Detect Supply Chain Compromise in Sumo Logic CSE
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can occur at any stage — from manipulation of development tools, source code repositories, open-source dependencies, software update/distribution mechanisms, system images, or physical hardware. Because the attack abuses trusted software distribution channels, defenders must focus on post-delivery behavioral indicators: trusted installer processes spawning shells, legitimate software making unexpected network connections, newly installed applications loading unsigned modules, and integrity failures in software binaries. High-profile incidents include SolarWinds Orion (Sunburst backdoor in update packages), CCleaner (backdoor distributed via official update), 3CX (second-order compromise via trojanized Electron app), and NotPetya (distributed via M.E.Doc accounting software update).
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1195 Supply Chain Compromise
- Canonical reference: https://attack.mitre.org/techniques/T1195/
Sumo Detection Query
(_sourceCategory="endpoint/windows/sysmon" OR _sourceCategory="endpoint/windows/security")
| where EventID = "1" or EventCode = "1" or EventID = "4688"
// Take the file name after the last backslash; the wildcard form "*\\*" splits at the first backslash and yields the drive letter instead
| parse regex field=ParentImage "\\(?<parent_exe>[^\\]+)$" nodrop
| parse regex field=Image "\\(?<child_exe>[^\\]+)$" nodrop
| parse field=ParentCommandLine "*" as parent_cmdline nodrop
| parse field=CommandLine "*" as child_cmdline nodrop
| parse field=ParentImage "*" as parent_full_path nodrop
| eval parent_lower = toLowerCase(parent_exe)
| eval child_lower = toLowerCase(child_exe)
| eval parent_path_lower = toLowerCase(ParentImage)
// Branch 1: Installer spawning LOLBin
| eval is_installer_parent = if(matches(parent_lower, "msiexec\.exe|setup\.exe|install(er)?\.exe|update(r)?\.exe|autoupdate\.exe|squirrel\.exe|appinstaller\.exe|softwareupdate\.exe|uninst\.exe"), 1, 0)
| eval is_lolbin_child = if(matches(child_lower, "cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msbuild\.exe|csc\.exe|odbcconf\.exe|installutil\.exe|regasm\.exe|schtasks\.exe"), 1, 0)
// Branch 2: Trusted software in Program Files spawning shell
| eval is_trusted_path_parent = if(matches(parent_path_lower, "program files|programdata"), 1, 0)
| eval is_shell_child = if(matches(child_lower, "cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe"), 1, 0)
| eval is_excluded_parent = if(matches(parent_lower, "explorer\.exe|svchost\.exe|services\.exe|taskhostw\.exe|msiexec\.exe"), 1, 0)
| eval supply_chain_score = (is_installer_parent * is_lolbin_child) + (is_trusted_path_parent * is_shell_child * (1 - is_excluded_parent))
| where supply_chain_score > 0
| eval detection_reason = if(is_installer_parent = 1 and is_lolbin_child = 1, "Installer/updater spawned LOLBin",
if(is_trusted_path_parent = 1 and is_shell_child = 1 and is_excluded_parent = 0, "Trusted software in ProgramFiles spawned shell", "Unknown"))
| fields _messageTime, Computer, host, User, ParentImage, parent_cmdline, Image, child_cmdline, Hashes, detection_reason, supply_chain_score
| sort by _messageTime desc

Sumo Logic CSE query detecting supply chain compromise through two behavioral patterns: installer/updater processes (msiexec, setup, update wrappers) spawning LOLBins, and signed/legitimate software resident in Program Files directories spawning shell interpreters. A risk score is computed from both patterns to reduce alert noise while maintaining coverage of both attack vectors.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software update pipelines (e.g., Electron app self-updaters using Squirrel.Windows) that spawn PowerShell for pre/post-update scripting
- IT management agents (ManageEngine, Kaseya, ConnectWise) that install via MSI and then invoke shell commands for asset configuration or remediation
- Software development kits that install CLI tooling via setup.exe and subsequently launch cmd.exe to add directories to PATH or configure shell profiles
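The two-branch scoring above, and the allowlist tuning this section calls for, expressed as plain Python so the logic can be exercised offline against sample events before a rule change ships. This is an added example, not the page's query or Sumo Logic code: the event records, product names, paths and allowlist entries are constructed placeholders, and the process-name patterns are anchored to the whole file name (stricter than the query's unanchored `matches`) so that names such as "myupdater.exe" do not match by substring.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Fields of a Sysmon Event ID 1 / Security 4688 record that the rule uses."""
    computer: str
    user: str
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def exe_name(image: str) -> str:
    """Lower-cased file name after the last backslash (what the parse step must extract)."""
    return image.rsplit("\\", 1)[-1].lower()


# Same process lists as the query, anchored to the whole file name.
INSTALLER_PARENT = re.compile(r"^(msiexec|setup|install(er)?|update(r)?|autoupdate|squirrel|appinstaller|softwareupdate|uninst)\.exe$")
LOLBIN_CHILD = re.compile(r"^(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|wmic|msbuild|csc|odbcconf|installutil|regasm|schtasks)\.exe$")
SHELL_CHILD = re.compile(r"^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$")
TRUSTED_PATH = re.compile(r"program files|programdata")
EXCLUDED_PARENT = re.compile(r"^(explorer|svchost|services|taskhostw|msiexec)\.exe$")

# Constructed tuning allowlist: (parent path regex, child exe, command-line regex).
# Product names and paths are placeholders; real entries come from your own baseline.
ALLOWLIST = [
    # Electron/Squirrel self-updater running its own post-update script
    (r"\\appdata\\local\\exampleapp\\update\.exe$", "powershell.exe",
     r"-noprofile -file .*\\exampleapp\\.*\.ps1"),
    # RMM agent installed under Program Files running a scripted remediation
    (r"\\program files\\examplermm\\agent\.exe$", "cmd.exe",
     r"/c .*\\examplermm\\.*\.bat"),
]


def score_event(ev: ProcessEvent):
    """Reproduce supply_chain_score and detection_reason for one event."""
    parent, child = exe_name(ev.parent_image), exe_name(ev.image)
    installer_parent = bool(INSTALLER_PARENT.match(parent))
    lolbin_child = bool(LOLBIN_CHILD.match(child))
    trusted_path_parent = bool(TRUSTED_PATH.search(ev.parent_image.lower()))
    shell_child = bool(SHELL_CHILD.match(child))
    excluded_parent = bool(EXCLUDED_PARENT.match(parent))
    branch1 = installer_parent and lolbin_child
    branch2 = trusted_path_parent and shell_child and not excluded_parent
    score = int(branch1) + int(branch2)
    if branch1:
        reason = "Installer/updater spawned LOLBin"
    elif branch2:
        reason = "Trusted software in ProgramFiles spawned shell"
    else:
        reason = "Unknown"
    return score, reason


def is_allowlisted(ev: ProcessEvent) -> bool:
    """Suppress only when parent path, child name and command line all match a known-good entry."""
    child = exe_name(ev.image)
    return any(
        child == child_exe
        and re.search(parent_re, ev.parent_image, re.IGNORECASE)
        and re.search(cmd_re, ev.cmdline, re.IGNORECASE)
        for parent_re, child_exe, cmd_re in ALLOWLIST
    )


def evaluate(events):
    """Alerts the rule would raise: score > 0 and not suppressed by the allowlist."""
    alerts = []
    for ev in events:
        score, reason = score_event(ev)
        if score == 0 or is_allowlisted(ev):
            continue
        alerts.append({"Computer": ev.computer, "User": ev.user, "ParentImage": ev.parent_image,
                       "Image": ev.image, "detection_reason": reason, "supply_chain_score": score})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    # Test 1 shape: setup.exe in %TEMP% launching PowerShell -> branch 1
    ProcessEvent("WS01", r"CORP\alice", r"C:\Users\alice\AppData\Local\Temp\setup.exe", "setup.exe /S",
                 PS, r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\post.ps1"),
    # Installed product spawning cmd.exe from Program Files -> branch 2
    ProcessEvent("WS02", r"CORP\bob", r"C:\Program Files\ExampleVendor\Example.exe", "Example.exe",
                 CMD, "cmd.exe /c whoami"),
    # Updater living in Program Files spawning cmd.exe -> both branches, score 2
    ProcessEvent("WS03", r"CORP\carol", r"C:\Program Files\ExampleVendor\updater.exe", "updater.exe --apply",
                 CMD, r"cmd.exe /c C:\ProgramData\ExampleVendor\stage.bat"),
    # msiexec launching the installed application itself -> child is not a LOLBin, score 0
    ProcessEvent("WS04", r"CORP\dave", r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i example.msi",
                 r"C:\Program Files\ExampleVendor\Example.exe", "Example.exe --firstrun"),
    # Known-good Squirrel updater hook -> branch 1 fires but the allowlist suppresses it
    ProcessEvent("WS05", r"CORP\erin", r"C:\Users\erin\AppData\Local\ExampleApp\Update.exe", "Update.exe --update",
                 PS, r"powershell.exe -NoProfile -File C:\Users\erin\AppData\Local\ExampleApp\app-1.2.3\post-update.ps1"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Allowlist entries key on the full parent path and the child command line rather than on the parent name alone; suppressing every `update.exe` that spawns PowerShell would also suppress the trojanized-updater case the rule exists to catch.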
Other platforms for T1195
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Trojanized Installer Spawning PowerShell (Windows)
  Expected signal: Sysmon Event ID 1: two process creation events — first for %TEMP%\setup.exe (Image matches 'setup.exe'), then for powershell.exe with ParentImage pointing to %TEMP%\setup.exe. Security Event ID 4688 (if command line auditing is enabled) with the same parent-child details. Sysmon Event ID 11: file creation for t1195_installer_test.txt.
- Test 2: Malicious npm Package Postinstall Script (Windows)
  Expected signal: Sysmon Event ID 1: process chain of npm.cmd (or node.exe) spawning cmd.exe with the postinstall command; the CommandLine will contain the postinstall script command. Sysmon Event ID 11: file creation for postinstall_output.txt in %TEMP%\t1195-npm\. Windows Event ID 4688 (process creation) for each spawned process.
- Test 3: Malicious Python Package setup.py Executing Shell Command (Linux/macOS)
  Expected signal: Linux auditd: syscall execve events for python3 spawning a subprocess (the id command). Syslog/auditd EXECVE records showing python3 as the parent process and id as the child. If Falco is deployed, process_spawned_by_pip_or_python rules will fire. File creation event for /tmp/t1195-pip/pip_payload_output.txt.
- Test 4: Software Binary Hash Integrity Verification Failure Simulation (Windows)
  Expected signal: process creation events for certutil.exe (Sysmon Event ID 1) with -hashfile arguments. The fc command reports the mismatch between the two hash files, demonstrating the hash divergence that would indicate a tampered supply chain binary. No network activity is expected. This test validates the analyst investigation workflow rather than triggering a real-time detection rule.
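The analyst workflow that Test 4 exercises, written out as an added Python example (not part of the page or of the Atomic Red Team test): hash the binary actually on disk, pull the vendor-published digest out of `certutil -hashfile <file> SHA256` output, and compare the two. The binaries and the "published" certutil output are constructed stand-ins; the only real constant is the SHA-256 of the empty input used in the test.

```python
import hashlib
import hmac
import re

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes on disk, as a lower-case hex digest."""
    return hashlib.sha256(data).hexdigest()


def parse_certutil_sha256(output: str) -> str:
    """Pull the digest out of `certutil -hashfile <file> SHA256` output.

    certutil prints a header line, the digest, then a completion line. Older builds
    print the digest as space-separated byte pairs, so spaces are stripped first.
    """
    for line in output.splitlines():
        candidate = line.strip().replace(" ", "").lower()
        if HEX_SHA256.match(candidate):
            return candidate
    raise ValueError("no SHA-256 digest found in certutil output")


def verify_binary(data: bytes, published_certutil_output: str) -> dict:
    """Compare the on-disk hash with the vendor-published one.

    A mismatch is the divergence Test 4 looks for; the binary should then be
    quarantined and the download source investigated before it runs anywhere.
    """
    expected = parse_certutil_sha256(published_certutil_output)
    actual = sha256_hex(data)
    return {"expected": expected, "actual": actual,
            "match": hmac.compare_digest(expected, actual)}


# Constructed stand-ins for a vendor binary and a tampered copy of it.
GOOD_BINARY = b"MZ" + b"\x00" * 62 + b"constructed-example-installer"
TAMPERED_BINARY = GOOD_BINARY + b"constructed-extra-bytes"

# Constructed certutil output for the good binary, in the layout certutil emits.
PUBLISHED_HASH_OUTPUT = (
    "SHA256 hash of C:\\Downloads\\vendor-setup.exe:\n"
    f"{sha256_hex(GOOD_BINARY)}\n"
    "CertUtil: -hashfile command completed successfully.\n"
)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_BINARY), ("tampered", TAMPERED_BINARY)):
        r = verify_binary(blob, PUBLISHED_HASH_OUTPUT)
        print(f"{name}: match={r['match']} expected={r['expected'][:16]}... actual={r['actual'][:16]}...")
```

`hmac.compare_digest` is used for the comparison out of habit rather than necessity here; the point of the check is that the published digest must come from a channel independent of the download itself (vendor site over TLS, signed release notes), otherwise a tampered distribution point can publish a matching hash for the tampered file.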
References
- https://attack.mitre.org/techniques/T1195/
- https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
- https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
- https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-008a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck
- https://www.ncsc.gov.uk/collection/supply-chain-security