Detect Compromise Software Dependencies and Development Tools in Sumo Logic CSE
Adversaries manipulate software dependencies and development tools prior to receipt by a final consumer to compromise data or systems. This includes injecting malicious code into popular open source packages (npm, PyPI, RubyGems), registering typosquatted or abandoned package names, and poisoning CI/CD pipeline components such as GitHub Actions. Malicious packages commonly use preinstall/postinstall lifecycle hooks to execute arbitrary OS commands at install time, enabling immediate credential theft, reverse shell establishment, or persistent implant deployment. Detection focuses on package manager processes spawning unexpected child processes, outbound network connections from package manager child processes, CI/CD workflow file modifications, and installation from non-standard or suspicious registries.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1195 Supply Chain Compromise
- Sub-technique: T1195.001 Compromise Software Dependencies and Development Tools
- Canonical reference: https://attack.mitre.org/techniques/T1195/001/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| parse field=_raw "ParentImage=*" as parent_image nodrop
| parse field=_raw "Image=*" as process_image nodrop
| parse field=_raw "CommandLine=*" as command_line nodrop
| parse field=_raw "ParentCommandLine=*" as parent_command nodrop
| parse field=_raw "DestinationHostname=*" as dest_hostname nodrop
| parse field=_raw "TargetFilename=*" as target_file nodrop
| if (isNull(parent_image), "", toLowerCase(parent_image)) as parent_lower
| if (isNull(process_image), "", toLowerCase(process_image)) as process_lower
| if (isNull(command_line), "", toLowerCase(command_line)) as cmd_lower
| if (isNull(parent_command), "", toLowerCase(parent_command)) as parent_cmd_lower
// Arm 1: Flag package manager processes. Both the parent and the process itself are checked, because Sysmon Event ID 3 (used by Arm 2) carries no ParentImage and an "npm install --registry http://..." command line belongs to the package manager process, not its parent
| if (concat(parent_lower, " ", process_lower) matches /\b(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|pipx\.exe|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe|nuget\.exe|dotnet\.exe)\b/, 1, 0) as is_pkg_manager
// Flag suspicious child processes
| if (process_lower matches /\b(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)\b/, 1, 0) as is_suspicious_child
// Flag suspicious command line content
| if (cmd_lower matches /(\/dev\/tcp|base64 -d|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|downloadstring|downloadfile|invoke-expression|iex\(|curl http|wget http|--registry http)/, 1, 0) as has_suspicious_cmd
// Flag lifecycle hook indicators in parent command
| if (parent_cmd_lower matches /(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)/, 1, 0) as is_hook_abuse
// Arm 2: Package manager network anomalies
| if (is_pkg_manager = 1 AND !isNull(dest_hostname) AND !(dest_hostname matches /(registry\.npmjs\.org|pypi\.org|files\.pythonhosted\.org|rubygems\.org|crates\.io|nuget\.org|pkg\.go\.dev|proxy\.golang\.org|yarnpkg\.com|registry\.yarnpkg\.com)/), 1, 0) as is_net_anomaly
// Arm 3: CI/CD file creation or modification events (both path separators accepted so Windows TargetFilename values such as .github\workflows\ci.yml match)
| if (!isNull(target_file) AND target_file matches /(\.github[\\\/]workflows|\.gitlab-ci|Jenkinsfile|\.circleci|\.travis|azure-pipelines|Makefile|CMakeLists\.txt|build\.gradle|pom\.xml)/, 1, 0) as is_cicd_mod
// Assign detection arm and calculate risk score
| if (is_pkg_manager = 1 AND (is_suspicious_child = 1 OR has_suspicious_cmd = 1), "PackageManagerSpawnedSuspiciousChild",
if (is_hook_abuse = 1 AND is_suspicious_child = 1, "LifecycleHookChildProcess",
if (is_net_anomaly = 1, "PackageManagerUnexpectedExternalConnection",
if (is_cicd_mod = 1, "CICDPipelineFileModified", "")))) as detection_arm
| where detection_arm != ""
| is_pkg_manager + is_suspicious_child + has_suspicious_cmd + is_hook_abuse + is_net_anomaly + is_cicd_mod as risk_score
| fields _messageTime, %host, %user, process_image, command_line, parent_image, parent_command, dest_hostname, target_file, detection_arm, risk_score
| sort by _messageTime desc

Detects T1195.001 supply chain compromise using Sumo Logic by parsing Sysmon operational log fields across four detection conditions: (1) package manager parent processes spawning suspicious OS-level child processes (PowerShell, cmd, wscript, certutil, bitsadmin) as indicators of lifecycle hook exploitation; (1b) lifecycle hook command patterns in the parent command line spawning suspicious children; (2) package manager network connections to non-standard registries bypassing the known-good allowlist; (3) CI/CD pipeline file creation and modification events. Assigns a composite risk score (0–6) to prioritize the highest-confidence detections. Requires Sysmon EventCode 1 (Process Create), 3 (Network Connect), and 11 (File Create) forwarded to Sumo Logic.
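As an added example that is not part of the original rule, the four arms and the risk score above are transcribed into Python and run over constructed Sysmon-style events, so the query's decision logic can be checked offline before deployment. Field names follow the query; the sample events are constructed, and the package-manager check also covers the Image field because Sysmon Event ID 3 has no ParentImage.

```python
import re

# The regexes below transcribe the Sumo query's arms; like the query, process fields are lower-cased first.
PKG_MANAGER = re.compile(r"\b(npm\.cmd|npm\.exe|node\.exe|pip\.exe|pip3\.exe|python\.exe|python3\.exe|pipx\.exe"
                         r"|yarn\.exe|pnpm\.exe|gem\.exe|bundle\.exe|cargo\.exe|go\.exe|nuget\.exe|dotnet\.exe)\b")
SUSPICIOUS_CHILD = re.compile(r"\b(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe"
                              r"|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)\b")
SUSPICIOUS_CMD = re.compile(r"(/dev/tcp|base64 -d|bash -i|sh -i|nc -e|ncat -e|python -c|perl -e|ruby -e|downloadstring"
                            r"|downloadfile|invoke-expression|iex\(|curl http|wget http|--registry http)")
HOOK = re.compile(r"(postinstall|preinstall|install\.js|setup\.py|node-pre-gyp)")
# Unanchored substring allowlist, as in the query; anchor it (^...$) if your hostnames are bare.
KNOWN_REGISTRY = re.compile(r"(registry\.npmjs\.org|pypi\.org|files\.pythonhosted\.org|rubygems\.org|crates\.io"
                            r"|nuget\.org|pkg\.go\.dev|proxy\.golang\.org|yarnpkg\.com|registry\.yarnpkg\.com)")
# Both path separators are accepted so a Windows TargetFilename such as .github\workflows\ci.yml matches.
CICD_FILE = re.compile(r"(\.github[\\/]workflows|\.gitlab-ci|Jenkinsfile|\.circleci|\.travis|azure-pipelines"
                       r"|Makefile|CMakeLists\.txt|build\.gradle|pom\.xml)")

def evaluate(ev):
    """Return (detection_arm, risk_score) for one Sysmon-style event dict, or None if no arm fires."""
    parent, image = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
    cmd, parent_cmd = ev.get("CommandLine", "").lower(), ev.get("ParentCommandLine", "").lower()
    dest, target = ev.get("DestinationHostname"), ev.get("TargetFilename")
    # Event ID 3 (network) has no ParentImage, so the package manager may be the process itself.
    is_pkg = bool(PKG_MANAGER.search(parent) or PKG_MANAGER.search(image))
    is_child = bool(SUSPICIOUS_CHILD.search(image))
    has_cmd = bool(SUSPICIOUS_CMD.search(cmd))
    is_hook = bool(HOOK.search(parent_cmd))
    is_net = is_pkg and dest is not None and not KNOWN_REGISTRY.search(dest)
    is_cicd = target is not None and bool(CICD_FILE.search(target))
    if is_pkg and (is_child or has_cmd):      # Arm 1
        arm = "PackageManagerSpawnedSuspiciousChild"
    elif is_hook and is_child:                # Arm 1b
        arm = "LifecycleHookChildProcess"
    elif is_net:                              # Arm 2
        arm = "PackageManagerUnexpectedExternalConnection"
    elif is_cicd:                             # Arm 3
        arm = "CICDPipelineFileModified"
    else:
        return None                           # the query's `where detection_arm != ""`
    return arm, sum([is_pkg, is_child, has_cmd, is_hook, is_net, is_cicd])

# Constructed sample events modelled on the page's Tests 1, 4 and 3, plus a benign install (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\nodejs\npm.cmd", "ParentCommandLine": "npm install",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"Image": r"C:\Program Files\nodejs\node.exe", "DestinationHostname": "localhost"},
    {"Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\repo\.github\workflows\ci.yml"},
    {"Image": r"C:\Program Files\nodejs\node.exe", "DestinationHostname": "registry.npmjs.org"},
]
```

Running `evaluate` over `SAMPLE_EVENTS` yields arms 1, 2 and 3 with a risk score of 2 each, and `None` for the benign install to the allowlisted registry.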
False Positives & Tuning
- Native module compilation during npm install via node-gyp invokes cmd.exe or sh to run C/C++ compiler toolchains — particularly common in packages like bcrypt, canvas, sharp, sqlite3 on developer workstations with build tools installed; validate by checking if the grandparent process is an IDE or terminal
- Electron-based desktop application builds that use npm scripts to invoke Python for node-gyp or PowerShell for code signing and packaging steps will trigger Arm 1 on build servers; add known build agent hostnames to an allowlist
- Security scanning and software composition analysis (SCA) tools such as Snyk CLI, npm audit, or pip-audit make outbound connections to vulnerability databases and advisory feeds not included in the standard package registry allowlist — these will trigger Arm 2 from pip/npm processes
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulated Malicious npm postinstall Hook
  Expected signal: Sysmon Event ID 1: npm.cmd spawning cmd.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: file creation at %TEMP%\argus-npm-test.txt. DeviceProcessEvents: InitiatingProcessFileName=npm.cmd, FileName=cmd.exe.
- Test 2: Malicious pip setup.py Simulating Credential Exfiltration Pattern
  Expected signal: Sysmon for Linux (or auditd): process creation with ParentProcess=python3/pip, ChildProcess=id or sh. Auditd syscall execve with ppid of pip process. Syslog: process accounting entry for 'id' with parent pip.
- Test 3: Simulated GitHub Actions Workflow Poisoning
  Expected signal: Sysmon Event ID 11 (FileCreated): TargetFilename ending in .github\workflows\ci.yml, InitiatingProcessFileName=cmd.exe. DeviceFileEvents: FileName=ci.yml, FolderPath contains .github/workflows, ActionType=FileCreated.
- Test 4: npm Package Install from Non-Standard Registry (Registry Confusion)
  Expected signal: Sysmon EventCode=3 (Network Connection): Image=node, DestinationIp=127.0.0.1, DestinationPort=4873, DestinationHostname not in standard registry allowlist. DeviceNetworkEvents: InitiatingProcessFileName=node, RemotePort=4873.
References
- https://attack.mitre.org/techniques/T1195/001/
- https://www.paloaltonetworks.com/blog/cloud-security/github-actions-worm-dependencies/
- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack
- https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/
- https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
- https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution
- https://hackread.com/backdoors-python-npm-packages-windows-linux/
- https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack
- https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
- https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.001/T1195.001.md