Detect Supply Chain Compromise in Microsoft Sentinel
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can occur at any stage — from manipulation of development tools, source code repositories, open-source dependencies, software update/distribution mechanisms, system images, or physical hardware. Because the attack abuses trusted software distribution channels, defenders must focus on post-delivery behavioral indicators: trusted installer processes spawning shells, legitimate software making unexpected network connections, newly installed applications loading unsigned modules, and integrity failures in software binaries. High-profile incidents include SolarWinds Orion (Sunburst backdoor in update packages), CCleaner (backdoor distributed via official update), 3CX (second-order compromise via trojanized Electron app), and NotPetya (distributed via M.E.Doc accounting software update).
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1195 Supply Chain Compromise
- Canonical reference
- https://attack.mitre.org/techniques/T1195/
KQL Detection Query
let TrustedInstallerProcesses = dynamic([
"msiexec.exe", "setup.exe", "install.exe", "installer.exe",
"update.exe", "updater.exe", "autoupdate.exe", "squirrel.exe",
"appinstaller.exe", "packageinstaller.exe", "softwareupdate.exe",
"uninst.exe", "uninstall.exe", "patchinstaller.exe"
]);
let LOLBins = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
"wmic.exe", "msbuild.exe", "csc.exe", "odbcconf.exe", "xwizard.exe",
"installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe"
]);
// Part 1: Installer/updater processes spawning suspicious child processes
let InstallerSpawnsLOLBin = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (TrustedInstallerProcesses)
| where FileName in~ (LOLBins)
| extend DetectionSource = "InstallerSpawnedLOLBin"
| project Timestamp, DeviceName, AccountName,
DetectionSource,
ParentProcess = InitiatingProcessFileName,
ParentCommandLine = InitiatingProcessCommandLine,
ParentSHA1 = InitiatingProcessSHA1,
ChildProcess = FileName,
ChildCommandLine = ProcessCommandLine,
ChildFolderPath = FolderPath;
// Part 2: Legitimate signed software spawning shells after a recent file write to its install directory
let SignedSoftwareSpawnsShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where InitiatingProcessFolderPath has_any ("Program Files", "Program Files (x86)", "ProgramData")
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe")
| where InitiatingProcessVersionInfoCompanyName != ""
// Exclude common known-good parent patterns
| where not (InitiatingProcessFileName in~ ("explorer.exe", "svchost.exe", "services.exe", "taskhostw.exe"))
| extend DetectionSource = "TrustedSoftwareSpawnedShell"
| project Timestamp, DeviceName, AccountName,
DetectionSource,
ParentProcess = InitiatingProcessFileName,
ParentCommandLine = InitiatingProcessCommandLine,
ParentSHA1 = InitiatingProcessSHA1,
ParentFolderPath = InitiatingProcessFolderPath,
ParentCompany = InitiatingProcessVersionInfoCompanyName,
ChildProcess = FileName,
ChildCommandLine = ProcessCommandLine,
ChildFolderPath = FolderPath;
// Combine both detection paths
InstallerSpawnsLOLBin
| project Timestamp, DeviceName, AccountName, DetectionSource, ParentProcess, ParentCommandLine, ParentSHA1, ChildProcess, ChildCommandLine
| union (
SignedSoftwareSpawnsShell
| project Timestamp, DeviceName, AccountName, DetectionSource, ParentProcess, ParentCommandLine, ParentSHA1, ChildProcess, ChildCommandLine
)
| sort by Timestamp descDetects supply chain compromise indicators by monitoring two key behavioral patterns: (1) software installer and updater processes (msiexec.exe, setup.exe, updater.exe, squirrel.exe, etc.) spawning LOLBins (cmd.exe, PowerShell, regsvr32.exe, etc.) — a strong indicator of trojanized installers executing embedded payloads; (2) legitimate signed software installed in Program Files directories spawning interactive shells unexpectedly, which may indicate a compromised software binary or DLL sideloading attack delivered via supply chain. Uses DeviceProcessEvents parent-child relationship analysis. Coverage spans Windows endpoints enrolled in Microsoft Defender for Endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers (especially older or enterprise software) that invoke cmd.exe or PowerShell as part of post-install configuration scripts or service registration
- Software deployment platforms (SCCM, Intune, PDQ Deploy) that use msiexec.exe or setup.exe as wrappers that legitimately spawn PowerShell for configuration
- Electron-based applications (VSCode, Slack, Teams) whose squirrel.exe updater spawns cmd.exe for delta patching operations
- Development environment tools (Visual Studio, JetBrains, Eclipse) that run PowerShell or scripts as part of extension installation or project scaffolding
- Third-party IT management agents (SolarWinds, ConnectWise, Kaseya) whose update mechanisms spawn child processes by design
Other platforms for T1195
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Trojanized Installer Spawning PowerShell (Windows)
Expected signal: Sysmon Event ID 1: Two process creation events — first for %TEMP%\setup.exe (Image matches 'setup.exe'), then for powershell.exe with ParentImage pointing to %TEMP%\setup.exe. Security Event ID 4688 (if command line auditing enabled) with same parent-child details. Sysmon Event ID 11: File creation for t1195_installer_test.txt.
- Test 2Malicious npm Package Postinstall Script (Windows)
Expected signal: Sysmon Event ID 1: Process chain: npm.cmd (or node.exe) spawning cmd.exe with the postinstall command. The CommandLine will contain the postinstall script command. Sysmon Event ID 11: File creation for postinstall_output.txt in %TEMP%\t1195-npm\. Windows Event ID 4688 (process creation) for each spawned process.
- Test 3Malicious Python Package setup.py Executing Shell Command (Linux/macOS)
Expected signal: Linux auditd: syscall execve events for python3 spawning subprocess (id command). Syslog/auditd EXECVE records showing python3 as parent process and id as child. If Falco is deployed, process_spawned_by_pip_or_python rules will fire. File creation event for /tmp/t1195-pip/pip_payload_output.txt.
- Test 4Software Binary Hash Integrity Verification Failure Simulation (Windows)
Expected signal: Process creation events for certutil.exe (Sysmon Event ID 1) with -hashfile arguments. The fc command will show or report mismatches between the two hash files, demonstrating the hash divergence that would indicate a tampered supply chain binary. No network activity expected. This test validates the analyst investigation workflow rather than triggering a real-time detection rule.
References (10)
- https://attack.mitre.org/techniques/T1195/
- https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
- https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
- https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-008a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck
- https://www.ncsc.gov.uk/collection/supply-chain-security
Unlock Pro Content
Get the full detection package for T1195 including response playbook, investigation guide, and atomic red team tests.