T1195.001

Compromise Software Dependencies and Development Tools

Adversaries manipulate software dependencies and development tools prior to receipt by a final consumer to compromise data or systems. This includes injecting malicious code into popular open source packages (npm, PyPI, RubyGems), registering typosquatted or abandoned package names, and poisoning CI/CD pipeline components such as GitHub Actions. Malicious packages commonly use preinstall/postinstall lifecycle hooks to execute arbitrary OS commands at install time, enabling immediate credential theft, reverse shell establishment, or persistent implant deployment. Detection focuses on package manager processes spawning unexpected child processes, outbound network connections from package manager child processes, CI/CD workflow file modifications, and installation from non-standard or suspicious registries.

Microsoft Sentinel / Defender

kusto

// T1195.001 — Compromised Software Dependencies: package manager spawning suspicious children + non-standard registry connections
let PackageManagerProcs = dynamic(["npm", "npm.cmd", "npm.exe", "node", "node.exe", "pip", "pip3", "pip.exe", "pip3.exe", "python", "python3", "python.exe", "python3.exe", "pipx", "yarn", "pnpm", "gem", "bundle", "cargo", "go", "nuget", "dotnet"]);
let SuspiciousChildProcs = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"]);
let SuspiciousCommandPatterns = dynamic(["/dev/tcp", "base64 -d", "base64 --decode", "bash -i", "sh -i", "nc -e", "ncat -e", "python -c", "perl -e", "ruby -e", "DownloadString", "DownloadFile", "Invoke-Expression", "IEX(", "curl http", "wget http", "--registry http://", "--registry https://", "postinstall", "preinstall"]);
// Arm 1: Package managers spawning suspicious OS-level processes (postinstall/preinstall hook abuse)
let PackageManagerChildProc =
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName has_any (PackageManagerProcs)
    | where FileName has_any (SuspiciousChildProcs)
          or ProcessCommandLine has_any (SuspiciousCommandPatterns)
    | extend DetectionArm = "PackageManagerSpawnedSuspiciousChild"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             InitiatingProcessFolderPath, FolderPath, DetectionArm;
// Arm 2: Network connections from package manager child processes to non-standard or public IPs
let PackageManagerNetworkAnomalies =
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName has_any (PackageManagerProcs)
    | where RemoteIPType == "Public"
    | where not (RemoteUrl has_any ("registry.npmjs.org", "pypi.org", "files.pythonhosted.org", "rubygems.org", "crates.io", "nuget.org", "pkg.go.dev", "proxy.golang.org", "yarnpkg.com", "registry.yarnpkg.com"))
    | extend DetectionArm = "PackageManagerUnexpectedExternalConnection"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
             FileName = InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine,
             RemoteUrl, RemoteIP, RemotePort, RemoteIPType, DetectionArm;
// Arm 3: CI/CD workflow file modifications (GitHub Actions poisoning)
let CICDWorkflowModifications =
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FolderPath has_any (".github/workflows", ".gitlab-ci", "Jenkinsfile", ".circleci", ".travis", "azure-pipelines")
          or FileName has_any ("Makefile", "CMakeLists.txt", "build.gradle", "pom.xml") and ActionType in ("FileModified", "FileCreated")
    | where ActionType in ("FileModified", "FileCreated", "FileRenamed")
    | extend DetectionArm = "CICDPipelineFileModified"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
             FileName, FolderPath, ActionType,
             InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionArm;
// Union all arms
PackageManagerChildProc
| union PackageManagerNetworkAnomalies
| union CICDWorkflowModifications
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Legitimate npm packages with postinstall scripts that compile native binaries (node-gyp, esbuild, sharp) — these frequently spawn cmd.exe or bash
Developer tools that legitimately use non-standard registries (Artifactory, Nexus, Azure Artifacts, private npm mirrors) for corporate package management
CI/CD automation committing workflow file updates as part of normal GitOps or automated dependency update PRs (Dependabot, Renovate)
Python packages with C extensions running compiler toolchains (gcc, cl.exe, link.exe) via setup.py during installation
Security scanning tools (Snyk, FOSSA, Trivy) that inspect packages and may trigger file access patterns

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval ParentCommandLineLower=lower(ParentCommandLine)
// Check if parent is a package manager
| eval IsPackageManager=if(
    match(ParentImageLower, "(\\\\npm\.cmd$|\\\\npm\.exe$|\\\\node\.exe$|\\\\pip\.exe$|\\\\pip3\.exe$|\\\\python\.exe$|\\\\python3\.exe$|\\\\pipx\.exe$|\\\\yarn\.exe$|\\\\pnpm\.exe$|\\\\gem\.exe$|\\\\bundle\.exe$|\\\\cargo\.exe$|\\\\go\.exe$|\\\\nuget\.exe$|\\\\dotnet\.exe$)"),
    1, 0)
// Check if child is a suspicious process
| eval IsSuspiciousChild=if(
    match(ImageLower, "(\\\\powershell\.exe$|\\\\pwsh\.exe$|\\\\cmd\.exe$|\\\\wscript\.exe$|\\\\cscript\.exe$|\\\\mshta\.exe$|\\\\rundll32\.exe$|\\\\regsvr32\.exe$|\\\\certutil\.exe$|\\\\bitsadmin\.exe$|\\\\curl\.exe$|\\\\wget\.exe$)"),
    1, 0)
// Check for suspicious command line content
| eval SuspiciousCommandLine=if(
    match(CommandLineLower, "(/dev/tcp|base64 -d|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|downloadstring|downloadfile|invoke-expression|iex\\(|curl http|wget http|--registry http)"),
    1, 0)
// Flag postinstall/preinstall hook indicators in parent command
| eval HookAbuse=if(
    match(ParentCommandLineLower, "(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)"),
    1, 0)
| eval DetectionArm=case(
    IsPackageManager=1 AND IsSuspiciousChild=1, "PackageManagerSpawnedSuspiciousChild",
    IsPackageManager=1 AND SuspiciousCommandLine=1, "PackageManagerSuspiciousCommandLine",
    HookAbuse=1 AND IsSuspiciousChild=1, "LifecycleHookChildProcess",
    true(), null())
| where DetectionArm IS NOT NULL
| eval RiskScore=IsPackageManager + IsSuspiciousChild + SuspiciousCommandLine + HookAbuse
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionArm, IsPackageManager, IsSuspiciousChild, SuspiciousCommandLine, HookAbuse, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

node-gyp compilation during native npm package installation spawning cmd.exe and compiler toolchain processes
Corporate Artifactory or Nexus private registries appearing as non-standard registry connections
Python packages with C extensions (numpy, scipy, cryptography) spawning gcc or cl.exe via setup.py
Automated dependency update workflows (Dependabot, Renovate) modifying package.json or requirements.txt and triggering CI re-runs
Security scanning integrations running pip audit or npm audit as part of build pipeline checks

Elastic Security (EQL)

eql

any where
  (
    // Arm 1: Package manager spawning suspicious child processes (postinstall/preinstall hook abuse)
    event.category == "process" and event.type == "start" and
    process.parent.name in~ ("npm", "npm.cmd", "node", "node.exe", "pip", "pip3", "pip.exe", "pip3.exe", "python", "python3", "python.exe", "python3.exe", "pipx", "yarn", "pnpm", "gem", "bundle", "cargo", "go", "nuget", "dotnet") and
    (
      process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe") or
      process.command_line like~ ("*/dev/tcp*", "*base64 -d*", "*base64 --decode*", "*bash -i*", "*sh -i*", "*nc -e*", "*ncat -e*", "*python -c*", "*perl -e*", "*DownloadString*", "*DownloadFile*", "*Invoke-Expression*", "*IEX(*", "*curl http*", "*wget http*", "*--registry http*", "*postinstall*", "*preinstall*")
    )
  )
  or
  (
    // Arm 1b: Lifecycle hook parent spawning suspicious process
    event.category == "process" and event.type == "start" and
    process.parent.command_line like~ ("*postinstall*", "*preinstall*", "*install.js*", "*setup.py*", "*node-pre-gyp*") and
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
  )
  or
  (
    // Arm 2: Package manager processes making unexpected external network connections
    event.category == "network" and event.type == "connection" and
    network.direction == "egress" and
    process.name in~ ("npm", "node", "node.exe", "pip", "pip3", "python", "python3", "yarn", "pnpm", "gem", "bundle", "cargo", "go") and
    not destination.domain in~ ("registry.npmjs.org", "pypi.org", "files.pythonhosted.org", "rubygems.org", "crates.io", "nuget.org", "pkg.go.dev", "proxy.golang.org", "yarnpkg.com", "registry.yarnpkg.com")
  )
  or
  (
    // Arm 3: CI/CD pipeline and build file creation or modification
    event.category == "file" and event.type in ("creation", "change") and
    (
      file.path like~ ("*/.github/workflows/*", "*/.gitlab-ci*", "*/Jenkinsfile*", "*/.circleci/*", "*/.travis*", "*/azure-pipelines*") or
      file.name in~ ("Makefile", "CMakeLists.txt", "build.gradle", "pom.xml")
    )
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration) Auditbeat Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Legitimate postinstall scripts in well-known packages (e.g., node-gyp native module compilation for bcrypt, canvas, sharp) that invoke cmd.exe or sh to compile native C/C++ bindings — validate against package name, build directory path, and developer workstation context
Developer scaffolding tools (create-react-app, vue-cli, angular-cli) that legitimately spawn shell processes to scaffold project templates, run database migrations, or execute build steps during initial npm install on developer machines
Authorized CI/CD pipeline updates by DevOps engineers or automated bots (Dependabot, Renovate) modifying GitHub Actions workflow YAML files or Jenkinsfiles as part of normal release engineering — correlate with known automation service account identities and branch naming conventions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicehostname AS Hostname,
  username AS Username,
  sourceip AS SourceIP,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  "Parent Command" AS ParentCommandLine,
  CASE
    WHEN QIDNAME(qid) LIKE '%Process Create%'
         AND (
           "Parent Process Name" ILIKE '%npm%' OR "Parent Process Name" ILIKE '%node.exe%'
           OR "Parent Process Name" ILIKE '%pip%' OR "Parent Process Name" ILIKE '%python%'
           OR "Parent Process Name" ILIKE '%yarn%' OR "Parent Process Name" ILIKE '%pnpm%'
           OR "Parent Process Name" ILIKE '%gem%' OR "Parent Process Name" ILIKE '%cargo%'
           OR "Parent Process Name" ILIKE '%dotnet%' OR "Parent Process Name" ILIKE '%nuget%'
         )
         AND (
           "Process Name" ILIKE '%powershell.exe%' OR "Process Name" ILIKE '%pwsh.exe%'
           OR "Process Name" ILIKE '%cmd.exe%' OR "Process Name" ILIKE '%wscript.exe%'
           OR "Process Name" ILIKE '%mshta.exe%' OR "Process Name" ILIKE '%certutil.exe%'
           OR "Process Name" ILIKE '%rundll32.exe%' OR "Process Name" ILIKE '%bitsadmin.exe%'
           OR "Command" ILIKE '%/dev/tcp%' OR "Command" ILIKE '%base64 -d%'
           OR "Command" ILIKE '%bash -i%' OR "Command" ILIKE '%DownloadString%'
           OR "Command" ILIKE '%Invoke-Expression%' OR "Command" ILIKE '%IEX(%'
           OR "Command" ILIKE '%--registry http%'
         )
      THEN 'PackageManagerSpawnedSuspiciousChild'
    WHEN QIDNAME(qid) LIKE '%Network Connect%'
         AND (
           "Process Name" ILIKE '%node.exe%' OR "Process Name" ILIKE '%npm%'
           OR "Process Name" ILIKE '%pip%' OR "Process Name" ILIKE '%python%'
           OR "Process Name" ILIKE '%yarn%' OR "Process Name" ILIKE '%gem%'
           OR "Process Name" ILIKE '%cargo%' OR "Process Name" ILIKE '%go.exe%'
         )
         AND NOT (
           "URL" ILIKE '%registry.npmjs.org%' OR "URL" ILIKE '%pypi.org%'
           OR "URL" ILIKE '%files.pythonhosted.org%' OR "URL" ILIKE '%rubygems.org%'
           OR "URL" ILIKE '%crates.io%' OR "URL" ILIKE '%nuget.org%'
           OR "URL" ILIKE '%yarnpkg.com%' OR "URL" ILIKE '%pkg.go.dev%'
           OR "URL" ILIKE '%proxy.golang.org%'
         )
      THEN 'PackageManagerUnexpectedExternalConnection'
    WHEN (
           "File Path" ILIKE '%.github/workflows%' OR "File Path" ILIKE '%.gitlab-ci%'
           OR "File Path" ILIKE '%Jenkinsfile%' OR "File Path" ILIKE '%.circleci%'
           OR "File Path" ILIKE '%azure-pipelines%' OR "File Path" ILIKE '%.travis%'
         )
      THEN 'CICDPipelineFileModified'
    ELSE NULL
  END AS DetectionArm
FROM events
WHERE
  starttime > DATEADD('hours', -24, NOW())
  AND (
    (
      QIDNAME(qid) LIKE '%Process Create%'
      AND (
        "Parent Process Name" ILIKE '%npm%' OR "Parent Process Name" ILIKE '%node.exe%'
        OR "Parent Process Name" ILIKE '%pip%' OR "Parent Process Name" ILIKE '%python%'
        OR "Parent Process Name" ILIKE '%yarn%' OR "Parent Process Name" ILIKE '%pnpm%'
        OR "Parent Process Name" ILIKE '%gem%' OR "Parent Process Name" ILIKE '%cargo%'
        OR "Parent Process Name" ILIKE '%dotnet%' OR "Parent Process Name" ILIKE '%nuget%'
        OR "Parent Command" ILIKE '%postinstall%' OR "Parent Command" ILIKE '%preinstall%'
        OR "Parent Command" ILIKE '%install.js%' OR "Parent Command" ILIKE '%node-pre-gyp%'
      )
      AND (
        "Process Name" ILIKE '%powershell.exe%' OR "Process Name" ILIKE '%pwsh.exe%'
        OR "Process Name" ILIKE '%cmd.exe%' OR "Process Name" ILIKE '%wscript.exe%'
        OR "Process Name" ILIKE '%cscript.exe%' OR "Process Name" ILIKE '%mshta.exe%'
        OR "Process Name" ILIKE '%rundll32.exe%' OR "Process Name" ILIKE '%regsvr32.exe%'
        OR "Process Name" ILIKE '%certutil.exe%' OR "Process Name" ILIKE '%bitsadmin.exe%'
        OR "Process Name" ILIKE '%curl.exe%' OR "Process Name" ILIKE '%wget.exe%'
        OR "Command" ILIKE '%/dev/tcp%' OR "Command" ILIKE '%base64 -d%'
        OR "Command" ILIKE '%bash -i%' OR "Command" ILIKE '%sh -i%'
        OR "Command" ILIKE '%nc -e%' OR "Command" ILIKE '%python -c%'
        OR "Command" ILIKE '%DownloadString%' OR "Command" ILIKE '%Invoke-Expression%'
        OR "Command" ILIKE '%IEX(%' OR "Command" ILIKE '%--registry http%'
      )
    )
    OR
    (
      QIDNAME(qid) LIKE '%Network Connect%'
      AND (
        "Process Name" ILIKE '%node.exe%' OR "Process Name" ILIKE '%npm%'
        OR "Process Name" ILIKE '%pip%' OR "Process Name" ILIKE '%python%'
        OR "Process Name" ILIKE '%yarn%' OR "Process Name" ILIKE '%gem%'
        OR "Process Name" ILIKE '%cargo%' OR "Process Name" ILIKE '%go.exe%'
      )
      AND NOT (
        "URL" ILIKE '%registry.npmjs.org%' OR "URL" ILIKE '%pypi.org%'
        OR "URL" ILIKE '%files.pythonhosted.org%' OR "URL" ILIKE '%rubygems.org%'
        OR "URL" ILIKE '%crates.io%' OR "URL" ILIKE '%nuget.org%'
        OR "URL" ILIKE '%yarnpkg.com%' OR "URL" ILIKE '%pkg.go.dev%'
        OR "URL" ILIKE '%proxy.golang.org%'
      )
    )
    OR
    (
      "File Path" ILIKE '%.github/workflows%' OR "File Path" ILIKE '%.gitlab-ci%'
      OR "File Path" ILIKE '%Jenkinsfile%' OR "File Path" ILIKE '%.circleci%'
      OR "File Path" ILIKE '%azure-pipelines%' OR "File Path" ILIKE '%.travis%'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log DSM Sysmon DSM for QRadar QRadar Network Activity flows

Required Tables

events

False Positives

Node.js packages using node-gyp or node-pre-gyp for native addon compilation will invoke cmd.exe or sh as a child of node.exe to run C/C++ compilers — common in packages like bcrypt, canvas, sharp on developer workstations with Visual Studio Build Tools or GCC installed
Enterprise package mirrors (Artifactory, Nexus, Verdaccio) or proxy servers used to cache npm/pip/gem packages will generate outbound connections from package manager processes to internal proxy IPs not covered by the known-good public registry allowlist — add internal proxy FQDNs as exclusions
Automated dependency management bots (Dependabot, Renovate Bot, Snyk) that regularly open PRs modifying workflow YAML files, package-lock.json, and build configuration files will trigger the CI/CD pipeline modification arm — correlate against known bot service account usernames

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| parse field=_raw "ParentImage=*" as parent_image nodrop
| parse field=_raw "Image=*" as process_image nodrop
| parse field=_raw "CommandLine=*" as command_line nodrop
| parse field=_raw "ParentCommandLine=*" as parent_command nodrop
| parse field=_raw "DestinationHostname=*" as dest_hostname nodrop
| parse field=_raw "TargetFilename=*" as target_file nodrop
| if (isNull(parent_image), "", toLowerCase(parent_image)) as parent_lower
| if (isNull(process_image), "", toLowerCase(process_image)) as process_lower
| if (isNull(command_line), "", toLowerCase(command_line)) as cmd_lower
| if (isNull(parent_command), "", toLowerCase(parent_command)) as parent_cmd_lower
// Arm 1: Flag package manager parent processes
| if (parent_lower matches /\\b(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|pipx\.exe|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe|nuget\.exe|dotnet\.exe)\b/, 1, 0) as is_pkg_manager
// Flag suspicious child processes
| if (process_lower matches /\\b(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)\b/, 1, 0) as is_suspicious_child
// Flag suspicious command line content
| if (cmd_lower matches /(\/dev\/tcp|base64 -d|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|downloadstring|downloadfile|invoke-expression|iex\(|curl http|wget http|--registry http)/, 1, 0) as has_suspicious_cmd
// Flag lifecycle hook indicators in parent command
| if (parent_cmd_lower matches /(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)/, 1, 0) as is_hook_abuse
// Arm 2: Package manager network anomalies
| if (is_pkg_manager = 1 AND !isNull(dest_hostname) AND !(dest_hostname matches /(registry\.npmjs\.org|pypi\.org|files\.pythonhosted\.org|rubygems\.org|crates\.io|nuget\.org|pkg\.go\.dev|proxy\.golang\.org|yarnpkg\.com|registry\.yarnpkg\.com)/), 1, 0) as is_net_anomaly
// Arm 3: CI/CD file creation or modification events
| if (!isNull(target_file) AND target_file matches /(\.github\/workflows|\.gitlab-ci|Jenkinsfile|\.circleci|\.travis|azure-pipelines|Makefile|CMakeLists\.txt|build\.gradle|pom\.xml)/, 1, 0) as is_cicd_mod
// Assign detection arm and calculate risk score
| if (is_pkg_manager = 1 AND (is_suspicious_child = 1 OR has_suspicious_cmd = 1), "PackageManagerSpawnedSuspiciousChild",
    if (is_hook_abuse = 1 AND is_suspicious_child = 1, "LifecycleHookChildProcess",
    if (is_net_anomaly = 1, "PackageManagerUnexpectedExternalConnection",
    if (is_cicd_mod = 1, "CICDPipelineFileModified", "")))) as detection_arm
| where detection_arm != ""
| is_pkg_manager + is_suspicious_child + has_suspicious_cmd + is_hook_abuse + is_net_anomaly + is_cicd_mod as risk_score
| fields _messageTime, %host, %user, process_image, command_line, parent_image, parent_command, dest_hostname, target_file, detection_arm, risk_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows Events Source) Sysmon operational log forwarding via Sumo Logic agent Sumo Logic Cloud SIEM Enterprise (CSE) normalized events

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Native module compilation during npm install via node-gyp invokes cmd.exe or sh to run C/C++ compiler toolchains — particularly common in packages like bcrypt, canvas, sharp, sqlite3 on developer workstations with build tools installed; validate by checking if the grandparent process is an IDE or terminal
Electron-based desktop application builds that use npm scripts to invoke Python for node-gyp or PowerShell for code signing and packaging steps will trigger Arm 1 on build servers; add known build agent hostnames to an allowlist
Security scanning and software composition analysis (SCA) tools such as Snyk CLI, npm audit, or pip-audit make outbound connections to vulnerability databases and advisory feeds not included in the standard package registry allowlist — these will trigger Arm 2 from pip/npm processes

Google Chronicle / SecOps

yaral

rule t1195_001_supply_chain_compromise {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1195.001 supply chain compromise: package manager hook abuse spawning suspicious processes, unexpected external registry connections, and CI/CD pipeline file modifications"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.001"
    mitre_attack_technique_name = "Compromise Software Dependencies and Development Tools"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "Windows, Linux, macOS"
    data_sources = "EDR, Process Telemetry, File Monitoring, Network Telemetry"
    version = "1.0"

  events:
    (
      // Arm 1a: Package manager process spawning suspicious OS-level child process
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path,
          `(?i)(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|pipx\.exe|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe|nuget\.exe|dotnet\.exe)$`)
        or re.regex($e1.principal.process.command_line,
          `(?i)(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)`)
      )
      and (
        re.regex($e1.target.process.file.full_path,
          `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)$`)
        or re.regex($e1.target.process.command_line,
          `(?i)(/dev/tcp|base64 -d|base64 --decode|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|DownloadString|DownloadFile|Invoke-Expression|IEX\(|curl http|wget http|--registry http)`)
      )
    )
    or
    (
      // Arm 2: Package manager process making unexpected external network connection
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($e1.principal.process.file.full_path,
        `(?i)(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe)$`)
      and $e1.network.direction = "OUTBOUND"
      and not re.regex($e1.target.hostname,
        `(?i)(registry\.npmjs\.org|pypi\.org|files\.pythonhosted\.org|rubygems\.org|crates\.io|nuget\.org|pkg\.go\.dev|proxy\.golang\.org|yarnpkg\.com|registry\.yarnpkg\.com)`)
    )
    or
    (
      // Arm 3: CI/CD pipeline configuration file creation or modification
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path,
          `(?i)(\.github/workflows|\.gitlab-ci|Jenkinsfile|\.circleci|\.travis|azure-pipelines)`)
        or re.regex($e1.target.file.full_path,
          `(?i)(Makefile|CMakeLists\.txt|build\.gradle|pom\.xml)$`)
      )
    )

  condition:
    $e1
}

high severity medium confidence

Data Sources

Chronicle UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION, FILE_CREATION) Google Chronicle SIEM EDR telemetry ingested via Chronicle forwarder Sysmon via Chronicle Windows forwarder

Required Tables

UDM Events — PROCESS_LAUNCH UDM Events — NETWORK_CONNECTION UDM Events — FILE_CREATION

False Positives

Native npm package compilation via node-gyp will trigger Arm 1 when node.exe spawns cmd.exe or sh to invoke C/C++ compilers during postinstall — add known developer workstation hostnames or build agent principals to an exception list, or filter on process.command_line patterns matching known compiler invocations (cl.exe, gcc, make)
Trusted dependency management automation (Dependabot, Renovate Bot, GitHub Actions bot) regularly creates and modifies workflow YAML files and build configurations as part of automated dependency update PRs — correlate Arm 3 hits against known automation service account principal.user.userid values
Corporate package proxy servers (Artifactory, Nexus, Verdaccio) used as internal npm/pip/gem mirrors will generate Arm 2 hits when package manager processes connect to internal proxy hostnames not included in the external registry allowlist — extend the negative regex in Arm 2 with known internal proxy domain patterns

CrowdStrike LogScale (CQL)

cql

// T1195.001 — Supply Chain Compromise: Package Manager Hook Abuse + CI/CD Poisoning
// Arm 1: Package manager spawning suspicious child processes (postinstall/preinstall hook abuse)
#event_simpleName=ProcessRollup2
| test(
    (
      ParentBaseFileName = /^(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|pipx\.exe|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe|nuget\.exe|dotnet\.exe)$/i
      or ParentCommandLine = /(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)/i
    )
    and
    (
      FileName = /^(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)$/i
      or CommandLine = /(\/dev\/tcp|base64 -d|base64 --decode|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|DownloadString|DownloadFile|Invoke-Expression|IEX\(|curl http|wget http|--registry http)/i
    )
  )
| eval(
    DetectionArm="PackageManagerSpawnedSuspiciousChild",
    RiskScore=if(
      FileName = /^(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/i
        and CommandLine = /(DownloadString|DownloadFile|Invoke-Expression|IEX\(|base64 -d)/i,
      "critical",
      if(FileName = /^(certutil\.exe|bitsadmin\.exe|rundll32\.exe|regsvr32\.exe)$/i, "high", "medium")
    )
  )
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionArm, RiskScore])

// ─── Arm 2: Package manager unexpected external network connections (run as separate query) ───
// #event_simpleName=NetworkConnectIP4
// | test(
//     FileName = /^(node\.exe|npm\.cmd|pip\.exe|pip3\.exe|python\.exe|python3\.exe|yarn\.exe|pnpm\.exe|gem\.exe|cargo\.exe|go\.exe)$/i
//     and not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
//     and not DomainName = /(registry\.npmjs\.org|pypi\.org|files\.pythonhosted\.org|rubygems\.org|crates\.io|nuget\.org|pkg\.go\.dev|proxy\.golang\.org|yarnpkg\.com|registry\.yarnpkg\.com)/i
//   )
// | eval(DetectionArm="PackageManagerUnexpectedExternalConnection")
// | table([@timestamp, ComputerName, UserName, FileName, RemoteAddressIP4, DomainName, RemotePort, DetectionArm])

// ─── Arm 3: CI/CD pipeline file write events (requires Falcon FileVantage or custom IOA) ───
// #event_simpleName=PeFileWritten OR #event_simpleName=ScriptFileWritten
// | test(
//     TargetFileName = /(\.github\/workflows|\.gitlab-ci|Jenkinsfile|\.circleci|\.travis|azure-pipelines)/i
//     or TargetFileName = /(Makefile|CMakeLists\.txt|build\.gradle|pom\.xml)$/i
//   )
// | eval(DetectionArm="CICDPipelineFileModified")
// | table([@timestamp, ComputerName, UserName, TargetFileName, DetectionArm])

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon Network Telemetry (NetworkConnectIP4, NetworkConnectIP6) CrowdStrike Falcon FileVantage (PeFileWritten, ScriptFileWritten) Falcon Insight XDR

Required Tables

ProcessRollup2 NetworkConnectIP4 NetworkConnectIP6

False Positives

Legitimate native module compilation via node-gyp during npm install triggers node.exe spawning cmd.exe to run C/C++ compilers (cl.exe, gcc, make) — common in packages like bcrypt, canvas, sharp, sqlite3 on developer workstations with Visual Studio Build Tools or MinGW; add known developer endpoint ComputerName values or exclude CommandLine patterns matching known compiler binaries as grandchildren
Corporate software development environments where Python-based build systems (SCons, waf) or Rust build scripts (build.rs) invoke shell commands as part of standard compilation will generate Arm 1 hits from cargo.exe or python.exe spawning sh/bash on Linux build agents — filter by known CI build agent ComputerName
Authorized automated pipeline maintenance where GitHub Actions bots, Dependabot, or Renovate commit updated workflow YAML or Dockerfile content generates Arm 3 alerts — validate against known automation service account UserName values and scheduled change windows

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1195.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1195Supply Chain Compromise

Related Sub-techniques

T1195.002Compromise Software Supply Chain T1195.003Compromise Hardware Supply Chain

Compromise Software Dependencies and Development Tools

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections