionSource, ParentProcess, ParentCommandLine, ParentSHA1, ChildProcess, ChildCommandLine
| union (
    SignedSoftwareSpawnsShell
    | project Timestamp, DeviceName, AccountName, DetectionSource, ParentProcess, ParentCommandLine, ParentSHA1, ChildProcess, ChildCommandLine
)
| sort by Timestamp desc

Detects supply chain compromise indicators by monitoring two key behavioral patterns: (1) software installer and updater processes (msiexec.exe, setup.exe, updater.exe, squirrel.exe, etc.) spawning LOLBins (cmd.exe, PowerShell, regsvr32.exe, etc.) — a strong indicator of trojanized installers executing embedded payloads; (2) legitimate signed software installed in Program Files directories spawning interactive shells unexpectedly, which may indicate a compromised software binary or DLL sideloading attack delivered via supply chain. Uses DeviceProcessEvents parent-child relationship analysis. Coverage spans Windows endpoints enrolled in Microsoft Defender for Endpoint.

critical severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers (especially older or enterprise software) that invoke cmd.exe or PowerShell as part of post-install configuration scripts or service registration
Software deployment platforms (SCCM, Intune, PDQ Deploy) that use msiexec.exe or setup.exe as wrappers that legitimately spawn PowerShell for configuration
Electron-based applications (VSCode, Slack, Teams) whose squirrel.exe updater spawns cmd.exe for delta patching operations
Development environment tools (Visual Studio, JetBrains, Eclipse) that run PowerShell or scripts as part of extension installation or project scaffolding
Third-party IT management agents (SolarWinds, ConnectWise, Kaseya) whose update mechanisms spawn child processes by design

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
// Part 1: Installer/updater spawning LOLBins
| eval InstallerParent=if(
    match(ParentImageLower, "(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|packageinstaller\.exe|softwareupdate\.exe|uninst\.exe)"),
    1, 0
  )
| eval SpawnedLOLBin=if(
    match(ImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)"),
    1, 0
  )
// Part 2: Trusted software in Program Files spawning shells
| eval TrustedParentPath=if(
    match(ParentImageLower, "(program files|programdata)") AND
    match(ImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)") AND
    NOT match(ParentImageLower, "(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe)"),
    1, 0
  )
| eval SupplyChainScore=InstallerParent*SpawnedLOLBin + TrustedParentPath
| where SupplyChainScore > 0
| eval DetectionReason=case(
    InstallerParent=1 AND SpawnedLOLBin=1, "Installer/updater spawned LOLBin",
    TrustedParentPath=1, "Trusted software in ProgramFiles spawned shell",
    true(), "Unknown"
  )
| table _time, host, User, ParentImage, ParentCommandLine, Image, CommandLine, Hashes, DetectionReason, SupplyChainScore
| sort - _time

Detects supply chain compromise indicators using Sysmon Event ID 1 (Process Creation). Evaluates two behavioral patterns: (1) software installer and updater processes spawning LOLBins (Living Off The Land Binaries) as a signal of trojanized installer payloads, and (2) legitimate applications installed in Program Files or ProgramData directories spawning interactive shells. A SupplyChainScore is computed — higher scores indicate more suspicious behavior. Field extraction uses case-insensitive regex matching against ParentImage and Image fields.

critical severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate enterprise software installers that invoke PowerShell or cmd.exe for post-installation configuration tasks (SCCM packages, PDQ Deploy scripts)
Electron application updaters (squirrel.exe) that spawn cmd.exe as part of delta patching on Windows
Development IDEs (Visual Studio, JetBrains IDEs) that run shell scripts during extension or plugin installation
Security tools and monitoring agents that install via msiexec and invoke PowerShell for initial configuration and health checks
Software with embedded scripting engines (AutoIT, NSIS) that legitimately spawn cmd.exe as part of installation workflows

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   process.parent.name : ("msiexec.exe", "setup.exe", "install.exe", "installer.exe",
     "update.exe", "updater.exe", "autoupdate.exe", "squirrel.exe",
     "appinstaller.exe", "packageinstaller.exe", "softwareupdate.exe",
     "uninst.exe", "uninstall.exe", "patchinstaller.exe") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
     "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
     "wmic.exe", "msbuild.exe", "csc.exe", "odbcconf.exe", "xwizard.exe",
     "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe")
  ] by process.parent.entity_id

OR

process where event.type == "start" and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe") and
  process.parent.executable : ("*\\Program Files\\*", "*\\Program Files (x86)\\*", "*\\ProgramData\\*") and
  not process.parent.name : ("explorer.exe", "svchost.exe", "services.exe", "taskhostw.exe", "msiexec.exe", "setup.exe") and
  process.parent.code_signature.exists == true

Detects supply chain compromise post-delivery indicators: (1) trusted installer/updater processes spawning LOLBins as child processes, and (2) signed software resident in Program Files directories spawning shell interpreters. Both patterns are high-fidelity indicators of trojanized software executing a payload after installation via a trusted distribution mechanism.

high severity high confidence

Data Sources

Endpoint - Process Events (Elastic Agent / Auditbeat)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate software installers that launch PowerShell post-install scripts for configuration (e.g., some enterprise security tools, developer SDKs)
Update mechanisms for developer tools (Node.js, Python, Visual Studio Code) that legitimately invoke cmd.exe or PowerShell as part of install/post-install hooks
Software packaging systems (Chocolatey, Scoop, Winget) whose wrappers are resident in Program Files and legitimately invoke shell processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "hostname",
  QIDNAME(qid) AS event_name,
  "processname" AS child_process,
  "parentprocessname" AS parent_process,
  "commandline" AS child_cmdline,
  CASE
    WHEN LOWER("parentprocessname") MATCHES '(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe)'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)'
      THEN 'Installer/updater spawned LOLBin'
    WHEN LOWER("parentprocesspath") MATCHES '.*(program files|programdata).*'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)'
      AND NOT LOWER("parentprocessname") MATCHES '(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe)'
      THEN 'Trusted software in ProgramFiles spawned shell'
    ELSE 'Unknown'
  END AS detection_reason
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 45)
  AND LONG(starttime) > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      LOWER("parentprocessname") MATCHES '(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe)'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)'
    )
    OR
    (
      LOWER("parentprocesspath") MATCHES '.*(program files|programdata).*'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)'
      AND NOT LOWER("parentprocessname") MATCHES '(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe)'
    )
  )
ORDER BY starttime DESC
LIMIT 500

AQL query detecting supply chain compromise post-delivery indicators by correlating Sysmon/Windows Security process creation events. Identifies installer/updater processes spawning LOLBins and signed software resident in Program Files directories launching shell interpreters. Uses LOGSOURCETYPEID filtering for Windows Sysmon (12) and Security Event Log (13/45) sources.

high severity medium confidence

Data Sources

Windows Sysmon (EventCode 1) Windows Security Event Log (EventCode 4688)

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune, PDQ Deploy) that call installer processes and then launch scripts for configuration management
Security software (EDR agents, AV tools) residing in Program Files that spawn cmd.exe or PowerShell for update and quarantine operations
Developer environment installers (Visual Studio, JetBrains, Eclipse) that run post-install PowerShell scripts for environment setup or plugin installation

Sumo Logic CSE

sql

(_sourceCategory="endpoint/windows/sysmon" OR _sourceCategory="endpoint/windows/security")
| where EventID = "1" or EventCode = "1" or EventID = "4688"
| parse field=ParentImage "*\\*" as _discard, parent_exe nodrop
| parse field=Image "*\\*" as _discard, child_exe nodrop
| parse field=ParentCommandLine "*" as parent_cmdline nodrop
| parse field=CommandLine "*" as child_cmdline nodrop
| parse field=ParentImage "*" as parent_full_path nodrop
| eval parent_lower = toLowerCase(parent_exe)
| eval child_lower = toLowerCase(child_exe)
| eval parent_path_lower = toLowerCase(ParentImage)
// Branch 1: Installer spawning LOLBin
| eval is_installer_parent = if(matches(parent_lower, "msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe"), 1, 0)
| eval is_lolbin_child = if(matches(child_lower, "cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe"), 1, 0)
// Branch 2: Trusted software in Program Files spawning shell
| eval is_trusted_path_parent = if(matches(parent_path_lower, "program files|programdata"), 1, 0)
| eval is_shell_child = if(matches(child_lower, "cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe"), 1, 0)
| eval is_excluded_parent = if(matches(parent_lower, "explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe"), 1, 0)
| eval supply_chain_score = (is_installer_parent * is_lolbin_child) + (is_trusted_path_parent * is_shell_child * (1 - is_excluded_parent))
| where supply_chain_score > 0
| eval detection_reason = if(is_installer_parent = 1 and is_lolbin_child = 1, "Installer/updater spawned LOLBin",
    if(is_trusted_path_parent = 1 and is_shell_child = 1 and is_excluded_parent = 0, "Trusted software in ProgramFiles spawned shell", "Unknown"))
| fields _messageTime, Computer, host, User, ParentImage, parent_cmdline, Image, child_cmdline, Hashes, detection_reason, supply_chain_score
| sort by _messageTime desc

Sumo Logic CSE query detecting supply chain compromise through two behavioral patterns: installer/updater processes (msiexec, setup, update wrappers) spawning LOLBins, and signed/legitimate software resident in Program Files directories spawning shell interpreters. A risk score is computed from both patterns to reduce alert noise while maintaining coverage of both attack vectors.

high severity medium confidence

Data Sources

Endpoint - Windows Sysmon Endpoint - Windows Security Event Log

Required Tables

Sysmon EventCode 1 Windows Security EventCode 4688

False Positives

Legitimate software update pipelines (e.g., Electron app self-updaters using Squirrel.Windows) that spawn PowerShell for pre/post-update scripting
IT management agents (ManageEngine, Kaseya, ConnectWise) that install via MSI and then invoke shell commands for asset configuration or remediation
Software development kits that install CLI tooling via setup.exe and subsequently launch cmd.exe to add directories to PATH or configure shell profiles

Google Chronicle / SecOps

yaral

rule supply_chain_compromise_t1195 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects post-delivery supply chain compromise indicators: installer/updater processes spawning LOLBins, or trusted signed software in standard install paths launching shell interpreters"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195"
    mitre_attack_subtechniques = "T1195.001, T1195.002, T1195.003"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-18"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Microsoft"

    // Capture parent and child process names
    $parent = $e.principal.process.file.full_path
    $child = $e.target.process.file.full_path
    $child_name = $e.target.process.file.basename
    $parent_name = $e.principal.process.file.basename

    // Branch 1: Installer/updater spawning LOLBin
    // Branch 2: Trusted software in Program Files spawning shell
    (
      (
        re.regex($e.principal.process.file.basename, `(?i)(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|packageinstaller\.exe|softwareupdate\.exe|uninst\.exe|uninstall\.exe|patchinstaller\.exe)`)
        and
        re.regex($e.target.process.file.basename, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|xwizard\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|schtasks\.exe|at\.exe)`)
      )
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\Program Files\\|\\Program Files \(x86\)\\|\\ProgramData\\)`)
        and
        re.regex($e.target.process.file.basename, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)`)
        and
        not re.regex($e.principal.process.file.basename, `(?i)(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe|setup\.exe)`)
        and
        $e.principal.process.file.pe_file.company_name != ""
      )
    )

    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $parent_cmd = $e.principal.process.command_line
    $child_cmd = $e.target.process.command_line

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting supply chain compromise post-delivery behavioral indicators. Matches on two event patterns within process launch telemetry: trusted installer/updater binaries spawning LOLBins, and vendor-signed software resident in standard installation directories launching shell interpreters. Leverages UDM process launch event type with principal (parent) and target (child) process fields.

high severity high confidence

Data Sources

Endpoint - Windows Process Events (via Chronicle forwarder or Sysmon-to-UDM ingestion)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Software vendors that legitimately use Squirrel.Windows (Electron apps like Slack, Teams, Discord) whose squirrel.exe spawns PowerShell for installation hooks
Enterprise software (SAP, Oracle, Adobe) with complex install procedures that execute cmd.exe scripts from their Program Files directories during patching cycles
Security tools (CrowdStrike Falcon, SentinelOne, Carbon Black) that self-update from ProgramData paths and execute shell commands as part of sensor update processes

CrowdStrike LogScale (CQL)

cql

// Supply Chain Compromise - T1195
// Branch 1: Installer/updater spawning LOLBin
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|packageinstaller\.exe|softwareupdate\.exe|uninst\.exe|uninstall\.exe|patchinstaller\.exe)/
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|xwizard\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|schtasks\.exe|at\.exe)/
| DetectionReason := "Installer/updater spawned LOLBin"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, SHA256HashData, DetectionReason])

UNION

// Branch 2: Trusted software in Program Files spawning shell
#event_simpleName=ProcessRollup2
| ParentImageFileName = /(?i)(\\Program Files\\|\\Program Files \(x86\)\\|\\ProgramData\\)/
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)/
| ParentBaseFileName != /(?i)(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe|setup\.exe)/
| DetectionReason := "Trusted software in ProgramFiles spawned shell"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, SHA256HashData, DetectionReason])

// Combine and sort
| groupBy([timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, SHA256HashData, DetectionReason], function=count(as=EventCount))
| sort(timestamp, order=desc)

CrowdStrike LogScale (CQL) detection for supply chain compromise using Falcon ProcessRollup2 events. Two branches are unioned: (1) installer and updater processes (msiexec, setup, squirrel, etc.) spawning LOLBins, and (2) vendor software resident in Program Files or ProgramData paths spawning shell interpreters. Both patterns indicate trojanized software executing attacker payloads via trusted delivery mechanisms.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint - ProcessRollup2

Required Tables

ProcessRollup2

False Positives

Legitimate Electron application updaters (Slack, VS Code, GitHub Desktop) that use Squirrel.Windows and spawn PowerShell for delta patching and shortcut management
Software packaging and configuration management tools (Chef, Puppet agents, Ansible runner) installed under ProgramData that invoke cmd.exe or PowerShell for policy enforcement
Anti-malware and EDR products (residing in Program Files) that spawn shell processes during remediation, quarantine, or automated response playbook execution

Sigma rule & cross-platform mapping

The detection logic for Supply Chain Compromise (T1195) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1195 Sigma rules on detection.fyi

Platform-specific guides for T1195

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Trojanized Installer Spawning PowerShell (Windows)
Expected signal: Sysmon Event ID 1: Two process creation events — first for %TEMP%\setup.exe (Image matches 'setup.exe'), then for powershell.exe with ParentImage pointing to %TEMP%\setup.exe. Security Event ID 4688 (if command line auditing enabled) with same parent-child details. Sysmon Event ID 11: File creation for t1195_installer_test.txt.
Test 2Malicious npm Package Postinstall Script (Windows)
Expected signal: Sysmon Event ID 1: Process chain: npm.cmd (or node.exe) spawning cmd.exe with the postinstall command. The CommandLine will contain the postinstall script command. Sysmon Event ID 11: File creation for postinstall_output.txt in %TEMP%\t1195-npm\. Windows Event ID 4688 (process creation) for each spawned process.
Test 3Malicious Python Package setup.py Executing Shell Command (Linux/macOS)
Expected signal: Linux auditd: syscall execve events for python3 spawning subprocess (id command). Syslog/auditd EXECVE records showing python3 as parent process and id as child. If Falco is deployed, process_spawned_by_pip_or_python rules will fire. File creation event for /tmp/t1195-pip/pip_payload_output.txt.
Test 4Software Binary Hash Integrity Verification Failure Simulation (Windows)
Expected signal: Process creation events for certutil.exe (Sysmon Event ID 1) with -hashfile arguments. The fc command will show or report mismatches between the two hash files, demonstrating the hash divergence that would indicate a tampered supply chain binary. No network activity expected. This test validates the analyst investigation workflow rather than triggering a real-time detection rule.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1195 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0001Initial Access

Supply Chain Compromise

What is T1195 Supply Chain Compromise?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1195

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Initial Access

Popular Detections

What is T1195 Supply Chain Compromise?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1195

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox