Detect Compromise Software Supply Chain in IBM QRadar
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Real-world examples include SUNSPOT injecting SUNBURST into SolarWinds Orion builds, CCBkdr backdooring CCleaner 5.33, and Sandworm replacing M.E.Doc updates with NotPetya. Detection focuses on post-installation behavioral anomalies: legitimate software exhibiting unexpected child process execution, unusual outbound connectivity, suspicious DLL loading, and credential access patterns that should never originate from trusted update mechanisms.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1195 Supply Chain Compromise
- Sub-technique: T1195.002 Compromise Software Supply Chain
- Canonical reference: https://attack.mitre.org/techniques/T1195/002/
QRadar Detection Query
```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  destinationip,
  destinationport,
  LOWER("ParentProcessPath") AS parent_process,
  LOWER("ProcessPath") AS child_process,
  "CommandLine" AS command_line,
  "TargetFilePath" AS target_file,
  CASE
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
      AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe'
    THEN 'Installer_Spawned_Suspicious_Child'
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe'
      AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe'
    THEN 'BuildTool_Spawned_Suspicious_Process'
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
      AND LOWER("TargetFilePath") SIMILAR TO '%(\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\)%'
      AND LOWER("TargetFilePath") SIMILAR TO '%\.(exe|dll|ps1|bat|vbs|js)'
    THEN 'Updater_Dropped_Executable_In_Temp'
    WHEN LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
      AND destinationport NOT IN (80, 443, 8080, 8443)
      AND NOT (INCIDR('10.0.0.0/8', destinationip)
        OR INCIDR('172.16.0.0/12', destinationip)
        OR INCIDR('192.168.0.0/16', destinationip))
    THEN 'Updater_Nonstandard_Port_Outbound'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15, 143, 352)
  AND (
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
      AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe')
    OR
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msbuild|devenv|cl|link|csc|vbc|dotnet)\.exe'
      AND LOWER(MATCHREGEX("ProcessPath", '[^\\/]+$')) SIMILAR TO '(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|installutil|regasm|cmstp|control)\.exe')
    OR
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
      AND LOWER("TargetFilePath") SIMILAR TO '%(\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\)%'
      AND LOWER("TargetFilePath") SIMILAR TO '%\.(exe|dll|ps1|bat|vbs|js)')
    OR
    (LOWER(MATCHREGEX("ParentProcessPath", '[^\\/]+$')) SIMILAR TO '(msiexec|setup|install|installer|update|updater|autoupdate|softwareupdate|uninst|uninstall|patch|patchinstall)\.exe'
      AND destinationport NOT IN (80, 443, 8080, 8443)
      AND NOT (INCIDR('10.0.0.0/8', destinationip)
        OR INCIDR('172.16.0.0/12', destinationip)
        OR INCIDR('192.168.0.0/16', destinationip)))
  )
ORDER BY starttime DESC
LAST 1 DAYS
```

QRadar AQL detection for T1195.002 supply chain compromise behavioral indicators. The query searches Windows Security, Sysmon, and EDR log sources for installer/updater processes spawning suspicious child processes, build tools spawning LOLBins, update processes dropping executables in temp paths, and updater processes making outbound connections on non-standard ports. Each of the four WHERE branches uses the same process lists, temp paths and extensions as the matching CASE branch, so every detection_type can actually appear in the results; private address ranges are excluded with INCIDR() rather than a string comparison, because comparing dotted-quad strings with BETWEEN is lexicographic (for example '10.3.0.1' sorts after '10.255.255.255').
False Positives & Tuning
- Enterprise patch management solutions (WSUS, SCCM) invoking PowerShell for post-patch configuration on managed endpoints — correlate with change management tickets
- Software vendors whose legitimate updaters use non-standard ports (e.g., some game launchers, creative software update services) — maintain an allowlist of known-good update endpoint IP/port pairs
- CI/CD agents on developer workstations where msbuild.exe or dotnet.exe legitimately spawn cmd.exe/PowerShell for build scripts — scope detections to non-developer endpoint OUs
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Backdoored Installer Spawning PowerShell (Post-Install C2 Simulation)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=msiexec.exe, Image=powershell.exe, CommandLine containing '-WindowStyle Hidden' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection attempt from powershell.exe to 127.0.0.1:9999 (connection refused is acceptable). Security Event ID 4688 if command line auditing is enabled.
- Test 2: Simulate Build Tool Spawning Unexpected Shell (SUNSPOT-Style Build Injection)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=msbuild.exe (or cmd.exe spawned from the test fallback), Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 with NewProcessName=cmd.exe, CreatorProcessName=msbuild.exe. File creation event for the output file in %TEMP%.
- Test 3: Simulate Supply Chain Malware Dropping Executable in Temp During Install
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\payload_stage2.exe, Image=powershell.exe. Sysmon Event ID 1: PowerShell spawning (parent chain visible). The file copy of calc.exe will have a known benign SHA256 but the file path in Temp will be flagged.
- Test 4: Verify Code Signing Certificate on Installed Binary (Supply Chain Investigation Validation)
Expected signal: Sysmon Event ID 1: PowerShell process spawned. No file modification events. The command performs read-only certificate inspection. PowerShell ScriptBlock Log Event ID 4104 captures the script content. This is purely a verification/investigation command.
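To check the query's logic against the telemetry the tests above describe before it goes into QRadar, here is an added Python reference implementation of the four detection_type branches (not code from the original page or from IBM), run over constructed events shaped like what Tests 1 to 3 produce. The process lists, temp paths, extensions and ports are taken from the AQL above; the dictionary field names, file paths and IP addresses are assumed for illustration, and the private-range test is a real CIDR check, as INCIDR() gives the query.

```python
import ipaddress
import re
# Name lists copied from the AQL CASE branches above.
INSTALLERS = {"msiexec", "setup", "install", "installer", "update", "updater", "autoupdate",
              "softwareupdate", "uninst", "uninstall", "patch", "patchinstall"}
BUILD_TOOLS = {"msbuild", "devenv", "cl", "link", "csc", "vbc", "dotnet"}
LOLBINS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "regsvr32", "rundll32",
           "certutil", "bitsadmin", "wmic", "msbuild", "installutil", "regasm", "cmstp", "control"}
TEMP_DIRS = ("\\temp\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")
DROP_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js")
WEB_PORTS = {80, 443, 8080, 8443}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exe_stem(path):
    """Mirror LOWER(MATCHREGEX(path, '[^\\/]+$')): final path component without '.exe', else None."""
    m = re.search(r"[^\\/]+$", (path or "").lower())
    return m.group(0)[:-4] if m and m.group(0).endswith(".exe") else None

def is_external(ip):
    """Routable address check, i.e. what INCIDR() gives the query (a string BETWEEN is lexicographic)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed field: do not flag on it
    return not any(addr in net for net in RFC1918)

def classify(ev):
    """Return the detection_type the AQL CASE assigns to one normalised event dict."""
    parent, child = exe_stem(ev.get("ParentProcessPath")), exe_stem(ev.get("ProcessPath"))
    target = (ev.get("TargetFilePath") or "").lower()
    port, dst = ev.get("destinationport"), ev.get("destinationip")
    if parent in INSTALLERS and child in LOLBINS:
        return "Installer_Spawned_Suspicious_Child"
    if parent in BUILD_TOOLS and child in LOLBINS:
        return "BuildTool_Spawned_Suspicious_Process"
    if parent in INSTALLERS and any(d in target for d in TEMP_DIRS) and target.endswith(DROP_EXT):
        return "Updater_Dropped_Executable_In_Temp"
    if parent in INSTALLERS and port is not None and port not in WEB_PORTS and is_external(dst):
        return "Updater_Nonstandard_Port_Outbound"
    return "Unknown"
# Constructed events shaped like the telemetry Tests 1-3 expect; paths and IPs are made up.
SAMPLE_EVENTS = [
    {"ParentProcessPath": r"C:\Windows\System32\msiexec.exe", "ProcessPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentProcessPath": r"C:\Program Files\MSBuild\MSBuild.exe", "ProcessPath": r"C:\Windows\System32\cmd.exe"},
    {"ParentProcessPath": r"C:\Program Files\ExampleApp\updater.exe", "TargetFilePath": r"C:\Users\alice\AppData\Local\Temp\payload_stage2.exe"},
    {"ParentProcessPath": r"C:\Program Files\ExampleApp\update.exe", "destinationip": "203.0.113.7", "destinationport": 4444},
    # RFC 1918, so not flagged; a string BETWEEN '10.0.0.0' AND '10.255.255.255' would wrongly treat it as external ('3' > '2').
    {"ParentProcessPath": r"C:\Program Files\ExampleApp\update.exe", "destinationip": "10.3.0.1", "destinationport": 4444},
    {"ParentProcessPath": r"C:\Windows\explorer.exe", "ProcessPath": r"C:\Windows\System32\cmd.exe"},
]
```

Run `[classify(e) for e in SAMPLE_EVENTS]` to see one label per event; the fifth event is the case a lexicographic IP comparison would misclassify.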
References
- https://attack.mitre.org/techniques/T1195/002/
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/
- https://www.secureworks.com/research/revil-sodinokibi-ransomware
- https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-moss-plugin-attack/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor/
- https://www.mandiant.com/resources/blog/fin7-reboot-quakbot
- https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Mitigations_and_Hardening_Guidance_for_MSPs_and_Small-and-Mid-sized_Businesses.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md