T1195.002

Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Real-world examples include SUNSPOT injecting SUNBURST into SolarWinds Orion builds, CCBkdr backdooring CCleaner 5.33, and Sandworm replacing M.E.Doc updates with NotPetya. Detection focuses on post-installation behavioral anomalies: legitimate software exhibiting unexpected child process execution, unusual outbound connectivity, suspicious DLL loading, and credential access patterns that should never originate from trusted update mechanisms.

Microsoft Sentinel / Defender

kusto

let SoftwareInstallerProcesses = dynamic([
  "msiexec.exe", "setup.exe", "install.exe", "installer.exe",
  "update.exe", "updater.exe", "autoupdate.exe", "softwareupdate.exe",
  "uninst.exe", "uninstall.exe", "patch.exe", "patchinstall.exe"
]);
let SuspiciousChildProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
  "bitsadmin.exe", "wmic.exe", "msbuild.exe", "installutil.exe",
  "regasm.exe", "cmstp.exe", "control.exe", "msiexec.exe"
]);
let KnownBuildTools = dynamic([
  "msbuild.exe", "devenv.exe", "cl.exe", "link.exe",
  "csc.exe", "vbc.exe", "dotnet.exe", "gradle", "maven"
]);
// Query 1: Installers/updaters spawning suspicious child processes
let InstallerChildProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SoftwareInstallerProcesses)
| where FileName in~ (SuspiciousChildProcesses)
| extend DetectionType = "Installer_Spawned_Suspicious_Child"
| project Timestamp, DeviceName, AccountName, DetectionType,
         FileName, ProcessCommandLine, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName;
// Query 2: Trusted vendor update processes making outbound connections to non-standard destinations
let UpdateNetworkAnomalies = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SoftwareInstallerProcesses)
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443, 8080, 8443)
| extend DetectionType = "Updater_Nonstandard_Port_Outbound"
| project Timestamp, DeviceName, DetectionType,
         RemoteIP, RemotePort, RemoteUrl,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
// Query 3: Executables written by update/install processes to suspicious paths then immediately executed
let SuspiciousDropAndExecute = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ (SoftwareInstallerProcesses)
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".ps1"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\")
| extend DetectionType = "Updater_Dropped_Executable_In_Temp"
| project Timestamp, DeviceName, DetectionType,
         FolderPath, FileName, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
// Query 4: Build system processes creating executables in unexpected locations (SUNSPOT-style)
let BuildToolAnomalies = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (KnownBuildTools)
| where FileName in~ (SuspiciousChildProcesses)
| where not(ProcessCommandLine has_any ("--help", "-help", "/?"))
| extend DetectionType = "BuildTool_Spawned_Suspicious_Process"
| project Timestamp, DeviceName, AccountName, DetectionType,
         FileName, ProcessCommandLine, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
// Combine all detections
InstallerChildProcesses
| union UpdateNetworkAnomalies
| union SuspiciousDropAndExecute
| union BuildToolAnomalies
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Legitimate software updaters that use PowerShell or cmd.exe as part of their post-install configuration (e.g., some enterprise software uses PowerShell for environment setup after MSI installation)
Build systems that invoke utility scripts via cmd.exe or PowerShell during compilation steps — common in CI/CD pipelines where MSBuild calls post-build scripts
Software vendors using non-standard ports for update delivery (e.g., some enterprise patch management solutions use custom ports for update traffic)
IT provisioning tools (SCCM, Intune, Chocolatey) that install software via msiexec.exe and then run PowerShell configuration scripts as part of normal deployment workflows
Development workstations where build tools (devenv.exe, dotnet.exe) regularly invoke scripts during local builds

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(EventCode=1 OR EventCode=3 OR EventCode=11 OR EventCode=4688)
| eval ParentProcess=lower(coalesce(ParentImage, InitiatingProcessFileName, ""))
| eval ChildProcess=lower(coalesce(Image, NewProcessName, ""))
| eval CmdLine=lower(coalesce(CommandLine, ProcessCommandLine, ""))
| eval ParentCmdLine=lower(coalesce(ParentCommandLine, ""))
```
// Normalize process name from full path
| eval ParentProcessName=mvindex(split(ParentProcess, "\\"), -1)
| eval ChildProcessName=mvindex(split(ChildProcess, "\\"), -1)
```
| eval IsInstallerParent=if(match(ParentProcessName, "^(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$"), 1, 0)
| eval IsSuspiciousChild=if(match(ChildProcessName, "^(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe$"), 1, 0)
| eval IsBuildToolParent=if(match(ParentProcessName, "^(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe$"), 1, 0)
| eval DroppedInTemp=if(EventCode=11 AND match(TargetFilename, "(?i)(\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\)") AND match(TargetFilename, "(?i)\.(exe|dll|ps1|bat|vbs|js)$") AND IsInstallerParent=1, 1, 0)
| eval EncodedInCmd=if(match(CmdLine, "(-encodedcommand|-enc\s|-e\s|-ec\s|base64)"), 1, 0)
| eval NetworkOnNonstandardPort=if(EventCode=3 AND IsInstallerParent=1 AND NOT match(DestinationPort, "^(80|443|8080|8443)$") AND NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), 1, 0)
| eval DetectionType=case(
    IsInstallerParent=1 AND IsSuspiciousChild=1, "Installer_Spawned_Suspicious_Child",
    IsBuildToolParent=1 AND IsSuspiciousChild=1, "BuildTool_Spawned_Suspicious_Process",
    DroppedInTemp=1, "Updater_Dropped_Executable_In_Temp",
    NetworkOnNonstandardPort=1, "Updater_Nonstandard_Port_Outbound",
    true(), null()
  )
| where isnotnull(DetectionType)
| eval SuspicionScore=IsInstallerParent + IsSuspiciousChild + IsBuildToolParent + DroppedInTemp + EncodedInCmd + NetworkOnNonstandardPort
| table _time, host, User, DetectionType, SuspicionScore, ParentProcessName, ChildProcessName, CmdLine, ParentCmdLine, DestinationIp, DestinationPort, TargetFilename
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 3 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate post-install scripts: enterprise software (Oracle, SAP, Adobe) frequently launches PowerShell or cmd.exe from msiexec.exe for environment configuration after installation
CI/CD pipelines: MSBuild, devenv, and dotnet regularly invoke PowerShell scripts for post-build steps on developer workstations and build servers
Patch management platforms (SCCM, PDQ Deploy, Chocolatey) that orchestrate installs via msiexec and follow up with configuration scripts
Software distributed via enterprise tools that stage payloads in %TEMP% before final installation — this is a common pattern for self-extracting archives
Legitimate update servers for enterprise software (Symantec, CrowdStrike, Splunk forwarders) that use non-443 ports for update delivery

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start"
    and process.parent.name in~ ("msiexec.exe", "setup.exe", "install.exe", "installer.exe", "update.exe", "updater.exe", "autoupdate.exe", "softwareupdate.exe", "uninst.exe", "uninstall.exe", "patch.exe", "patchinstall.exe")
    and process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "cmstp.exe", "control.exe")]
  [any where true]

sequence by host.id with maxspan=2m
  [file where event.type == "creation"
    and process.name in~ ("msiexec.exe", "setup.exe", "install.exe", "installer.exe", "update.exe", "updater.exe", "autoupdate.exe", "softwareupdate.exe", "uninst.exe", "uninstall.exe", "patch.exe", "patchinstall.exe")
    and file.extension in ("exe", "dll", "ps1", "bat", "vbs", "js")
    and (file.path like~ "*\\Temp\\*" or file.path like~ "*\\AppData\\Local\\Temp\\*" or file.path like~ "*\\Windows\\Temp\\*")]
  [process where event.type == "start"
    and process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe")]

critical severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate enterprise software installers (e.g., Microsoft Office, Adobe) that invoke PowerShell or cmd.exe post-install for configuration tasks — validate SHA256 hash and certificate chain of installer
IT management tooling (SCCM, Intune, Ansible) that uses update.exe or install.exe wrappers to orchestrate post-install configuration scripts via PowerShell
Developer workstations running build pipelines where msiexec is invoked programmatically and legitimately spawns shell processes for packaging tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  destinationip,
  destinationport,
  LOWER("ParentProcessPath") AS parent_process,
  LOWER("ProcessPath") AS child_process,
  "CommandLine" AS command_line,
  "TargetFilePath" AS target_file,
  CASE
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
     AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe'
    THEN 'Installer_Spawned_Suspicious_Child'
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe'
     AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe'
    THEN 'BuildTool_Spawned_Suspicious_Process'
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
     AND LOWER("TargetFilePath") SIMILAR TO '%(\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\)%'
     AND LOWER("TargetFilePath") SIMILAR TO '%(exe|dll|ps1|bat|vbs|js)'
    THEN 'Updater_Dropped_Executable_In_Temp'
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
     AND destinationport NOT IN (80, 443, 8080, 8443)
     AND NOT (destinationip BETWEEN '10.0.0.0' AND '10.255.255.255'
         OR destinationip BETWEEN '172.16.0.0' AND '172.31.255.255'
         OR destinationip BETWEEN '192.168.0.0' AND '192.168.255.255')
    THEN 'Updater_Nonstandard_Port_Outbound'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15, 143, 352)
  AND starttime > NOW() - 1 DAYS
  AND (
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
     AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe')
    OR
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe'
     AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic)\.exe')
    OR
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
     AND LOWER("TargetFilePath") SIMILAR TO '%(\\temp\\|\\windows\\temp\\|\\appdata\\local\\temp\\)%'
     AND LOWER("TargetFilePath") SIMILAR TO '%(exe|dll|ps1)')
  )
ORDER BY starttime DESC

critical severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log Sysmon Microsoft Defender for Endpoint

Required Tables

events

False Positives

Enterprise patch management solutions (WSUS, SCCM) invoking PowerShell for post-patch configuration on managed endpoints — correlate with change management tickets
Software vendors whose legitimate updaters use non-standard ports (e.g., some game launchers, creative software update services) — maintain an allowlist of known-good update endpoint IP/port pairs
CI/CD agents on developer workstations where msbuild.exe or dotnet.exe legitimately spawn cmd.exe/PowerShell for build scripts — scope detections to non-developer endpoint OUs

Sumo Logic CSE

sql

_sourceCategory=windows* AND ("EventCode=1" OR "EventCode=3" OR "EventCode=11" OR "EventCode=4688")
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImageRaw nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as ChildImageRaw nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='DestinationIp'>*</Data>" as DestinationIp nodrop
| parse field=_raw "<Data Name='DestinationPort'>*</Data>" as DestinationPort nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "EventCode=*" as EventCode nodrop
| eval ParentProcessName = replace(ParentImageRaw, "(.+\\\\)", "")
| eval ChildProcessName = replace(ChildImageRaw, "(.+\\\\)", "")
| eval ParentLower = toLowerCase(ParentProcessName)
| eval ChildLower = toLowerCase(ChildProcessName)
| eval CmdLineLower = toLowerCase(CommandLine)
| eval TargetLower = toLowerCase(TargetFilename)
| eval IsInstallerParent = if(ParentLower matches "msiexec.exe" or ParentLower matches "setup.exe" or ParentLower matches "install.exe" or ParentLower matches "installer.exe" or ParentLower matches "update.exe" or ParentLower matches "updater.exe" or ParentLower matches "autoupdate.exe" or ParentLower matches "softwareupdate.exe" or ParentLower matches "uninst.exe" or ParentLower matches "uninstall.exe" or ParentLower matches "patch.exe" or ParentLower matches "patchinstall.exe", 1, 0)
| eval IsBuildToolParent = if(ParentLower matches "msbuild.exe" or ParentLower matches "devenv.exe" or ParentLower matches "cl.exe" or ParentLower matches "link.exe" or ParentLower matches "csc.exe" or ParentLower matches "vbc.exe" or ParentLower matches "dotnet.exe", 1, 0)
| eval IsSuspiciousChild = if(ChildLower matches "powershell.exe" or ChildLower matches "pwsh.exe" or ChildLower matches "cmd.exe" or ChildLower matches "wscript.exe" or ChildLower matches "cscript.exe" or ChildLower matches "mshta.exe" or ChildLower matches "regsvr32.exe" or ChildLower matches "rundll32.exe" or ChildLower matches "certutil.exe" or ChildLower matches "bitsadmin.exe" or ChildLower matches "wmic.exe" or ChildLower matches "installutil.exe" or ChildLower matches "regasm.exe" or ChildLower matches "cmstp.exe", 1, 0)
| eval DroppedInTemp = if(EventCode = "11" and (TargetLower contains "\\temp\\" or TargetLower contains "\\appdata\\local\\temp\\" or TargetLower contains "\\windows\\temp\\") and (TargetLower matches "*.exe" or TargetLower matches "*.dll" or TargetLower matches "*.ps1" or TargetLower matches "*.bat") and IsInstallerParent = 1, 1, 0)
| eval IsEncodedCmd = if(CmdLineLower contains "-encodedcommand" or CmdLineLower contains "-enc " or CmdLineLower contains "-e " or CmdLineLower contains "base64", 1, 0)
| eval NonStandardPortOutbound = if(EventCode = "3" and IsInstallerParent = 1 and DestinationPort != "80" and DestinationPort != "443" and DestinationPort != "8080" and DestinationPort != "8443" and !DestinationIp matches "10.*" and !DestinationIp matches "192.168.*" and !DestinationIp matches "172.1[6-9].*" and !DestinationIp matches "172.2[0-9].*" and !DestinationIp matches "172.3[01].*", 1, 0)
| eval DetectionType = if(IsInstallerParent = 1 and IsSuspiciousChild = 1, "Installer_Spawned_Suspicious_Child",
    if(IsBuildToolParent = 1 and IsSuspiciousChild = 1, "BuildTool_Spawned_Suspicious_Process",
      if(DroppedInTemp = 1, "Updater_Dropped_Executable_In_Temp",
        if(NonStandardPortOutbound = 1, "Updater_Nonstandard_Port_Outbound", null))))
| where !isNull(DetectionType)
| eval SuspicionScore = IsInstallerParent + IsSuspiciousChild + IsBuildToolParent + DroppedInTemp + IsEncodedCmd + NonStandardPortOutbound
| fields _messageTime, Computer, User, DetectionType, SuspicionScore, ParentProcessName, ChildProcessName, CommandLine, DestinationIp, DestinationPort, TargetFilename
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon Windows Security Event Log

Required Tables

_sourceCategory=windows*

False Positives

Third-party software distribution platforms (e.g., Chocolatey, Scoop, Ninite) that wrap installer processes in PowerShell or cmd.exe scripts as part of their normal packaging workflow
Antivirus or endpoint protection update mechanisms that write signature files or update components to temp directories as part of legitimate update processes
Enterprise application packaging tools (e.g., InstallShield, NSIS, WiX) that use build tool chains including msbuild.exe that legitimately invoke PowerShell for post-build actions during development

Google Chronicle / SecOps

yaral

rule T1195_002_Supply_Chain_Compromise_Behavioral {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1195.002 supply chain compromise post-delivery behavioral indicators: installer/updater processes spawning suspicious child processes, build tools spawning LOLBins (SUNSPOT-style), update processes dropping executables in temp directories, and updaters making outbound connections on non-standard ports."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.002"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1195/002/"
    created = "2026-04-18"
    version = "1.0"

  events:
    // Branch 1: Installer/updater spawning suspicious LOLBin child process
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path != ""
    re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe$`)
    re.regex($e1.principal.process.file.full_path, `(?i)(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$`)
    $e1.principal.hostname = $hostname
    $e1.metadata.event_timestamp.seconds > 0

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if($e1.target.process.command_line = /(-encodedcommand|-enc\s|-e\s|-ec\s|base64)/i, 90, 70)
    )
    $detection_type = "Installer_Spawned_Suspicious_Child"
    $parent_process = $e1.principal.process.file.full_path
    $child_process = $e1.target.process.file.full_path
    $command_line = $e1.target.process.command_line
    $device = $hostname
    $user = $e1.principal.user.userid

  condition:
    $e1
}

rule T1195_002_Supply_Chain_BuildTool_Anomaly {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SUNSPOT-style supply chain compromise where build tools (MSBuild, devenv, cl.exe) spawn suspicious shell or LOLBin processes — a hallmark of build system injection attacks."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.002"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1195/002/"
    created = "2026-04-18"
    version = "1.0"

  events:
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e2.principal.process.file.full_path, `(?i)(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe$`)
    re.regex($e2.target.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|installutil|regasm|cmstp)\.exe$`)
    not re.regex($e2.target.process.command_line, `(?i)(--help|-help|/\?)`)
    $e2.principal.hostname = $host2

  match:
    $host2 over 2m

  outcome:
    $risk_score = 85
    $detection_type = "BuildTool_Spawned_Suspicious_Process"
    $parent_proc = $e2.principal.process.file.full_path
    $child_proc = $e2.target.process.file.full_path
    $cmd = $e2.target.process.command_line

  condition:
    $e2
}

rule T1195_002_Supply_Chain_TempDropAndExecute {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects supply chain compromise where installer/update processes drop executables or scripts into Windows temp directories — a common post-compromise staging behavior."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.002"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1195/002/"
    created = "2026-04-18"
    version = "1.0"

  events:
    $e3.metadata.event_type = "FILE_CREATION"
    re.regex($e3.principal.process.file.full_path, `(?i)(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$`)
    re.regex($e3.target.file.full_path, `(?i)(\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\)`)
    re.regex($e3.target.file.full_path, `(?i)\.(exe|dll|ps1|bat|vbs|js)$`)
    $e3.principal.hostname = $host3
    $e4.metadata.event_type = "PROCESS_LAUNCH"
    $e4.principal.hostname = $host3
    re.regex($e4.target.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32)\.exe$`)

  match:
    $host3 over 3m

  outcome:
    $risk_score = 80
    $detection_type = "Updater_Dropped_And_Executed_In_Temp"
    $dropped_file = $e3.target.file.full_path
    $installer = $e3.principal.process.file.full_path

  condition:
    $e3 and $e4
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Google Security Operations Windows Endpoint Telemetry Sysmon via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH, FILE_CREATION, NETWORK_CONNECTION)

False Positives

Software deployment automation frameworks like Puppet or Chef that legitimately invoke installer wrapper scripts which then call PowerShell for configuration management tasks on managed nodes
Microsoft Visual Studio and .NET SDK toolchains where msbuild.exe or dotnet.exe invoke cmd.exe or PowerShell for legitimate test runner invocations, code generation, or project scaffolding
Custom enterprise software update clients (e.g., internal update frameworks for line-of-business apps) that write updated components to temp directories before moving them to their final install path

CrowdStrike LogScale (CQL)

cql

// Branch 1: Installer/updater spawning suspicious child processes
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$/
| FileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe$/
| DetectionType := "Installer_Spawned_Suspicious_Child"
| SuspicionScore := 2
| CommandLineHasEncoding := if(CommandLine = /(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|base64)/, "true", "false")
| SuspicionScore := if(CommandLineHasEncoding = "true", SuspicionScore + 2, SuspicionScore)
| select([timestamp, ComputerName, UserName, DetectionType, SuspicionScore, ParentBaseFileName, FileName, CommandLine, ParentCommandLine, SHA256HashData])
| sort(timestamp, order=desc)

// Branch 2: Build tool spawning suspicious child processes (SUNSPOT-style)
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe$/
| FileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|installutil|regasm|cmstp)\.exe$/
| CommandLine != /(?i)(--help|-help|\/\?)/
| DetectionType := "BuildTool_Spawned_Suspicious_Process"
| SuspicionScore := 3
| SuspicionScore := if(CommandLine = /(?i)(-encodedcommand|-enc\s|base64)/, SuspicionScore + 2, SuspicionScore)
| select([timestamp, ComputerName, UserName, DetectionType, SuspicionScore, ParentBaseFileName, FileName, CommandLine, SHA256HashData])
| sort(timestamp, order=desc)

// Branch 3: Updater dropping executable in temp directory
#event_simpleName=AsepValueUpdate OR #event_simpleName=PeFileWritten
| ContextBaseFileName = /(?i)^(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$/
| TargetFileName = /(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)/
| TargetFileName = /(?i)\.(exe|dll|ps1|bat|vbs|js)$/
| DetectionType := "Updater_Dropped_Executable_In_Temp"
| SuspicionScore := 3
| select([timestamp, ComputerName, DetectionType, SuspicionScore, ContextBaseFileName, TargetFileName, SHA256HashData])
| sort(timestamp, order=desc)

// Branch 4: Installer process making outbound connection on non-standard port to public IP
#event_simpleName=NetworkConnectIP4
| ImageFileName = /(?i)(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$/
| RemotePort != 80
| RemotePort != 443
| RemotePort != 8080
| RemotePort != 8443
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| DetectionType := "Updater_Nonstandard_Port_Outbound"
| SuspicionScore := 2
| groupBy([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort, DetectionType], function=count(as=EventCount))
| EventCount >= 1
| sort(ComputerName, order=asc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon Platform Falcon Sensor Telemetry

Required Tables

ProcessRollup2 NetworkConnectIP4 PeFileWritten AsepValueUpdate

False Positives

CrowdStrike Falcon sensor updates or other endpoint security product updates that use updater.exe processes and may make outbound connections on non-standard ports to vendor update infrastructure — add known EDR update process hashes to an exclusion list
Package managers and developer tooling (npm, pip, cargo, go modules) invoked during CI pipeline execution on developer or build endpoints where dotnet.exe or msbuild.exe legitimately shells out for dependency resolution
Custom LOB application updaters in enterprise environments that write DLLs or EXEs to temp directories as part of a staged update process before moving files to their final install path — validate against software deployment change records

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1195.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1195Supply Chain Compromise

Related Sub-techniques

T1195.001Compromise Software Dependencies and Development Tools T1195.003Compromise Hardware Supply Chain

Compromise Software Supply Chain

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections