T1195.001 IBM QRadar · QRadar

Detect Compromise Software Dependencies and Development Tools in IBM QRadar

Adversaries manipulate software dependencies and development tools prior to receipt by a final consumer to compromise data or systems. This includes injecting malicious code into popular open source packages (npm, PyPI, RubyGems), registering typosquatted or abandoned package names, and poisoning CI/CD pipeline components such as GitHub Actions. Malicious packages commonly use preinstall/postinstall lifecycle hooks to execute arbitrary OS commands at install time, enabling immediate credential theft, reverse shell establishment, or persistent implant deployment. Detection focuses on package manager processes spawning unexpected child processes, outbound network connections from package manager child processes, CI/CD workflow file modifications, and installation from non-standard or suspicious registries.

MITRE ATT&CK

Tactic
Initial Access
Technique
T1195 Supply Chain Compromise
Sub-technique
T1195.001 Compromise Software Dependencies and Development Tools
Canonical reference
https://attack.mitre.org/techniques/T1195/001/

QRadar Detection Query

IBM QRadar (QRadar) AQL. The CASE labels in the SELECT mirror the WHERE filter exactly, so every row the filter returns carries a non-NULL DetectionArm:

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicehostname AS Hostname,
  username AS Username,
  sourceip AS SourceIP,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  "Parent Command" AS ParentCommandLine,
  CASE
    WHEN QIDNAME(qid) LIKE '%Process Create%'
         AND (
           "Parent Process Name" ILIKE '%npm%' OR "Parent Process Name" ILIKE '%node.exe%'
           OR "Parent Process Name" ILIKE '%pip%' OR "Parent Process Name" ILIKE '%python%'
           OR "Parent Process Name" ILIKE '%yarn%' OR "Parent Process Name" ILIKE '%pnpm%'
           OR "Parent Process Name" ILIKE '%gem%' OR "Parent Process Name" ILIKE '%cargo%'
           OR "Parent Process Name" ILIKE '%dotnet%' OR "Parent Process Name" ILIKE '%nuget%'
           OR "Parent Command" ILIKE '%postinstall%' OR "Parent Command" ILIKE '%preinstall%'
           OR "Parent Command" ILIKE '%install.js%' OR "Parent Command" ILIKE '%node-pre-gyp%'
         )
         AND (
           "Process Name" ILIKE '%powershell.exe%' OR "Process Name" ILIKE '%pwsh.exe%'
           OR "Process Name" ILIKE '%cmd.exe%' OR "Process Name" ILIKE '%wscript.exe%'
           OR "Process Name" ILIKE '%cscript.exe%' OR "Process Name" ILIKE '%mshta.exe%'
           OR "Process Name" ILIKE '%rundll32.exe%' OR "Process Name" ILIKE '%regsvr32.exe%'
           OR "Process Name" ILIKE '%certutil.exe%' OR "Process Name" ILIKE '%bitsadmin.exe%'
           OR "Process Name" ILIKE '%curl.exe%' OR "Process Name" ILIKE '%wget.exe%'
           OR "Command" ILIKE '%/dev/tcp%' OR "Command" ILIKE '%base64 -d%'
           OR "Command" ILIKE '%bash -i%' OR "Command" ILIKE '%sh -i%'
           OR "Command" ILIKE '%nc -e%' OR "Command" ILIKE '%python -c%'
           OR "Command" ILIKE '%DownloadString%' OR "Command" ILIKE '%Invoke-Expression%'
           OR "Command" ILIKE '%IEX(%' OR "Command" ILIKE '%--registry http%'
         )
      THEN 'PackageManagerSpawnedSuspiciousChild'
    WHEN QIDNAME(qid) LIKE '%Network Connect%'
         AND (
           "Process Name" ILIKE '%node.exe%' OR "Process Name" ILIKE '%npm%'
           OR "Process Name" ILIKE '%pip%' OR "Process Name" ILIKE '%python%'
           OR "Process Name" ILIKE '%yarn%' OR "Process Name" ILIKE '%gem%'
           OR "Process Name" ILIKE '%cargo%' OR "Process Name" ILIKE '%go.exe%'
         )
         AND NOT (
           "URL" ILIKE '%registry.npmjs.org%' OR "URL" ILIKE '%pypi.org%'
           OR "URL" ILIKE '%files.pythonhosted.org%' OR "URL" ILIKE '%rubygems.org%'
           OR "URL" ILIKE '%crates.io%' OR "URL" ILIKE '%nuget.org%'
           OR "URL" ILIKE '%yarnpkg.com%' OR "URL" ILIKE '%pkg.go.dev%'
           OR "URL" ILIKE '%proxy.golang.org%'
         )
      THEN 'PackageManagerUnexpectedExternalConnection'
    WHEN (
           "File Path" ILIKE '%.github/workflows%' OR "File Path" ILIKE '%.gitlab-ci%'
           OR "File Path" ILIKE '%Jenkinsfile%' OR "File Path" ILIKE '%.circleci%'
           OR "File Path" ILIKE '%azure-pipelines%' OR "File Path" ILIKE '%.travis%'
         )
      THEN 'CICDPipelineFileModified'
    ELSE NULL
  END AS DetectionArm
FROM events
WHERE
  starttime > DATEADD('hours', -24, NOW())
  AND (
    (
      QIDNAME(qid) LIKE '%Process Create%'
      AND (
        "Parent Process Name" ILIKE '%npm%' OR "Parent Process Name" ILIKE '%node.exe%'
        OR "Parent Process Name" ILIKE '%pip%' OR "Parent Process Name" ILIKE '%python%'
        OR "Parent Process Name" ILIKE '%yarn%' OR "Parent Process Name" ILIKE '%pnpm%'
        OR "Parent Process Name" ILIKE '%gem%' OR "Parent Process Name" ILIKE '%cargo%'
        OR "Parent Process Name" ILIKE '%dotnet%' OR "Parent Process Name" ILIKE '%nuget%'
        OR "Parent Command" ILIKE '%postinstall%' OR "Parent Command" ILIKE '%preinstall%'
        OR "Parent Command" ILIKE '%install.js%' OR "Parent Command" ILIKE '%node-pre-gyp%'
      )
      AND (
        "Process Name" ILIKE '%powershell.exe%' OR "Process Name" ILIKE '%pwsh.exe%'
        OR "Process Name" ILIKE '%cmd.exe%' OR "Process Name" ILIKE '%wscript.exe%'
        OR "Process Name" ILIKE '%cscript.exe%' OR "Process Name" ILIKE '%mshta.exe%'
        OR "Process Name" ILIKE '%rundll32.exe%' OR "Process Name" ILIKE '%regsvr32.exe%'
        OR "Process Name" ILIKE '%certutil.exe%' OR "Process Name" ILIKE '%bitsadmin.exe%'
        OR "Process Name" ILIKE '%curl.exe%' OR "Process Name" ILIKE '%wget.exe%'
        OR "Command" ILIKE '%/dev/tcp%' OR "Command" ILIKE '%base64 -d%'
        OR "Command" ILIKE '%bash -i%' OR "Command" ILIKE '%sh -i%'
        OR "Command" ILIKE '%nc -e%' OR "Command" ILIKE '%python -c%'
        OR "Command" ILIKE '%DownloadString%' OR "Command" ILIKE '%Invoke-Expression%'
        OR "Command" ILIKE '%IEX(%' OR "Command" ILIKE '%--registry http%'
      )
    )
    OR
    (
      QIDNAME(qid) LIKE '%Network Connect%'
      AND (
        "Process Name" ILIKE '%node.exe%' OR "Process Name" ILIKE '%npm%'
        OR "Process Name" ILIKE '%pip%' OR "Process Name" ILIKE '%python%'
        OR "Process Name" ILIKE '%yarn%' OR "Process Name" ILIKE '%gem%'
        OR "Process Name" ILIKE '%cargo%' OR "Process Name" ILIKE '%go.exe%'
      )
      AND NOT (
        "URL" ILIKE '%registry.npmjs.org%' OR "URL" ILIKE '%pypi.org%'
        OR "URL" ILIKE '%files.pythonhosted.org%' OR "URL" ILIKE '%rubygems.org%'
        OR "URL" ILIKE '%crates.io%' OR "URL" ILIKE '%nuget.org%'
        OR "URL" ILIKE '%yarnpkg.com%' OR "URL" ILIKE '%pkg.go.dev%'
        OR "URL" ILIKE '%proxy.golang.org%'
      )
    )
    OR
    (
      "File Path" ILIKE '%.github/workflows%' OR "File Path" ILIKE '%.gitlab-ci%'
      OR "File Path" ILIKE '%Jenkinsfile%' OR "File Path" ILIKE '%.circleci%'
      OR "File Path" ILIKE '%azure-pipelines%' OR "File Path" ILIKE '%.travis%'
    )
  )
ORDER BY starttime DESC
LIMIT 500
```
Severity: high. Confidence: medium.

Detects T1195.001 supply chain compromise using IBM QRadar AQL across three detection arms correlated from Sysmon and Windows Security DSM events: (1) package manager processes (npm, pip, yarn, gem, cargo, dotnet, nuget) spawning suspicious OS-level child processes or executing commands associated with postinstall/preinstall lifecycle hook abuse; (2) package manager processes establishing outbound network connections to hosts outside the known-good package registry allowlist; (3) creation or modification of CI/CD pipeline configuration files including GitHub Actions, GitLab CI, Jenkinsfile, and Azure Pipelines. Uses QRadar CASE classification with QIDNAME correlation for event type resolution.

Data Sources

  • Microsoft Windows Security Event Log DSM
  • Sysmon DSM for QRadar
  • QRadar Network Activity flows

Required Tables

events

False Positives & Tuning

  • Node.js packages using node-gyp or node-pre-gyp for native addon compilation will invoke cmd.exe or sh as a child of node.exe to run C/C++ compilers — common in packages like bcrypt, canvas, sharp on developer workstations with Visual Studio Build Tools or GCC installed
  • Enterprise package mirrors (Artifactory, Nexus, Verdaccio) or proxy servers used to cache npm/pip/gem packages will generate outbound connections from package manager processes to internal proxy IPs not covered by the known-good public registry allowlist — add internal proxy FQDNs as exclusions
  • Automated dependency management bots (Dependabot, Renovate Bot, Snyk) that regularly open PRs modifying workflow YAML files, package-lock.json, and build configuration files will trigger the CI/CD pipeline modification arm — correlate against known bot service account usernames
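The three arms of the query above, together with the tuning exclusions from this section, re-implemented in Python so they can be run offline against constructed events. This is an added example, not IBM's or the rule author's code; the event keys are assumed to mirror the query's column aliases, and the path-separator normalisation addresses a gap in the AQL as written (Test 3 below expects a backslash path, which `%.github/workflows%` does not match).

```python
# Added example (not IBM's or the rule author's code): the page's three AQL arms
# in Python; event keys are assumed to mirror the query's column aliases.
PKG_PARENTS = ("npm", "node.exe", "pip", "python", "yarn", "pnpm", "gem", "cargo", "dotnet", "nuget")
HOOK_PARENT_CMDS = ("postinstall", "preinstall", "install.js", "node-pre-gyp")
LOLBIN_CHILDREN = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                   "bitsadmin.exe", "curl.exe", "wget.exe")
SUSPICIOUS_CMDS = ("/dev/tcp", "base64 -d", "bash -i", "sh -i", "nc -e", "python -c",
                   "DownloadString", "Invoke-Expression", "IEX(", "--registry http")
NET_PROCS = ("node.exe", "npm", "pip", "python", "yarn", "gem", "cargo", "go.exe")
REGISTRY_ALLOWLIST = ("registry.npmjs.org", "pypi.org", "files.pythonhosted.org", "rubygems.org",
                      "crates.io", "nuget.org", "yarnpkg.com", "pkg.go.dev", "proxy.golang.org")
CICD_PATHS = (".github/workflows", ".gitlab-ci", "Jenkinsfile", ".circleci", "azure-pipelines", ".travis")

def _ilike(needles, value):
    """Case-insensitive substring test, the same check AQL's ILIKE '%x%' makes."""
    hay = (value or "").lower()
    return any(n.lower() in hay for n in needles)

def classify(ev, mirror_allowlist=(), bot_accounts=()):
    """DetectionArm for one event, or None. mirror_allowlist: internal Artifactory/
    Nexus/Verdaccio hosts; bot_accounts: Dependabot/Renovate accounts excluded from arm 3."""
    qid = ev.get("qidname", "")
    if "Process Create" in qid and (
            _ilike(PKG_PARENTS, ev.get("parent_process"))
            or _ilike(HOOK_PARENT_CMDS, ev.get("parent_command"))) and (
            _ilike(LOLBIN_CHILDREN, ev.get("process"))
            or _ilike(SUSPICIOUS_CMDS, ev.get("command"))):
        return "PackageManagerSpawnedSuspiciousChild"
    if ("Network Connect" in qid and _ilike(NET_PROCS, ev.get("process"))
            and not _ilike(REGISTRY_ALLOWLIST + tuple(mirror_allowlist), ev.get("url"))):
        return "PackageManagerUnexpectedExternalConnection"
    # Sysmon on Windows logs .github\workflows\ci.yml (Test 3); AQL '%.github/workflows%' would miss it.
    path = (ev.get("file_path") or "").replace("\\", "/")
    if _ilike(CICD_PATHS, path) and ev.get("username") not in bot_accounts:
        return "CICDPipelineFileModified"
    return None

# Constructed sample events modelled on the page's Atomic tests (not real telemetry).
SAMPLE_EVENTS = [
    {"qidname": "Process Create", "parent_process": "npm.cmd", "parent_command": "npm run postinstall",
     "process": "cmd.exe", "command": "cmd.exe /c whoami", "username": "dev1"},
    {"qidname": "Network Connect", "process": "node.exe", "url": "http://127.0.0.1:4873/lodash", "username": "dev1"},
    {"qidname": "Network Connect", "process": "node.exe", "url": "https://registry.npmjs.org/lodash", "username": "dev1"},
    {"qidname": "File Create", "file_path": r"C:\repo\.github\workflows\ci.yml", "username": "dev1"},
    {"qidname": "File Modify", "file_path": "/repo/.github/workflows/ci.yml", "username": "svc-renovate"},
]

def run(events=SAMPLE_EVENTS, **tuning):
    """(username, DetectionArm) for every event that fires, after tuning exclusions."""
    return [(e["username"], arm) for e in events if (arm := classify(e, **tuning))]
```

Calling `run()` with no tuning fires on four of the five constructed events; passing the Verdaccio host and the bot account as exclusions drops the two expected false positives.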

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulated Malicious npm postinstall Hook

    Expected signal: Sysmon Event ID 1: npm.cmd spawning cmd.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: file creation at %TEMP%\argus-npm-test.txt. DeviceProcessEvents: InitiatingProcessFileName=npm.cmd, FileName=cmd.exe.

  2. Test 2: Malicious pip setup.py Simulating Credential Exfiltration Pattern

    Expected signal: Sysmon for Linux (or auditd): process creation with ParentProcess=python3/pip, ChildProcess=id or sh. Auditd syscall execve with ppid of pip process. Syslog: process accounting entry for 'id' with parent pip.

  3. Test 3: Simulated GitHub Actions Workflow Poisoning

    Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename ending in .github\workflows\ci.yml, InitiatingProcessFileName=cmd.exe. DeviceFileEvents: FileName=ci.yml, FolderPath contains .github/workflows, ActionType=FileCreated.

  4. Test 4: npm Package Install from Non-Standard Registry (Registry Confusion)

    Expected signal: Sysmon EventCode=3 (Network Connection): Image=node, DestinationIp=127.0.0.1, DestinationPort=4873, DestinationHostname not in standard registry allowlist. DeviceNetworkEvents: InitiatingProcessFileName=node, RemotePort=4873.
