T1195

Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can occur at any stage — from manipulation of development tools, source code repositories, open-source dependencies, software update/distribution mechanisms, system images, or physical hardware. Because the attack abuses trusted software distribution channels, defenders must focus on post-delivery behavioral indicators: trusted installer processes spawning shells, legitimate software making unexpected network connections, newly installed applications loading unsigned modules, and integrity failures in software binaries. High-profile incidents include SolarWinds Orion (Sunburst backdoor in update packages), CCleaner (backdoor distributed via official update), 3CX (second-order compromise via trojanized Electron app), and NotPetya (distributed via M.E.Doc accounting software update).

Microsoft Sentinel / Defender

kusto

let TrustedInstallerProcesses = dynamic([
    "msiexec.exe", "setup.exe", "install.exe", "installer.exe",
    "update.exe", "updater.exe", "autoupdate.exe", "squirrel.exe",
    "appinstaller.exe", "packageinstaller.exe", "softwareupdate.exe",
    "uninst.exe", "uninstall.exe", "patchinstaller.exe"
]);
let LOLBins = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
    "wmic.exe", "msbuild.exe", "csc.exe", "odbcconf.exe", "xwizard.exe",
    "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe"
]);
// Part 1: Installer/updater processes spawning suspicious child processes
let InstallerSpawnsLOLBin = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (TrustedInstallerProcesses)
| where FileName in~ (LOLBins)
| extend DetectionSource = "InstallerSpawnedLOLBin"
| project Timestamp, DeviceName, AccountName,
         DetectionSource,
         ParentProcess = InitiatingProcessFileName,
         ParentCommandLine = InitiatingProcessCommandLine,
         ParentSHA1 = InitiatingProcessSHA1,
         ChildProcess = FileName,
         ChildCommandLine = ProcessCommandLine,
         ChildFolderPath = FolderPath;
// Part 2: Legitimate signed software spawning shells after a recent file write to its install directory
let SignedSoftwareSpawnsShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where InitiatingProcessFolderPath has_any ("Program Files", "Program Files (x86)", "ProgramData")
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe")
| where InitiatingProcessVersionInfoCompanyName != ""
// Exclude common known-good parent patterns
| where not (InitiatingProcessFileName in~ ("explorer.exe", "svchost.exe", "services.exe", "taskhostw.exe"))
| extend DetectionSource = "TrustedSoftwareSpawnedShell"
| project Timestamp, DeviceName, AccountName,
         DetectionSource,
         ParentProcess = InitiatingProcessFileName,
         ParentCommandLine = InitiatingProcessCommandLine,
         ParentSHA1 = InitiatingProcessSHA1,
         ParentFolderPath = InitiatingProcessFolderPath,
         ParentCompany = InitiatingProcessVersionInfoCompanyName,
         ChildProcess = FileName,
         ChildCommandLine = ProcessCommandLine,
         ChildFolderPath = FolderPath;
// Combine both detection paths
InstallerSpawnsLOLBin
| project Timestamp, DeviceName, AccountName, DetectionSource, ParentProcess, ParentCommandLine, ParentSHA1, ChildProcess, ChildCommandLine
| union (
    SignedSoftwareSpawnsShell
    | project Timestamp, DeviceName, AccountName, DetectionSource, ParentProcess, ParentCommandLine, ParentSHA1, ChildProcess, ChildCommandLine
)
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers (especially older or enterprise software) that invoke cmd.exe or PowerShell as part of post-install configuration scripts or service registration
Software deployment platforms (SCCM, Intune, PDQ Deploy) that use msiexec.exe or setup.exe as wrappers that legitimately spawn PowerShell for configuration
Electron-based applications (VSCode, Slack, Teams) whose squirrel.exe updater spawns cmd.exe for delta patching operations
Development environment tools (Visual Studio, JetBrains, Eclipse) that run PowerShell or scripts as part of extension installation or project scaffolding
Third-party IT management agents (SolarWinds, ConnectWise, Kaseya) whose update mechanisms spawn child processes by design

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
// Part 1: Installer/updater spawning LOLBins
| eval InstallerParent=if(
    match(ParentImageLower, "(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|packageinstaller\.exe|softwareupdate\.exe|uninst\.exe)"),
    1, 0
  )
| eval SpawnedLOLBin=if(
    match(ImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)"),
    1, 0
  )
// Part 2: Trusted software in Program Files spawning shells
| eval TrustedParentPath=if(
    match(ParentImageLower, "(program files|programdata)") AND
    match(ImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)") AND
    NOT match(ParentImageLower, "(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe)"),
    1, 0
  )
| eval SupplyChainScore=InstallerParent*SpawnedLOLBin + TrustedParentPath
| where SupplyChainScore > 0
| eval DetectionReason=case(
    InstallerParent=1 AND SpawnedLOLBin=1, "Installer/updater spawned LOLBin",
    TrustedParentPath=1, "Trusted software in ProgramFiles spawned shell",
    true(), "Unknown"
  )
| table _time, host, User, ParentImage, ParentCommandLine, Image, CommandLine, Hashes, DetectionReason, SupplyChainScore
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate enterprise software installers that invoke PowerShell or cmd.exe for post-installation configuration tasks (SCCM packages, PDQ Deploy scripts)
Electron application updaters (squirrel.exe) that spawn cmd.exe as part of delta patching on Windows
Development IDEs (Visual Studio, JetBrains IDEs) that run shell scripts during extension or plugin installation
Security tools and monitoring agents that install via msiexec and invoke PowerShell for initial configuration and health checks
Software with embedded scripting engines (AutoIT, NSIS) that legitimately spawn cmd.exe as part of installation workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "hostname",
  QIDNAME(qid) AS event_name,
  "processname" AS child_process,
  "parentprocessname" AS parent_process,
  "commandline" AS child_cmdline,
  CASE
    WHEN LOWER("parentprocessname") MATCHES '(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe)'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)'
      THEN 'Installer/updater spawned LOLBin'
    WHEN LOWER("parentprocesspath") MATCHES '.*(program files|programdata).*'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)'
      AND NOT LOWER("parentprocessname") MATCHES '(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe)'
      THEN 'Trusted software in ProgramFiles spawned shell'
    ELSE 'Unknown'
  END AS detection_reason
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 45)
  AND LONG(starttime) > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      LOWER("parentprocessname") MATCHES '(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe)'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)'
    )
    OR
    (
      LOWER("parentprocesspath") MATCHES '.*(program files|programdata).*'
      AND LOWER("processname") MATCHES '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)'
      AND NOT LOWER("parentprocessname") MATCHES '(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe)'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Sysmon (EventCode 1) Windows Security Event Log (EventCode 4688)

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune, PDQ Deploy) that call installer processes and then launch scripts for configuration management
Security software (EDR agents, AV tools) residing in Program Files that spawn cmd.exe or PowerShell for update and quarantine operations
Developer environment installers (Visual Studio, JetBrains, Eclipse) that run post-install PowerShell scripts for environment setup or plugin installation

Sumo Logic CSE

sql

(_sourceCategory="endpoint/windows/sysmon" OR _sourceCategory="endpoint/windows/security")
| where EventID = "1" or EventCode = "1" or EventID = "4688"
| parse field=ParentImage "*\\*" as _discard, parent_exe nodrop
| parse field=Image "*\\*" as _discard, child_exe nodrop
| parse field=ParentCommandLine "*" as parent_cmdline nodrop
| parse field=CommandLine "*" as child_cmdline nodrop
| parse field=ParentImage "*" as parent_full_path nodrop
| eval parent_lower = toLowerCase(parent_exe)
| eval child_lower = toLowerCase(child_exe)
| eval parent_path_lower = toLowerCase(ParentImage)
// Branch 1: Installer spawning LOLBin
| eval is_installer_parent = if(matches(parent_lower, "msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe"), 1, 0)
| eval is_lolbin_child = if(matches(child_lower, "cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe"), 1, 0)
// Branch 2: Trusted software in Program Files spawning shell
| eval is_trusted_path_parent = if(matches(parent_path_lower, "program files|programdata"), 1, 0)
| eval is_shell_child = if(matches(child_lower, "cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe"), 1, 0)
| eval is_excluded_parent = if(matches(parent_lower, "explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe"), 1, 0)
| eval supply_chain_score = (is_installer_parent * is_lolbin_child) + (is_trusted_path_parent * is_shell_child * (1 - is_excluded_parent))
| where supply_chain_score > 0
| eval detection_reason = if(is_installer_parent = 1 and is_lolbin_child = 1, "Installer/updater spawned LOLBin",
    if(is_trusted_path_parent = 1 and is_shell_child = 1 and is_excluded_parent = 0, "Trusted software in ProgramFiles spawned shell", "Unknown"))
| fields _messageTime, Computer, host, User, ParentImage, parent_cmdline, Image, child_cmdline, Hashes, detection_reason, supply_chain_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

Endpoint - Windows Sysmon Endpoint - Windows Security Event Log

Required Tables

Sysmon EventCode 1 Windows Security EventCode 4688

False Positives

Legitimate software update pipelines (e.g., Electron app self-updaters using Squirrel.Windows) that spawn PowerShell for pre/post-update scripting
IT management agents (ManageEngine, Kaseya, ConnectWise) that install via MSI and then invoke shell commands for asset configuration or remediation
Software development kits that install CLI tooling via setup.exe and subsequently launch cmd.exe to add directories to PATH or configure shell profiles

Google Chronicle / SecOps

yaral

rule supply_chain_compromise_t1195 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects post-delivery supply chain compromise indicators: installer/updater processes spawning LOLBins, or trusted signed software in standard install paths launching shell interpreters"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195"
    mitre_attack_subtechniques = "T1195.001, T1195.002, T1195.003"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-18"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Microsoft"

    // Capture parent and child process names
    $parent = $e.principal.process.file.full_path
    $child = $e.target.process.file.full_path
    $child_name = $e.target.process.file.basename
    $parent_name = $e.principal.process.file.basename

    // Branch 1: Installer/updater spawning LOLBin
    // Branch 2: Trusted software in Program Files spawning shell
    (
      (
        re.regex($e.principal.process.file.basename, `(?i)(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|packageinstaller\.exe|softwareupdate\.exe|uninst\.exe|uninstall\.exe|patchinstaller\.exe)`)
        and
        re.regex($e.target.process.file.basename, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|xwizard\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|schtasks\.exe|at\.exe)`)
      )
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\Program Files\\|\\Program Files \(x86\)\\|\\ProgramData\\)`)
        and
        re.regex($e.target.process.file.basename, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)`)
        and
        not re.regex($e.principal.process.file.basename, `(?i)(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe|setup\.exe)`)
        and
        $e.principal.process.file.pe_file.company_name != ""
      )
    )

    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $parent_cmd = $e.principal.process.command_line
    $child_cmd = $e.target.process.command_line

  condition:
    $e
}

high severity high confidence

Data Sources

Endpoint - Windows Process Events (via Chronicle forwarder or Sysmon-to-UDM ingestion)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Software vendors that legitimately use Squirrel.Windows (Electron apps like Slack, Teams, Discord) whose squirrel.exe spawns PowerShell for installation hooks
Enterprise software (SAP, Oracle, Adobe) with complex install procedures that execute cmd.exe scripts from their Program Files directories during patching cycles
Security tools (CrowdStrike Falcon, SentinelOne, Carbon Black) that self-update from ProgramData paths and execute shell commands as part of sensor update processes

CrowdStrike LogScale (CQL)

cql

// Supply Chain Compromise - T1195
// Branch 1: Installer/updater spawning LOLBin
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|packageinstaller\.exe|softwareupdate\.exe|uninst\.exe|uninstall\.exe|patchinstaller\.exe)/
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|xwizard\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|schtasks\.exe|at\.exe)/
| DetectionReason := "Installer/updater spawned LOLBin"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, SHA256HashData, DetectionReason])

UNION

// Branch 2: Trusted software in Program Files spawning shell
#event_simpleName=ProcessRollup2
| ParentImageFileName = /(?i)(\\Program Files\\|\\Program Files \(x86\)\\|\\ProgramData\\)/
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)/
| ParentBaseFileName != /(?i)(explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe|setup\.exe)/
| DetectionReason := "Trusted software in ProgramFiles spawned shell"
| table([timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, SHA256HashData, DetectionReason])

// Combine and sort
| groupBy([timestamp, ComputerName, UserName, ParentBaseFileName, ParentCommandLine, ImageFileName, CommandLine, SHA256HashData, DetectionReason], function=count(as=EventCount))
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint - ProcessRollup2

Required Tables

ProcessRollup2

False Positives

Legitimate Electron application updaters (Slack, VS Code, GitHub Desktop) that use Squirrel.Windows and spawn PowerShell for delta patching and shortcut management
Software packaging and configuration management tools (Chef, Puppet agents, Ansible runner) installed under ProgramData that invoke cmd.exe or PowerShell for policy enforcement
Anti-malware and EDR products (residing in Program Files) that spawn shell processes during remediation, quarantine, or automated response playbook execution

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1195 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Supply Chain Compromise

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Initial Access

Popular Detections