T1204.005

Malicious Library

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors upload malware to package managers such as NPM and PyPI, or backdoor existing popular libraries through supply chain compromise. Users install these libraries without realizing they are malicious, bypassing initial access controls. Execution occurs via setup.py install-time scripts (Python), postinstall/preinstall lifecycle hooks (NPM/yarn), or malicious code embedded in library modules that executes on import. Common delivery vectors include typosquatting (e.g., 'reqeusts' vs 'requests'), dependency confusion attacks, compromised maintainer accounts, and first-use namespace squatting. Threat actors including Contagious Interview have leveraged malicious NPM and Python packages published to public registries to deliver infostealers, remote access tools, and BeaverTail/InvisibleFerret malware targeting software developers.

Microsoft Sentinel / Defender

kusto

let TrustedPackageHosts = dynamic(["pypi.org", "files.pythonhosted.org", "npmjs.com", "registry.npmjs.org", "github.com", "raw.githubusercontent.com", "yarnpkg.com", "registry.yarnpkg.com", "anaconda.com", "conda.anaconda.org", "rubygems.org", "pkg.go.dev"]);
let SuspiciousChildProcs = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe", "net.exe", "netsh.exe"]);
let PackageRuntimes = dynamic(["python.exe", "python3.exe", "node.exe", "pip.exe", "pip3.exe"]);
// Branch 1: Package manager or Python/Node spawning suspicious child processes (setup.py/postinstall hook abuse)
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (InitiatingProcessFileName has_any (PackageRuntimes)
        or InitiatingProcessCommandLine has_any ("pip install", "pip3 install", "npm install", "npm ci", "yarn add", "setup.py install", "setup.py build", "python setup.py"))
| where FileName has_any (SuspiciousChildProcs)
| extend DetectionBranch = "PackageInstallSpawnedSuspiciousProcess"
| project Timestamp, DeviceName, AccountName, DetectionBranch,
          SubjectProcess = FileName, SubjectCmdLine = ProcessCommandLine,
          ParentProcess = InitiatingProcessFileName, ParentCmdLine = InitiatingProcessCommandLine;
// Branch 2: Python or Node making external connections on non-HTTP ports (C2 callback from malicious library code)
let Branch2 = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("python.exe", "python3.exe", "node.exe")
| where RemoteIPType == "Public"
| where not(RemoteUrl has_any (TrustedPackageHosts))
| where RemotePort !in (80, 443, 8080, 8443)
| extend DetectionBranch = "MaliciousLibraryC2Callback"
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName, DetectionBranch,
          SubjectProcess = strcat(InitiatingProcessFileName, " -> ", tostring(RemoteIP), ":", tostring(RemotePort)),
          SubjectCmdLine = InitiatingProcessCommandLine,
          ParentProcess = InitiatingProcessParentFileName,
          ParentCmdLine = "";
// Branch 3: Package installers dropping executable or script files in persistence-relevant locations
let Branch3 = DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (PackageRuntimes)
        or InitiatingProcessParentFileName has_any (PackageRuntimes)
| where FileName endswith ".exe" or FileName endswith ".dll"
        or FileName endswith ".bat" or FileName endswith ".ps1"
        or FileName endswith ".vbs" or FileName endswith ".scr"
| where FolderPath has_any ("\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
                             "C:\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
                             "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\",
                             "\\ProgramData\\")
| extend DetectionBranch = "PackageInstallerDroppedExecutable"
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName, DetectionBranch,
          SubjectProcess = strcat(FileName, " in ", FolderPath),
          SubjectCmdLine = InitiatingProcessCommandLine,
          ParentProcess = InitiatingProcessFileName,
          ParentCmdLine = InitiatingProcessCommandLine;
Branch1
| union Branch2
| union Branch3
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Legitimate Python packages with compiled extensions (e.g., numpy, scipy, cryptography) invoke MSVC toolchain processes (cl.exe, link.exe) during build — these are not LOLBins but may cause noise if broad parent-process filters are used
NPM packages with native addons use node-gyp, which spawns cmd.exe and Python — filter by known build tools in the postinstall command line
Developer environments where Python or Node scripts make legitimate API calls to internal services on non-standard ports — baseline expected outbound destinations and ports for developer workstations
CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners) routinely run pip/npm installs that produce process trees with build tooling — apply host-based allowlists for known build agent hostnames
Package manager updates of setuptools or pip itself may write executables to site-packages — the FolderPath filter excludes site-packages paths but confirm in your environment

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\pip.exe" OR ParentImage="*\\pip3.exe" OR ParentImage="*\\python.exe" OR ParentImage="*\\python3.exe" OR ParentImage="*\\node.exe" OR ParentImage="*\\npm.cmd"
   OR ParentCommandLine="*pip install*" OR ParentCommandLine="*pip3 install*" OR ParentCommandLine="*npm install*" OR ParentCommandLine="*npm ci*" OR ParentCommandLine="*yarn add*" OR ParentCommandLine="*setup.py*")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe"
   OR Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\regsvr32.exe"
   OR Image="*\\msiexec.exe" OR Image="*\\schtasks.exe" OR Image="*\\sc.exe" OR Image="*\\reg.exe")
| eval DetectionBranch="PackageInstallSpawnedSuspiciousProcess"
| eval NetworkDest="", DroppedFile="")

| append [
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\node.exe")
    NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=8080 OR DestinationPort=8443)
    NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp) OR cidrmatch("192.168.0.0/16", DestinationIp) OR cidrmatch("127.0.0.0/8", DestinationIp))
    NOT (DestinationHostname="*pypi.org" OR DestinationHostname="*pythonhosted.org" OR DestinationHostname="*npmjs.com" OR DestinationHostname="*github.com" OR DestinationHostname="*githubusercontent.com" OR DestinationHostname="*anaconda.com")
  | eval DetectionBranch="MaliciousLibraryC2Callback"
  | eval NetworkDest=DestinationIp . ":" . DestinationPort, DroppedFile="", ParentImage="", ParentCommandLine=""]

| append [
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\node.exe" OR Image="*\\pip.exe" OR Image="*\\pip3.exe")
    (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.bat" OR TargetFilename="*.ps1" OR TargetFilename="*.vbs" OR TargetFilename="*.scr")
    (TargetFilename="*\\Startup\\*" OR TargetFilename="*AppData\\Local\\Temp\\*" OR TargetFilename="*Windows\\Temp\\*" OR TargetFilename="*System32\\*" OR TargetFilename="*SysWOW64\\*" OR TargetFilename="*ProgramData\\*")
  | eval DetectionBranch="PackageInstallerDroppedExecutable"
  | eval DroppedFile=TargetFilename, NetworkDest="", ParentImage="", ParentCommandLine=""]

| eval SubjectProcess=coalesce(Image, TargetFilename)
| table _time, host, User, SubjectProcess, CommandLine, ParentImage, ParentCommandLine, NetworkDest, DroppedFile, DetectionBranch
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Sysmon Event IDs 1, 3, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Native extension builds (numpy, cryptography, lxml) spawn MSVC or GCC toolchain binaries — typically from a build environment parent; baseline known build hosts
node-gyp compiles native addons during npm install and spawns Python and cmd.exe — filter by node-gyp in ParentCommandLine or DroppedFile paths in node_modules build directories
Legitimate Python scripts making API calls to internal microservices on non-standard ports — apply host-based allowlists for known developer workstations or service accounts
CI/CD runner hosts executing pip/npm installs as part of build pipelines — apply host-based suppression for known build agent hostnames

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [
    process where event.type == "start" and
    (
      process.parent.name in ("python.exe", "python3.exe", "python3", "node", "node.exe", "pip", "pip.exe", "pip3", "pip3.exe") or
      process.parent.command_line like~ "*pip install*" or
      process.parent.command_line like~ "*pip3 install*" or
      process.parent.command_line like~ "*npm install*" or
      process.parent.command_line like~ "*npm ci*" or
      process.parent.command_line like~ "*yarn add*" or
      process.parent.command_line like~ "*setup.py*"
    ) and
    process.name in (
      "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
      "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
      "msiexec.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe", "net.exe", "netsh.exe"
    )
  ] by process.entity_id

union

sequence by host.id with maxspan=10m
  [
    network where event.type == "connection" and
    process.name in ("python.exe", "python3.exe", "python3", "node", "node.exe") and
    not destination.ip in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") and
    not (
      destination.domain like~ "*pypi.org" or
      destination.domain like~ "*pythonhosted.org" or
      destination.domain like~ "*npmjs.com" or
      destination.domain like~ "*github.com" or
      destination.domain like~ "*githubusercontent.com" or
      destination.domain like~ "*anaconda.com" or
      destination.domain like~ "*yarnpkg.com"
    ) and
    destination.port not in (80, 443, 8080, 8443)
  ] by process.entity_id

union

sequence by host.id with maxspan=5m
  [
    file where event.type == "creation" and
    process.name in ("python.exe", "python3.exe", "python3", "node", "node.exe", "pip", "pip.exe", "pip3", "pip3.exe") and
    (
      file.name like~ "*.exe" or file.name like~ "*.dll" or
      file.name like~ "*.bat" or file.name like~ "*.ps1" or
      file.name like~ "*.vbs" or file.name like~ "*.scr"
    ) and
    (
      file.path like~ "*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup*" or
      file.path like~ "*\\AppData\\Local\\Temp\\*" or
      file.path like~ "*\\Windows\\Temp\\*" or
      file.path like~ "*\\Windows\\System32\\*" or
      file.path like~ "*\\Windows\\SysWOW64\\*" or
      file.path like~ "*\\ProgramData\\*"
    )
  ] by process.entity_id

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Elastic Endpoint Security (endpoint.events.network) Elastic Endpoint Security (endpoint.events.file) Winlogbeat with Sysmon Elastic Agent with system integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-* logs-system.security-*

False Positives

Legitimate developer build tools or CI/CD pipelines that invoke shell scripts via setup.py or postinstall hooks (e.g., compiling native extensions with CFFI, running pytest, building C extensions with cmake). Tune by adding known-good build pipeline hostnames or process hashes.
Data science environments (Jupyter, Anaconda) where Python spawns cmd.exe or PowerShell as part of legitimate environment management, conda package hooks, or notebook operations. Whitelist by user identity and machine context.
Python or Node applications with intentional non-standard port outbound connections for legitimate services (IRC bots, game servers, IoT device management APIs). Suppress by destination IP/domain allowlist per environment.
Legitimate test automation frameworks that install packages and subsequently run PowerShell or cmd scripts as part of the test harness (e.g., tox, nox, Makefile integration tests on Windows).

IBM QRadar (AQL)

sql

-- Branch 1: Package manager spawning suspicious child processes
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  'PackageInstallSpawnedSuspiciousProcess' AS detection_branch,
  logsourceid,
  "username" AS account_name,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "sourceip",
  UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCETYPEID = 12 -- Microsoft Windows
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND eventid = 1  -- Sysmon Process Create
  AND (
    LOWER("ParentImage") LIKE '%\pip.exe'
    OR LOWER("ParentImage") LIKE '%\pip3.exe'
    OR LOWER("ParentImage") LIKE '%\python.exe'
    OR LOWER("ParentImage") LIKE '%\python3.exe'
    OR LOWER("ParentImage") LIKE '%\node.exe'
    OR LOWER("ParentImage") LIKE '%\npm.cmd'
    OR LOWER("ParentCommandLine") LIKE '%pip install%'
    OR LOWER("ParentCommandLine") LIKE '%pip3 install%'
    OR LOWER("ParentCommandLine") LIKE '%npm install%'
    OR LOWER("ParentCommandLine") LIKE '%npm ci%'
    OR LOWER("ParentCommandLine") LIKE '%yarn add%'
    OR LOWER("ParentCommandLine") LIKE '%setup.py%'
  )
  AND (
    LOWER("Image") LIKE '%\cmd.exe'
    OR LOWER("Image") LIKE '%\powershell.exe'
    OR LOWER("Image") LIKE '%\pwsh.exe'
    OR LOWER("Image") LIKE '%\mshta.exe'
    OR LOWER("Image") LIKE '%\rundll32.exe'
    OR LOWER("Image") LIKE '%\certutil.exe'
    OR LOWER("Image") LIKE '%\bitsadmin.exe'
    OR LOWER("Image") LIKE '%\wscript.exe'
    OR LOWER("Image") LIKE '%\cscript.exe'
    OR LOWER("Image") LIKE '%\regsvr32.exe'
    OR LOWER("Image") LIKE '%\msiexec.exe'
    OR LOWER("Image") LIKE '%\schtasks.exe'
    OR LOWER("Image") LIKE '%\sc.exe'
    OR LOWER("Image") LIKE '%\reg.exe'
  )

UNION ALL

-- Branch 2: Python/Node C2 callback on non-standard ports
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  'MaliciousLibraryC2Callback' AS detection_branch,
  logsourceid,
  "username" AS account_name,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "sourceip",
  UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCETYPEID = 12
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND eventid = 3  -- Sysmon Network Connect
  AND (
    LOWER("Image") LIKE '%\python.exe'
    OR LOWER("Image") LIKE '%\python3.exe'
    OR LOWER("Image") LIKE '%\node.exe'
  )
  AND destinationport NOT IN (80, 443, 8080, 8443)
  AND NOT INCIDR(destinationip, '10.0.0.0/8')
  AND NOT INCIDR(destinationip, '172.16.0.0/12')
  AND NOT INCIDR(destinationip, '192.168.0.0/16')
  AND NOT INCIDR(destinationip, '127.0.0.0/8')
  AND NOT (
    LOWER("DestinationHostname") LIKE '%pypi.org'
    OR LOWER("DestinationHostname") LIKE '%pythonhosted.org'
    OR LOWER("DestinationHostname") LIKE '%npmjs.com'
    OR LOWER("DestinationHostname") LIKE '%github.com'
    OR LOWER("DestinationHostname") LIKE '%githubusercontent.com'
    OR LOWER("DestinationHostname") LIKE '%anaconda.com'
    OR LOWER("DestinationHostname") LIKE '%yarnpkg.com'
  )

UNION ALL

-- Branch 3: Package installer dropping executables in sensitive locations
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  'PackageInstallerDroppedExecutable' AS detection_branch,
  logsourceid,
  "username" AS account_name,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "sourceip",
  UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCETYPEID = 12
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND eventid = 11  -- Sysmon File Create
  AND (
    LOWER("Image") LIKE '%\python.exe'
    OR LOWER("Image") LIKE '%\python3.exe'
    OR LOWER("Image") LIKE '%\node.exe'
    OR LOWER("Image") LIKE '%\pip.exe'
    OR LOWER("Image") LIKE '%\pip3.exe'
  )
  AND (
    LOWER("TargetFilename") LIKE '%.exe'
    OR LOWER("TargetFilename") LIKE '%.dll'
    OR LOWER("TargetFilename") LIKE '%.bat'
    OR LOWER("TargetFilename") LIKE '%.ps1'
    OR LOWER("TargetFilename") LIKE '%.vbs'
    OR LOWER("TargetFilename") LIKE '%.scr'
  )
  AND (
    LOWER("TargetFilename") LIKE '%\startup\%'
    OR LOWER("TargetFilename") LIKE '%appdata\local\temp\%'
    OR LOWER("TargetFilename") LIKE '%windows\temp\%'
    OR LOWER("TargetFilename") LIKE '%system32\%'
    OR LOWER("TargetFilename") LIKE '%syswow64\%'
    OR LOWER("TargetFilename") LIKE '%\programdata\%'
  )
ORDER BY event_time DESC

high severity high confidence

Data Sources

Sysmon via Microsoft Windows log source (LOGSOURCETYPEID=12) QRadar DSM for Microsoft Windows Security Event Log Windows Sysmon operational log forwarded via WEF or QRadar WinCollect agent

Required Tables

events (QRadar normalized event pipeline) Sysmon EventID 1 (Process Create) Sysmon EventID 3 (Network Connect) Sysmon EventID 11 (File Create)

False Positives

Native Python extension compilation during legitimate package installation (e.g., numpy, scipy, cryptography) may invoke cmd.exe or MSVC build tools. These will trigger Branch 1. Whitelist by adding known compiler binaries to an exclusion reference set.
Node.js desktop applications or Electron apps making non-standard port outbound connections to vendor APIs or telemetry services will trigger Branch 2. Suppress by creating a QRadar reference set of approved application process hashes.
Legitimate Python-based deployment tools (Ansible, SaltStack, Fabric) may drop .ps1 or .bat files into temp directories as part of legitimate automation workflows. Tune by correlating with known service account identities.
Development workstations running comprehensive npm test suites that invoke powershell.exe for Windows-specific integration tests will generate Branch 1 false positives. Consider excluding devices tagged as dev machines in the asset database.

Sumo Logic CSE

sql

// Branch 1: Package manager spawning suspicious child processes
(_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
| where EventID = 1
| parse "<ParentImage><![CDATA[*]]></ParentImage>" as ParentImage nodrop
| parse "<ParentCommandLine><![CDATA[*]]></ParentCommandLine>" as ParentCommandLine nodrop
| parse "<Image><![CDATA[*]]></Image>" as ChildImage nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as ChildCommandLine nodrop
| parse "<User><![CDATA[*]]></User>" as Username nodrop
| where (
    ParentImage matches "*\\pip.exe" OR ParentImage matches "*\\pip3.exe" OR
    ParentImage matches "*\\python.exe" OR ParentImage matches "*\\python3.exe" OR
    ParentImage matches "*\\node.exe" OR ParentImage matches "*\\npm.cmd" OR
    ParentCommandLine matches "*pip install*" OR ParentCommandLine matches "*pip3 install*" OR
    ParentCommandLine matches "*npm install*" OR ParentCommandLine matches "*npm ci*" OR
    ParentCommandLine matches "*yarn add*" OR ParentCommandLine matches "*setup.py*"
  )
| where (
    ChildImage matches "*\\cmd.exe" OR ChildImage matches "*\\powershell.exe" OR
    ChildImage matches "*\\pwsh.exe" OR ChildImage matches "*\\mshta.exe" OR
    ChildImage matches "*\\rundll32.exe" OR ChildImage matches "*\\certutil.exe" OR
    ChildImage matches "*\\bitsadmin.exe" OR ChildImage matches "*\\wscript.exe" OR
    ChildImage matches "*\\cscript.exe" OR ChildImage matches "*\\regsvr32.exe" OR
    ChildImage matches "*\\msiexec.exe" OR ChildImage matches "*\\schtasks.exe" OR
    ChildImage matches "*\\sc.exe" OR ChildImage matches "*\\reg.exe"
  )
| "PackageInstallSpawnedSuspiciousProcess" as DetectionBranch
| fields _messageTime, _sourceHost, Username, ChildImage, ChildCommandLine, ParentImage, ParentCommandLine, DetectionBranch

// Branch 2: Python/Node C2 callback on non-standard ports
| union [
  (_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
  | where EventID = 3
  | parse "<Image><![CDATA[*]]></Image>" as Image nodrop
  | parse "<DestinationIp>*</DestinationIp>" as DestIP nodrop
  | parse "<DestinationPort>*</DestinationPort>" as DestPort nodrop
  | parse "<DestinationHostname>*</DestinationHostname>" as DestHost nodrop
  | parse "<CommandLine><![CDATA[*]]></CommandLine>" as CommandLine nodrop
  | parse "<User><![CDATA[*]]></User>" as Username nodrop
  | where Image matches "*\\python.exe" OR Image matches "*\\python3.exe" OR Image matches "*\\node.exe"
  | where num(DestPort) != 80 AND num(DestPort) != 443 AND num(DestPort) != 8080 AND num(DestPort) != 8443
  | where !(DestIP matches "10.*" OR DestIP matches "172.1[6-9].*" OR DestIP matches "172.2[0-9].*" OR DestIP matches "172.3[0-1].*" OR DestIP matches "192.168.*" OR DestIP matches "127.*")
  | where !(DestHost matches "*pypi.org" OR DestHost matches "*pythonhosted.org" OR DestHost matches "*npmjs.com" OR DestHost matches "*github.com" OR DestHost matches "*githubusercontent.com" OR DestHost matches "*anaconda.com" OR DestHost matches "*yarnpkg.com")
  | "MaliciousLibraryC2Callback" as DetectionBranch
  | concat(DestIP, ":", DestPort) as NetworkDest
  | fields _messageTime, _sourceHost, Username, Image as ChildImage, CommandLine as ChildCommandLine, NetworkDest, DetectionBranch
]

// Branch 3: Package installer dropping executable/script into sensitive locations
| union [
  (_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
  | where EventID = 11
  | parse "<Image><![CDATA[*]]></Image>" as Image nodrop
  | parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as DroppedFile nodrop
  | parse "<CommandLine><![CDATA[*]]></CommandLine>" as CommandLine nodrop
  | parse "<User><![CDATA[*]]></User>" as Username nodrop
  | where Image matches "*\\python.exe" OR Image matches "*\\python3.exe" OR Image matches "*\\node.exe" OR Image matches "*\\pip.exe" OR Image matches "*\\pip3.exe"
  | where DroppedFile matches "*.exe" OR DroppedFile matches "*.dll" OR DroppedFile matches "*.bat" OR DroppedFile matches "*.ps1" OR DroppedFile matches "*.vbs" OR DroppedFile matches "*.scr"
  | where DroppedFile matches "*\\Startup\\*" OR DroppedFile matches "*AppData\\Local\\Temp\\*" OR DroppedFile matches "*Windows\\Temp\\*" OR DroppedFile matches "*System32\\*" OR DroppedFile matches "*SysWOW64\\*" OR DroppedFile matches "*\\ProgramData\\*"
  | "PackageInstallerDroppedExecutable" as DetectionBranch
  | fields _messageTime, _sourceHost, Username, Image as ChildImage, CommandLine as ChildCommandLine, DroppedFile, DetectionBranch
]

| sort by _messageTime desc
| count by _sourceHost, Username, ChildImage, DetectionBranch

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log Source for Sysmon Sumo Logic Cloud-to-Cloud Source (if forwarding via SIEM aggregator) Windows Sysmon operational log (Microsoft-Windows-Sysmon/Operational)

Required Tables

Sysmon EventID 1 (Process Create) — _sourceCategory windows/sysmon Sysmon EventID 3 (Network Connect) — _sourceCategory windows/sysmon Sysmon EventID 11 (File Create) — _sourceCategory windows/sysmon

False Positives

Legitimate packages with native extension build requirements (numpy, lxml, psycopg2-binary) frequently invoke cmd.exe or cl.exe via setup.py during installation, especially in developer environments without pre-built wheels. Suppress by adding a filter for known compiler image paths (cl.exe, link.exe, ninja).
Node.js serverless frameworks or desktop apps (Electron-based tools like VS Code extensions) may establish connections to non-standard port APIs during postinstall telemetry or license checks. Whitelist specific application hashes or destination IP ranges for known vendors.
Python deployment automation using Fabric or Invoke that explicitly shells out to PowerShell for Windows host provisioning tasks may trigger Branch 1. Tune by creating an allowlist based on specific ServiceAccount usernames performing these operations.
Security tooling written in Python (vulnerability scanners, pen-test frameworks) legitimately making unusual outbound connections. Correlate with device type (security scanner) before escalating.

Google Chronicle / SecOps

yaral

rule malicious_library_execution_t1204_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects malicious library execution via package manager install-time hooks spawning LOLBins, C2 callbacks from Python/Node on non-standard ports, and package runtimes dropping executables in sensitive paths. Covers supply chain compromise, typosquatting, and dependency confusion attacks (T1204.005)."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204.005"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1204/005/"

  events:
    // Branch 1: Package manager spawning suspicious child process
    (
      $branch1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($branch1.principal.process.file.full_path, `(?i)(pip\.exe|pip3\.exe|python\.exe|python3\.exe|node\.exe|npm\.cmd)$`)
        or re.regex($branch1.principal.process.command_line, `(?i)(pip install|pip3 install|npm install|npm ci|yarn add|setup\.py)`)
      )
      and re.regex($branch1.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msiexec\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe|net\.exe|netsh\.exe)$`)
    )
    or
    // Branch 2: Python/Node making C2 callback on non-standard port to public IP
    (
      $branch2.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($branch2.principal.process.file.full_path, `(?i)(python\.exe|python3\.exe|node\.exe)$`)
      and not net.ip_in_range_cidr($branch2.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($branch2.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($branch2.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($branch2.target.ip, "127.0.0.0/8")
      and not re.regex($branch2.target.hostname, `(?i)(pypi\.org|pythonhosted\.org|npmjs\.com|github\.com|githubusercontent\.com|anaconda\.com|yarnpkg\.com|rubygems\.org|pkg\.go\.dev)$`)
      and $branch2.target.port != 80
      and $branch2.target.port != 443
      and $branch2.target.port != 8080
      and $branch2.target.port != 8443
    )
    or
    // Branch 3: Package runtime dropping executable or script in sensitive path
    (
      $branch3.metadata.event_type = "FILE_CREATION"
      and re.regex($branch3.principal.process.file.full_path, `(?i)(python\.exe|python3\.exe|node\.exe|pip\.exe|pip3\.exe)$`)
      and re.regex($branch3.target.file.full_path, `(?i)\.(exe|dll|bat|ps1|vbs|scr)$`)
      and re.regex($branch3.target.file.full_path, `(?i)(\\Startup\\|AppData\\Local\\Temp\\|Windows\\Temp\\|Windows\\System32\\|Windows\\SysWOW64\\|\\ProgramData\\)`)
    )

  condition:
    $branch1 or $branch2 or $branch3
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Microsoft Defender for Endpoint via Chronicle connector Sysmon logs ingested into Chronicle via Bindplane or Chronicle forwarder CrowdStrike Falcon data ingested into Chronicle Chronicle Windows Event Log parser

Required Tables

UDM events: PROCESS_LAUNCH UDM events: NETWORK_CONNECTION UDM events: FILE_CREATION

False Positives

Packages that compile C extensions during installation (cryptography, numpy, pillow) will spawn cl.exe, link.exe, or cmake on Windows via distutils/setuptools. These share the pip/python parent process pattern. Add exclusions for known compiler executables (cl.exe, link.exe, ninja.exe, cmake.exe) in Branch 1.
Development pipelines using node-gyp to compile native Node.js addons will invoke cmd.exe and PowerShell during npm install. Scope exclusions to CI/CD service accounts or machine asset groups tagged as build infrastructure.
Python-based monitoring agents or observability tools that legitimately make outbound connections on non-standard telemetry ports (e.g., 4317 for OpenTelemetry GRPC, 8125 for StatsD) will match Branch 2. Maintain an approved-ports reference list for known monitoring agents.
Legitimate Python package post-install scripts that generate compiled .pyc/.pyd files in site-packages subdirectories under ProgramData may superficially match Branch 3. Tighten the path match to exclude known site-packages paths.

CrowdStrike LogScale (CQL)

cql

// Branch 1: Package manager spawning suspicious Windows LOLBins (install-time hook abuse)
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(pip\.exe|pip3\.exe|python\.exe|python3\.exe|node\.exe|npm\.cmd)$/i
  OR ParentCommandLine = /pip\s+install|pip3\s+install|npm\s+install|npm\s+ci|yarn\s+add|setup\.py/i
| FileName = /^(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msiexec\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe|net\.exe|netsh\.exe)$/i
| "PackageInstallSpawnedSuspiciousProcess" as DetectionBranch
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch])

union

// Branch 2: Python/Node C2 callback on non-standard ports to public IPs
#event_simpleName=NetworkConnectIP4
| ImageFileName = /\\(python\.exe|python3\.exe|node\.exe)$/i
| RemotePort != 80 AND RemotePort != 443 AND RemotePort != 8080 AND RemotePort != 8443
| !cidr(RemoteIP, subnet=["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","127.0.0.0/8"])
| !RemoteIP = /^(pypi\.org|files\.pythonhosted\.org|npmjs\.com|registry\.npmjs\.org|github\.com|raw\.githubusercontent\.com|yarnpkg\.com|anaconda\.com)$/i
| "MaliciousLibraryC2Callback" as DetectionBranch
| concat([RemoteIP, ":", RemotePort], str="") as NetworkDest
| table([timestamp, ComputerName, ImageFileName, CommandLine, NetworkDest, DetectionBranch])

union

// Branch 3: Package runtime dropping executable/script in sensitive filesystem locations
#event_simpleName=PeFileWritten OR #event_simpleName=ScriptFileWritten
| ImageFileName = /\\(python\.exe|python3\.exe|node\.exe|pip\.exe|pip3\.exe)$/i
| TargetFileName = /\.(exe|dll|bat|ps1|vbs|scr)$/i
| TargetFileName = /\\(Startup\\|AppData\\Local\\Temp\\|Windows\\Temp\\|System32\\|SysWOW64\\|ProgramData\\)/i
| "PackageInstallerDroppedExecutable" as DetectionBranch
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, DetectionBranch])

| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection — ProcessRollup2 events CrowdStrike Falcon Endpoint Protection — NetworkConnectIP4 events CrowdStrike Falcon Endpoint Protection — PeFileWritten events CrowdStrike Falcon Endpoint Protection — ScriptFileWritten events CrowdStrike Falcon Data Replicator (FDR) or LogScale Falcon SIEM Connector

Required Tables

ProcessRollup2 (#event_simpleName) NetworkConnectIP4 (#event_simpleName) PeFileWritten (#event_simpleName) ScriptFileWritten (#event_simpleName)

False Positives

Native Python extension compilation via pip (e.g., installing cryptography, numpy, or psutil with no pre-built wheel) will invoke cl.exe or link.exe on Windows, generating Branch 1 hits. Tune by excluding known compiler binaries from FileName matches or by allowlisting build machine sensor groups.
Node.js applications using node-gyp for native module compilation will spawn cmd.exe during npm install/rebuild operations. These are especially common in development environments with C++ addon dependencies. Suppress by device group or user directory context.
Legitimate Python-based administrative tools (Ansible-pull, SaltStack Minion, Puppet agent running Python scripts) that write configuration scripts (ps1, bat) as part of normal operation will match Branch 3. Create an exclusion based on known service account SIDs or process hash allowlisting in Falcon's Custom IOA rules.
Security testing and red team tooling written in Python (Impacket, Metasploit Python stagers, BloodHound collection scripts) making intentional non-standard port connections during authorized pen-test windows. Cross-reference with change management data or scheduled maintenance windows before alerting.

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1204.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious Link T1204.002Malicious File T1204.003Malicious Image T1204.004Malicious Copy and Paste

Malicious Library

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections