Detect Compromise Software Supply Chain in Microsoft Sentinel
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Real-world examples include SUNSPOT injecting SUNBURST into SolarWinds Orion builds, CCBkdr backdooring CCleaner 5.33, and Sandworm replacing M.E.Doc updates with NotPetya. Detection focuses on post-installation behavioral anomalies: legitimate software exhibiting unexpected child process execution, unusual outbound connectivity, suspicious DLL loading, and credential access patterns that should never originate from trusted update mechanisms.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1195 Supply Chain Compromise
- Sub-technique
- T1195.002 Compromise Software Supply Chain
- Canonical reference
- https://attack.mitre.org/techniques/T1195/002/
KQL Detection Query
let SoftwareInstallerProcesses = dynamic([
"msiexec.exe", "setup.exe", "install.exe", "installer.exe",
"update.exe", "updater.exe", "autoupdate.exe", "softwareupdate.exe",
"uninst.exe", "uninstall.exe", "patch.exe", "patchinstall.exe"
]);
let SuspiciousChildProcesses = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
"bitsadmin.exe", "wmic.exe", "msbuild.exe", "installutil.exe",
"regasm.exe", "cmstp.exe", "control.exe", "msiexec.exe"
]);
let KnownBuildTools = dynamic([
"msbuild.exe", "devenv.exe", "cl.exe", "link.exe",
"csc.exe", "vbc.exe", "dotnet.exe", "gradle", "maven"
]);
// Query 1: Installers/updaters spawning suspicious child processes
let InstallerChildProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SoftwareInstallerProcesses)
| where FileName in~ (SuspiciousChildProcesses)
| extend DetectionType = "Installer_Spawned_Suspicious_Child"
| project Timestamp, DeviceName, AccountName, DetectionType,
FileName, ProcessCommandLine, SHA256,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName;
// Query 2: Trusted vendor update processes making outbound connections to non-standard destinations
let UpdateNetworkAnomalies = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SoftwareInstallerProcesses)
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443, 8080, 8443)
| extend DetectionType = "Updater_Nonstandard_Port_Outbound"
| project Timestamp, DeviceName, DetectionType,
RemoteIP, RemotePort, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// Query 3: Executables, DLLs or scripts written by update/install processes into Temp directories
let SuspiciousDropAndExecute = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ (SoftwareInstallerProcesses)
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".ps1"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\")
| extend DetectionType = "Updater_Dropped_Executable_In_Temp"
| project Timestamp, DeviceName, DetectionType,
FolderPath, FileName, SHA256,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// Query 4: Build toolchain processes spawning suspicious child processes (SUNSPOT-style build injection)
let BuildToolAnomalies = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (KnownBuildTools)
| where FileName in~ (SuspiciousChildProcesses)
| where not(ProcessCommandLine has_any ("--help", "-help", "/?"))
| extend DetectionType = "BuildTool_Spawned_Suspicious_Process"
| project Timestamp, DeviceName, AccountName, DetectionType,
FileName, ProcessCommandLine, SHA256,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// Combine all detections
InstallerChildProcesses
| union UpdateNetworkAnomalies
| union SuspiciousDropAndExecute
| union BuildToolAnomalies
| sort by Timestamp desc

Detects behavioral anomalies characteristic of compromised software supply chain attacks across four detection pillars: (1) software installers or updaters spawning suspicious child processes (PowerShell, cmd.exe, LOLBins), (2) update processes making outbound connections on non-standard ports, (3) installer processes dropping executables in temp directories, and (4) build toolchain processes (MSBuild, devenv) spawning unexpected children — a pattern observed in SUNSPOT-style build injection attacks. Uses Microsoft Defender for Endpoint DeviceProcessEvents, DeviceNetworkEvents, and DeviceFileEvents tables.
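The four detection pillars of the query above, re-implemented in Python as an added example (not code from the original page) so the rule logic can be checked offline against constructed Defender-style records. Field names mirror the Advanced Hunting tables, the sample events are constructed rather than real telemetry, and KQL's `in~` / `has_any` matching is approximated by case-folded exact and substring comparison.

```python
INSTALLERS = {"msiexec.exe", "setup.exe", "install.exe", "update.exe", "updater.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "cl.exe", "link.exe", "csc.exe", "dotnet.exe"}
STANDARD_PORTS = {80, 443, 8080, 8443}
TEMP_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
HELP_FLAGS = ("--help", "-help", "/?")

def field(ev, key):  # case-folded read, mirroring KQL's in~ / has_any matching
    return str(ev.get(key, "")).lower()

def classify(table, ev):
    """Return the DetectionType one event would get from the query above, or None."""
    parent, child = field(ev, "InitiatingProcessFileName"), field(ev, "FileName")
    if table == "DeviceProcessEvents":
        if parent in INSTALLERS and child in LOLBINS:          # Query 1
            return "Installer_Spawned_Suspicious_Child"
        if (parent in BUILD_TOOLS and child in LOLBINS          # Query 4
                and not any(f in field(ev, "ProcessCommandLine") for f in HELP_FLAGS)):
            return "BuildTool_Spawned_Suspicious_Process"
    elif table == "DeviceNetworkEvents":                        # Query 2
        if (parent in INSTALLERS and ev.get("RemoteIPType") == "Public"
                and int(ev.get("RemotePort", 0)) not in STANDARD_PORTS):
            return "Updater_Nonstandard_Port_Outbound"
    elif table == "DeviceFileEvents":                           # Query 3
        if (parent in INSTALLERS and ev.get("ActionType") == "FileCreated"
                and child.endswith((".exe", ".dll", ".ps1"))
                and any(t in field(ev, "FolderPath") for t in TEMP_DIRS)):
            return "Updater_Dropped_Executable_In_Temp"
    return None

def run(events):
    """events: (table, record) pairs. Returns (DeviceName, DetectionType) hits, newest first."""
    hits = [(ev["Timestamp"], ev["DeviceName"], d) for t, ev in events if (d := classify(t, ev))]
    return [(dev, d) for _, dev, d in sorted(hits, reverse=True)]

SAMPLE_EVENTS = [  # constructed records (not real telemetry) mirroring the Testing Methodology
    ("DeviceProcessEvents", {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01",
        "InitiatingProcessFileName": "msiexec.exe", "FileName": "PowerShell.exe",
        "ProcessCommandLine": "powershell -WindowStyle Hidden Invoke-WebRequest http://127.0.0.1:9999"}),
    ("DeviceProcessEvents", {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "build01",
        "InitiatingProcessFileName": "MSBuild.exe", "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd /c whoami > %TEMP%\\out.txt"}),
    ("DeviceNetworkEvents", {"Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws02",
        "InitiatingProcessFileName": "updater.exe", "RemoteIPType": "Public", "RemotePort": 9999}),
    ("DeviceFileEvents", {"Timestamp": "2024-01-01T10:04:00Z", "DeviceName": "ws03",
        "InitiatingProcessFileName": "setup.exe", "ActionType": "FileCreated",
        "FolderPath": "C:\\Users\\u\\AppData\\Local\\Temp\\", "FileName": "payload_stage2.exe"}),
]
```

Calling `run(SAMPLE_EVENTS)` yields one hit per pillar, newest first; adding a tuning allowlist (for example on `InitiatingProcessParentFileName` for SCCM or Intune parent chains) is a one-line check inside `classify`.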
Data Sources
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceFileEvents
False Positives & Tuning
- Legitimate software updaters that use PowerShell or cmd.exe as part of their post-install configuration (e.g., some enterprise software uses PowerShell for environment setup after MSI installation)
- Build systems that invoke utility scripts via cmd.exe or PowerShell during compilation steps — common in CI/CD pipelines where MSBuild calls post-build scripts
- Software vendors using non-standard ports for update delivery (e.g., some enterprise patch management solutions use custom ports for update traffic)
- IT provisioning tools (SCCM, Intune, Chocolatey) that install software via msiexec.exe and then run PowerShell configuration scripts as part of normal deployment workflows
- Development workstations where build tools (devenv.exe, dotnet.exe) regularly invoke scripts during local builds
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Backdoored Installer Spawning PowerShell (Post-Install C2 Simulation)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=msiexec.exe, Image=powershell.exe, CommandLine containing '-WindowStyle Hidden' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection attempt from powershell.exe to 127.0.0.1:9999 (connection refused is acceptable). Security Event ID 4688 if command line auditing is enabled.
- Test 2: Simulate Build Tool Spawning Unexpected Shell (SUNSPOT-Style Build Injection)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=msbuild.exe (or cmd.exe spawned from the test fallback), Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 with NewProcessName=cmd.exe, CreatorProcessName=msbuild.exe. File creation event for the output file in %TEMP%.
- Test 3: Simulate Supply Chain Malware Dropping Executable in Temp During Install
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=%TEMP%\payload_stage2.exe, Image=powershell.exe. Sysmon Event ID 1: PowerShell spawning (parent chain visible). The file copy of calc.exe will have a known benign SHA256 but the file path in Temp will be flagged.
- Test 4: Verify Code Signing Certificate on Installed Binary (Supply Chain Investigation Validation)
Expected signal: Sysmon Event ID 1: PowerShell process spawned. No file modification events. The command performs read-only certificate inspection. PowerShell ScriptBlock Log Event ID 4104 captures the script content. This is purely a verification/investigation command.
References
- https://attack.mitre.org/techniques/T1195/002/
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/
- https://www.secureworks.com/research/revil-sodinokibi-ransomware
- https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-moss-plugin-attack/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor/
- https://www.mandiant.com/resources/blog/fin7-reboot-quakbot
- https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Mitigations_and_Hardening_Guidance_for_MSPs_and_Small-and-Mid-sized_Businesses.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md