T1195.002 Google Chronicle · YARA-L

Detect Compromise Software Supply Chain in Google Chronicle

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Real-world examples include SUNSPOT injecting SUNBURST into SolarWinds Orion builds, CCBkdr backdooring CCleaner 5.33, and Sandworm replacing M.E.Doc updates with NotPetya. Detection focuses on post-installation behavioral anomalies: legitimate software exhibiting unexpected child process execution, unusual outbound connectivity, suspicious DLL loading, and credential access patterns that should never originate from trusted update mechanisms.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1195 Supply Chain Compromise
Sub-technique: T1195.002 Compromise Software Supply Chain
Canonical reference: https://attack.mitre.org/techniques/T1195/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1195_002_Supply_Chain_Compromise_Behavioral {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1195.002 post-delivery behavioral indicators: installer/updater processes spawning suspicious LOLBin child processes, scored higher when the child command line looks encoded. Companion rules in this set cover build-tool anomalies (SUNSPOT-style) and installers dropping executables into temp directories."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.002"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1195/002/"
    created = "2026-04-18"
    version = "1.0"

  events:
    // Installer/updater parent spawning a LOLBin child. The parent pattern is an
    // unanchored suffix match on purpose, so names such as GoogleUpdate.exe also
    // qualify; prefix the group with \\ if that proves too broad in your estate.
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.process.file.full_path != ""
    re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe$`)
    re.regex($e1.principal.process.file.full_path, `(?i)(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$`)
    $e1.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    // A match window can hold several events per host, so every event field
    // is aggregated; only the match variable ($hostname) may be used directly.
    $risk_score = max(
      if(re.regex($e1.target.process.command_line, `(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|base64)`), 90, 70)
    )
    $detection_type = "Installer_Spawned_Suspicious_Child"
    $parent_process = array_distinct($e1.principal.process.file.full_path)
    $child_process = array_distinct($e1.target.process.file.full_path)
    $command_line = array_distinct($e1.target.process.command_line)
    $device = $hostname
    $user = array_distinct($e1.principal.user.userid)

  condition:
    $e1
}

rule T1195_002_Supply_Chain_BuildTool_Anomaly {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SUNSPOT-style supply chain compromise where build tools (MSBuild, devenv, cl.exe) spawn suspicious shell or LOLBin processes — a hallmark of build system injection attacks."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.002"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1195/002/"
    created = "2026-04-18"
    version = "1.0"

  events:
    // Build tool parent spawning a shell or LOLBin. The leading \\ anchors the
    // tool name to a path component so that short names such as cl or link do
    // not match unrelated binaries ending in the same letters.
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e2.principal.process.file.full_path, `(?i)\\(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe$`)
    re.regex($e2.target.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|installutil|regasm|cmstp)\.exe$`)
    // Ignore help invocations, which are common in build scripts.
    not re.regex($e2.target.process.command_line, `(?i)(--help|-help|/\?)`)
    $e2.principal.hostname = $host2

  match:
    $host2 over 2m

  outcome:
    $risk_score = 85
    $detection_type = "BuildTool_Spawned_Suspicious_Process"
    $parent_proc = array_distinct($e2.principal.process.file.full_path)
    $child_proc = array_distinct($e2.target.process.file.full_path)
    $cmd = array_distinct($e2.target.process.command_line)

  condition:
    $e2
}

rule T1195_002_Supply_Chain_TempDropAndExecute {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects supply chain compromise where installer/update processes drop executables or scripts into Windows temp directories — a common post-compromise staging behavior."
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1195.002"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1195/002/"
    created = "2026-04-18"
    version = "1.0"

  events:
    // $e3: an installer-like process writes an executable or script into a temp directory.
    $e3.metadata.event_type = "FILE_CREATION"
    re.regex($e3.principal.process.file.full_path, `(?i)(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$`)
    re.regex($e3.target.file.full_path, `(?i)(\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\)`)
    re.regex($e3.target.file.full_path, `(?i)\.(exe|dll|ps1|bat|vbs|js)$`)
    $e3.principal.hostname = $host3
    // $e4: a LOLBin launch on the same host. Correlation is by host and window only,
    // so any such launch within the 3-minute window completes the match whether or
    // not it runs the dropped file; expect noise on build and deployment hosts.
    $e4.metadata.event_type = "PROCESS_LAUNCH"
    $e4.principal.hostname = $host3
    re.regex($e4.target.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32)\.exe$`)

  match:
    $host3 over 3m

  outcome:
    $risk_score = 80
    $detection_type = "Updater_Dropped_And_Executed_In_Temp"
    $dropped_file = array_distinct($e3.target.file.full_path)
    $installer = array_distinct($e3.principal.process.file.full_path)

  condition:
    $e3 and $e4
}
Severity: critical · Confidence: high

Three YARA-L 2.0 rules for Chronicle SIEM covering T1195.002 supply chain compromise behavioral patterns: (1) installer/updater spawning suspicious LOLBin child processes with optional encoded command scoring, (2) build tool spawning unexpected shell processes (SUNSPOT-style build injection), and (3) update processes dropping executables in temp directories followed by execution. Uses UDM PROCESS_LAUNCH and FILE_CREATION event types with regex matching on process paths.
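To make the first rule's match and outcome semantics concrete, the following Python emulation (an added example, not part of the rule set and not Chronicle's engine) runs the installer-parent/LOLBin-child logic over constructed UDM-style events; fixed 5-minute buckets per hostname stand in for the `match: $hostname over 5m` window, and the constructed hostnames, paths and command lines are assumptions.

```python
import re
from collections import defaultdict
# Regexes copied from the rule; Python's re accepts the same leading (?i) flag as RE2.
PARENT_RE = re.compile(r"(?i)(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe$")
CHILD_RE = re.compile(r"(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe$")
ENCODED_RE = re.compile(r"(?i)(-encodedcommand|-enc\s|-e\s|-ec\s|base64)")
WINDOW_SECONDS = 5 * 60  # "match: $hostname over 5m"

def event_matches(ev):
    """events section: a PROCESS_LAUNCH whose parent is installer-like and whose child is a LOLBin."""
    return (ev["event_type"] == "PROCESS_LAUNCH" and ev["parent_path"] != ""
            and PARENT_RE.search(ev["parent_path"]) is not None
            and CHILD_RE.search(ev["child_path"]) is not None)

def risk_score(ev):
    """outcome: 90 when the child's command line looks encoded, otherwise 70."""
    return 90 if ENCODED_RE.search(ev["cmdline"]) else 70

def run_rule(events):
    """Group matching events per hostname (fixed 5-minute buckets stand in for the match
    window) and aggregate the outcome fields the way max() and array_distinct() do."""
    buckets = defaultdict(list)
    for ev in events:
        if event_matches(ev):
            buckets[(ev["hostname"], ev["ts"] // WINDOW_SECONDS)].append(ev)
    return [{"device": host,
             "risk_score": max(risk_score(e) for e in evs),
             "parent_process": sorted({e["parent_path"] for e in evs}),
             "child_process": sorted({e["child_path"] for e in evs}),
             "event_count": len(evs)}
            for (host, _), evs in sorted(buckets.items())]

# Constructed sample telemetry: hostnames, paths, timestamps and command lines are made up.
SAMPLE_EVENTS = [
    {"hostname": "ws-a", "ts": 1000, "event_type": "PROCESS_LAUNCH",
     "parent_path": r"C:\Windows\System32\msiexec.exe", "child_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -enc <base64-placeholder>"},
    {"hostname": "ws-a", "ts": 1030, "event_type": "PROCESS_LAUNCH",  # GoogleUpdate.exe matches update\.exe$ by substring
     "parent_path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "child_path": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo done"},
    {"hostname": "ws-b", "ts": 2000, "event_type": "PROCESS_LAUNCH",  # explorer.exe is not installer-like: no match
     "parent_path": r"C:\Windows\explorer.exe",
     "child_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"hostname": "ws-c", "ts": 700, "event_type": "PROCESS_LAUNCH",
     "parent_path": r"C:\Users\alice\Downloads\setup.exe",
     "child_path": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]
if __name__ == "__main__":
    for detection in run_rule(SAMPLE_EVENTS):
        print(detection)
```

The two ws-a events fall into one bucket and produce a single detection scored 90, which is what the rule's max()/array_distinct() aggregation yields for a host with several installer-spawned children in the same window.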

Data Sources

  • Google Chronicle SIEM
  • Google Security Operations
  • Windows Endpoint Telemetry
  • Sysmon via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH, FILE_CREATION, NETWORK_CONNECTION)

False Positives & Tuning

  • Software deployment automation frameworks like Puppet or Chef that legitimately invoke installer wrapper scripts which then call PowerShell for configuration management tasks on managed nodes
  • Microsoft Visual Studio and .NET SDK toolchains where msbuild.exe or dotnet.exe invoke cmd.exe or PowerShell for legitimate test runner invocations, code generation, or project scaffolding
  • Custom enterprise software update clients (e.g., internal update frameworks for line-of-business apps) that write updated components to temp directories before moving them to their final install path

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Backdoored Installer Spawning PowerShell (Post-Install C2 Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=msiexec.exe, Image=powershell.exe, CommandLine containing '-WindowStyle Hidden' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection attempt from powershell.exe to 127.0.0.1:9999 (connection refused is acceptable). Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: Simulate Build Tool Spawning Unexpected Shell (SUNSPOT-Style Build Injection)

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=msbuild.exe (or cmd.exe spawned from the test fallback), Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 with NewProcessName=cmd.exe, CreatorProcessName=msbuild.exe. File creation event for the output file in %TEMP%.

  3. Test 3: Simulate Supply Chain Malware Dropping Executable in Temp During Install

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\payload_stage2.exe, Image=powershell.exe. Sysmon Event ID 1: PowerShell spawning (parent chain visible). The file copy of calc.exe will have a known benign SHA256 but the file path in Temp will be flagged.

  4. Test 4: Verify Code Signing Certificate on Installed Binary (Supply Chain Investigation Validation)

    Expected signal: Sysmon Event ID 1: PowerShell process spawned. No file modification events. The command performs read-only certificate inspection. PowerShell ScriptBlock Log Event ID 4104 captures the script content. This is purely a verification/investigation command.
